Malware Analysis Report

2024-11-13 13:42

Sample ID 240515-twjwdshf42
Target d96af1f18f70dd1401179685f518b060_NeikiAnalytics
SHA256 cc692cb560eed095d42301dda9d9825b8b6656123b88164a9fa72724b651d0c8
Tags dcrat evasion execution infostealer rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 cc692cb560eed095d42301dda9d9825b8b6656123b88164a9fa72724b651d0c8

Threat Level: Known bad

The file d96af1f18f70dd1401179685f518b060_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan

DcRat

DCRat payload

Process spawned unexpected child process

UAC bypass

Dcrat family

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Modifies registry class

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-15 16:24

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-15 16:24

Reported 2024-05-15 16:26

Platform win7-20240220-en

Max time kernel 149s

Max time network 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
(This row is repeated 54 times in the original report, once per schtasks.exe launch; the count matches the 54 schtasks.exe rows under "Creates scheduled task(s)" below.)

UAC bypass

evasion trojan
Description | Indicator | Process | Target | Count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\explorer.exe | N/A | 3
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\explorer.exe | N/A | 3
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\explorer.exe | N/A | 3
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A | 1
(Count = number of identical rows in the original report; 12 rows in total.)

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(This row is repeated 10 times in the original report; no indicator details are recorded for the payload detections.)

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Common Files\explorer.exe | N/A | 3
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\explorer.exe | N/A | 3
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A | 1
(Count = number of identical rows in the original report; 8 rows in total.)

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Uninstall Information\RCX3AA1.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows NT\TableTextService\it-IT\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCX1BA2.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCX1BA3.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\fr-FR\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\b75386f1303e64 | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\RCX1FAB.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\Templates\RCX3196.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\Templates\RCX3197.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Common Files\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\56085415360792 | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Windows Journal\Templates\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Windows Journal\Templates\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\b75386f1303e64 | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\RCX26D2.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Windows NT\TableTextService\de-DE\RCX28E7.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Windows NT\TableTextService\de-DE\explorer.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Common Files\explorer.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Uninstall Information\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Uninstall Information\b75386f1303e64 | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\RCX2D6E.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\Templates\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX389D.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Uninstall Information\RCX3AA2.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX382F.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Windows NT\TableTextService\de-DE\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\RCX2019.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\RCX26D3.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Windows NT\TableTextService\de-DE\RCX28E8.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Windows NT\TableTextService\de-DE\explorer.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Uninstall Information\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\RCX2D6D.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\explorer.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX35AD.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX361B.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Microsoft.NET\wininit.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Windows\Microsoft.NET\56085415360792 | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\RCX3CA6.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\RCX3D14.tmp | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\wininit.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Windows\rescache\rc0005\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A
File created | C:\Windows\Speech\Common\fr-FR\lsm.exe | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
(This row is repeated 54 times in the original report, once per schtasks.exe invocation; the task names are not recorded in the signature table.)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A | 49
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 12
N/A | N/A | C:\Program Files (x86)\Common Files\explorer.exe | N/A | 3
(Count = number of identical rows in the original report; 64 rows in total.)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 12
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Common Files\explorer.exe | N/A | 3
(Count = number of identical rows in the original report; 16 rows in total.)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2068 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2068 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2068 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2068 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2068 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
(Count = number of identical rows in the original report.)
PID 2068 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2068 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2068 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2072 wrote to memory of 1908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2072 wrote to memory of 1908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2072 wrote to memory of 1908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2072 wrote to memory of 1632 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Common Files\explorer.exe
PID 2072 wrote to memory of 1632 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Common Files\explorer.exe
PID 2072 wrote to memory of 1632 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Common Files\explorer.exe
PID 1632 wrote to memory of 2864 N/A C:\Program Files (x86)\Common Files\explorer.exe C:\Windows\System32\WScript.exe
PID 1632 wrote to memory of 2864 N/A C:\Program Files (x86)\Common Files\explorer.exe C:\Windows\System32\WScript.exe
PID 1632 wrote to memory of 2864 N/A C:\Program Files (x86)\Common Files\explorer.exe C:\Windows\System32\WScript.exe
PID 1632 wrote to memory of 2192 N/A C:\Program Files (x86)\Common Files\explorer.exe C:\Windows\System32\WScript.exe
PID 1632 wrote to memory of 2192 N/A C:\Program Files (x86)\Common Files\explorer.exe C:\Windows\System32\WScript.exe
PID 1632 wrote to memory of 2192 N/A C:\Program Files (x86)\Common Files\explorer.exe C:\Windows\System32\WScript.exe
PID 2864 wrote to memory of 2636 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Common Files\explorer.exe
PID 2864 wrote to memory of 2636 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Common Files\explorer.exe
PID 2864 wrote to memory of 2636 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Common Files\explorer.exe
PID 2636 wrote to memory of 2304 N/A C:\Program Files (x86)\Common Files\explorer.exe C:\Windows\System32\WScript.exe
PID 2636 wrote to memory of 2304 N/A C:\Program Files (x86)\Common Files\explorer.exe C:\Windows\System32\WScript.exe
PID 2636 wrote to memory of 2304 N/A C:\Program Files (x86)\Common Files\explorer.exe C:\Windows\System32\WScript.exe
PID 2636 wrote to memory of 1540 N/A C:\Program Files (x86)\Common Files\explorer.exe C:\Windows\System32\WScript.exe
PID 2636 wrote to memory of 1540 N/A C:\Program Files (x86)\Common Files\explorer.exe C:\Windows\System32\WScript.exe
PID 2636 wrote to memory of 1540 N/A C:\Program Files (x86)\Common Files\explorer.exe C:\Windows\System32\WScript.exe
PID 2304 wrote to memory of 1508 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Common Files\explorer.exe
PID 2304 wrote to memory of 1508 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Common Files\explorer.exe
PID 2304 wrote to memory of 1508 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Common Files\explorer.exe
PID 1508 wrote to memory of 812 N/A C:\Program Files (x86)\Common Files\explorer.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\explorer.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "d96af1f18f70dd1401179685f518b060_NeikiAnalyticsd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "d96af1f18f70dd1401179685f518b060_NeikiAnalytics" /sc ONLOGON /tr "'C:\MSOCache\All Users\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "d96af1f18f70dd1401179685f518b060_NeikiAnalyticsd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\Templates\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\in2KLgOhRm.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Common Files\explorer.exe

"C:\Program Files (x86)\Common Files\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ceafe375-0abb-497f-a952-4d6c04f676be.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4943d02a-22e7-4b41-aea2-6406a6163081.vbs"

C:\Program Files (x86)\Common Files\explorer.exe

"C:\Program Files (x86)\Common Files\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6ca795b-343c-49bf-84d1-9e80a04268e4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d961c263-cddb-4e23-a452-d54bec58cc26.vbs"

C:\Program Files (x86)\Common Files\explorer.exe

"C:\Program Files (x86)\Common Files\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8cb4794-11eb-4df8-983d-20a1ef8014f8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76e91a14-3198-48c2-9223-6279937d43b2.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0887556.xsph.ru udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp

Files

C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe

C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe

C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe

C:\MSOCache\All Users\RCX2F72.tmp

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe

C:\Windows\Microsoft.NET\wininit.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\in2KLgOhRm.bat

C:\Users\Admin\AppData\Local\Temp\4943d02a-22e7-4b41-aea2-6406a6163081.vbs

C:\Users\Admin\AppData\Local\Temp\ceafe375-0abb-497f-a952-4d6c04f676be.vbs

C:\Users\Admin\AppData\Local\Temp\c6ca795b-343c-49bf-84d1-9e80a04268e4.vbs

C:\Users\Admin\AppData\Local\Temp\e8cb4794-11eb-4df8-983d-20a1ef8014f8.vbs

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 16:24

Reported

2024-05-15 16:27

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
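
The rows above all say the same thing 33 times: schtasks.exe was created with wmiprvse.exe (the WMI provider host) as its parent. That is what process creation through WMI (Win32_Process.Create) looks like in telemetry, because wmiprvse.exe, not the caller, becomes the recorded parent and the link back to the dropper is lost; the report does not state how the sample invoked it. The following Python is an added example, not part of the sandbox output: it runs a parent/child baseline over constructed process-creation records that mirror this detonation (the PIDs, the svchost/conhost rows and most command lines are constructed) and collapses repeated hits into a count. The set of children tolerated under each watched parent is an assumption to tune per estate.

```python
"""Parent/child anomaly check over constructed process-creation records.

Added example, not part of the sandbox report. The records mirror the
behavioral2 detonation (PIDs and most command lines are constructed); the
allow-list of tolerated children is an assumption to tune per estate.
"""
import ntpath
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'schtasks.exe'."""
    return ntpath.basename(path).lower()


# Parents that should rarely create processes, with the children tolerated.
# wmiprvse.exe hosts WMI providers: a child of it usually means the caller
# went through Win32_Process.Create, so telemetry records wmiprvse.exe, not
# the caller, as the parent. Script hosts are watched for the same reason.
# Assumed baseline, not a Windows default.
WATCHED_PARENTS = {
    "wmiprvse.exe": {"werfault.exe", "conhost.exe"},
    "wscript.exe": {"conhost.exe"},
    "cscript.exe": {"conhost.exe"},
}


def unexpected_children(events):
    """(pid, parent, child, command_line) for each spawn outside the baseline."""
    findings = []
    for ev in events:
        parent, child = image_name(ev.parent_image), image_name(ev.image)
        if parent in WATCHED_PARENTS and child not in WATCHED_PARENTS[parent]:
            findings.append((ev.pid, parent, child, ev.command_line))
    return findings


def summarize(findings):
    """Collapse repeated hits into (parent, child) -> count."""
    return Counter((parent, child) for _, parent, child, _ in findings)


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"

# Constructed telemetry: the first three rows are ordinary activity, the
# wmiprvse.exe -> schtasks.exe rows reproduce the signature hits above, and
# the WScript.exe -> dwm.exe row reproduces the VBS relaunch seen later.
SAMPLE_EVENTS = [
    ProcessEvent(1536, r"C:\Windows\explorer.exe", DROPPER, f'"{DROPPER}"'),
    ProcessEvent(2240, r"C:\Windows\system32\svchost.exe", WMIPRVSE,
                 "wmiprvse.exe -secured -Embedding"),
    ProcessEvent(2260, WMIPRVSE, r"C:\Windows\system32\conhost.exe",
                 "conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(3312, WMIPRVSE, SCHTASKS,
                 r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /rl HIGHEST /f"""),
    ProcessEvent(3320, WMIPRVSE, SCHTASKS,
                 r"""schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f"""),
    ProcessEvent(3404, r"C:\Windows\System32\WScript.exe",
                 r"C:\Program Files (x86)\Google\dwm.exe",
                 r'"C:\Program Files (x86)\Google\dwm.exe"'),
]


if __name__ == "__main__":
    hits = unexpected_children(SAMPLE_EVENTS)
    for pid, parent, child, cmd in hits:
        print(f"[{pid}] {parent} -> {child}: {cmd}")
    for (parent, child), n in summarize(hits).items():
        print(f"{parent} -> {child}: {n} spawn(s)")
```

On a real host the same check runs over Sysmon Event ID 1 or Security 4688 records (both carry the parent image), and the summary step is what turns 33 identical rows into one alert with a count.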

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Google\dwm.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Google\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Google\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Google\dwm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Google\dwm.exe N/A
N/A N/A C:\Program Files (x86)\Google\dwm.exe N/A
N/A N/A C:\Program Files (x86)\Google\dwm.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Google\dwm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Security\BrowserCore\RCX5AD7.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Google\dwm.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Google\dwm.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RCX5CEB.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RCX5CEC.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\RCX5AD6.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\services.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Google\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX6CF7.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCX6193.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCX6194.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Google\RCX63A9.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Google\RCX63A8.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\services.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX6D07.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File created C:\Windows\CbsTemp\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File created C:\Windows\CbsTemp\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCX58C2.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\CbsTemp\RCX6A66.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\CbsTemp\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCX58B1.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\CbsTemp\RCX6A65.tmp C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Program Files (x86)\Google\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Program Files (x86)\Google\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Program Files (x86)\Google\dwm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1536 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1536 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 1536 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 884 wrote to memory of 4944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 884 wrote to memory of 4944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 884 wrote to memory of 3804 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Google\dwm.exe
PID 884 wrote to memory of 3804 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Google\dwm.exe
PID 3804 wrote to memory of 920 N/A C:\Program Files (x86)\Google\dwm.exe C:\Windows\System32\WScript.exe
PID 3804 wrote to memory of 920 N/A C:\Program Files (x86)\Google\dwm.exe C:\Windows\System32\WScript.exe
PID 3804 wrote to memory of 2296 N/A C:\Program Files (x86)\Google\dwm.exe C:\Windows\System32\WScript.exe
PID 3804 wrote to memory of 2296 N/A C:\Program Files (x86)\Google\dwm.exe C:\Windows\System32\WScript.exe
PID 920 wrote to memory of 3404 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Google\dwm.exe
PID 920 wrote to memory of 3404 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Google\dwm.exe
PID 3404 wrote to memory of 1476 N/A C:\Program Files (x86)\Google\dwm.exe C:\Windows\System32\WScript.exe
PID 3404 wrote to memory of 1476 N/A C:\Program Files (x86)\Google\dwm.exe C:\Windows\System32\WScript.exe
PID 3404 wrote to memory of 3820 N/A C:\Program Files (x86)\Google\dwm.exe C:\Windows\System32\WScript.exe
PID 3404 wrote to memory of 3820 N/A C:\Program Files (x86)\Google\dwm.exe C:\Windows\System32\WScript.exe
PID 1476 wrote to memory of 3944 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Google\dwm.exe
PID 1476 wrote to memory of 3944 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Google\dwm.exe
PID 3944 wrote to memory of 1944 N/A C:\Program Files (x86)\Google\dwm.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 1944 N/A C:\Program Files (x86)\Google\dwm.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 5060 N/A C:\Program Files (x86)\Google\dwm.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 5060 N/A C:\Program Files (x86)\Google\dwm.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Google\dwm.exe N/A
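
The three values rewritten above (here and under "UAC bypass") are the whole of UAC's admin-side configuration: EnableLUA=0 turns Admin Approval Mode off so administrators run fully elevated with no prompt at all (it takes effect at the next logon or reboot), ConsentPromptBehaviorAdmin=0 makes any elevation in the meantime silent, and PromptOnSecureDesktop=0 moves whatever prompts remain onto the normal desktop, where they can be spoofed or clicked by automation. Note that these are HKLM writes: the dropper and its dwm.exe copy already had administrative rights when they made them (the sandbox runs the sample as a local administrator), so this is less a bypass of UAC than a permanent disabling of it for every later elevation. The Python below is an added example, not part of the report; it parses "Set value (int)" rows in the layout used by these tables (six copied from above, plus one constructed benign write showing the default) and grades the resulting posture. The defaults are Windows defaults for an admin-approval-mode account; the posture labels are the example's own.

```python
"""Grade the UAC policy values a sample rewrote under HKLM\...\Policies\System.

Added example, not part of the sandbox report. Parses rows in the report's
"Set value (int)" layout and compares each write against the Windows default.
"""
import re

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (Windows default, what the value 0 means). Defaults: EnableLUA=1,
# ConsentPromptBehaviorAdmin=5 (consent prompt for non-Windows binaries),
# PromptOnSecureDesktop=1.
UAC_VALUES = {
    "EnableLUA": (1, "Admin Approval Mode off; admins run fully elevated after next logon"),
    "ConsentPromptBehaviorAdmin": (5, "elevate silently, no consent or credential prompt"),
    "PromptOnSecureDesktop": (1, "prompts drawn on the normal, spoofable desktop"),
}

# Greedy key group backtracks so the last path element becomes the value name.
ROW = re.compile(r'^Set value \(int\) (\\REGISTRY\\[^ ]+)\\(\w+) = "(-?\d+)" (.+?) N/A$')

# First row is constructed (a benign write of the default by regedit.exe);
# the rest are copied from the tables above.
ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Google\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Google\dwm.exe N/A
"""


def parse_set_value_rows(text):
    """{value_name: [(data, writing_process), ...]} for writes under POLICY_KEY, in order."""
    writes = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        key, name, data, process = m.groups()
        if key.lower() == POLICY_KEY.lower():
            writes.setdefault(name, []).append((int(data), process))
    return writes


def uac_findings(writes):
    """One finding per write that leaves a UAC value different from its default."""
    findings = []
    for name, (default, impact) in UAC_VALUES.items():
        for data, process in writes.get(name, []):
            if data != default:
                findings.append({"value": name, "data": data, "default": default,
                                 "process": process, "impact": impact})
    return findings


def writers(findings):
    """Distinct processes that weakened UAC (dropper and its persisted copy here)."""
    return sorted({f["process"] for f in findings})


def effective_posture(writes):
    """Posture after the last write to each value ('last write wins')."""
    last = {name: rows[-1][0] for name, rows in writes.items()}
    if last.get("EnableLUA") == 0:
        return "uac_disabled"
    if last.get("ConsentPromptBehaviorAdmin") == 0:
        return "silent_elevation"
    if last.get("PromptOnSecureDesktop") == 0:
        return "prompt_spoofable"
    return "baseline"


if __name__ == "__main__":
    w = parse_set_value_rows(ROWS)
    for f in uac_findings(w):
        print(f"{f['value']}={f['data']} (default {f['default']}) by {f['process']}: {f['impact']}")
    print("posture:", effective_posture(w), "writers:", writers(w and uac_findings(w)))
```

On a live host the same three values can be read with `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"`; a value of 0 for EnableLUA on a machine that was not deliberately configured that way is a strong indicator on its own, and because it only takes effect at the next logon, a host can be in the "weakened but not yet active" state when you look.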

Uses Task Scheduler COM API

persistence
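
The 33 schtasks.exe rows under "Creates scheduled task(s)" carry no detail, but the command lines listed under Processes below do, and together with the "Drops file in Program Files directory" and "Drops file in Windows directory" tables they show the persistence pattern: each dropped copy is named after a Windows system process (csrss.exe, services.exe, RuntimeBroker.exe, dwm.exe) but placed in a directory where that binary never lives, and each copy gets three tasks, one ONLOGON task with /rl HIGHEST and two MINUTE tasks (one with /rl HIGHEST, one without) that relaunch it every few minutes as a watchdog. The dwm tasks point at C:\Recovery\WindowsRE\dwm.exe, whereas the copy that actually runs in this detonation is C:\Program Files (x86)\Google\dwm.exe, which is worth reconciling against the Files section. The Python below is an added example, not part of the report: it parses schtasks /create command lines (the twelve from the Processes list are embedded), groups them by target and flags the masquerading, the elevation and the watchdog schedule. The table of where each system binary legitimately lives is an assumption of the example (Windows 10 x64 layout).

```python
"""Parse schtasks /create command lines and flag the persistence pattern.

Added example, not part of the sandbox report. SYSTEM_BINARY_HOMES is an
assumed Windows 10 x64 layout; extend it for your estate.
"""
import ntpath

# Names the sample reuses for its copies and the one directory each really
# lives in (lower-cased). Assumption of this example.
SYSTEM_BINARY_HOMES = {
    "csrss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "dwm.exe": r"c:\windows\system32",
    "runtimebroker.exe": r"c:\windows\system32",
}
NO_VALUE_FLAGS = {"/create", "/f", "/z", "/it", "/np"}

# Copied from the Processes list below.
COMMANDS = r"""
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\services.exe'" /f
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RuntimeBroker.exe'" /f
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
""".strip().splitlines()


def tokenize(cmd):
    """Split on whitespace, honouring double quotes (cmd.exe style)."""
    tokens, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(cmd):
    """{'/flag': value or None}; the first token (the program) is skipped."""
    tokens = tokenize(cmd)
    opts, i = {}, 1
    while i < len(tokens):
        flag = tokens[i].lower()
        takes_value = (flag not in NO_VALUE_FLAGS and i + 1 < len(tokens)
                       and not tokens[i + 1].startswith("/"))
        opts[flag] = tokens[i + 1] if takes_value else None
        i += 2 if takes_value else 1
    if opts.get("/tr"):
        opts["/tr"] = opts["/tr"].strip("'")   # the sample wraps paths in single quotes
    return opts


def assess(cmd):
    """(task name, target path, [finding, ...]) for one /create command line."""
    o = parse_schtasks(cmd)
    target = o.get("/tr") or ""
    name, home = ntpath.basename(target).lower(), ntpath.dirname(target).lower()
    findings = []
    if name in SYSTEM_BINARY_HOMES and home != SYSTEM_BINARY_HOMES[name]:
        findings.append(f"masquerade: {name} launched from {ntpath.dirname(target)}")
    if (o.get("/rl") or "").upper() == "HIGHEST":
        findings.append("runs with highest privileges (/rl HIGHEST)")
    if (o.get("/sc") or "").upper() == "MINUTE":
        findings.append(f"relaunch every {o.get('/mo') or '1'} minute(s) (watchdog)")
    if (o.get("/sc") or "").upper() == "ONLOGON":
        findings.append("relaunch at every logon")
    return o.get("/tn"), target, findings


def group_by_target(commands):
    """target path -> [(task name, schedule, run level), ...]: the per-copy task triplet."""
    groups = {}
    for cmd in commands:
        o = parse_schtasks(cmd)
        groups.setdefault(o["/tr"], []).append((o["/tn"], o["/sc"], o.get("/rl")))
    return groups


if __name__ == "__main__":
    for target, tasks in group_by_target(COMMANDS).items():
        print(target)
        for tn, sc, rl in tasks:
            print(f"  {tn:<16} {sc:<8} {rl or ''}")
    for cmd in COMMANDS:
        tn, target, findings = assess(cmd)
        print(tn, "->", "; ".join(findings))
```

To look for the same pattern on a host, enumerate tasks with `schtasks /query /fo LIST /v` or `Get-ScheduledTask` and run each action's path through the same masquerade check: a task whose action is csrss.exe, services.exe or dwm.exe anywhere other than System32 has no legitimate explanation.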

Processes

C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LH1do4tUVM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Google\dwm.exe

"C:\Program Files (x86)\Google\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fd4e2be-5f61-453e-992d-491f9f5e1d8f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fba18f7a-ffb1-4758-88de-fdd3fdc496cd.vbs"

C:\Program Files (x86)\Google\dwm.exe

"C:\Program Files (x86)\Google\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca91e15b-e88d-4efb-a025-c599a67b8639.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a55b14fc-ae06-4bf7-a361-e3015ec23377.vbs"

C:\Program Files (x86)\Google\dwm.exe

"C:\Program Files (x86)\Google\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0de3adb-9c37-423c-b99c-ccb9aa438c0c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\421b40f5-a575-45a7-8df6-38ab6b9dcbcb.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 131.253.33.237:443 g.bing.com tcp
BE 2.17.107.122:443 www.bing.com tcp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 122.107.17.2.in-addr.arpa udp
BE 2.17.107.122:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 a0887556.xsph.ru udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp

Files

memory/1536-0-0x00007FFD6E663000-0x00007FFD6E665000-memory.dmp

memory/1536-1-0x0000000000340000-0x000000000067C000-memory.dmp

memory/1536-2-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

memory/1536-3-0x0000000000EB0000-0x0000000000EBE000-memory.dmp

memory/1536-4-0x0000000000EC0000-0x0000000000ECE000-memory.dmp

memory/1536-5-0x00000000027C0000-0x00000000027C8000-memory.dmp

memory/1536-6-0x00000000027D0000-0x00000000027EC000-memory.dmp

memory/1536-7-0x000000001B340000-0x000000001B390000-memory.dmp

memory/1536-9-0x0000000002800000-0x0000000002810000-memory.dmp

memory/1536-8-0x00000000027F0000-0x00000000027F8000-memory.dmp

memory/1536-10-0x0000000002810000-0x0000000002826000-memory.dmp

memory/1536-11-0x0000000002830000-0x0000000002838000-memory.dmp

memory/1536-12-0x0000000002840000-0x0000000002850000-memory.dmp

memory/1536-13-0x0000000002850000-0x000000000285A000-memory.dmp

memory/1536-14-0x000000001B9A0000-0x000000001B9F6000-memory.dmp

memory/1536-15-0x000000001B9F0000-0x000000001B9FC000-memory.dmp

memory/1536-16-0x000000001BA00000-0x000000001BA08000-memory.dmp

memory/1536-17-0x000000001BA10000-0x000000001BA1C000-memory.dmp

memory/1536-18-0x000000001BA20000-0x000000001BA28000-memory.dmp

memory/1536-19-0x000000001BA30000-0x000000001BA42000-memory.dmp

memory/1536-20-0x000000001BF90000-0x000000001C4B8000-memory.dmp

memory/1536-22-0x000000001BA70000-0x000000001BA7C000-memory.dmp

memory/1536-23-0x000000001BA80000-0x000000001BA8C000-memory.dmp

memory/1536-21-0x000000001BA60000-0x000000001BA6C000-memory.dmp

memory/1536-24-0x000000001BA90000-0x000000001BA9C000-memory.dmp

memory/1536-25-0x000000001BBA0000-0x000000001BBA8000-memory.dmp

memory/1536-27-0x000000001BBC0000-0x000000001BBCE000-memory.dmp

memory/1536-31-0x000000001BD40000-0x000000001BD48000-memory.dmp

memory/1536-33-0x000000001BD50000-0x000000001BD5C000-memory.dmp

memory/1536-32-0x000000001BE50000-0x000000001BE5A000-memory.dmp

memory/1536-30-0x000000001BCF0000-0x000000001BCFC000-memory.dmp

memory/1536-34-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

memory/1536-29-0x000000001BCE0000-0x000000001BCEE000-memory.dmp

memory/1536-28-0x000000001BCD0000-0x000000001BCD8000-memory.dmp

memory/1536-26-0x000000001BBB0000-0x000000001BBBA000-memory.dmp

memory/1536-37-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

memory/1536-38-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe

MD5 d96af1f18f70dd1401179685f518b060
SHA1 2111cbea44fe1c5af0c3bfd7b48c9de09e769f3e
SHA256 cc692cb560eed095d42301dda9d9825b8b6656123b88164a9fa72724b651d0c8
SHA512 5ef31420588da5afed32d8c0fc6e6dc1742927abe1658a5ffe36cc0e82794b1c03a94a7ba9e8d6d18a6fe82e1deba5c825fde442ffbe0c0e7ce8658ebc317c98

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mu2binww.yu5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1944-207-0x000002047B260000-0x000002047B282000-memory.dmp

memory/1536-227-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LH1do4tUVM.bat

MD5 0a4dfc8f5717eb2997ff3b2d6ca2736b
SHA1 0eef7d7f4065c6162bd2a1b91ecb23fa16747c63
SHA256 a765d6ce3f1c8d20a2c680d2afc3774adf24650adc0e7dc4424a8523106ea7de
SHA512 3ddf2f073c7e88408a9782af9449efb312b729979fb17291814be497f1f09739e1ec0892ba18f1cce99eb4588eaea01fce8f3a0658a3e1f8754778c70ee501c6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Temp\3fd4e2be-5f61-453e-992d-491f9f5e1d8f.vbs

MD5 d42c4eac3481acb5e3391454ded3a4e1
SHA1 4faaf29c594896e0dbf354c9e6e58cce7d5d4fe1
SHA256 0fbcc126f9720dd8ee053df05120491db6660be63aadc39411558f495829ed2a
SHA512 90cd736061704a4c142f6d9897e437667b76a2631273c320fe2fbf1891c340e0a48048c29df084170aed0006a8d07f9a31987e0b63e22721f9b04e3a4a514e37

C:\Users\Admin\AppData\Local\Temp\fba18f7a-ffb1-4758-88de-fdd3fdc496cd.vbs

MD5 dee4894cca6517b2ed77c972145155e6
SHA1 a0f49a0617b300c0e60d1bd3c2b40686bde2f706
SHA256 f91dd8472740952da164a43885f92e89c99f7fd9cdcf99c39ceaebe4ad040de8
SHA512 875be515a80ce50ff8c817792cc0edecdf7207aef6195361255c244600e725b2c3924becc79a705f52d7d6219d52be9102ae17df84895f45d5454b7ce297bde0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

MD5 49b64127208271d8f797256057d0b006
SHA1 b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512 f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

C:\Users\Admin\AppData\Local\Temp\ca91e15b-e88d-4efb-a025-c599a67b8639.vbs

MD5 89d6279d98ef11c5202fa2c9d8458e95
SHA1 b91d0972ae20d8e875ca0c22292c691fbaeaaff4
SHA256 195f3497457bb2f24ba3466cab675bd97bb3b575528be46208ae734a03eaeb43
SHA512 2df1f50a7fb98dd4f9004982807d8f10dec3a979642ea49bee168b97bb89442ebb49d013e61198b6f31d02429213143b88ec391cce758b9ac4e0f9e5399c0921

memory/3944-350-0x000000001B7E0000-0x000000001B836000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f0de3adb-9c37-423c-b99c-ccb9aa438c0c.vbs

MD5 84e1629d9ed1f7a299e8f18702ff57e2
SHA1 72139e1e86ee33538e9147273ca258ebc866b169
SHA256 2f740ba460cecf59c23f2a2378ae2ba472f4b90861846e1e750679195311573b
SHA512 342c5204f7446b7ba8b7b96eb061379dc31f2768ed81b02b1b690405cd1937a3243b83df000f8769d2c6e7b2a5632efcd1914b49dc96f6c3f3c02946d20b4cc8