Malware Analysis Report

2024-11-13 13:42

Sample ID 240516-c9fmfsha2y
Target 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics
SHA256 6ced96c3c9f628cd9caa61fdc4d146a792a612539c923de90a93414099f4eddb
Tags
rat dcrat evasion execution infostealer persistence trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

6ced96c3c9f628cd9caa61fdc4d146a792a612539c923de90a93414099f4eddb

Threat Level: Known bad

The file 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer persistence trojan

Dcrat family

DCRat payload

Modifies WinLogon for persistence

UAC bypass

Process spawned unexpected child process

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

System policy modification

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 02:46

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 02:46

Reported

2024-05-16 02:48

Platform

win7-20240221-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\audiodg.exe\", \"C:\\Users\\Public\\Libraries\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\audiodg.exe\", \"C:\\Users\\Public\\Libraries\\dwm.exe\", \"C:\\Users\\Default User\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\audiodg.exe\", \"C:\\Users\\Public\\Libraries\\dwm.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (27 occurrences)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Uninstall Information\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Uninstall Information\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Uninstall Information\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (5 matches, no indicator detail recorded)

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Uninstall Information\taskhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Public\\Libraries\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Public\\Libraries\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Libraries\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Libraries\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics = "\"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics = "\"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Uninstall Information\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Uninstall Information\taskhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Uninstall Information\taskhost.exe C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\taskhost.exe C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Skins\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\RCX25CC.tmp C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\RCX2CB2.tmp C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Uninstall Information\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Skins\RCX23C8.tmp C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\RCX283D.tmp C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File created C:\Windows\Vss\Writers\Application\65cd17f60dedcf C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Vss\Writers\Application\RCX2AAE.tmp C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Program Files (x86)\Uninstall Information\taskhost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Program Files (x86)\Uninstall Information\taskhost.exe N/A
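The Winlogon Shell, Run-key, UAC-policy and certificate-store writes above share traits that turn directly into rules: the Shell value keeps explorer.exe and appends each dropped copy after it; every Run value points at a file named after a System32 binary (smss, csrss, lsass, lsm, dwm, taskhost, audiodg, System) but stored under Users, Program Files, Recovery or Windows\Vss; EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all forced to 0, which disables UAC outright rather than bypassing it and already requires an elevated writer because the key lives under HKLM; and a certificate is written into the LocalMachine ROOT store by the dropped taskhost.exe. The script below is an added example written for this page, not the sandbox's detection code and not anything from the sample; its events are constructed from the rows above, the OneDrive row is an invented benign control, the ATT&CK mappings are the editor's, and the "hardened" UAC values are the Windows defaults.

```python
"""Registry-event triage for the persistence and UAC tampering in this report.
Added example, not the sandbox's own detection code. SAMPLE_EVENTS is constructed
from the report's rows; the OneDrive row is an invented benign control."""
import re
from dataclasses import dataclass

# File names the dropper reuses for its copies. The genuine binaries live in
# %SystemRoot%\System32, so the same name anywhere else is a masquerade.
SYSTEM_BINARY_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "lsm.exe", "dwm.exe",
                       "taskhost.exe", "audiodg.exe", "system.exe", "svchost.exe"}
WINLOGON_SHELL = r"\registry\machine\software\microsoft\windows nt\currentversion\winlogon\shell"
UAC_POLICY_KEY = r"\registry\machine\software\microsoft\windows\currentversion\policies\system"
# Windows defaults: UAC on, admins prompted for consent, prompt on the secure desktop.
UAC_SAFE_VALUES = {"enablelua": "1", "consentpromptbehavioradmin": "5", "promptonsecuredesktop": "1"}
ROOT_STORE_PREFIX = r"\registry\machine\software\microsoft\systemcertificates\root\certificates" + "\\"
RUN_VALUE_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$")


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique id (editor's mapping)
    summary: str
    process: str    # writing process, as the sandbox reported it


def image_path(entry: str) -> str:
    """Executable path of a Run/Shell entry: the quoted token, else the first space-delimited token."""
    s = entry.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def is_masquerade(path: str) -> bool:
    """System-binary file name launched from anywhere but %SystemRoot%\\System32."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_BINARY_NAMES and "\\windows\\system32\\" not in path.lower()


def classify(event: dict) -> list:
    """Findings for one 'Set value' event of the form {'key', 'value', 'process'}."""
    key, value, proc = event["key"].lower(), event["value"], event["process"]
    out = []
    if key == WINLOGON_SHELL:
        # Shell is a comma-separated list; anything beyond explorer.exe is an injected shell.
        entries = [image_path(e) for e in value.split(",") if e.strip()]
        extra = [e for e in entries if e.lower() != "explorer.exe"]
        if extra:
            out.append(Finding("T1547.004", f"Winlogon Shell gained {len(extra)} extra entries: {'; '.join(extra)}", proc))
        bad = [e for e in extra if is_masquerade(e)]
        if bad:
            out.append(Finding("T1036.005", f"Shell entries use system-binary names outside System32: {'; '.join(bad)}", proc))
    m = RUN_VALUE_RE.search(key)
    if m and is_masquerade(image_path(value)):
        out.append(Finding("T1547.001", f"Run value '{m.group(1)}' starts lookalike {image_path(value)}", proc))
    if key.startswith(UAC_POLICY_KEY + "\\"):
        name = key.rsplit("\\", 1)[-1]
        if name in UAC_SAFE_VALUES and value != UAC_SAFE_VALUES[name]:
            out.append(Finding("T1548.002", f"UAC policy {name} set to {value} (default is {UAC_SAFE_VALUES[name]})", proc))
    if key.startswith(ROOT_STORE_PREFIX):
        thumbprint = key[len(ROOT_STORE_PREFIX):].split("\\")[0].upper()
        out.append(Finding("T1553.004", f"certificate written to the LocalMachine ROOT store, thumbprint {thumbprint}", proc))
    return out


def scan(events: list) -> list:
    """All findings over a list of events, in input order."""
    return [f for e in events for f in classify(e)]


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe"
TASKHOST = r"C:\Program Files (x86)\Uninstall Information\taskhost.exe"

# Constructed from the report's rows (values shown unescaped, as stored in the registry).
SAMPLE_EVENTS = [
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": r'explorer.exe, "C:\Users\Public\Libraries\smss.exe", "C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe"',
     "process": DROPPER},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm",
     "value": r'"C:\Users\Public\Libraries\dwm.exe"', "process": DROPPER},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass",
     "value": r'"C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe"', "process": DROPPER},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "value": "0", "process": TASKHOST},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "value": "0", "process": TASKHOST},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob",
     "value": "<binary blob>", "process": TASKHOST},
    # Invented benign control: a per-user Run entry for an ordinary application.
    {"key": r"\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "process": r"C:\Windows\explorer.exe"},
]
```

Run `scan(SAMPLE_EVENTS)` to get seven findings across the five techniques; the OneDrive control yields none because the file name is not one a system binary uses. The masquerade test keys only on the file name and directory, so a copy of a genuinely signed binary placed outside System32 would also trip it; pair it with signature checks before using it as a sole alert source.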

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A (27 occurrences)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (1 occurrence)
N/A N/A C:\Program Files (x86)\Uninstall Information\taskhost.exe N/A (35 occurrences)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Uninstall Information\taskhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 2156 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe (3 events)
PID 832 wrote to memory of 572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (3 events)
PID 832 wrote to memory of 2068 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Uninstall Information\taskhost.exe (3 events)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Uninstall Information\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Uninstall Information\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Uninstall Information\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics8" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics8" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J4ecGZdzFA.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Uninstall Information\taskhost.exe

"C:\Program Files (x86)\Uninstall Information\taskhost.exe"

Network

Country Destination Domain Proto
RU 94.250.255.250:80 94.250.255.250 tcp
RU 94.250.255.250:443 tcp
RU 94.250.255.250:443 tcp

Files

memory/2156-0-0x000007FEF5843000-0x000007FEF5844000-memory.dmp

memory/2156-1-0x0000000000100000-0x00000000003C0000-memory.dmp

memory/2156-2-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/2156-3-0x0000000000680000-0x0000000000688000-memory.dmp

memory/2156-4-0x0000000000690000-0x00000000006AC000-memory.dmp

memory/2156-5-0x00000000006B0000-0x00000000006B8000-memory.dmp

memory/2156-6-0x00000000006D0000-0x00000000006E0000-memory.dmp

memory/2156-7-0x0000000000770000-0x0000000000786000-memory.dmp

memory/2156-8-0x00000000006E0000-0x00000000006E8000-memory.dmp

memory/2156-9-0x0000000000790000-0x0000000000798000-memory.dmp

memory/2156-10-0x00000000007B0000-0x00000000007C0000-memory.dmp

memory/2156-11-0x00000000007A0000-0x00000000007AA000-memory.dmp

memory/2156-12-0x000000001ADD0000-0x000000001AE26000-memory.dmp

memory/2156-13-0x00000000007C0000-0x00000000007C8000-memory.dmp

memory/2156-17-0x0000000002490000-0x000000000249C000-memory.dmp

memory/2156-16-0x00000000022A0000-0x00000000022A8000-memory.dmp

memory/2156-15-0x0000000002280000-0x000000000228C000-memory.dmp

memory/2156-14-0x0000000002290000-0x0000000002298000-memory.dmp

memory/2156-18-0x00000000024A0000-0x00000000024AC000-memory.dmp

memory/2156-19-0x00000000024B0000-0x00000000024B8000-memory.dmp

memory/2156-20-0x000000001A9C0000-0x000000001A9C8000-memory.dmp

memory/2156-21-0x000000001A9D0000-0x000000001A9DC000-memory.dmp

memory/2156-22-0x000000001A9E0000-0x000000001A9EC000-memory.dmp

memory/2156-23-0x000000001A9F0000-0x000000001A9F8000-memory.dmp

memory/2156-25-0x000000001AF30000-0x000000001AF3C000-memory.dmp

memory/2156-24-0x000000001AE20000-0x000000001AE2A000-memory.dmp

memory/2156-26-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe

MD5 842d88a85052060e936fdc2ea92b43a0
SHA1 4c2a334ee317b586bd284f5e4f514801cc65f3c5
SHA256 6ced96c3c9f628cd9caa61fdc4d146a792a612539c923de90a93414099f4eddb
SHA512 b6abab1932024a1c477716dc84c7b60714ec6e712cc5ce104c078972a20e89554b20c588233c5be33fef8a02ee10d653d34c9a3d0c490a596d6a068d1fa6c1eb

C:\Users\Default\RCX3126.tmp

MD5 73c24f844a0956368802a3452aaac5f8
SHA1 6f0f376169076d420d2c7880eb595718c2ce6d5b
SHA256 3efe7d2109957de103b0259ec8f4a3fcdb1f33cbf5bb53e6842fd51e2d63d276
SHA512 219ca88b9a6d0bf9f14b7023ee27b22f236cccfed23dab62c53d2f77ed5fb1ccfa0daafaf6e021df2af2eed2e766198777577409834d19ab1f4a33ecc05a21a9

memory/1280-118-0x0000000001E60000-0x0000000001E68000-memory.dmp

memory/1280-117-0x000000001B580000-0x000000001B862000-memory.dmp

memory/2156-116-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\J4ecGZdzFA.bat

MD5 13eb83412fde6b99e9ededb2127960c9
SHA1 03b4e85488cfdb3094278337d9f9cef049e6c6b6
SHA256 addc3326f05360cf9e79117b8492a7980298d83cacc977841a23e5c8844e230d
SHA512 1db95f03fa144b383c7c8dfcea7f082eb2414ed751bee02033fac96c9d23a1713fb5d5214bb1574b318f8c4ef1bfe71a8949fc2bfbc04e48b656319252722fee

C:\Program Files (x86)\Uninstall Information\taskhost.exe

MD5 ae624a87c9ff606c9145aae0a44aac94
SHA1 31d161fa9a297d4ec1d7d5004a59686fd7f84c04
SHA256 839c430e1c22f5a5d6e83257b0581fe05733e4bea09d8903b1defe872a0fe655
SHA512 1d9cc60afc4d3d876524216ffc9833298ddf05d45731e1b34321aac4e0ea5f61076ed0e255c5590fc6e8e4c43e4139e81dbefce64edff2920b75eb9375021105

memory/2068-122-0x0000000000C30000-0x0000000000EF0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 02:46

Reported

2024-05-16 02:48

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Windows\\debug\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\debug\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\debug\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\debug\sysmon.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\debug\sysmon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\debug\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\debug\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\debug\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\debug\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\debug\sysmon.exe C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File created C:\Windows\debug\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\debug\RCXB96.tmp C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\debug\sysmon.exe C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A
N/A N/A C:\Windows\debug\sysmon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\debug\sysmon.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\debug\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\debug\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\debug\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
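The "Set value" rows above (and the same rows for the Win7 run, behavioral1) describe two distinct things: the sample turns UAC off by writing EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0, and it chains its dropped copies into logon by appending them to Winlogon\Shell and registering Run keys under both HKLM and the user hive. The copies borrow the names of Windows components (smss, csrss, lsass, dwm, taskhost, audiodg, lsm) and of Edge and Sysmon, but live in C:\Recovery, C:\Windows\debug, C:\Users\Public and similar; note that the msedge.exe under C:\Program Files (x86)\Microsoft\Edge\Application in the process list is the real browser, the one under C:\Recovery\WindowsRE is the sample. The script below is an added example, not part of the sandbox report: it parses rows in the report's own column format, flags each UAC policy value that was set to its weak value, extracts every non-explorer entry from Winlogon\Shell and every Run-key target, and applies a masquerading heuristic. The HOME_DIRS table (where each borrowed name legitimately lives) and the noise-free sample rows are assumptions copied from this report; the Winlogon parser also assumes the Shell entries contain no commas.

```python
import re
from dataclasses import dataclass

# Row shape is the report's "Description Indicator Process Target" table, e.g.
#   Set value (int) \REGISTRY\...\EnableLUA = "0" C:\Windows\debug\sysmon.exe N/A
# The key path may contain spaces ("Windows NT"), so it is matched lazily up to ' = "'.
ROW_RE = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<key>\\REGISTRY\\.+?) = '
    r'"(?P<value>.*)" (?P<process>.+) (?P<target>\S+)$'
)

UAC_POLICY = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Value name -> Windows default. "0" is the weak setting for each of them.
UAC_DEFAULTS = {
    'EnableLUA': '1',                   # 0: UAC off, admin tokens are never filtered
    'ConsentPromptBehaviorAdmin': '5',  # 0: elevate without any prompt
    'PromptOnSecureDesktop': '1',       # 0: prompts drawn on the normal, spoofable desktop
}

# Heuristic (assumption): where each binary name the sample borrows normally lives.
# Exact directory match; an empty tuple means no legitimate file of that name exists.
HOME_DIRS = {
    **{n: (r'c:\windows\system32',) for n in
       ('smss.exe', 'csrss.exe', 'lsass.exe', 'lsm.exe', 'dwm.exe', 'taskhost.exe', 'audiodg.exe')},
    'system.exe': (),
    'sysmon.exe': (r'c:\windows',),
    'msedge.exe': (r'c:\program files\microsoft\edge\application',
                   r'c:\program files (x86)\microsoft\edge\application'),
}

# Rows copied from this report (behavioral2); the last one is a read, not a write.
REPORT_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\debug\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Windows\\debug\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\debug\sysmon.exe N/A
'''.strip().splitlines()


@dataclass(frozen=True)
class Finding:
    category: str   # uac_policy | winlogon_shell | run_key | masquerade
    detail: str
    process: str    # process that wrote the value


def unescape(value):
    r"""Undo the report's escaping of \" and \\ inside (str) values."""
    return re.sub(r'\\(.)', r'\1', value)


def exe_from(entry):
    """'"C:\\x\\a.exe" --flag' -> 'C:\\x\\a.exe'; unquoted entries end at the first space."""
    entry = entry.strip()
    if entry.startswith('"'):
        return entry[1:].split('"', 1)[0]
    return entry.split(' ', 1)[0]


def masquerade(path):
    """Heuristic: a file named like a known binary but outside that binary's home directory."""
    directory, _, name = path.lower().rpartition('\\')
    homes = HOME_DIRS.get(name)
    if homes is None or directory in homes:
        return None
    return f'{path} is named like a known binary whose home is {" or ".join(homes) or "nowhere (no such file)"}'


def triage(rows):
    findings = set()     # the sample writes the same values several times; dedupe
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        key, process = m['key'], m['process']
        value = unescape(m['value']) if m['kind'] == 'str' else m['value']
        parent, _, name = key.rpartition('\\')
        if parent == UAC_POLICY and name in UAC_DEFAULTS and value == '0':
            findings.add(Finding('uac_policy', f'{name}=0 (default {UAC_DEFAULTS[name]})', process))
        elif key.lower().endswith(r'\winlogon\shell'):
            # Shell is a comma-separated list; anything besides explorer.exe is an injected entry
            for entry in value.split(','):
                if entry.strip().lower() == 'explorer.exe':
                    continue
                exe = exe_from(entry)
                findings.add(Finding('winlogon_shell', exe, process))
                if why := masquerade(exe):
                    findings.add(Finding('masquerade', why, process))
        elif re.search(r'\\currentversion\\run(once)?\\[^\\]+$', key, re.I):
            exe = exe_from(value)
            findings.add(Finding('run_key', f'{name} -> {exe}', process))
            if why := masquerade(exe):
                findings.add(Finding('masquerade', why, process))
    return sorted(findings, key=lambda f: (f.category, f.detail, f.process))


if __name__ == '__main__':
    for f in triage(REPORT_ROWS):
        print(f'[{f.category}] {f.detail}  <- {f.process}')
```

The three UAC findings are attributed to two different writers (the original sample and the dropped sysmon.exe copy), which is the same fact the "System policy modification" table records: every copy re-applies the policy, so restoring the values without removing all the copies and their tasks only lasts until the next run.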

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Windows\debug\sysmon.exe

"C:\Windows\debug\sysmon.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
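Both process lists (Win7 above under behavioral1, Win10 here) show the same scheduled-task routine for every dropped copy: one ONLOGON task named exactly after the binary with /rl HIGHEST, and one MINUTE task, named after the binary with its first letter appended (smss/smsss, csrss/csrssc, System/SystemS, msedge/msedgem, sysmon/sysmons, 842d...NeikiAnalytics/842d...NeikiAnalytics8), registered twice with /f, the second time with a different interval and /rl HIGHEST so that the highest-privilege version overwrites the first. Around the tasks sit a Defender exclusion for the whole C: drive, a .bat stager run through cmd.exe and a w32tm /stripchart call that serves as a short sleep. The parser below is an added example, not part of the sandbox report; it reads command lines in the form the report prints them, groups the schtasks registrations by target binary and tests for exactly that triple, and labels the other three command types. The sample command lines are copied from this report; the "decoy name" rule (stem plus first letter) is derived from these two detonations only and is an assumption outside them.

```python
import re
from collections import defaultdict

CREATE_RE = re.compile(r'^"?schtasks(?:\.exe)?"?\s+/create\b', re.I)
ARG_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.I)

# Command lines copied from this report (behavioral1 and behavioral2 process lists).
REPORT_COMMANDS = r'''
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\smss.exe'" /f
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J4ecGZdzFA.bat"
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\sysmon.exe'" /f
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f
'''.strip().splitlines()


def parse_schtasks(cmd):
    """Pull the persistence-relevant switches out of one 'schtasks /create' line, or None."""
    if not CREATE_RE.match(cmd.strip()):
        return None
    args = {k.lower(): v.strip('"') for k, v in ARG_RE.findall(cmd)}
    return {
        'tn': args.get('tn'),
        'sc': args.get('sc', '').upper(),
        'mo': int(args['mo']) if args.get('mo', '').isdigit() else None,
        # the sample wraps the path as "'C:\...\x.exe'"; drop both layers of quoting
        'tr': args.get('tr', '').strip().strip("'"),
        'rl': args.get('rl', 'LIMITED').upper(),   # LIMITED is schtasks' default run level
        'force': re.search(r'\s/f\b', cmd, re.I) is not None,
    }


def exclusion_paths(cmd):
    """Paths handed to Add-MpPreference -ExclusionPath (single-quoted, as in the report)."""
    m = re.search(r'-ExclusionPath\s+(.+)$', cmd, re.I)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def classify(cmd):
    low = cmd.lower()
    if parse_schtasks(cmd):
        return 'schtasks_create'
    if 'add-mppreference' in low and '-exclusionpath' in low:
        return 'defender_exclusion'
    if 'w32tm' in low and '/stripchart' in low:
        return 'delay'          # 2 samples 5 s apart: a sleep done with a signed Windows binary
    if re.search(r'cmd(\.exe)?"?\s+/c\s+".*\.bat"', low):
        return 'batch_stage'
    return 'other'


def profile(commands):
    """Group registrations by target binary and test for the pattern this report shows:
    one ONLOGON task named after the binary, plus one MINUTE task named <stem><first letter>
    registered twice with /f, the second time with /rl HIGHEST."""
    by_target = defaultdict(list)
    for cmd in commands:
        t = parse_schtasks(cmd)
        if t and t['tr']:
            by_target[t['tr']].append(t)
    out = {}
    for target, tasks in by_target.items():
        stem = target.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        logon = [t for t in tasks if t['sc'] == 'ONLOGON']
        minute = [t for t in tasks if t['sc'] == 'MINUTE']
        out[target] = {
            'task_names': sorted({t['tn'] for t in tasks}),
            'decoy_names': sorted({t['tn'] for t in tasks if stem and t['tn'] == stem + stem[0]}),
            'onlogon_highest': any(t['rl'] == 'HIGHEST' for t in logon),
            'minute_intervals': sorted(t['mo'] for t in minute if t['mo'] is not None),
            'triple': (len(logon) == 1 and logon[0]['tn'] == stem
                       and len(minute) == 2 and len({t['tn'] for t in minute}) == 1
                       and minute[-1]['rl'] == 'HIGHEST' and all(t['force'] for t in tasks)),
        }
    return out


if __name__ == '__main__':
    for cmd in REPORT_COMMANDS:
        print(f'{classify(cmd):20} {cmd[:70]}')
    for target, info in profile(REPORT_COMMANDS).items():
        print(target, info)
```

For hunting, the two cheapest pivots this gives are the task name pairs (a task name that equals a binary stem plus one repeated letter, and a task whose /tr points at a system-process name outside System32) and the Defender exclusion of a drive root; the MINUTE intervals themselves vary between copies and are not worth matching on.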

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
RU 94.250.255.250:80 94.250.255.250 tcp
RU 94.250.255.250:443 tcp
RU 94.250.255.250:443 tcp
US 8.8.8.8:53 250.255.250.94.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
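Most of this table is background: reverse (in-addr.arpa) lookups through 8.8.8.8 and Bing traffic from the Windows 10 image. The rows that matter are the three TCP connections to 94.250.255.250 on ports 80 and 443 with no resolved name, which also appear, and are the only network activity, in the Win7 run. The script below is an added example, not part of the sandbox report: it parses rows in the report's column layout (the Domain cell is absent when the sandbox resolved no name), separates DNS noise and known background domains from direct-to-IP connections, and intersects the direct-IP endpoints across the two detonations. The NOISE_SUFFIXES list is an assumption to be replaced by your own sandbox's clean-run baseline; the sample rows are copied from this report.

```python
from collections import Counter

# Windows/sandbox background traffic that says nothing about the sample.
# Assumption: tune this to your own sandbox's clean-run baseline.
NOISE_SUFFIXES = ('.bing.com', '.bing.net', '.microsoft.com', '.windowsupdate.com',
                  '.msftconnecttest.com')

# Network rows copied from this report (header line excluded).
WIN7_ROWS = '''
RU 94.250.255.250:80 94.250.255.250 tcp
RU 94.250.255.250:443 tcp
RU 94.250.255.250:443 tcp
'''.strip().splitlines()

WIN10_ROWS = '''
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
RU 94.250.255.250:80 94.250.255.250 tcp
RU 94.250.255.250:443 tcp
RU 94.250.255.250:443 tcp
US 8.8.8.8:53 250.255.250.94.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
'''.strip().splitlines()


def parse_row(row):
    """'RU 94.250.255.250:443 tcp' (no Domain cell) or 'NL 23.62.61.194:443 www.bing.com tcp'."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, None
    else:
        return None
    if ':' not in dest:              # header line or garbage
        return None
    ip, port = dest.rsplit(':', 1)
    return {'country': country, 'ip': ip, 'port': int(port), 'domain': domain, 'proto': proto.lower()}


def ptr_name(ip):
    """Reverse-lookup name for an IPv4 address: 94.250.255.250 -> 250.255.250.94.in-addr.arpa."""
    return '.'.join(reversed(ip.split('.'))) + '.in-addr.arpa'


def classify_conn(c):
    d = c['domain'] or ''
    if c['port'] == 53 and c['proto'] == 'udp':
        return 'ptr_lookup' if d.endswith('.in-addr.arpa') else 'dns_query'
    if d.endswith(NOISE_SUFFIXES):
        return 'background'
    if c['domain'] is None or c['domain'] == c['ip']:
        return 'direct_ip'           # no name was resolved: the address is hard-coded in the sample
    return 'unknown'


def triage_network(rows):
    conns = [c for c in map(parse_row, rows) if c]
    labels = [classify_conn(c) for c in conns]
    direct = {(c['ip'], c['port']) for c, l in zip(conns, labels) if l == 'direct_ip'}
    ptrs = {c['domain'] for c, l in zip(conns, labels) if l == 'ptr_lookup'}
    return {
        'counts': Counter(labels),
        'direct_ip': direct,
        # direct-IP endpoints for which a reverse lookup also appears in the capture
        'ptr_seen_for': {ip for ip, _ in direct if ptr_name(ip) in ptrs},
    }


def common_endpoints(*runs):
    """Direct-IP endpoints contacted in every detonation; surviving a change of OS image
    (Win7 vs Win10 here) makes them the strongest C2 candidates."""
    sets = [triage_network(r)['direct_ip'] for r in runs]
    return set.intersection(*sets) if sets else set()


if __name__ == '__main__':
    print(triage_network(WIN10_ROWS)['counts'])
    print('C2 candidates:', sorted(common_endpoints(WIN7_ROWS, WIN10_ROWS)))
```

The reverse lookup for 250.255.250.94.in-addr.arpa in the Win10 table is the only DNS activity tied to the candidate endpoint; it is a PTR query for the address the sample already connected to, not a resolution that preceded the connection, so the IP itself, not a hostname, is the indicator to block.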

Files

memory/3236-0-0x00007FFB408D3000-0x00007FFB408D5000-memory.dmp

memory/3236-1-0x0000000000EA0000-0x0000000001160000-memory.dmp

memory/3236-2-0x00007FFB408D0000-0x00007FFB41391000-memory.dmp

memory/3236-3-0x00000000019C0000-0x00000000019C8000-memory.dmp

memory/3236-4-0x00000000019D0000-0x00000000019EC000-memory.dmp

memory/3236-6-0x00000000033B0000-0x00000000033B8000-memory.dmp

memory/3236-7-0x00000000033C0000-0x00000000033D0000-memory.dmp

memory/3236-5-0x000000001BE10000-0x000000001BE60000-memory.dmp

memory/3236-8-0x000000001BDC0000-0x000000001BDD6000-memory.dmp

memory/3236-9-0x00000000033D0000-0x00000000033D8000-memory.dmp

memory/3236-10-0x000000001BDE0000-0x000000001BDE8000-memory.dmp

memory/3236-11-0x000000001BDF0000-0x000000001BE00000-memory.dmp

memory/3236-12-0x000000001BE00000-0x000000001BE0A000-memory.dmp

memory/3236-13-0x000000001BE60000-0x000000001BEB6000-memory.dmp

memory/3236-14-0x000000001C4C0000-0x000000001C4C8000-memory.dmp

memory/3236-15-0x000000001C5E0000-0x000000001C5E8000-memory.dmp

memory/3236-16-0x000000001C4D0000-0x000000001C4DC000-memory.dmp

memory/3236-17-0x000000001C4E0000-0x000000001C4E8000-memory.dmp

memory/3236-18-0x000000001C4F0000-0x000000001C4FC000-memory.dmp

memory/3236-19-0x000000001C500000-0x000000001C50C000-memory.dmp

memory/3236-20-0x000000001C580000-0x000000001C588000-memory.dmp

memory/3236-21-0x000000001C510000-0x000000001C518000-memory.dmp

memory/3236-23-0x000000001C530000-0x000000001C53C000-memory.dmp

memory/3236-22-0x000000001C520000-0x000000001C52C000-memory.dmp

memory/3236-26-0x000000001C5B0000-0x000000001C5BC000-memory.dmp

memory/3236-25-0x000000001C5A0000-0x000000001C5AA000-memory.dmp

memory/3236-24-0x000000001C590000-0x000000001C598000-memory.dmp

memory/3236-27-0x00007FFB408D0000-0x00007FFB41391000-memory.dmp

memory/3236-30-0x00007FFB408D0000-0x00007FFB41391000-memory.dmp

C:\Recovery\WindowsRE\msedge.exe

MD5 842d88a85052060e936fdc2ea92b43a0
SHA1 4c2a334ee317b586bd284f5e4f514801cc65f3c5
SHA256 6ced96c3c9f628cd9caa61fdc4d146a792a612539c923de90a93414099f4eddb
SHA512 b6abab1932024a1c477716dc84c7b60714ec6e712cc5ce104c078972a20e89554b20c588233c5be33fef8a02ee10d653d34c9a3d0c490a596d6a068d1fa6c1eb

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vu2habpp.34q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1884-98-0x0000022459120000-0x0000022459142000-memory.dmp

memory/3236-119-0x00007FFB408D0000-0x00007FFB41391000-memory.dmp

memory/2196-122-0x000000001B9E0000-0x000000001BA36000-memory.dmp