Malware Analysis Report

2024-11-13 13:42

Sample ID 240516-bbw14sdb58
Target 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics
SHA256 9ff431f5f1b0f09adff076f71cdfbe91566f3b00f5ea57fc9e4c02aef199a565
Tags
dcrat evasion execution infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ff431f5f1b0f09adff076f71cdfbe91566f3b00f5ea57fc9e4c02aef199a565

Threat Level: Known bad

The file 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan

DcRat

Process spawned unexpected child process

DCRat payload

Dcrat family

UAC bypass

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Creates scheduled task(s)

System policy modification

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 00:58

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 00:58

Reported

2024-05-16 01:01

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
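
The 39 rows above all record the same relationship: schtasks.exe created with wmiprvse.exe as its parent. A process whose parent is the WMI provider host was started through WMI (Win32_Process.Create) rather than directly by the sample, which is why the usual parent chain back to the dropper is missing. The report does not show the schtasks command lines, so the task names and triggers are not known from this page. What follows is an added example, not code from the report or from the sandbox vendor, of how a detection engineer would flag such parent/child pairs over process-creation telemetry; the event shape, the per-parent allowlist and the sample events are assumptions constructed to mirror these rows.

```python
from __future__ import annotations

import ntpath
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """The fields of a process-creation record this check needs (Sysmon Event ID 1 carries them)."""
    image: str
    parent_image: str
    command_line: str = ""


# Assumption: per-parent allowlist of child binaries, compared as lower-case basenames.
# wmiprvse.exe gets an empty set: the WMI provider host only spawns a process when a
# caller asks it to via Win32_Process.Create, so every child is worth a look. Tune per
# fleet (management agents that drive WMI will need entries here).
EXPECTED_CHILDREN: dict[str, frozenset[str]] = {
    "wmiprvse.exe": frozenset(),
    "services.exe": frozenset({"svchost.exe", "spoolsv.exe", "msiexec.exe"}),
    "userinit.exe": frozenset({"explorer.exe"}),
}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def is_unexpected_child(ev: ProcEvent) -> bool:
    """True when the parent has a baseline and the child is not in it."""
    allowed = EXPECTED_CHILDREN.get(_name(ev.parent_image))
    if allowed is None:
        return False  # no baseline for this parent; not judged by this check
    return _name(ev.image) not in allowed


def summarize(events) -> dict[tuple[str, str], int]:
    """Collapse flagged events to (parent, child) -> count, the shape the report's 39 rows reduce to."""
    return dict(Counter((_name(e.parent_image), _name(e.image))
                        for e in events if is_unexpected_child(e)))


# Constructed events mirroring the report's wmiprvse.exe -> schtasks.exe rows, plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\system32\schtasks.exe", r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(r"C:\Windows\system32\schtasks.exe", r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(r"C:\Windows\system32\schtasks.exe", r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\services.exe"),
    ProcEvent(r"C:\Windows\system32\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for (parent, child), n in summarize(SAMPLE_EVENTS).items():
        print(f"{parent} -> {child}: {n} unexpected spawn(s)")
```

On a real host the events come from Sysmon Event ID 1 or the equivalent EDR stream; the aggregation by (parent, child) is what turns 39 identical rows into one line an analyst can triage.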

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
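
The three values above (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, each set to 0) do not bypass an active UAC prompt; they switch UAC off for future sessions. Writing under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System needs an already-elevated token, and EnableLUA=0 only takes effect after a reboot, so the signature records a privileged process removing the control rather than defeating it. Both the dropped SppExtComObj.exe and the original sample perform the writes. The following is an added example, not from the report, that parses "Set value (int)" rows in this page's layout into a last-writer-wins view of the key and audits it against a hardened baseline; the baseline is an assumption and the input rows are constructed copies of rows from the table above.

```python
import re

UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Matches the report's 'Set value (int)' rows for values directly under the UAC policy key.
SET_VALUE_RE = re.compile(
    r'Set value \(int\) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'
    r'\\Policies\\System\\(\w+) = "(-?\d+)"'
)


def collect_policy_writes(rows) -> dict[str, int]:
    """Last-writer-wins view of the UAC policy values the rows set."""
    values: dict[str, int] = {}
    for row in rows:
        m = SET_VALUE_RE.search(row)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


# Assumption: the baseline an analyst checks against. A value that is absent is left
# alone here because the OS default for each of these three is the secure setting.
CHECKS = {
    "EnableLUA": (lambda v: v == 1,
                  "UAC disabled outright (requires a reboot to take effect)"),
    "ConsentPromptBehaviorAdmin": (lambda v: v != 0,
                                   "administrators elevate with no prompt at all"),
    "PromptOnSecureDesktop": (lambda v: v == 1,
                              "elevation prompts no longer shown on the secure desktop"),
}


def audit_uac(values: dict[str, int]) -> list[str]:
    """Return one finding per value that weakens UAC relative to the baseline."""
    findings = []
    for name, (ok, why) in CHECKS.items():
        if name in values and not ok(values[name]):
            findings.append(f"{name}={values[name]}: {why}")
    return findings


# Constructed copies of three rows from the report (process column included as on the page).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A',
]

if __name__ == "__main__":
    for line in audit_uac(collect_policy_writes(SAMPLE_ROWS)):
        print(f"{UAC_KEY}: {line}")
```

On a live host the same dict comes from reading the three values under UAC_KEY with winreg; the audit is unchanged. Restoring the values alone does not undo the compromise, since the writes were made by a process that already held an elevated token.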

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\SppExtComObj.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Desktop\SppExtComObj.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\87a3d061194d9e C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\56085415360792 C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX5390.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\sihost.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\sihost.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX517C.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Internet Explorer\images\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Internet Explorer\images\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\RCX69C2.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX5826.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\images\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\RCX5CAD.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\RCX65B9.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\images\RCX67BE.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\bcastdvr\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Windows\bcastdvr\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\bcastdvr\RCX6C44.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\bcastdvr\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
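
Every executable dropped in the two tables above borrows the name of a Windows binary (sihost.exe, wininit.exe, spoolsv.exe, RuntimeBroker.exe, backgroundTaskHost.exe, sppsvc.exe, StartMenuExperienceHost.exe) but lands in an unrelated directory under Program Files or C:\Windows\bcastdvr, in each case beside a 14-hex-character file with no extension, and in one case as a copy of the sample under its own name. The added example below, which is not part of the report, parses rows in the page's flattened "File created ... N/A" layout and flags those three patterns; the list of system binaries and the directories treated as legitimate are assumptions, and the input rows are constructed copies of rows from the tables above.

```python
from __future__ import annotations

import ntpath
import re

ACTIONS = ("File created", "File opened for modification")

# Assumption: Windows binaries that appear by name in the report and the directory trees
# they legitimately live under (System32 for most, SystemApps for StartMenuExperienceHost).
SYSTEM_BINARIES = frozenset({
    "sihost.exe", "wininit.exe", "spoolsv.exe", "runtimebroker.exe",
    "backgroundtaskhost.exe", "sppsvc.exe", "sppextcomobj.exe",
    "startmenuexperiencehost.exe",
})
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
              r"c:\windows\winsxs", r"c:\windows\systemapps")
COMPANION_RE = re.compile(r"[0-9a-f]{14}")


def parse_row(row: str) -> tuple[str, str, str] | None:
    """Split one flattened table row into (action, indicator path, process path)."""
    row = row.strip()
    if not row.endswith(" N/A"):
        return None
    body = row[: -len(" N/A")]
    cut = body.rfind(" C:\\")  # the process column is the last drive-rooted path
    if cut < 0:
        return None
    process, rest = body[cut + 1:], body[:cut]
    for action in ACTIONS:
        if rest.startswith(action + " "):
            return action, rest[len(action) + 1:], process
    return None


def _under_legit_dir(directory: str) -> bool:
    return any(directory == d or directory.startswith(d + "\\") for d in LEGIT_DIRS)


def classify(path: str, process: str) -> str | None:
    """Reason a dropped path is suspicious, or None."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in SYSTEM_BINARIES and not _under_legit_dir(directory):
        return "system binary name outside its legitimate directory"
    if COMPANION_RE.fullmatch(name):
        return "14-hex-character companion file beside a dropped executable"
    if name == ntpath.basename(process).lower():
        return "copy of the running sample under a new directory"
    return None


def findings(rows) -> dict[str, str]:
    """Path -> reason for every flagged indicator, deduplicated across create/modify rows."""
    out: dict[str, str] = {}
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        _, path, process = parsed
        reason = classify(path, process)
        if reason and path not in out:
            out[path] = reason
    return out


PROC = r"C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe"
# Constructed copies of rows from the report's two "Drops file" tables.
SAMPLE_ROWS = [f"{action} {path} {PROC} N/A" for action, path in [
    ("File created", r"C:\Program Files\Google\Chrome\66fc9ff0ee96c2"),
    ("File created", r"C:\Program Files\Google\Chrome\sihost.exe"),
    ("File created", r"C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe"),
    ("File opened for modification", r"C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe"),
    ("File created", r"C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe"),
    ("File created", r"C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe"),
    ("File created", r"C:\Program Files (x86)\Internet Explorer\images\backgroundTaskHost.exe"),
    ("File created", r"C:\Program Files\7-Zip\sppsvc.exe"),
    ("File created", r"C:\Program Files\7-Zip\0a1fd5f707cd16"),
    ("File opened for modification", r"C:\Program Files\7-Zip\RCX517C.tmp"),
    ("File created", r"C:\Program Files\Reference Assemblies\Microsoft\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe"),
    ("File created", r"C:\Windows\bcastdvr\StartMenuExperienceHost.exe"),
    ("File opened for modification", r"C:\Windows\bcastdvr\RCX6C44.tmp"),
]]

if __name__ == "__main__":
    for path, reason in findings(SAMPLE_ROWS).items():
        print(f"{reason}: {path}")
```

The same classify() applied to the process column of the UAC rows flags C:\Users\Public\Desktop\SppExtComObj.exe, whose legitimate home is System32; its creation is not shown in the tables on this page. The RCX*.tmp files are left unflagged here: they are transient write targets, and the durable indicators are the renamed executables and their companions.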

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Public\Desktop\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Public\Desktop\SppExtComObj.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\SppExtComObj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 3044 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 4792 wrote to memory of 1380 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4792 wrote to memory of 1380 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4792 wrote to memory of 1704 N/A C:\Windows\System32\cmd.exe C:\Users\Public\Desktop\SppExtComObj.exe
PID 4792 wrote to memory of 1704 N/A C:\Windows\System32\cmd.exe C:\Users\Public\Desktop\SppExtComObj.exe
PID 1704 wrote to memory of 4136 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1704 wrote to memory of 4136 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1704 wrote to memory of 1784 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1704 wrote to memory of 1784 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4136 wrote to memory of 1384 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Desktop\SppExtComObj.exe
PID 4136 wrote to memory of 1384 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Desktop\SppExtComObj.exe
PID 1384 wrote to memory of 1904 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1384 wrote to memory of 1904 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1384 wrote to memory of 3280 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1384 wrote to memory of 3280 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1904 wrote to memory of 3288 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Desktop\SppExtComObj.exe
PID 1904 wrote to memory of 3288 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Desktop\SppExtComObj.exe
PID 3288 wrote to memory of 2928 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3288 wrote to memory of 2928 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3288 wrote to memory of 1792 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3288 wrote to memory of 1792 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 2928 wrote to memory of 3776 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Desktop\SppExtComObj.exe
PID 2928 wrote to memory of 3776 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Desktop\SppExtComObj.exe
PID 3776 wrote to memory of 4716 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3776 wrote to memory of 4716 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3776 wrote to memory of 228 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3776 wrote to memory of 228 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4716 wrote to memory of 3408 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Desktop\SppExtComObj.exe
PID 4716 wrote to memory of 3408 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Desktop\SppExtComObj.exe
PID 3408 wrote to memory of 4784 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3408 wrote to memory of 4784 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3408 wrote to memory of 3348 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3408 wrote to memory of 3348 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4784 wrote to memory of 5000 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Desktop\SppExtComObj.exe
PID 4784 wrote to memory of 5000 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Desktop\SppExtComObj.exe
PID 5000 wrote to memory of 1384 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 5000 wrote to memory of 1384 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 5000 wrote to memory of 380 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 5000 wrote to memory of 380 N/A C:\Users\Public\Desktop\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1384 wrote to memory of 3120 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Desktop\SppExtComObj.exe
PID 1384 wrote to memory of 3120 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Desktop\SppExtComObj.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Desktop\SppExtComObj.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics6" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics6" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\images\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1eVLovZyht.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Desktop\SppExtComObj.exe

"C:\Users\Public\Desktop\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7b638d4-5fd7-4ac3-b40a-cd953d17e58f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d119284-8c4e-4797-8e43-f3f3244f12cd.vbs"

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\867031d9-3c18-4d21-987a-aacad3495529.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2026a482-574d-4e98-b261-11b280a3fed3.vbs"

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4c6de94-e9f3-4cab-a86b-cda169f9474e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bceecce9-87f2-4b2a-9c0c-4e05f369fa9c.vbs"

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc410e8a-6f72-4d31-a2f8-0587f0818a32.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6abdcbeb-a372-477b-8f54-da3530e6afef.vbs"

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f19afa23-5b72-4b35-8c12-968589555f98.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31203692-cd40-4d7e-927c-1ce8d80e6cbd.vbs"

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56f1c34c-937d-41f2-b542-6e188445a0f6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d11dba5-ec05-4476-80d2-eeb70a435eac.vbs"

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1c06223-4f0e-4374-b106-c2c26ed41918.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35db84db-db0d-465d-b4da-e3de513ba0e5.vbs"

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e005aae2-6eb8-4de4-a14a-f77e451453fa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0db83065-d0d7-48f7-b260-f53b52911d8f.vbs"

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f87e97-7f4d-4087-a731-f2d1dcd041c0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6748e0eb-3968-4af7-ae19-2310aec5b166.vbs"

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b30ed35c-1114-4a4b-a00c-84bdf94a1257.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a1d8ffe-3da1-4838-b1db-681923ce0094.vbs"

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6c47d47-75b7-40fa-985b-463997eece38.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f45d6431-ef34-429e-9131-eb400fee206d.vbs"

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07634cb4-1ff0-47e6-94fa-496d320b59df.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8320cc67-1b2d-4a06-b65f-254cf1f143c8.vbs"

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Users\Public\Desktop\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef36fb5e-85ed-439c-a95c-2abb601307f0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7db721d0-cf02-4855-853b-4f3bc8229a91.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 247.68.154.149.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

C:\Users\Public\Desktop\SppExtComObj.exe

MD5 6a9aaa3fc23d1561df97e3f9eb2de110
SHA1 d0effad0bad292fb0bcb377cbafacd8db83a474e
SHA256 9ff431f5f1b0f09adff076f71cdfbe91566f3b00f5ea57fc9e4c02aef199a565
SHA512 7350bce60b1a9ffb8ce8c8f98e17ebef7931db0f8a77af7d4dfef0ac02065169ec51734e0602a2be5790e77be9703ea560f3caf640dbaee85fc30e4630912c4c

C:\Recovery\WindowsRE\SppExtComObj.exe

MD5 58cfbffa0af1c9236549bbaf09bffe18
SHA1 f24b635b342c3d430d1bf17df62baceaa04a1456
SHA256 dae9ec9ec48f22aeeac80182ffe9571cda634bfdb51ae0f7ba093871eb5e472d
SHA512 c438cd19957408cac5c88d1f95d58e521bf3a9ca625c9ca5fd197800a8ca9581908f8b358f2e750de311e2bafffbd4687be51100eaf0bde51028042bd40b0d47

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dbwngwwr.nba.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\1eVLovZyht.bat

MD5 ae030a9d77ff40e28b11ad64afdbdf97
SHA1 bfcced4adf723e7ace2365328582d5e88dc56dd0
SHA256 44edfdb71cb6d02b02164805829e5660b80eb0bdbcdbfe8b7b18ee995e35f0f8
SHA512 ad12b0292f43ab97171166c5f3bdf01ea07eab928c0dbeea52637ef0a239873bf54019b69dc2fa4a892dcb4993573884e96f7e8aa15adf93af779cd5a1061dfd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a154efa7af25bb8b94d0d9c7b4f15cd
SHA1 5e0e04103e4eef1bc7ef242b730aed1958f98e1f
SHA256 c216eda372556eb78e680bde247c2fd2085642ee33031905a213c6bec502ccce
SHA512 fc4678133318fe1952947be74e244246336c7faacc9b9ae32336d57b106ec8f044e5db41dd98e8f3a54270ddacab2fc84a66d5d67deeadc3056ea5213bcbbba4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Temp\c7b638d4-5fd7-4ac3-b40a-cd953d17e58f.vbs

MD5 ff352044ac62337fb143b877f57bee46
SHA1 2ed6d6c461477de5aa7562b26ab13830d236e32e
SHA256 b2e91443b5e16bca555399529bd7aef8f95bc27c9f056ce5cf1a3a3960f4f91c
SHA512 ef74d9105e82a8c946f5c34940cc7f64de5a8a6fa11c651a025c99b9785bfe857ab1daa5eb361aa47761c5e987119f4b0875d2b467f6cd7f5a31f2704a625000

C:\Users\Admin\AppData\Local\Temp\8d119284-8c4e-4797-8e43-f3f3244f12cd.vbs

MD5 233fb7bd35a95558de2fe5a22997950f
SHA1 3c697d5b988768f31d827c41a8c3344c3271622e
SHA256 ed8c8b6efe7dff654b7555f043e9b45d8d3187403660e3a759dc67de75509181
SHA512 e8b15093390acc2c885cedee6599ef6e5b28a814f89c9ff7fa376432761d4a44f07284afcde4afbaf0faea5327d524284dc895d5a6091f9c2b17be798ce5aa3c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\867031d9-3c18-4d21-987a-aacad3495529.vbs

MD5 df127eecf3a4aa43a70c0d795f2b2047
SHA1 f79d32f6343ef009d52e3d6cdba686b1602a6691
SHA256 4db5bd507e4695e1c78d38f7d05e9453b6dac8890ffd75308c366db7dc5a857f
SHA512 d32b18c4b598ddc13c6a9fdcc30647332496066e27e8ebe1bcb3e08a74fa983bd7d0fe92af3230b7e4c113b843e445fb115ec5c2aba274c51594362aa9bfb9ee

C:\Users\Admin\AppData\Local\Temp\f4c6de94-e9f3-4cab-a86b-cda169f9474e.vbs

MD5 02892f91880a5fbce36efb0b5a01e223
SHA1 ac5815053655b90080dac69218900c0409a8398a
SHA256 2a1c323344b4e1e095694d06b3e584226ec0879409229d3b95e026ddd633c9d7
SHA512 cc33ae2206b07dccca14b4589e9c70c5192fd869a45a80be6262f101801292cc681d66991396c0758aa4fbb3557abf70115dac0d8ecf5acc5afd88c540d857f7

C:\Users\Admin\AppData\Local\Temp\dc410e8a-6f72-4d31-a2f8-0587f0818a32.vbs

MD5 11ace1362dcbce73adfe71f62d7776a8
SHA1 29faf41a74e3db8b09c6035f87198861ef81a84c
SHA256 a6238e8b37b2ffd64152cbdad39195f80c49d40a97f16edb63136ef45ace3219
SHA512 10124ceb82264e06d00c0d2540eec25b96ccad8eef6e59c419e03a2360043868aaf6af4acce5d6ef93aa36f509d4c7570c9c19f4c852bcbd9c9967186634c8ba

C:\Users\Admin\AppData\Local\Temp\f19afa23-5b72-4b35-8c12-968589555f98.vbs

MD5 621d7767269bfbad5c4a89b6df4743fc
SHA1 ec3992ce710e53e3ce19a238d4513e61051ab467
SHA256 aadce17bb88b813f0c01e006cbbddc180f76923d262a55417450f2496a900747
SHA512 e9067d9f8328da6c38e8e0966c5f0801460fbd97f38f5f9decdd5831856e114e2750ae25d91915cb286fa6c73ee761ee687ff7d95d482c5b996bb2b6057f08e4

C:\Users\Admin\AppData\Local\Temp\56f1c34c-937d-41f2-b542-6e188445a0f6.vbs

MD5 5f80dd244750ae9d77296f14c5aa32cd
SHA1 1da76c8406cd851e3104dca8afc8d34180c6fec9
SHA256 f24e91c8a1cb7e255b3dda7ad2b5a79bf8bfbdf899a28a2987976d0857a844b3
SHA512 1a0d03ad65d78a7d965d2135aa41d3c4769fdb4e8fe8a33352a8e8f3102d65e2bcfc045cc971ae4865d2cc885ff344c79f7151f6efe5ac051c24a5d0e110a07c

C:\Users\Admin\AppData\Local\Temp\c1c06223-4f0e-4374-b106-c2c26ed41918.vbs

MD5 e091691c10039e69b06cf1b580cbe2d0
SHA1 2d1d004c5f20453413b94f894005c521cf5d12a0
SHA256 57e45836487c5287693c452369d1383f8684f541a00b09de8d7467fb8b5a29eb
SHA512 77d788872d2df68e760ec732217678333dd0627bb3e1e09f37ea1689a5ee1c556d70d624d655ea79501cd6741ec58ec8126bd93c2f9df82e383f330f74037df0

C:\Users\Admin\AppData\Local\Temp\e005aae2-6eb8-4de4-a14a-f77e451453fa.vbs

MD5 ba9a3042ea9101f89bf1d7c7dd7bf135
SHA1 681f794813cd4f77acdfa72b6e219e3b5e83a817
SHA256 d1a03e54612beb93356efe14db33a01ce89aba71d69dba6b9e3fb9077a4ba4f7
SHA512 9b73b65efb24d6d4f94097444b7c8b6ccdef89d9ebe3f6762ebbc70debe4fe5eb9133fa3993b5ca585232f74f28827c5feb74b44b4d4e80734d83c1a272a2974

C:\Users\Admin\AppData\Local\Temp\80f87e97-7f4d-4087-a731-f2d1dcd041c0.vbs

MD5 01d6a0d2f6013409e77b60ed768ead8e
SHA1 6463b2cd80e7e4e541e8202c6f9625245f29ff85
SHA256 528e0f32871bb0b17f17bb9112e6e0427bfe5d00a6ac2661a0437a291a098280
SHA512 4f4a516a266c7af3c9702467b2ed3af22194477266f7cb9c16cff51039c2e36761fa70ef1e68fe2bc2d9d065792e9ff1458dfaaed6bc7e29e26d9c1fe9250c4e

C:\Users\Admin\AppData\Local\Temp\b30ed35c-1114-4a4b-a00c-84bdf94a1257.vbs

MD5 aefc45548b2ad92a160ea58a3f7d5926
SHA1 9db942bce6a67c8276019dde50c5acb6a72ba5df
SHA256 2bff36881d908f1b3fe3739f9321c06487b207faae5974ca5ee9c147cec1bfe8
SHA512 73d3f3a971b9138778e78419deacb6276484c8fd2428c00fc16be43da025187851b06a83e27d45dacf32dda6607ed1a72ed494e41813df30b48d9d8197d4cfec

C:\Users\Admin\AppData\Local\Temp\b6c47d47-75b7-40fa-985b-463997eece38.vbs

MD5 30e010047ed5d53cb9ade01766dc09c9
SHA1 d254619cad92050edf8829c97f48fcf9e02d4d24
SHA256 00c4f467e4668d6a934ec3219e20eb8d5f54b2a0d7888725596739519e7a84fa
SHA512 9a9980134ff145750028a95c99b6f99a26d9c0088e0860ad26640173b37d5690d4de528292718611b20c37149cd37c9ce7583cc31a604281fdda20ce5f9b5635

C:\Users\Admin\AppData\Local\Temp\07634cb4-1ff0-47e6-94fa-496d320b59df.vbs

MD5 e74f2a0eda2c8fa14900a4c9d2b391a7
SHA1 ad326baca00fed05388abbd27df53cec02e2f34f
SHA256 d31e92f54b182a30249a00f29d35e1f25a4fb5b7ad0a33a540ac5214e34e5af6
SHA512 22e40d048328baf116e5d466dbd5f58dd7fac663f888dee58fe50d851d8723fa2ccdab6e61c977cbd19edb50c416821e9b6a0791a3a9885151e082182461bf07

C:\Users\Admin\AppData\Local\Temp\ef36fb5e-85ed-439c-a95c-2abb601307f0.vbs

MD5 76bacbf0c2500e5a052c3fc7bdecccf4
SHA1 30b6e8c3e80e585f78bc5dd5d16ac3a35c0f4c4d
SHA256 76ff6246e872cded4cefe2b8242c273264814c19d2a14ef45c25faf81b95edc3
SHA512 cc1699ef947616e20249ba58592414442b5b9b32cc08a15ecc8528ef36aae61e989b2028c5deedb974c3c2a63dd5dc9880754e3f894a56b8f806cc191ebad293

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 00:58

Reported

2024-05-16 01:01

Platform

win7-20240419-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\Application\lsass.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\RCX13D2.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\es-ES\RCX1C4E.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX28D2.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\lsass.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office\Office14\csrss.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\es-ES\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office\Office14\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\csrss.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CSC\csrss.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Help\OEM\RCX1142.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Help\OEM\lsm.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\CSC\csrss.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ShellNew\RCX1E52.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ShellNew\Idle.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Windows\Help\OEM\lsm.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Windows\Help\OEM\101b941d020240 C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Windows\CSC\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Windows\ShellNew\Idle.exe C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File created C:\Windows\ShellNew\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\CSC\RCX15D6.tmp C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2424 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2424 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 1628 wrote to memory of 2328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1628 wrote to memory of 2328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1628 wrote to memory of 2328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1628 wrote to memory of 2236 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\es-ES\Idle.exe
PID 1628 wrote to memory of 2236 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\es-ES\Idle.exe
PID 1628 wrote to memory of 2236 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\es-ES\Idle.exe
PID 2236 wrote to memory of 2080 N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Windows\System32\WScript.exe
PID 2236 wrote to memory of 2080 N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Windows\System32\WScript.exe
PID 2236 wrote to memory of 2080 N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Windows\System32\WScript.exe
PID 2236 wrote to memory of 880 N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Windows\System32\WScript.exe
PID 2236 wrote to memory of 880 N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Windows\System32\WScript.exe
PID 2236 wrote to memory of 880 N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Windows\System32\WScript.exe
PID 2080 wrote to memory of 2436 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Sidebar\es-ES\Idle.exe
PID 2080 wrote to memory of 2436 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Sidebar\es-ES\Idle.exe
PID 2080 wrote to memory of 2436 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Sidebar\es-ES\Idle.exe
PID 2436 wrote to memory of 1416 N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Windows\System32\WScript.exe
PID 2436 wrote to memory of 1416 N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Windows\System32\WScript.exe
PID 2436 wrote to memory of 1416 N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Windows\System32\WScript.exe
PID 2436 wrote to memory of 2648 N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Windows\System32\WScript.exe
PID 2436 wrote to memory of 2648 N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Windows\System32\WScript.exe
PID 2436 wrote to memory of 2648 N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Windows\System32\WScript.exe
PID 1416 wrote to memory of 1988 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Sidebar\es-ES\Idle.exe
PID 1416 wrote to memory of 1988 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Sidebar\es-ES\Idle.exe
PID 1416 wrote to memory of 1988 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Sidebar\es-ES\Idle.exe
PID 1988 wrote to memory of 1720 N/A C:\Program Files\Windows Sidebar\es-ES\Idle.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\Idle.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\OEM\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Help\OEM\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\OEM\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\CSC\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\CSC\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\CSC\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\es-ES\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\es-ES\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3CX563UFPi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49826c25-5c99-4bc1-aa3f-4a738c1ab5e2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\466efd95-f006-4848-bbaa-281cded59da6.vbs"

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bbdc585-da7f-4571-9fac-1cb196e7f7f4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7a3c98e-2b1f-4142-acb0-96f19afcaaac.vbs"

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54e22a20-532b-4fa5-a601-e7966162b9dc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4bc378b-678a-4ee0-8826-6b292d37a714.vbs"

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab9cc3c9-0286-43f6-beb3-dc9eb48f02b6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55ac1b5e-1d4c-45fd-986f-136b9951809a.vbs"

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd28b351-d58b-4743-95cd-b85d6e0bc30d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d97d438-9e60-4465-b438-390ce9b614b8.vbs"

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1144ab3c-b35d-41f5-b82d-b7e715f57d14.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3297548-a8f4-4875-8fc1-362465cdbcac.vbs"

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3329b7e-3343-4468-87e9-32c0397bd0bc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ddce6bb-633c-49a0-baf6-510e9aa6d729.vbs"

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e29a1080-1ed8-4f23-a275-d0f29b93cf5c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f0a07ac-7cc7-422d-b1b8-934afefac1b0.vbs"

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9be8320-80fa-4dc0-99a4-dfa97402f70f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2627fa4f-d541-46fb-877a-9a70b04b7fe5.vbs"

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a07731de-3150-4c5a-bade-fdb118f8f4da.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d085139-99b0-4712-a783-7797906660a5.vbs"

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49a39565-ba88-4436-99d1-f3fdd6b76258.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01a11dd9-cae8-4f9d-970e-3f569a75999a.vbs"

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80d6d7fb-e896-49a5-811a-a4e7dd703909.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e93b0419-f4e4-49b8-b814-9ca3e3ec3769.vbs"

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6343f0ad-b255-429d-b213-78c192783808.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ce710fd-9994-4f5a-bb6a-bb4f08529873.vbs"

C:\Program Files\Windows Sidebar\es-ES\Idle.exe

"C:\Program Files\Windows Sidebar\es-ES\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\589ef245-c9bb-443e-8ca5-b45d1d50d637.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ae23af8-939f-4d80-8691-30b9e82ec339.vbs"
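The process list above repeats four behaviours: schtasks /create entries whose action is a Windows system-binary name (csrss.exe, lsass.exe, services.exe, ...) dropped somewhere other than System32, each registered once ONLOGON and again every few minutes with /rl HIGHEST; Add-MpPreference -ExclusionPath for the drive root and every top-level folder, which switches Defender off for effectively the whole disk; w32tm /stripchart against localhost used as a sleep; and WScript.exe relaunching the payload through GUID-named .vbs files in %TEMP%. The script below is an added example written for this page, not part of the sandbox output or of DcRat: it applies those four checks to process-creation command lines (the kind found in Sysmon Event ID 1 or Security 4688 CommandLine fields). The input list is constructed here from lines in this report plus two benign controls that are not from the report; the SYSTEM_BINARIES set and the "legitimate location" rule are assumptions of the example.

```python
"""Triage process command lines for the DcRat persistence/evasion patterns seen in this report."""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Assumption of the example: system process names the sample drops copies under. A file with one
# of these names outside its legitimate directory is a masquerade candidate (ATT&CK T1036.005).
SYSTEM_BINARIES = {
    "csrss.exe", "services.exe", "spoolsv.exe", "lsass.exe", "dllhost.exe",
    "explorer.exe", "idle.exe", "lsm.exe", "smss.exe", "svchost.exe", "wininit.exe",
}
LEGIT_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LEGIT_EXACT = {"c:\\windows\\explorer.exe"}  # explorer.exe lives one level above System32

SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create", re.I)
EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
W32TM_SLEEP = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.I)
GUID_VBS = re.compile(
    r'wscript\.exe"?\s+"?([^"]*\\temp\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.vbs)', re.I)


def _opt(cmd: str, name: str) -> str:
    """Value of a schtasks switch such as /tn or /tr, with both quote layers removed ('' if absent)."""
    m = re.search(r"(?i)/" + name + r'\s+("([^"]*)"|(\S+))', cmd)
    if not m:
        return ""
    return (m.group(2) if m.group(2) is not None else m.group(3)).strip("'")


def is_masquerade(path: str) -> bool:
    """True when a system-binary name sits anywhere other than its legitimate location."""
    p = path.lower()
    if p.rsplit("\\", 1)[-1] not in SYSTEM_BINARIES:
        return False
    return not (p.startswith(LEGIT_PREFIXES) or p in LEGIT_EXACT)


def is_broad_exclusion(path: str) -> bool:
    """True for a drive root or a top-level folder (C:/, C:/Windows/, C:/Users/, ...)."""
    parts = [x for x in path.replace("/", "\\").strip("\\").split("\\") if x]
    return bool(parts) and len(parts) <= 2 and re.fullmatch(r"[a-z]:", parts[0], re.I) is not None


def triage(cmdlines: List[str]) -> List[Dict[str, str]]:
    """One finding per suspicious command line; benign lines produce nothing."""
    findings: List[Dict[str, str]] = []
    for cmd in cmdlines:
        if SCHTASKS_CREATE.search(cmd):
            target = _opt(cmd, "tr")
            if is_masquerade(target):
                findings.append({
                    "kind": "masquerading_task", "task": _opt(cmd, "tn"), "target": target,
                    "schedule": (_opt(cmd, "sc") + " " + _opt(cmd, "mo")).strip(),
                    "runlevel": _opt(cmd, "rl") or "LIMITED",
                })
        elif (m := EXCLUSION.search(cmd)) and is_broad_exclusion(m.group(1)):
            findings.append({"kind": "broad_defender_exclusion", "target": m.group(1)})
        elif m := GUID_VBS.search(cmd):
            findings.append({"kind": "guid_vbs_from_temp", "target": m.group(1)})
        elif W32TM_SLEEP.search(cmd):
            findings.append({"kind": "w32tm_sleep", "target": cmd})
    return findings


def tasks_by_target(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group masquerading tasks by dropped binary: DcRat pairs an ONLOGON task with MINUTE tasks
    for every copy, so a single target showing several schedules is the signature to look for."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if f["kind"] == "masquerading_task":
            groups[f["target"].lower()].append(f["schedule"])
    return dict(groups)


def summarize(findings: List[Dict[str, str]]) -> Counter:
    return Counter(f["kind"] for f in findings)


# Constructed input: the first eight lines are copied from the report, the last two are benign
# controls invented for the example (a real System32 target and a narrow exclusion).
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\CSC\csrss.exe'" /f""",
    r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\CSC\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\CSC\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /rl HIGHEST /f""",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'",
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    r'''"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49826c25-5c99-4bc1-aa3f-4a738c1ab5e2.vbs"''',
    r"""schtasks.exe /create /tn "Tzsync" /sc ONLOGON /tr "'C:\Windows\System32\svchost.exe'" /f""",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/Contoso/App/'",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_CMDLINES)
    for f in hits:
        print(f["kind"], "->", f["target"])
    print(dict(summarize(hits)))
    print(tasks_by_target(hits))
```

Name matching is a heuristic: it catches this sample because DcRat reuses process names verbatim, but a hash check is the stronger control. The Files section below shows the dropped C:\Recovery\...\services.exe carrying the same SHA256 as the submitted sample, so comparing dropped-file hashes against the original is the confirmation step once a masquerade candidate is found.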

Network

Country Destination Domain Proto Connections
RU 149.154.68.247:80 149.154.68.247 tcp 13

All 13 flows go to the same destination over plain HTTP (tcp/80); the Domain column repeats the IP, so the report records no hostname for the endpoint.

Files

memory/2424-0-0x000007FEF5613000-0x000007FEF5614000-memory.dmp

memory/2424-1-0x00000000003C0000-0x00000000006A6000-memory.dmp

memory/2424-2-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp

memory/2424-3-0x0000000000150000-0x000000000016C000-memory.dmp

memory/2424-4-0x0000000000170000-0x0000000000178000-memory.dmp

memory/2424-5-0x0000000000180000-0x0000000000190000-memory.dmp

memory/2424-6-0x0000000000390000-0x00000000003A6000-memory.dmp

memory/2424-7-0x00000000003B0000-0x00000000003B8000-memory.dmp

memory/2424-8-0x0000000000720000-0x0000000000728000-memory.dmp

memory/2424-9-0x0000000000740000-0x0000000000750000-memory.dmp

memory/2424-10-0x0000000000730000-0x000000000073A000-memory.dmp

memory/2424-11-0x0000000000760000-0x00000000007B6000-memory.dmp

memory/2424-12-0x00000000007B0000-0x00000000007BC000-memory.dmp

memory/2424-13-0x00000000007C0000-0x00000000007C8000-memory.dmp

memory/2424-14-0x00000000007D0000-0x00000000007DC000-memory.dmp

memory/2424-15-0x00000000007E0000-0x00000000007F2000-memory.dmp

memory/2424-16-0x00000000007F0000-0x00000000007F8000-memory.dmp

memory/2424-17-0x00000000009A0000-0x00000000009A8000-memory.dmp

memory/2424-18-0x00000000009B0000-0x00000000009BA000-memory.dmp

memory/2424-19-0x00000000009C0000-0x00000000009CE000-memory.dmp

memory/2424-20-0x00000000009D0000-0x00000000009D8000-memory.dmp

memory/2424-21-0x00000000009E0000-0x00000000009EE000-memory.dmp

memory/2424-22-0x00000000009F0000-0x00000000009FC000-memory.dmp

memory/2424-23-0x0000000000A00000-0x0000000000A08000-memory.dmp

memory/2424-24-0x0000000000A10000-0x0000000000A1A000-memory.dmp

memory/2424-25-0x00000000022C0000-0x00000000022CC000-memory.dmp

C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe

MD5 6a9aaa3fc23d1561df97e3f9eb2de110
SHA1 d0effad0bad292fb0bcb377cbafacd8db83a474e
SHA256 9ff431f5f1b0f09adff076f71cdfbe91566f3b00f5ea57fc9e4c02aef199a565
SHA512 7350bce60b1a9ffb8ce8c8f98e17ebef7931db0f8a77af7d4dfef0ac02065169ec51734e0602a2be5790e77be9703ea560f3caf640dbaee85fc30e4630912c4c

C:\Windows\Help\OEM\lsm.exe

MD5 e17fb157eae52b5f58b87dad6502a016
SHA1 cf2fa3279fb7954d22d217944c92857325937906
SHA256 50bb441932784356b8610a513d3d014b5318db54b867e5c6328742bd6baa08d3
SHA512 a339bd3bfa9db7ccc3bbd84936bfa161102b4039e047e8c236d67d40784c7153062f6c766a72f80c9e5cfe0848d8e38077c925fb79eb55983e4a0a7f1c9f79d4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 29cc22c9bc4b490cadc2c8f53fbeba1c
SHA1 8084f70d9d3a21e8842bc38ec4f1d8886f574047
SHA256 b63901388181cff633d54e92ad2334c8160bae2484fd59c010a9ff72d91ebf27
SHA512 59336a701b951fd5ce04d73bf303971d3ed39d786a54a43811ca2bcbba5df947ebacc69abea0e2556dc6ba85ef21ca87880f42f45bc1b59f265fa85d41a5c1f2

memory/2424-151-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp

memory/2808-177-0x0000000002800000-0x0000000002808000-memory.dmp

memory/2116-171-0x000000001B660000-0x000000001B942000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3CX563UFPi.bat

MD5 4cee3ee745316361d33736371fae099d
SHA1 189c9b3a489a4be6f073d8dd9f63793521083ef0
SHA256 881f602be8eff02d6088ff59c4f446f8dbee2e1314b340761054d5d3ca120cfe
SHA512 142b43bc4958d3f8b716d54052a3e9ea82b26b7d44bc9f6029fcc4f55fda89b0af653682c109227b249d57fe80cf8a4cb068fff01bf8319e65d239f6e8219aa5

memory/2236-211-0x0000000000E30000-0x0000000001116000-memory.dmp

memory/2236-212-0x00000000004E0000-0x0000000000536000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\49826c25-5c99-4bc1-aa3f-4a738c1ab5e2.vbs

MD5 9c14c796aaaa7a71c730e5faa3597e48
SHA1 2c3cee02bd3caa7ba8b504a399132036d6abc41e
SHA256 869146406fdac76f9f31814d24e2a15306602b95faf517cd834df61fedd7aa39
SHA512 a404169f5f92895834c452486fca2fe5e99531471de9021d57d48212daa04400630c02b5cdd0f8aa8bcabe77a71d9d4de2b5e728b7bb64ca4ecf1242400fb992

C:\Users\Admin\AppData\Local\Temp\466efd95-f006-4848-bbaa-281cded59da6.vbs

MD5 d279ffeddb672c0574d50fd0603b352c
SHA1 7e30272da64301c8143262cec0b05efd35c19fb8
SHA256 fa6403f7d4faacc86308a9f6bcf34383bcd94a1e57c39c9e48fd0086d0454e49
SHA512 dc38dd5b1f5082b433dcf48769372a163fd4aae56706e22a73b5f2dc880f57839cf1987eba5ad688cd46784ad731d1b996fa4639035240e61292a9de687f9909

C:\Users\Admin\AppData\Local\Temp\4bbdc585-da7f-4571-9fac-1cb196e7f7f4.vbs

MD5 23f71b5f3305a97992dc772954807b17
SHA1 5106448da55a9536568fc14064e621c27dc47fe1
SHA256 271361ce5b08262507403455f2be075341f12954edf5242c7cd4dbcab15cabdc
SHA512 ceb87fea61c4406468099795a7449f5f1a8f30e235d1570443519559c9b4c81d9b0be86845fa9c9f6031066469e29e776aedfddc801fb08dbabb36a7ebb15413

C:\Users\Admin\AppData\Local\Temp\54e22a20-532b-4fa5-a601-e7966162b9dc.vbs

MD5 c364b4d79b175b8b44d50420aacd5b50
SHA1 1743da052c0588f5e93e42cce8b2e2e36c298d4e
SHA256 aeb2531a45d7c56c3ab2bab367cd58e337fcab93fa5d49fc0aee175b69d00c14
SHA512 ed03307cd18cc985ab002d9004273e4c143a4e4921d28f968fcff2d78c7df3f3371ad63994bb6b49eb09ac8f20afe64cca4ded60e99ec4187e42cb8f0f853336

C:\Users\Admin\AppData\Local\Temp\ab9cc3c9-0286-43f6-beb3-dc9eb48f02b6.vbs

MD5 3dba91318ab6b4edadddaeb4b6afbf9b
SHA1 911aa03677b68032e72a5e6aa6e4c41d737d7988
SHA256 9e06037f15528beabedd5b19cdf2081ab500688614bce1a2ac98ce6705fdeafc
SHA512 e94126c2aade4943abda820dc61d6bf4b5b24d1893f6b75b2333d97aa3eb4de32ba118020ff3b75d7fab67bc0b1351ddae3f681cbc48f89cae8eafc646a6b21d

C:\Users\Admin\AppData\Local\Temp\cd28b351-d58b-4743-95cd-b85d6e0bc30d.vbs

MD5 63d03fd8ec4ebba8c937ec34cabdea8e
SHA1 3379279e93bbd2beff77b599437343f046905c5f
SHA256 da1c497968b43920141acb9ecbe72eeb5d304de585db2ecb24058d06d2871442
SHA512 f004a76135b3186376cc766fd99248d7831c974bc2367d72bfb48d07be7f5b0b589c5af40cc05e95bc2618f9372800e666a9af64ef535c3e6ab221beac14c911

C:\Users\Admin\AppData\Local\Temp\1144ab3c-b35d-41f5-b82d-b7e715f57d14.vbs

MD5 57cbccde450509c6ab09c5d3b1199d8a
SHA1 3e9ac7caeb054a8ece0b066fd8599e96fff607cb
SHA256 5e829a39874046829407ac06056eabbd1da31aabbd9e0b9af94f7256c58e31cf
SHA512 e8c58f70b53baa4374fbeaa57060c16041e065d5cdcf7614a741377281ae27ce2e9879ebb460e1cfbe0e2bf0bbfe77960d61c3cae3425b24d7941ac514aa00da

memory/2884-278-0x00000000011B0000-0x0000000001496000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c3329b7e-3343-4468-87e9-32c0397bd0bc.vbs

MD5 eceb5c103f395835002b77f022abd363
SHA1 3adac56971ecc3f5b36d1e9fd59911a34a65d063
SHA256 f9291020956e02b71888b7e5b3f18d8a42ba3855de918b9f2a7d3f4aaac03840
SHA512 0d70724d96754ed93de42ef65c47a2e988e64ba57527f83d36fa57c9c0b0512bc87b6558841b846f7605f81b9493e696f0e46c1cf7dbb32d0617cecda8bebcee

C:\Users\Admin\AppData\Local\Temp\e29a1080-1ed8-4f23-a275-d0f29b93cf5c.vbs

MD5 17558f8fc91934b0855dde2ee53a1b33
SHA1 07d0004c9e010e4f51f3f90fd06743b9e0002d11
SHA256 fa081074d0e5d0813fff17302feec10cb97c0330e90abc01d55475a66fb646b2
SHA512 2b497c895a9124f62c0bcc9c877e8db646830186744bc0681e2cd23ae4e87aa0ff8ef5b7682adcabcacd8379ac28a7fa3049e613d6ce5b1e9aeb5b84e886d165

memory/2492-301-0x0000000001200000-0x00000000014E6000-memory.dmp

memory/2492-302-0x0000000000C20000-0x0000000000C76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a9be8320-80fa-4dc0-99a4-dfa97402f70f.vbs

MD5 97f9bf57867013cb6778c85684b0f45f
SHA1 954cdf489203c6765127ad729d3f711d2fb9acc4
SHA256 08cd93e0a3881df5123d50da9d398a5317fb66d560ab45ae6b1cbfabe3ad0021
SHA512 1b150acc9d029f1b517def6a7a3714638b3217798dea0f5fa4092996ccf00f199415f93ba96a6291df957e0dc1dd91ec6295e5e928582f642fc4b6f20820dab9

C:\Users\Admin\AppData\Local\Temp\a07731de-3150-4c5a-bade-fdb118f8f4da.vbs

MD5 60c81da70dca8a46ccbc7a7b6b742179
SHA1 1e87b8fe172be8b0967243a92c9bfa4cb8149d90
SHA256 8e2ae07b1a1faa45503db9980c0293e86aabd7d0d231f1b557445b82a2a06fc8
SHA512 2270a70595d3445dad2ee07ee2772e90cc727a4df3b1deb744e7bada360a7d39eee1b81e65065b04d2f2b738f9f699c99e9483d32fc44c551bfe0a49a618a899

memory/1948-324-0x0000000000A90000-0x0000000000AE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\49a39565-ba88-4436-99d1-f3fdd6b76258.vbs

MD5 f83fd66632482cc8837f21f1260c2a9c
SHA1 5b398cb7b34313833d88512716b87fc715d6deb7
SHA256 213fea3636a3f4cb18bf4e7deefa055bbd7128f778a039ae18b4286aa57d69eb
SHA512 a09500ff85e331ed5762d7e864e70dca372c1986f10c92874f48f8fbee5c72178915eb863dbf5f568f27af364600a899bad59f64c454d85db0845ffc7c842966

memory/2504-336-0x00000000007F0000-0x0000000000846000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\80d6d7fb-e896-49a5-811a-a4e7dd703909.vbs

MD5 9aca1ae2c4da37692ef932d77cbe1cd4
SHA1 adc19a474ccbf5d684b4d40a0aad6f277daa770b
SHA256 8394f54db95eceb863e6b064ec383b6af6dfc3c9e2ba573c83344740c87961d9
SHA512 22211aebe13205814abe45b6e384acfd349c5552c73d6b85de7274a6354be74c438f9ac4134444a8c0fcf5b246a6ea4b2dd3f88c947ec323185e75478cb54407

memory/1520-348-0x00000000001D0000-0x00000000004B6000-memory.dmp

memory/1520-349-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6343f0ad-b255-429d-b213-78c192783808.vbs

MD5 b79027b0a0bf5b17a7e15b95f056d73a
SHA1 c659609f22f2610854bed6a84500e61012e4537f
SHA256 e63d7237f0ca2aa52dd99a7b424b01caf641a7547c0bd993cb512bd0342a0211
SHA512 f7c6afed874444b2a7cb8dc21c5a5221905e5a5bc30a1f54eb12f838f7e8f862f5869895c06b491540234d066537afc51fd4d112080c1585ae0424b3deceb8ca

memory/2556-361-0x0000000000CD0000-0x0000000000FB6000-memory.dmp