Malware Analysis Report

2024-11-13 13:42

Sample ID 240516-gh4mesee7w
Target a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics
SHA256 4123eccc2d223d14ab820f328e26e109a0a6fa4a58648122fbc0fa352d242836
Tags
rat dcrat evasion execution infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4123eccc2d223d14ab820f328e26e109a0a6fa4a58648122fbc0fa352d242836

Threat Level: Known bad

The file a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

DCRat payload

UAC bypass

DcRat

Dcrat family

Process spawned unexpected child process

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 05:49

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 05:49

Reported

2024-05-16 05:51

Platform

win7-20240508-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target Events
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe N/A 51
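All 51 schtasks.exe launches in this run have WmiPrvSE.exe as their parent. A process created through WMI's Win32_Process.Create method is started by the WMI provider host, so WmiPrvSE.exe shows up as the parent and the real caller (here, the dropper) never appears above schtasks.exe in the tree. The following is an added example, not part of the sandbox report or the vendor's detection logic: a parent/child baseline check run over constructed Sysmon-style process-creation records that mirror the behavioral1 tree. The EXPECTED_PARENTS table is an illustrative assumption and has to be tuned per estate.

```python
"""Flag process launches whose parent is not on an expected-parent baseline.

Added example, not part of the sandbox report. EVENTS are constructed
process-creation records mirroring the behavioral1 tree (51 x WmiPrvSE.exe ->
schtasks.exe, sample -> powershell.exe); the EXPECTED_PARENTS baseline is an
illustrative assumption.
"""
import ntpath
from collections import Counter
from typing import Optional

# Children worth baselining (lower-case basenames) and the parents that normally launch them.
EXPECTED_PARENTS = {
    "schtasks.exe": {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe", "mmc.exe"},
    "powershell.exe": {"cmd.exe", "explorer.exe", "svchost.exe", "powershell.exe"},
}

# A process created through WMI (Win32_Process.Create) runs under the WMI provider
# host, so WmiPrvSE.exe shows up as its parent and the real caller is hidden.
PROXY_PARENTS = {"wmiprvse.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_anomalous(parent_image: str, image: str) -> Optional[str]:
    """Return a reason string if this parent/child pair is suspicious, else None."""
    parent, child = basename(parent_image), basename(image)
    if parent in PROXY_PARENTS:
        return f"{child} launched via {parent} (WMI proxy execution; real parent hidden)"
    allowed = EXPECTED_PARENTS.get(child)
    if allowed is not None and parent not in allowed:
        return f"{child} spawned by unexpected parent {parent}"
    return None


def summarize(events):
    """Count anomalous (parent, child) pairs, the way the report's signature table does."""
    counts = Counter()
    for ev in events:
        if is_anomalous(ev["ParentImage"], ev["Image"]):
            counts[(basename(ev["ParentImage"]), basename(ev["Image"]))] += 1
    return counts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe"

# Constructed records: image paths as in the report, no PIDs or command lines.
EVENTS = [
    {"ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe", "Image": r"C:\Windows\system32\schtasks.exe"},
] * 51 + [
    {"ParentImage": SAMPLE, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Windows\system32\cmd.exe", "Image": r"C:\Windows\system32\schtasks.exe"},  # benign
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\system32\notepad.exe"},      # not baselined
]

if __name__ == "__main__":
    for (parent, child), n in summarize(EVENTS).most_common():
        print(f"{n:3d}  {parent} -> {child}: {is_anomalous(parent, child)}")
```

The WmiPrvSE.exe rule fires on any child, not only schtasks.exe, because the point is the proxy launch itself; the baseline rule is what catches the sample spawning powershell.exe directly.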

UAC bypass

evasion trojan
Description Indicator Process Target Events
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\explorer.exe N/A 16
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\explorer.exe N/A 16
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\explorer.exe N/A 16
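The three values written here are the whole of UAC's user-facing policy: EnableLUA=0 switches UAC off but only takes effect at the next logon or reboot, while ConsentPromptBehaviorAdmin=0 ("elevate without prompting") and PromptOnSecureDesktop=0 act immediately, so an administrator in Admin Approval Mode silently auto-elevates from the moment the values land. The following is an added example, not part of the sandbox report: a parser for rows in the report's own "Set value" format that flags UAC-weakening writes from unexpected processes, plus an evaluator for the resulting UAC posture. The sample rows are constructed from the table above, and the EXPECTED_WRITERS allowlist is an illustrative assumption.

```python
"""Flag UAC policy tampering in registry 'Set value' events and evaluate the
resulting UAC posture.

Added example, not part of the sandbox report. SAMPLE_LINES are constructed in
the report's own row format (rows from the 'UAC bypass' table plus a benign row);
the EXPECTED_WRITERS allowlist is an illustrative assumption.
"""
import ntpath
import re
from collections import Counter
from typing import Optional

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# For all three values, 0 is the weakening setting:
#   EnableLUA=0                  UAC off (effective at next logon/reboot)
#   ConsentPromptBehaviorAdmin=0 "elevate without prompting" for admins (immediate)
#   PromptOnSecureDesktop=0      prompts on the normal, spoofable desktop (immediate)
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

# Assumption: on a managed host only the Group Policy client (inside svchost.exe)
# legitimately rewrites these values.
EXPECTED_WRITERS = {"svchost.exe"}

# Report row: Set value (int) <key>\<name> = "<value>" <process> N/A
ROW = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>\w+) = "(?P<value>-?\d+)" '
    r'(?P<process>.+?) N/A$'
)


def parse_set_value(line: str) -> Optional[dict]:
    """Parse one 'Set value' row; return None for rows of any other kind."""
    m = ROW.match(line.strip())
    if not m:
        return None
    return {"key": m["key"], "name": m["name"], "value": int(m["value"]), "process": m["process"]}


def classify(event: Optional[dict]) -> Optional[str]:
    """Return a finding for a UAC-weakening write under the policy key, or None."""
    if event is None or event["key"].lower() != POLICY_KEY.lower():
        return None
    if event["name"] not in UAC_VALUES or event["value"] != 0:
        return None
    writer = ntpath.basename(event["process"]).lower()
    if writer in EXPECTED_WRITERS:
        return None
    return f"{event['name']}=0 written by {writer}"


def uac_state(values: dict) -> dict:
    """Evaluate a snapshot of the three policy values (missing = Windows default)."""
    enable_lua = values.get("EnableLUA", 1)
    consent_admin = values.get("ConsentPromptBehaviorAdmin", 5)
    secure_desktop = values.get("PromptOnSecureDesktop", 1)
    state = {
        "uac_off_after_reboot": enable_lua == 0,
        "silent_admin_elevation": consent_admin == 0,
        "prompt_on_secure_desktop": secure_desktop == 1,
    }
    state["weakened"] = (
        state["uac_off_after_reboot"]
        or state["silent_admin_elevation"]
        or not state["prompt_on_secure_desktop"]
    )
    return state


def tally(lines) -> Counter:
    """Count weakening writes per (value, writer), like the report's table."""
    counts = Counter()
    for line in lines:
        finding = classify(parse_set_value(line))
        if finding:
            counts[finding] += 1
    return counts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe"
EXPLORER = r"C:\Users\Default User\explorer.exe"

# Constructed rows in the report's format.
SAMPLE_LINES = [
    f'Set value (int) {POLICY_KEY}\\EnableLUA = "0" {SAMPLE} N/A',
    f'Set value (int) {POLICY_KEY}\\ConsentPromptBehaviorAdmin = "0" {SAMPLE} N/A',
    f'Set value (int) {POLICY_KEY}\\PromptOnSecureDesktop = "0" {SAMPLE} N/A',
    f'Set value (int) {POLICY_KEY}\\EnableLUA = "0" {EXPLORER} N/A',
    f'Set value (int) {POLICY_KEY}\\EnableLUA = "0" {EXPLORER} N/A',
    f'Key value queried {POLICY_KEY}\\EnableLUA {EXPLORER} N/A',  # a read, not a write
    f'Set value (int) {POLICY_KEY}\\ConsentPromptBehaviorAdmin = "5" C:\\Windows\\System32\\svchost.exe N/A',  # benign
]

if __name__ == "__main__":
    for finding, n in tally(SAMPLE_LINES).items():
        print(f"{n:3d}  {finding}")
    print(uac_state({"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}))
```

The read rows ("Key value queried") are deliberately not findings: the sample and the dropped explorer.exe both read EnableLUA before writing it, and the write is the event worth alerting on.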

DCRat payload

rat
Description Indicator Process Target Events
N/A N/A N/A N/A 12

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target Events
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A 1
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\explorer.exe N/A 16
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\explorer.exe N/A 16

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Portable Devices\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\RCX39E7.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX40CD.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\dllhost.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Uninstall Information\RCX4C27.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\dllhost.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\Idle.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Uninstall Information\Idle.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\fr-FR\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\AppPatch\AppPatch64\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\winlogon.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Registration\CRMLog\RCX530D.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\ShellNew\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\AppPatch\AppPatch64\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\winlogon.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\Registration\CRMLog\System.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\Registration\CRMLog\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ShellNew\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\AppPatch\AppPatch64\RCX433E.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Registration\CRMLog\System.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\ShellNew\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\AppPatch\AppPatch64\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ShellNew\RCX3BEB.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\RCX4820.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
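Every drop site in the two tables above follows the same pattern: a well-known system binary name (csrss.exe, winlogon.exe, dllhost.exe, sppsvc.exe) written to a directory where that binary never lives, or a name that has no on-disk image at all (System.exe, Idle.exe, mirroring the kernel's System and System Idle pseudo-processes), staged through an RCX*.tmp file and accompanied by an extensionless 14-hex-character companion file. The following is an added example, not part of the sandbox report: a path check that flags these masquerades and groups them by drop site. The file list is constructed from the "File created" rows above plus the dropped explorer.exe's path from the process list; the CANONICAL table reflects stock Windows layout and is the assumption the check rests on.

```python
"""Flag file writes that plant system-binary names outside their canonical paths.

Added example, not part of the sandbox report. FILE_EVENTS are constructed from
the 'Drops file in Program Files / Windows directory' tables; the CANONICAL
table is an assumption about stock Windows layout.
"""
import ntpath
import re
from typing import Optional

# Lower-case directories where each well-known image legitimately lives.
CANONICAL = {
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# 'System' and 'System Idle Process' are kernel pseudo-processes with no image file;
# any System.exe or Idle.exe on disk is a lure name.
NO_IMAGE_ON_DISK = {"system.exe", "idle.exe"}

# Extensionless 14-hex companion files sat beside every dropped EXE in this run.
MARKER = re.compile(r"^[0-9a-f]{14}$")


def check_path(path: str) -> Optional[str]:
    """Return why this created file is suspicious, or None (e.g. RCX*.tmp staging files)."""
    directory, name = ntpath.split(path)
    directory, name = directory.lower(), name.lower()
    if name in NO_IMAGE_ON_DISK:
        return f"{name} has no legitimate on-disk image"
    if name in CANONICAL and directory not in CANONICAL[name]:
        return f"{name} outside its canonical directory ({directory})"
    if MARKER.match(name):
        return f"extensionless 14-hex marker file {name}"
    return None


def drop_sites(paths) -> dict:
    """Group flagged files by directory: each site in this run pairs an EXE with a marker."""
    sites = {}
    for p in paths:
        if check_path(p):
            d, n = ntpath.split(p)
            sites.setdefault(d.lower(), set()).add(n.lower())
    return sites


# Constructed from the report's 'File created' rows; the last three are controls.
FILE_EVENTS = [
    r"C:\Program Files (x86)\Windows Portable Devices\5940a34987c991",
    r"C:\Program Files (x86)\Windows Portable Devices\dllhost.exe",
    r"C:\Program Files\Uninstall Information\6ccacd8608530f",
    r"C:\Program Files\Uninstall Information\Idle.exe",
    r"C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe",
    r"C:\Program Files (x86)\Windows Defender\fr-FR\886983d96e3d3e",
    r"C:\Windows\ShellNew\sppsvc.exe",
    r"C:\Windows\ShellNew\0a1fd5f707cd16",
    r"C:\Windows\AppPatch\AppPatch64\sppsvc.exe",
    r"C:\Windows\AppPatch\AppPatch64\0a1fd5f707cd16",
    r"C:\Windows\Fonts\winlogon.exe",
    r"C:\Windows\Fonts\cc11b995f2a76d",
    r"C:\Windows\Registration\CRMLog\System.exe",
    r"C:\Windows\Registration\CRMLog\27d1bcfc3c54e0",
    r"C:\Users\Default User\explorer.exe",   # path of the dropped explorer.exe process in this run
    r"C:\Windows\Fonts\RCX4820.tmp",         # staging temp file, expected to be ignored
    r"C:\Windows\System32\csrss.exe",        # legitimate location, expected to be ignored
]

if __name__ == "__main__":
    for directory, names in drop_sites(FILE_EVENTS).items():
        print(directory)
        for n in sorted(names):
            print(f"    {n}: {check_path(ntpath.join(directory, n))}")
```

Grouping by directory is what turns eight scattered file events into eight persistence candidates, each of which the scheduled tasks created later in the run can point at.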

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target Events
N/A N/A C:\Windows\system32\schtasks.exe N/A 51

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A 5
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 12
N/A N/A C:\Users\Default User\explorer.exe N/A 16

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Events
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 12
Token: SeDebugPrivilege N/A C:\Users\Default User\explorer.exe N/A 16

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 1476 [3 events] N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2032 [3 events] N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2956 [3 events] N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1808 [3 events] N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2372 [3 events] N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2508 [3 events] N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1800 [3 events] N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 288 [3 events] N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1768 [3 events] N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2220 [3 events] N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2944 [3 events] N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2532 [3 events] N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2932 [3 events] N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2932 wrote to memory of 2072 [3 events] N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2932 wrote to memory of 2740 [3 events] N/A C:\Windows\System32\cmd.exe C:\Users\Default User\explorer.exe
PID 2740 wrote to memory of 1324 [3 events] N/A C:\Users\Default User\explorer.exe C:\Windows\System32\WScript.exe
PID 2740 wrote to memory of 2184 [3 events] N/A C:\Users\Default User\explorer.exe C:\Windows\System32\WScript.exe
PID 1324 wrote to memory of 1912 [3 events] N/A C:\Windows\System32\WScript.exe C:\Users\Default User\explorer.exe
PID 1912 wrote to memory of 1116 [3 events] N/A C:\Users\Default User\explorer.exe C:\Windows\System32\WScript.exe
PID 1912 wrote to memory of 2036 [3 events] N/A C:\Users\Default User\explorer.exe C:\Windows\System32\WScript.exe
PID 1116 wrote to memory of 900 [3 events] N/A C:\Windows\System32\WScript.exe C:\Users\Default User\explorer.exe
PID 900 wrote to memory of 2720 [1 event listed] N/A C:\Users\Default User\explorer.exe C:\Windows\System32\WScript.exe
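
The WriteProcessMemory rows double as a process-creation log: each child appears in three consecutive identical rows (the parent populating the new process before it starts; the last pair, 900 to 2720, appears once where the table ends), so the parent/child pairs can be deduplicated and chained into a tree. The script below is an added example written for this report, not sandbox output. It rebuilds the tree from a subset of the rows above (the other eleven powershell.exe children of PID 2916 are left out), points out that explorer.exe is running from C:\Users\Default User rather than C:\Windows, and lists the explorer.exe copies that WScript.exe relaunched. The SYSTEM_IMAGES and SYSTEM_DIRS sets are the example's own assumptions about where the genuine binaries live, not data from the report.

```python
import re
from collections import OrderedDict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above (a
# subset: the eleven other powershell.exe children of PID 2916 are left out).
# The first two children keep the three identical rows the sandbox records
# per CreateProcess so the deduplication step has work to do.
ROWS = r"""
PID 2916 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2916 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2916 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2932 wrote to memory of 2072 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2932 wrote to memory of 2740 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\explorer.exe
PID 2740 wrote to memory of 1324 N/A C:\Users\Default User\explorer.exe C:\Windows\System32\WScript.exe
PID 2740 wrote to memory of 2184 N/A C:\Users\Default User\explorer.exe C:\Windows\System32\WScript.exe
PID 1324 wrote to memory of 1912 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\explorer.exe
PID 1912 wrote to memory of 1116 N/A C:\Users\Default User\explorer.exe C:\Windows\System32\WScript.exe
PID 1912 wrote to memory of 2036 N/A C:\Users\Default User\explorer.exe C:\Windows\System32\WScript.exe
PID 1116 wrote to memory of 900 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\explorer.exe
PID 900 wrote to memory of 2720 N/A C:\Users\Default User\explorer.exe C:\Windows\System32\WScript.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$")

# Assumption of this example: file names the dropper reuses for its copies, and
# the only directories the genuine binaries are installed to.
SYSTEM_IMAGES = {"explorer.exe", "csrss.exe", "winlogon.exe", "smss.exe",
                 "dllhost.exe", "sppsvc.exe", "taskhost.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_rows(text):
    """Return (ppid, pid, parent_image, child_image) edges, first occurrence only."""
    edges = OrderedDict()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, pid, parent, child = m.groups()
            edges.setdefault((int(ppid), int(pid), parent, child), None)
    return list(edges)


def build_tree(edges):
    """Map every pid to its image and its children; roots are pids nobody spawned."""
    names, children = {}, {}
    for ppid, pid, parent, child in edges:
        names.setdefault(ppid, parent)
        names[pid] = child
        children.setdefault(ppid, []).append(pid)
        children.setdefault(pid, [])
    spawned = {pid for _, pid, _, _ in edges}
    roots = [pid for pid in names if pid not in spawned]
    return names, children, roots


def render(names, children, pid, depth=0):
    """Indented one-line-per-process view of the subtree under pid."""
    lines = ["  " * depth + f"{pid} {names[pid]}"]
    for child in children.get(pid, []):
        lines.extend(render(names, children, child, depth + 1))
    return lines


def masqueraded_images(names):
    """System-binary file names running from directories Windows does not use for them."""
    hits = set()
    for path in names.values():
        directory, _, base = path.lower().rpartition("\\")
        if base in SYSTEM_IMAGES and directory not in SYSTEM_DIRS:
            hits.add(path)
    return hits


def wscript_relaunches(edges):
    """PIDs of explorer.exe copies started by WScript.exe, i.e. the .vbs relaunch loop."""
    return [pid for _, pid, parent, child in edges
            if parent.lower().endswith("\\wscript.exe")
            and child.lower().endswith("\\explorer.exe")]


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    names, children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(names, children, root)))
    print("masqueraded images:", masqueraded_images(names))
    print("explorer.exe relaunched by WScript.exe:", wscript_relaunches(edges))
```

Run stand-alone it prints the chain sample.exe, then cmd.exe, then w32tm.exe and the dropped explorer.exe, then alternating WScript.exe and explorer.exe. The `w32tm /stripchart /computer:localhost /period:5 /samples:2` child seen under cmd.exe in the Processes list is the batch file's way of pausing for a few seconds before it starts the dropped copy; it has no time-synchronisation purpose, and a cmd.exe that spawns w32tm with /stripchart against localhost is worth a detection rule on its own.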

System policy modification

evasion
Description Indicator Process Target
Set value (int) [16 events] \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\explorer.exe N/A
Set value (int) [16 events] \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\explorer.exe N/A
Set value (int) [16 events] \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
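
Three values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System are zeroed, first by the sample and then again by every explorer.exe copy. Writing there already requires administrative rights, so this is not how the sample got elevated; its effect is that later elevations never show a prompt, and after the next reboot UAC is off altogether. The script below is an added example, not part of the sandbox output: it parses rows in the table's format, applies them to the documented Windows defaults and explains what the resulting state means. The defaults and the ConsentPromptBehaviorAdmin value table are taken from Microsoft's UAC policy documentation; the embedded rows are one per value per writing process, copied from the table above.

```python
import re

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Out-of-the-box values for an administrator account on Windows 7 and later.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# Meaning of ConsentPromptBehaviorAdmin, per the Windows UAC policy documentation.
CONSENT_ADMIN = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries",
}

# Rows copied from the "System policy modification" table above, one per value
# per writing process (the sandbox repeats the explorer.exe rows once for every
# explorer.exe instance it saw).
EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\explorer.exe N/A
"""

# key path, value name, integer value, writing process
ROW_RE = re.compile(r'^Set value \(int\) (\\REGISTRY\\MACHINE\\\S+)\\(\w+) = "(-?\d+)" (.+?\.exe) N/A$')


def parse_events(text):
    """Return (key, value_name, int_value, process) tuples for every well-formed row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            key, name, value, proc = m.groups()
            events.append((key, name, int(value), proc))
    return events


def final_state(events, start=DEFAULTS):
    """Replay the writes to the UAC key on top of the default policy."""
    state = dict(start)
    for key, name, value, _ in events:
        if key.lower() == UAC_KEY.lower() and name in state:
            state[name] = value
    return state


def assess(state):
    """Plain-language consequences of the resulting UAC settings."""
    findings = []
    if state["EnableLUA"] == 0:
        findings.append("EnableLUA=0: UAC is switched off at the next reboot (the value is read at "
                        "logon); every process of an administrator then runs with the full token.")
    if state["ConsentPromptBehaviorAdmin"] == 0:
        findings.append(f"ConsentPromptBehaviorAdmin=0: administrators "
                        f"{CONSENT_ADMIN[0]}; any elevation request succeeds silently.")
    if state["PromptOnSecureDesktop"] == 0:
        findings.append("PromptOnSecureDesktop=0: any prompt that still appears is drawn on the "
                        "interactive desktop, where other processes can read, spoof or answer it.")
    return findings


def writers(events):
    """Processes that performed the writes; all of them already held admin rights."""
    return {proc for _key, _name, _value, proc in events}


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for finding in assess(final_state(evs)):
        print(finding)
    print("written by:", sorted(writers(evs)))
```

The same three value names, each set to 0 under HKLM, are what a registry-monitoring rule (Sysmon Event ID 13 on this key, for instance) should alert on; a legitimate administrator lowering UAC does so through the Control Panel slider or Group Policy, not from an explorer.exe that lives in a user profile.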

Uses Task Scheduler COM API

persistence
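
The Processes list that follows is dominated by schtasks.exe /create calls and powershell Add-MpPreference calls. Each dropped copy gets three tasks: one named after the binary (sppsvc, csrss, explorer, dllhost, winlogon, Idle, taskhost, System, smss) that runs ONLOGON with /rl HIGHEST, and two named with the first letter appended (sppsvcs, csrssc, explorere, dllhostd, winlogonw, IdleI, taskhostt, SystemS, smsss) that re-run it every few minutes. Every copy borrows the name of a Windows system process but sits somewhere Windows never installs it: C:\Recovery\<GUID>, C:\Windows\ShellNew, C:\Program Files (x86)\Windows Defender\fr-FR, C:\Users\Default User, the MSOCache product folders, and so on. Before any of that, twelve powershell.exe children add C:\ and each of its top-level directories to Defender's exclusion list. The script below is an added example written for this report, not sandbox output: it tokenises command lines in the form recorded here, groups the tasks by target and flags the pattern, and pulls out the Defender exclusions. SYSTEM_IMAGES, SYSTEM_DIRS and the "at most two path components" threshold for a broad exclusion are the example's own choices.

```python
import re
from collections import defaultdict

# Command lines copied from the Processes list (a subset: three schtasks.exe
# triplets and three of the twelve Add-MpPreference calls).
COMMAND_LINES = [
    r"""schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /f""",
    r"""schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /f""",
    r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /f""",
    r"""schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f""",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'",
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
NO_VALUE = {"/create", "/f"}          # schtasks switches that take no argument
# Assumption of this example: names the dropper reuses, and where the real ones live.
SYSTEM_IMAGES = {"explorer.exe", "csrss.exe", "winlogon.exe", "smss.exe",
                 "dllhost.exe", "sppsvc.exe", "taskhost.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.IGNORECASE)


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def parse_schtasks(cmd):
    """Return the /create options of a schtasks.exe command line as a dict, else None."""
    toks = tokenize(cmd)
    if not toks or toks[0].lower() != "schtasks.exe" or "/create" not in [t.lower() for t in toks]:
        return None
    opts, i = {}, 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag.startswith("/") and flag not in NO_VALUE and i + 1 < len(toks):
            opts[flag[1:]] = toks[i + 1]
            i += 2
        else:
            i += 1
    opts["tr"] = opts.get("tr", "").strip("'")   # the dropper wraps the path in single quotes
    return opts


def is_masquerade(path):
    """True when a system process name runs from a directory Windows does not use for it."""
    directory, _, base = path.lower().rpartition("\\")
    return base in SYSTEM_IMAGES and directory not in SYSTEM_DIRS


def dcrat_task_sets(cmds):
    """Flag targets with a <name> ONLOGON/HIGHEST task plus <name><first letter> minute tasks."""
    by_target = defaultdict(list)
    for cmd in cmds:
        opts = parse_schtasks(cmd)
        if opts and opts["tr"]:
            by_target[opts["tr"]].append(opts)
    hits = []
    for target, tasks in by_target.items():
        stem = target.rpartition("\\")[2].rpartition(".")[0]
        names = {t.get("tn", "") for t in tasks}
        logon_high = any(t.get("sc", "").upper() == "ONLOGON" and t.get("rl", "").upper() == "HIGHEST"
                         for t in tasks)
        minute_triggers = sum(t.get("sc", "").upper() == "MINUTE" for t in tasks)
        if stem and names == {stem, stem + stem[0]} and logon_high and minute_triggers >= 2:
            hits.append({"target": target, "tasks": len(tasks), "masquerade": is_masquerade(target)})
    return hits


def defender_exclusions(cmds):
    """Paths excluded from Defender scanning via Add-MpPreference -ExclusionPath."""
    return [m.group(1) for m in map(EXCLUSION_RE.search, cmds) if m]


def broad_exclusions(paths):
    """Exclusions covering a whole volume or a top-level directory (two path components or fewer)."""
    return [p for p in paths if len([c for c in re.split(r"[\\/]", p) if c]) <= 2]


if __name__ == "__main__":
    for hit in dcrat_task_sets(COMMAND_LINES):
        print("persistence set:", hit)
    excl = defender_exclusions(COMMAND_LINES)
    print("Defender exclusions:", excl, "broad:", broad_exclusions(excl))
```

On a live host the same checks apply to `schtasks /query /v /fo CSV` output and to `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`: three tasks sharing one target outside the Windows directories, or any exclusion that covers a drive root, is reason to look at who created them.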

Processes

C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\AppPatch64\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\AppPatch64\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Fonts\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Music\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Music\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ysdVHTnJN0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a103a78f-e69e-4984-a98e-02fbdc3036ca.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbf32d81-2334-4beb-8790-6d40e34b86f1.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f48389c-5fe3-4edb-8897-1f3a2970d12c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f46bb77b-488d-47ed-853d-92024bc74635.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2c28514-d9f2-4328-bf7e-ccccb591eb51.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bea4c72-b1dd-4f2b-838b-0ef599d892cc.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\363e9cb1-9fa6-4511-896e-bffa6e147617.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9a3003c-2cf5-4c22-94d4-e1af823e26f2.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49b05093-abad-4a08-9315-6f4ba8024643.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c388c0e-ff71-4de1-8956-42a35fcf6e39.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a05d262-3d9e-4444-827e-2fd7e20c2a9e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0fb2d96-9d6e-4108-9606-48f561a1beb3.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66eb1788-9bf1-484a-9680-9b2cd437ade7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9653902-85a6-4ec7-a7fb-05181742a7ce.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5856f763-0706-4448-a9a9-7a507254ebdb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e044797a-682b-4f31-8703-0404eb87f85d.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddd21ad2-deb4-4f54-bc37-d8c5b4cdf663.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9579227-adf1-401e-a06c-b6a0db3b9a8f.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05c5ecdb-6242-4970-8ff2-216e3ce08404.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e71719c5-d0a5-453d-8d12-a7b08c39d2be.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc4ed6ce-a865-4918-9580-f21e3c8129b7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d58e40c2-ec4a-468b-9331-f58b49a88554.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af619b65-e94e-4518-8fd3-3b38b9aa7901.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\746f13de-eede-4584-84e2-6147e48d5ba7.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20f997a6-e691-449e-b4ab-f54325f1d1a5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53b0d352-4272-4049-911b-423f0bed4820.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efc3972d-4bc8-4538-a7d7-15111adfb2e6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f797ed-15b6-4c67-bca6-87a1c538e50b.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f2ec64b-07d9-40ac-b63d-a60925424799.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40b97223-d627-4df8-a0c2-9553b0654e44.vbs"

C:\Users\Default User\explorer.exe

"C:\Users\Default User\explorer.exe"

Network

Country Destination Domain Proto
RU 149.154.68.247:80 149.154.68.247 tcp (15 identical connections)

Files

C:\Program Files (x86)\Windows Portable Devices\dllhost.exe

MD5 a8afc525e8ae9a9c34f01e2efb7fdab0
SHA1 6e519caf5546a9c89e62ec00fc11d78ef2fbfb6d
SHA256 4123eccc2d223d14ab820f328e26e109a0a6fa4a58648122fbc0fa352d242836
SHA512 d0747c7bfba0dff9e8d3d98d4912653006b91ac5bb63493bef05116ba2282d1daeaad2c24958ddb96623172a12bdffa77be014e08537fedde295e90bffd37b4d

C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\RCX4A23.tmp

MD5 44436a33067d0a0f891727bc4fb08ae0
SHA1 ca94d039b7a3ad474b6a8d8557b89ea8671b553f
SHA256 e035aebba4b502bf1a002fcbffb99bcce4ce74f3b8b7bc794977fa36aff01e15
SHA512 7f07b35fee3e6594fe327ab1d944ef09f04c2833d8b3b4769e8eff91384dbb580b11eec9515f19a5de303ffda516e90dfe9774bb559fb29dbab2fdf4b018bbfc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 385c61ebb84899b6c237418d46361ec0
SHA1 032b60538924eaa68fdefcb0104a169349214813
SHA256 234b10b7f8359feef9540045b0adf98284c405326422de78387e7fe51ef3f55f
SHA512 6b430751f645c2bb0ab99d60f602b777a746758023671c50ca1681d70032cf40efa1ee73eb2493dccf4fa367a5b10f5ed3842b513d71dbfe149ea5a55f6db50c

C:\Users\Admin\AppData\Local\Temp\ysdVHTnJN0.bat

MD5 5e987f294a58b481115f6f419b4fdb0e
SHA1 39a56c7c58f94522aa62b371d2a7d16b28bf90cf
SHA256 d5bcd09252fd6a9ef309885bbff877f89102f2bcb47915f079dd1b7d13ba66e3
SHA512 bc42ff46d829fd32116322133ffc7e0ed6af3cff88522ed3e13e841343504ccad78ccb3d3a39616a6a138c164473e265632dadd13da68e804a525a23cc566e9b

C:\Users\Default User\explorer.exe

MD5 bb329817c94e26958235e548ecf4b299
SHA1 9f54532fd35427c7f6a3cc736fff38562d9ccdd1
SHA256 82cee8bf2fb5dc31e2cd5e0d2c1968b021de724f525c15f549e8cb397d30f7a5
SHA512 223df78f5240530a871be607e73b2d4a0f3f0320bb08d31b66229ef1002cae1d4405c5e0ff975ab0342fdb4dcf16c40a14fa0e2a3df4b2fa0fe8aa4253d5ecc3

C:\Users\Admin\AppData\Local\Temp\cbf32d81-2334-4beb-8790-6d40e34b86f1.vbs

MD5 1c2f36472004060d89caa407f30b543c
SHA1 c1cc08c35d5c362880ecfc2ea61f63af19e7128f
SHA256 cc493f9fcba742b167d62bb8797d061a3a7ff89cf307724ba1db4e619ee4bc85
SHA512 c63bfb9764edf8dcf5f0a0e01e574674f2fd262f58acc5e7f8bf756c4ac934e48eebcac19e1747fed5201833e2ab25cc86c4b454adfdb0618abf22428bd219f6

C:\Users\Admin\AppData\Local\Temp\a103a78f-e69e-4984-a98e-02fbdc3036ca.vbs

MD5 8211a40ed2336dd1fd9dfbbc27992da8
SHA1 92512caa7fd00f14ea86bb69d41701d64f71b685
SHA256 85d5519b16cf93d5af2a8001bc8d0ff5024e46bcb1a181a99b184718e535c267
SHA512 c45ced917a1a4a1b83793fe1331ada83dae344c715d7ffa1039cc7b57876fed54bb0abdbd669137ce5d68a3ca0b37d5d4f7ec3c017acc180fbcb32b6bfa79590

C:\Users\Admin\AppData\Local\Temp\2f48389c-5fe3-4edb-8897-1f3a2970d12c.vbs

MD5 03c0266b5bff2bef60df923994cd9649
SHA1 bc644b9ad5a63b8c6ae193fb0775e8b856cbfadb
SHA256 e0230ad0251c667d8c7af42f20ebc15b5aaf3a4cbd6bd9add614c1e0d587de27
SHA512 b8ae7d6964b5b8deb10b4c670fd3cbbb6d4df2d00d9a76f6065667e551e17e79ea290b5a47a30bdad5d83d08c679cb157297fc82f3327bd828550947597ee72b

C:\Users\Admin\AppData\Local\Temp\c2c28514-d9f2-4328-bf7e-ccccb591eb51.vbs

MD5 41ac08dfea8ccfa548aff02b7c894b71
SHA1 b38cc1b2a0aa8d84817033a39fdb4d0eb0ae2789
SHA256 9eb845b876a14978d6054a77f85b3a9f2baf70ab48cce9b64dabf0917d1d8371
SHA512 38916801d169cd21401cf4f00bd5a308ebbee3f347b6665255dd97ae8bfb9b144cfbbaa38c990ec519aae50c9a9bdb3bc8f35503d1bf6366549ee33e842ba7d9

C:\Users\Admin\AppData\Local\Temp\363e9cb1-9fa6-4511-896e-bffa6e147617.vbs

MD5 77b4f91f849a13506d2863959d7d5271
SHA1 9b8eaafd9981d0dd84c4f220c1f6271d72628d3c
SHA256 e5b8b1617b5b8ba2ffd82bf4a268f53032999b1ce0482b7a21fb1a8f42df1f3b
SHA512 2866ff9551b9163e9ade90f23830cf1cb1b7daa12c953678e5340bd47047f1ed916a48420d52f93d68c7fa1fb6fbe065942b53c6cbf6944514fbadc588c6a785

C:\Users\Admin\AppData\Local\Temp\49b05093-abad-4a08-9315-6f4ba8024643.vbs

MD5 dde2c2cd95c9fbf964f53391cce772cd
SHA1 1e6db9c34910485cf4ba7d993e517f581c3e28a0
SHA256 9dbc6df11da61e79b3ea24f279ba2127da950431dcd677558d3b13cb7e27e34b
SHA512 6b2f93fa8e507096923ee99eaf0fe925343dd615b07c649070af68fbc755ad14a2eb027a585e8104ef3df2e789eea8f3c740eeb8393c0e7c5fe5381caf0bdc95

C:\Users\Admin\AppData\Local\Temp\7a05d262-3d9e-4444-827e-2fd7e20c2a9e.vbs

MD5 b2a9f21ab75442a9c49709d943909f53
SHA1 61cf811310f01e21f7b9e1696f300469edfca865
SHA256 c071864763d744838488100cc2b7345d0db41b2c926bd197c46162ee6d6ff1c8
SHA512 c2a55d7c4a53fd0053141b9c23ca7fbea8ea79f435c703bc826990a9f339e7a3690ef696371afd8e43ef3d3624a7a78f6f389c2abb4c236c367db90730c44a17

C:\Users\Admin\AppData\Local\Temp\66eb1788-9bf1-484a-9680-9b2cd437ade7.vbs

MD5 436abedf4c75b2b7d1469d6e32a080e6
SHA1 cb9c2ff4e88d6bd0e85b05d525ec443a21a5eaf6
SHA256 bf248970d9fe707a26c11e4608412c453f84eda7f7ec37dc51e0c709ea794ba0
SHA512 6a078f8e73949c3a14ac6e87d6064a785e55ab5232724b229459bbaabaf8a1d7b1c5a044e36069c83d633302af4c96ec7da473894911a8dfb9ce2a11e64295c7

C:\Users\Admin\AppData\Local\Temp\5856f763-0706-4448-a9a9-7a507254ebdb.vbs

MD5 c8a3ff7e6889fa4be2cb61fb8c2b3e3c
SHA1 db27fa765eb7396a9bc495d1030cb0de26adaf10
SHA256 6510fe533cac0b04513d7ec46fde8b01ceb004b011935100837f0e54cfb71e6e
SHA512 18345ec505d8fde99771efb90b3468e6b9e71ebd123515adbacda9f1a60f83126577e7312f17560f6c835eb4ddf7c95a01f1b5e6be514cc3f928e957ca2ea672

C:\Users\Admin\AppData\Local\Temp\ddd21ad2-deb4-4f54-bc37-d8c5b4cdf663.vbs

MD5 360e4511635271df794301ad9e892aef
SHA1 6f7ef3c50758d764420087f36fa5db88f9983419
SHA256 39124004cc318cdded86a0fec0a825839068787fbb84f3dfb0addaff845a6566
SHA512 2ee7ba3f322c8400127959d3362d91c9f73c02071e731cf826bdc2c1cca3b18ae86bb5a99b828512c774c388724048d5c98a75b237aa6e5b4b30874c05d75d8a

C:\Users\Admin\AppData\Local\Temp\05c5ecdb-6242-4970-8ff2-216e3ce08404.vbs

MD5 8b6760853264e9b1289ba72b5ac5d262
SHA1 3d7369a19ead3c2a6571853cc412cde1cdfd6ad9
SHA256 b33e5243c0cf17697d0d0ad3b9e2213dd6f6360f1ddf05129d55d80bec026f90
SHA512 1a6fc54f7f2d52a6e1a92a7626f8335965c6a756f26d0bda5e84a105a6a237004f60c4a35c170c87bc86fc206c76aad33cafc129246b11af91251b1b541ba5f7

C:\Users\Admin\AppData\Local\Temp\cc4ed6ce-a865-4918-9580-f21e3c8129b7.vbs

MD5 25821d49b304d69d0b8265d0ae9aa653
SHA1 1771439b248eb23918800b42ec1df6fd09560cec
SHA256 8bca05d98783e7f69de335c2cd445feac3b236549df025f7a29574a6d7cdc0c8
SHA512 b335f1cf089c5916c00c9cf6a41291a635686f22b20068c0e2a1d70431d267dec8025af1567a3c166612ac12fd1f0896cdbc89a2c11fc1dd6764386689f440d8

C:\Users\Admin\AppData\Local\Temp\af619b65-e94e-4518-8fd3-3b38b9aa7901.vbs

MD5 833204edc74a46c1b3c31f0162f1bea9
SHA1 5d74bb81526a30a74808c2ae4a61244126f23be0
SHA256 f619801be262b907e1a2ccf8ce86536599409c13b08fa5d6b8f7d2b7c0ea1c40
SHA512 6e52ca5114e68f4417f3249d147a76672118ef8b6ed494234737ee0e2a2d3d0b5a3626c99ed4f73a3dc3346db78e95a09821ece29ca62f775d17e3dd83f21226

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 05:49

Reported

2024-05-16 05:51

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (48 identical entries)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A (14 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A (14 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A (14 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (6 identical entries)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Program Files\dotnet\swidtag\System.exe N/A (14 identical entries)
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\dotnet\swidtag\System.exe N/A (14 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A (14 identical entries)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Portable Devices\upfc.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files\dotnet\swidtag\System.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\upfc.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\sysmon.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office\sysmon.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Mail\sihost.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files\dotnet\swidtag\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\RCX5C5B.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\dotnet\swidtag\System.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RCX760A.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\dllhost.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\sihost.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\dotnet\swidtag\RCX6F6F.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\RCX6D6B.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Mail\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\dllhost.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\RCX780F.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RCX5A57.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX64AC.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\e89e8506bc9c9a C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\DiagTrack\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ModemLogs\RCX7405.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\twain_32\csrss.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\twain_32\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\DiagTrack\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\DiagTrack\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\twain_32\RCX6298.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\DiagTrack\RCX6AE9.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ModemLogs\smss.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\ModemLogs\smss.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\ModemLogs\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\twain_32\csrss.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
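
The two "Drops file" tables above show the same pattern over and over: a copy of the sample written under the name of a Windows system binary (csrss.exe, smss.exe, spoolsv.exe, sihost.exe, dllhost.exe, upfc.exe, backgroundTaskHost.exe) into a directory where that binary never lives (twain_32, ModemLogs, DiagTrack, Windows Mail, MSBuild), a System.exe that has no legitimate on-disk counterpart at all, and an extensionless 14-hex-character companion file next to each copy. The following Python is an added example, not part of the sandbox report: it parses rows in the report's row format, keeps only "File created" entries, and flags the masquerades and the companion markers. The sample rows are constructed from the paths listed above; the set of system binary names and the marker pattern are assumptions chosen for illustration, not something the report states.

```python
"""Triage the "Drops file in ..." tables of a sandbox report for masquerading binaries."""
import re
from pathlib import PureWindowsPath

# Constructed sample: rows copied in the shape of the report's file-drop tables
# (Description, Indicator, Process, Target). Paths are the ones the report lists.
SAMPLE_ROWS = r"""
File created C:\Program Files (x86)\Windows Portable Devices\upfc.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files\dotnet\swidtag\System.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\RCX5C5B.tmp C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\twain_32\csrss.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\twain_32\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\ModemLogs\smss.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Windows\DiagTrack\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Mail\sihost.exe C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
"""

# Description, dropped path, writing process, then the literal "N/A" target column.
ROW_RE = re.compile(r"^(File created|File opened for modification) (C:\\.+?) (C:\\.+?) N/A$")

# Assumption for this example: binaries that legitimately live only under the Windows
# directory. A copy anywhere else is a masquerade (ATT&CK T1036.005). Not exhaustive.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "spoolsv.exe", "sihost.exe", "dllhost.exe",
                   "backgroundtaskhost.exe", "upfc.exe", "wininit.exe", "lsass.exe", "svchost.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Extensionless 14-hex-character companion file dropped beside each copy in this report.
MARKER_RE = re.compile(r"^[0-9a-f]{14}$")


def parse_rows(text):
    """Yield (action, dropped_path, writer_process) for every well-formed table row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def analyse(text):
    """Classify every 'File created' path as masquerade, companion marker, or other."""
    created = sorted({path for action, path, _ in parse_rows(text) if action == "File created"})
    masquerades, markers = [], []
    for path in created:
        p = PureWindowsPath(path)
        name, parent = p.name.lower(), str(p.parent).lower()
        if name == "system.exe":
            masquerades.append((path, "no on-disk System.exe exists; mimics the kernel System process"))
        elif name in SYSTEM_BINARIES and parent not in LEGIT_DIRS:
            masquerades.append((path, f"{p.name} belongs in System32, not {p.parent}"))
        elif MARKER_RE.match(name):
            markers.append(path)
    return {"created": created, "masquerades": masquerades, "markers": markers}


if __name__ == "__main__":
    result = analyse(SAMPLE_ROWS)
    for path, why in result["masquerades"]:
        print(f"MASQUERADE {path}: {why}")
    for path in result["markers"]:
        print(f"MARKER     {path}")
```

Feeding the full tables through `analyse` gives a hunting list: each masquerade path is a file that should not exist on a clean host, and each marker is a cheap secondary indicator that survives if the executable copy is later renamed. Only "File created" rows are classified; the RCX*.tmp entries appear only as "File opened for modification" and are deliberately left out.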

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Program Files\dotnet\swidtag\System.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A
N/A N/A C:\Program Files\dotnet\swidtag\System.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\dotnet\swidtag\System.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1420 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 1420 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2720 wrote to memory of 3044 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2720 wrote to memory of 3044 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2720 wrote to memory of 5296 N/A C:\Windows\System32\cmd.exe C:\Program Files\dotnet\swidtag\System.exe
PID 2720 wrote to memory of 5296 N/A C:\Windows\System32\cmd.exe C:\Program Files\dotnet\swidtag\System.exe
PID 5296 wrote to memory of 5500 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 5296 wrote to memory of 5500 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 5296 wrote to memory of 5544 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 5296 wrote to memory of 5544 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 5500 wrote to memory of 5712 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
PID 5500 wrote to memory of 5712 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
PID 5712 wrote to memory of 5880 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 5712 wrote to memory of 5880 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 5712 wrote to memory of 5928 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 5712 wrote to memory of 5928 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 5880 wrote to memory of 6076 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
PID 5880 wrote to memory of 6076 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
PID 6076 wrote to memory of 3540 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 6076 wrote to memory of 3540 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 6076 wrote to memory of 4864 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 6076 wrote to memory of 4864 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 3540 wrote to memory of 2796 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
PID 3540 wrote to memory of 2796 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
PID 2796 wrote to memory of 4436 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 4436 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 3736 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 3736 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 4436 wrote to memory of 2912 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
PID 4436 wrote to memory of 2912 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
PID 2912 wrote to memory of 4644 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 2912 wrote to memory of 4644 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 2912 wrote to memory of 4980 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 2912 wrote to memory of 4980 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 4644 wrote to memory of 936 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
PID 4644 wrote to memory of 936 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
PID 936 wrote to memory of 4732 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 936 wrote to memory of 4732 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 936 wrote to memory of 1408 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 936 wrote to memory of 1408 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 4732 wrote to memory of 5312 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
PID 4732 wrote to memory of 5312 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
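
Read as a tree rather than a flat list, the WriteProcessMemory rows above describe one lineage: the original sample (PID 1420) spawns a series of powershell.exe instances and one cmd.exe; cmd.exe runs w32tm.exe and then the dropped System.exe; from there System.exe and WScript.exe alternate, each System.exe launching two WScript.exe children, one of which launches the next System.exe. Every pair is logged twice. The Python below is an added example, not part of the report: it parses rows of this shape, de-duplicates them, rebuilds the parent/child tree and extracts the deepest chain, which is the relaunch loop. The sample rows are a constructed subset of the table above; nothing about the scripts run by WScript.exe is assumed, since the report does not show them.

```python
"""Rebuild the process tree from a report's "Suspicious use of WriteProcessMemory" rows."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the report's row format; the duplicated first row mirrors the
# report, which logs every parent/child pair twice.
SAMPLE_ROWS = r"""
PID 1420 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2720 wrote to memory of 3044 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2720 wrote to memory of 5296 N/A C:\Windows\System32\cmd.exe C:\Program Files\dotnet\swidtag\System.exe
PID 5296 wrote to memory of 5500 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 5296 wrote to memory of 5544 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 5500 wrote to memory of 5712 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
PID 5712 wrote to memory of 5880 N/A C:\Program Files\dotnet\swidtag\System.exe C:\Windows\System32\WScript.exe
PID 5880 wrote to memory of 6076 N/A C:\Windows\System32\WScript.exe C:\Program Files\dotnet\swidtag\System.exe
"""

# parent pid, child pid, the "N/A" indicator column, parent image, child image
EDGE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")


def parse_edges(text):
    """Return a de-duplicated set of (parent_pid, child_pid) and a pid -> image map."""
    edges, images = set(), {}
    for line in text.splitlines():
        m = EDGE_RE.match(line.strip())
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        edges.add((parent, child))
        images.setdefault(parent, m.group(3))
        images.setdefault(child, m.group(4))
    return edges, images


def build_tree(edges):
    """Adjacency list plus the root pids (parents that never appear as a child)."""
    children = defaultdict(list)
    for parent, child in sorted(edges):
        children[parent].append(child)
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})
    return children, roots


def basename(image):
    return PureWindowsPath(image).name


def render(children, images, roots):
    """Indented text tree, one line per process."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(images[pid])}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def longest_chain(children, images, root):
    """Deepest parent->child path; in this report it is the WScript.exe/System.exe relaunch loop."""
    best = [root]

    def walk(pid, path):
        nonlocal best
        if len(path) > len(best):
            best = path
        for child in children.get(pid, []):
            walk(child, path + [child])

    walk(root, [root])
    return [(pid, basename(images[pid])) for pid in best]


if __name__ == "__main__":
    edges, images = parse_edges(SAMPLE_ROWS)
    children, roots = build_tree(edges)
    print("\n".join(render(children, images, roots)))
    chain = longest_chain(children, images, roots[0])
    print("relaunch chain:", " -> ".join(f"{pid}:{name}" for pid, name in chain))
```

The chain length is the useful number for detection: a WScript.exe whose parent and child are the same non-Microsoft image, repeated several levels deep, is not something a legitimate installer produces, and the tree makes clear that the powershell.exe and w32tm.exe children are side branches of the sample rather than part of the loop.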

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\dotnet\swidtag\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\dotnet\swidtag\System.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalyticsa" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalyticsa" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Videos\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Videos\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Links\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\DiagTrack\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\swidtag\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\swidtag\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Documents\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\sysmon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U3xVM6PQLh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81f75e1a-5ede-4883-a03a-b7e16ecacfdd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e445b310-c7c2-414c-9d15-e45d689b04be.vbs"

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac04cd05-46ac-40b8-a34e-18cdf1e6605a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e17fdfc-9d3a-4b13-976d-4d88cfdfdc63.vbs"

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6368dd9-c571-488c-8bb1-422af6182adb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d568da6-b483-406a-b3f8-43a5f035db11.vbs"

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8faeba6-9ae1-41ed-a528-84dda39cccc8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9882725b-11cd-40c9-9f7b-7463a6ad7fac.vbs"

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d20f3306-4e35-46f6-b7e9-c82194a1a269.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\697d4c62-43ea-4b32-b7c3-583a20277f8f.vbs"

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe2e06b6-6c37-42de-8658-130013668675.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02b691a4-14fe-4da3-b397-1f44c822e938.vbs"

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\719e169f-903c-4569-a74a-fa94cc4178a2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2f62c84-6bee-43aa-afbd-b7458af06888.vbs"

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a01b7f7f-817b-43a8-82ba-ade5a662e2b0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea8fd2d6-68c8-4dfa-85a9-3d8c48513509.vbs"

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7960f7f-439a-44aa-a2f7-27b560e4b9ac.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bf8ac19-b53f-413f-94c3-0b06d396ed10.vbs"

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77f2a231-b325-4c4b-afba-1b61ebb5c891.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3651f02-5395-474d-b367-ee32436e5be6.vbs"

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db4ef1d8-91d7-4060-93d4-c943c3ee3da7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb9bcd02-e3f7-48bb-a851-d15130deb456.vbs"

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a67a3a51-6220-48b6-8ac9-fc67a4cd4b40.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83bb50e7-6ec4-4593-9944-e7a711ebc540.vbs"

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ee3762b-8af4-4bbe-afbb-769b535487eb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e42af9e-4a9e-4b3f-87f9-1ed082f1c2be.vbs"

C:\Program Files\dotnet\swidtag\System.exe

"C:\Program Files\dotnet\swidtag\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f7afeb9-4690-44b9-84fb-30d576701e7a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75a50156-2663-4b4b-bf25-7f45c26ab261.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 247.68.154.149.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
NL 23.62.61.155:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

memory/1420-0-0x00007FFB7BAB3000-0x00007FFB7BAB5000-memory.dmp

memory/1420-1-0x0000000000290000-0x0000000000576000-memory.dmp

memory/1420-2-0x00007FFB7BAB0000-0x00007FFB7C571000-memory.dmp

memory/1420-4-0x000000001B870000-0x000000001B8C0000-memory.dmp

memory/1420-6-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

memory/1420-8-0x000000001B1D0000-0x000000001B1D8000-memory.dmp

memory/1420-10-0x000000001B1F0000-0x000000001B200000-memory.dmp

memory/1420-9-0x000000001B1E0000-0x000000001B1E8000-memory.dmp

memory/1420-7-0x0000000000F30000-0x0000000000F46000-memory.dmp

memory/1420-5-0x0000000000C40000-0x0000000000C48000-memory.dmp

memory/1420-3-0x0000000000F10000-0x0000000000F2C000-memory.dmp

memory/1420-11-0x000000001B200000-0x000000001B20A000-memory.dmp

memory/1420-12-0x000000001B8C0000-0x000000001B916000-memory.dmp

memory/1420-13-0x000000001B210000-0x000000001B21C000-memory.dmp

memory/1420-14-0x000000001B230000-0x000000001B238000-memory.dmp

memory/1420-15-0x000000001B240000-0x000000001B24C000-memory.dmp

memory/1420-16-0x000000001B250000-0x000000001B262000-memory.dmp

memory/1420-18-0x000000001B930000-0x000000001B938000-memory.dmp

memory/1420-23-0x000000001B980000-0x000000001B98E000-memory.dmp

memory/1420-22-0x000000001B970000-0x000000001B978000-memory.dmp

memory/1420-21-0x000000001B960000-0x000000001B96E000-memory.dmp

memory/1420-24-0x000000001B990000-0x000000001B99C000-memory.dmp

memory/1420-26-0x000000001B9B0000-0x000000001B9BA000-memory.dmp

memory/1420-25-0x000000001B9A0000-0x000000001B9A8000-memory.dmp

memory/1420-20-0x000000001B950000-0x000000001B95A000-memory.dmp

memory/1420-19-0x000000001B940000-0x000000001B948000-memory.dmp

memory/1420-17-0x000000001BE60000-0x000000001C388000-memory.dmp

memory/1420-27-0x000000001B9C0000-0x000000001B9CC000-memory.dmp

C:\Users\Public\Videos\backgroundTaskHost.exe

MD5 a8afc525e8ae9a9c34f01e2efb7fdab0
SHA1 6e519caf5546a9c89e62ec00fc11d78ef2fbfb6d
SHA256 4123eccc2d223d14ab820f328e26e109a0a6fa4a58648122fbc0fa352d242836
SHA512 d0747c7bfba0dff9e8d3d98d4912653006b91ac5bb63493bef05116ba2282d1daeaad2c24958ddb96623172a12bdffa77be014e08537fedde295e90bffd37b4d

C:\Users\Default\Links\RCX66C1.tmp

MD5 4744187154f1bf883aeda07c68503d56
SHA1 a9c48238455eddaf8df79ae13c03493d9b03ec00
SHA256 c3c37738590e567bbffda3930e540ac020e85f13357df65716d5c3cbfd21e371
SHA512 d6f63c83285c72cb3f6c4b8dbfe5a04e9d2ceedc0bd051b830f3180fa1592fade83c18f9f29524fbd2c93eec86d84ee9f1fff11624e0503696d321a5a06158c2

C:\Windows\DiagTrack\spoolsv.exe

MD5 43374f10cb920500e15ff29ce26531bd
SHA1 928af16db8da595319f5f182c48be4e568d2d356
SHA256 e142849ab90316f280db6dbba3ede5f30571aa752939b44b5d41b3926fffe33a
SHA512 75bc3ff6975e530a5df66d991a8684107af246d00345acd14099fdaf97923c3e3567b7ff16787ecabf278f3a46385f175bc5b7695a26908ab88137120e2fd8c9

C:\Program Files\dotnet\swidtag\System.exe

MD5 3ed22f1f48857191340f0c760ceed1cc
SHA1 ef8253c7eab15ad662686b8ce5634b7973a7bc75
SHA256 c2ab608be2caf318294a24c45d434a5acd18a9fcc01d8602c171d2b0c54c8ab7
SHA512 34c63b51d0b5e9b6f5b490b4f303c1da3ee7c860a1d8ea16e67053530b0a98be1646300e6de78c65fd10901a2bf314e07b8d179fb67642d026c61144d0311ce4

memory/1420-178-0x00007FFB7BAB0000-0x00007FFB7C571000-memory.dmp

memory/2568-179-0x0000025972630000-0x0000025972652000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0bckveki.anc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\U3xVM6PQLh.bat

MD5 72014a208bb9ec64d95becb5d17987ce
SHA1 86a499b20e4a29c1bd66037a4694d58fb9d898e4
SHA256 b25638cd8a9402cd01cedd5173d631f031be3cc475b83190a0416da5369cfb6b
SHA512 90aee720455b9442a5326724292adf5d5cb73ff5042f5243b5cdc387fc0d893704e76b9d8c94178311e080691e1d5f556a58a69a585cac3f5305e2b9a7a32810

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3235c0b45a0ee14bd4e5213339b30705
SHA1 49ebee3177d8bf7d2b1ce8df3f28f3cc576364aa
SHA256 e407d81c185f5505e1f76e43cfe12076caf7fc7ffb35fd8df087c12c35125b9f
SHA512 2e3e467a766e7f05c81f661472bf8ce944f915cf829f70b4f988b65fc55165580fe37bb8683851e28b939313707c995849fefb1f402d57998412de96cfe0cd54

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

memory/5296-304-0x0000000000450000-0x0000000000736000-memory.dmp

memory/5296-305-0x000000001B4B0000-0x000000001B4C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\81f75e1a-5ede-4883-a03a-b7e16ecacfdd.vbs

MD5 959eaf14d146841f9b813bc3e0bfac45
SHA1 e41b1208a4ffacfe2acee7dd877d6fc96898f01c
SHA256 e4458cf4c8acf988ff8d2f07ffe8da3d37ee51ea13cb29524f79b138daa06b46
SHA512 0f0aa0eb00de2bf3dafd5e943dcce0eb85a82b1df37576b0ea9dc253c45f428b2cfde270796920f0acd656080803539f3b81171d556f107420e263a38d93422b

C:\Users\Admin\AppData\Local\Temp\e445b310-c7c2-414c-9d15-e45d689b04be.vbs

MD5 834c014c4755534762bde05d0ad5499a
SHA1 29eb404a4c2811667de93fbdc603ba26d9674db9
SHA256 b71765f62aece19d35777b6becf95b9e7dd7cfbdf06ee3520e465e4ae6d60ff7
SHA512 c62a7fd854e9e7bd45699aacdbe043792e9ae163361fafd93ac00aa097c5e3a8b4eb8515b41d03f271193ff3e3dfb636932883662ed8efa237d525ea9ba2de10

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\ac04cd05-46ac-40b8-a34e-18cdf1e6605a.vbs

MD5 d34f801b2a9fa3d5733c1d4aec3e3c30
SHA1 6c829dee2eb3f1eb220cad1e4d2aa9a406b92752
SHA256 8176851426fc9cf2a9eb3c91cab6b05d8b66e08c9ed4fc978bf03d4b76e031c0
SHA512 edc2427fbf1765ccdeec051c3a249c699ed7a100ef8176f819f1bb7e0e0160c7a4123bd4dcaa10ff807956d36f5ac6d414b238a2379a4b219386edc2412f4bb0

C:\Users\Admin\AppData\Local\Temp\d6368dd9-c571-488c-8bb1-422af6182adb.vbs

MD5 14409cdbb57eb036e434e0367ccb5e63
SHA1 4f6dba244df002e172f362e3d761308b06d07e18
SHA256 6670599d757e45b001c29430d2289b0cc71fead30177f274e8853371e0a2ac38
SHA512 cae6a3b02dd4019fcaaea8178139ab0b3905fae864879962e6d8509788b36afe545012f88785bf0dc86be6ff01bedd3392b66ff8e57f5eb5de617351dcb3439b

memory/2796-340-0x000000001BDE0000-0x000000001BE36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c8faeba6-9ae1-41ed-a528-84dda39cccc8.vbs

MD5 f69936edfbf3f6bf2908cd48ede83b78
SHA1 14dee1d2007b0853092de9f5d2e965856832a421
SHA256 14b2b0e382605cfdff5ae1add199927cf50896d6eb005d4511f13487c1bef527
SHA512 e34e11d00f4b6c944e4e3870594980ed899a3c39779edb4ba8f917f91b9d66443f41c3a32d6c8aea0af3b797631cb35f18c0c0865f30051937e411521ae634d6

C:\Users\Admin\AppData\Local\Temp\d20f3306-4e35-46f6-b7e9-c82194a1a269.vbs

MD5 4ec82340f322861c6dbc0d7b364f96c0
SHA1 acd8bd9323a71531c2164d9ecf519f549c7637d7
SHA256 e71ac10770bc65e9f5b2022a8fd8e2bb7a847e7cb6330a516adff733cd3f11bb
SHA512 c668680fc8931c753639a3579cae6a299136fa57bb2b06364fdf10435b7bcc17283137ce8cf411d46b75093e4222dce46fb7d6783d202800fd89f3af9418ffdb

C:\Users\Admin\AppData\Local\Temp\fe2e06b6-6c37-42de-8658-130013668675.vbs

MD5 87b10fbd2a282bedfe207dc93260db7c
SHA1 049df64cf2c17efec21dfd3f39d8fa519981e2ac
SHA256 068eca96d96d8c777e934344100361861e36d129ec1c7e47c1093e6b05715da5
SHA512 4357d672b1b83c6c6195962a90b83ef436e532419fdc6c95ad1bc08cda5454e08ce278a99cc2186de2e59c504c6aabeb22566b140893ee073562ca27a8774a52

memory/5312-374-0x000000001B310000-0x000000001B322000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\719e169f-903c-4569-a74a-fa94cc4178a2.vbs

MD5 bf239895c8c73d7365297742ffb74cb4
SHA1 7c970f4aa11401716a4a6cf5b219229256c3426d
SHA256 fa382062c752222cf5c81f5ee9be606c4110f617727e9f7b9e408db30d4e6954
SHA512 93fde9013772169e3855d5506bc89def4901b77e786fe138c87f656c195497809d92b4e991b40636efd1b234bd076868edd5a6b532d2ab0f9e6854a878ff6cfa

memory/5564-386-0x000000001BCF0000-0x000000001BD02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a01b7f7f-817b-43a8-82ba-ade5a662e2b0.vbs

MD5 a96c81ca98475098243479df76191d38
SHA1 0d55f4b45f08b13119fc8f9b017ddeb6361ff074
SHA256 7212089a3ea5ac7891d6622cc826711f06adb7b67fa9f92f72cb2d241433edca
SHA512 8c65b9ab90bb5083522aef89b467915c9bbc0a2e3f3d6ddbfc2fcf14d53db963cb520fe208914d28d1f8300bc848ace93854cd6c849b1d414f5fe043f94bdea5

C:\Users\Admin\AppData\Local\Temp\f7960f7f-439a-44aa-a2f7-27b560e4b9ac.vbs

MD5 51a44cddc79288e802d506e2ab6ddd79
SHA1 a17324ea606c5970e6a604a51cca1ab51f8360ad
SHA256 0fc93dd409a54ff28af45cdc62c83a83d044277acce7cafe031d7ce99372ab87
SHA512 7d5970500c8573888d0b01a58ae077ae8e5ed911ad15777ca50a9c58bf619b17a353658d4d77f88d6b882e1a56b48cd343c1a10fe6091b359711fdb651c91e78

C:\Users\Admin\AppData\Local\Temp\77f2a231-b325-4c4b-afba-1b61ebb5c891.vbs

MD5 1bc6524f234f3066c34eaed964217786
SHA1 f8e7a00227a36dd151f557cda9b58297a4e9f4c1
SHA256 d1863e8545f91c6524184fb642e14a266963f0f1345fe4a9f19b04ba1a0603c9
SHA512 03ebc955e54cfb6d2329e74781bb04eaa8f5167bef8a3cf4b60ad73e5fe26f3374cf6e2bf95dca94dbcafe3bddb65a42822d61883555ea53b6bd01c8f417e81c

memory/2056-420-0x000000001B990000-0x000000001B9A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db4ef1d8-91d7-4060-93d4-c943c3ee3da7.vbs

MD5 3a2ed28dfc17fb1ac1a54f3a87b0e69a
SHA1 b7f775662fd8773c9ac87d5839114fbcb9b82092
SHA256 92b87f9c77e01955f0762cf0dc3d5817c38bc1e73f28b4fe74f0f7fbe9c35b42
SHA512 82ef09833ca4aa6100049e39e54177224c0baeae462a45d3eef745109383baec773176bc496b0e31373dff00e3330f14ab4270e487f96212c5eaebd384bab915

C:\Users\Admin\AppData\Local\Temp\a67a3a51-6220-48b6-8ac9-fc67a4cd4b40.vbs

MD5 db19227aac8ed34a2746e4062b4e4ee4
SHA1 6864e81308c2be1d095e0d8453439782463c4035
SHA256 2fde7b070cde433da934d8fc290d48738f5a8462d2c21ef25cd0b65ee583d40e
SHA512 bdf79033a113ceae20e41c6b868415c9cb37d9aa292a66994168972d7695f30763c7439b874f0b5d255ce99522f3063fe246e5f22ac4ea40d50e420f57ed1700

C:\Users\Admin\AppData\Local\Temp\7ee3762b-8af4-4bbe-afbb-769b535487eb.vbs

MD5 3feac04591e6a6557eb7eb98ecd4402d
SHA1 17b82499a5cd59b3f375a25e3ee5a82bcb3fc758
SHA256 3ab02661d08307532cf73b30faa6b2a4a5dd40c560b7421b9e411fbc2fe2276e
SHA512 4dba88a5bcc9fdcdc14f2255a0389257dedc4a428080bb1e9ecf3934f40f92e74f5393ce3050476f73feb5cf7d53fc6c54e3fd11ef82e39f74c755026f9819d8

memory/3780-453-0x000000001B8B0000-0x000000001B8C2000-memory.dmp