Malware Analysis Report

2024-11-13 13:42

Sample ID: 240516-j2bf4abd7v
Target: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics
SHA256: cd2c3823df758fbfab481d70c7aa63a3252300e6527893fccc99b888acfbda40
Tags: dcrat infostealer persistence rat
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: cd2c3823df758fbfab481d70c7aa63a3252300e6527893fccc99b888acfbda40

Threat Level: Known bad

The file c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat

DCRat payload

Process spawned unexpected child process

DcRat

Modifies WinLogon for persistence

Dcrat family

DCRat payload

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-16 08:09

Signatures

DCRat payload

Tags: rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

Tags: dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 08:09

Reported: 2024-05-16 08:11

Platform: win7-20240419-en

Max time kernel: 121s

Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe"

Signatures

DcRat

Tags: rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\rescache\rc0005\winlogon.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A

Modifies WinLogon for persistence

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\", \"C:\\Program Files\\MSBuild\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\", \"C:\\Program Files\\MSBuild\\dwm.exe\", \"C:\\Windows\\inf\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Windows\\it-IT\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\", \"C:\\Program Files\\MSBuild\\dwm.exe\", \"C:\\Windows\\inf\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Windows\\it-IT\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\winlogon.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Users\\Default\\NetHood\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\", \"C:\\Program Files\\MSBuild\\dwm.exe\", \"C:\\Windows\\inf\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Windows\\it-IT\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\", \"C:\\Program Files\\MSBuild\\dwm.exe\", \"C:\\Windows\\inf\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Windows\\it-IT\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\winlogon.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\", \"C:\\Program Files\\MSBuild\\dwm.exe\", \"C:\\Windows\\inf\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Windows\\it-IT\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\winlogon.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Users\\Default\\NetHood\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\", \"C:\\Program Files\\MSBuild\\dwm.exe\", \"C:\\Windows\\inf\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Windows\\it-IT\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\winlogon.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\", \"C:\\Program Files\\MSBuild\\dwm.exe\", \"C:\\Windows\\inf\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Windows\\it-IT\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\winlogon.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\", \"C:\\Program Files\\MSBuild\\dwm.exe\", \"C:\\Windows\\inf\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Windows\\it-IT\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\winlogon.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\", \"C:\\Users\\Default\\NetHood\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\sppsvc.exe\", \"C:\\Users\\Default\\Local Settings\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\", \"C:\\Program Files\\MSBuild\\dwm.exe\", \"C:\\Windows\\inf\\es-ES\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\", \"C:\\Program Files\\MSBuild\\dwm.exe\", \"C:\\Windows\\inf\\es-ES\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

Tags: rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics = "\"C:\\Program Files (x86)\\Windows Defender\\it-IT\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\inf\\es-ES\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\it-IT\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\Local Settings\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\MSBuild\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\it-IT\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\Local Settings\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Videos\\Sample Videos\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\inf\\es-ES\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics = "\"C:\\Program Files (x86)\\Windows Defender\\it-IT\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\NetHood\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\NetHood\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\MSBuild\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Uninstall Information\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Uninstall Information\RCX38A6.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\it-IT\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Uninstall Information\wininit.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\RCX3006.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\winlogon.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\RCX2B90.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\RCX3007.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Uninstall Information\56085415360792 C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\RCX2B8F.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCX349D.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\winlogon.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\RCX38A7.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\dwm.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\it-IT\6521988ad37612 C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX1FA4.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCX349C.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX1FA3.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\dwm.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\wininit.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\inf\es-ES\RCX2E02.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\it-IT\RCX320B.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\it-IT\smss.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Windows\rescache\rc0005\winlogon.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\inf\es-ES\RCX2E01.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Windows\it-IT\smss.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Windows\it-IT\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\inf\es-ES\winlogon.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\it-IT\RCX3279.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Windows\inf\es-ES\winlogon.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Windows\inf\es-ES\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\es-ES\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\inf\es-ES\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\es-ES\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\it-IT\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 5 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 13 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /rl HIGHEST /f

C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe

"C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dcrat.jorikbz3.beget.tech udp
US 8.8.8.8:53 jorikbz3.beget.tech udp

Files

memory/2420-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

memory/2420-1-0x00000000012B0000-0x00000000014BC000-memory.dmp

memory/2420-2-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2420-3-0x00000000001C0000-0x00000000001DC000-memory.dmp

memory/2420-4-0x00000000001E0000-0x00000000001E8000-memory.dmp

memory/2420-5-0x0000000000460000-0x0000000000470000-memory.dmp

memory/2420-6-0x00000000004C0000-0x00000000004D6000-memory.dmp

memory/2420-7-0x00000000004E0000-0x0000000000536000-memory.dmp

memory/2420-8-0x00000000005B0000-0x00000000005BC000-memory.dmp

memory/2420-9-0x00000000005C0000-0x00000000005CC000-memory.dmp

memory/2420-10-0x00000000005D0000-0x00000000005DC000-memory.dmp

memory/2420-11-0x00000000005E0000-0x00000000005EE000-memory.dmp

memory/2420-12-0x00000000005F0000-0x00000000005FE000-memory.dmp

memory/2420-13-0x0000000000600000-0x000000000060A000-memory.dmp

C:\Users\Public\Videos\Sample Videos\csrss.exe

MD5 c4dd0b6efb900035ac550ea40274b180
SHA1 6b286cc85750702c1721a3f7eac27d7cc2548a2d
SHA256 cd2c3823df758fbfab481d70c7aa63a3252300e6527893fccc99b888acfbda40
SHA512 b26fe5a9067f40e484add6ea5668bd6879e4cedba3935b0f3f3a848cb318cab4f7323dc06978851f261c48a5923fe2e78da94c3f4c0cf9a010556b17762ce6f7

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe

MD5 0ec289702082e9950bd93759aef96586
SHA1 ab1ec5f52a6f48084798c65797bb046896d0325b
SHA256 49aa78bd1d54833904cd7d6ce70edb3454a76d0495487bdaebb7566bec40c7c5
SHA512 e92123d066669aba11292980a2e80d5914b18aafef4f83c0cbf64c523d356c2dd69c110bc7b0572a8110b0c015deebe54a2950fb5cfcb7778184e08711ca64b8

C:\Users\Public\Videos\Sample Videos\csrss.exe

MD5 7d5c8616ccf2a54cf520d9234d1251f8
SHA1 ca1233e619e4872f6061dc5a83ec00de9bb46a9e
SHA256 b7780878408494df4d4b1bea1c26e421a3b55cf4c028a65375ddfa6642c09ceb
SHA512 abcc22ba3827b5dae8aa2f873e2a2616c3acba8b0f243a1d06010a3523c11060f206d67c7d13a17c8825d5e4f30126eedbb3aa7597e66c7563c15bd414600839

C:\Windows\it-IT\smss.exe

MD5 57fbbc5da63490b3873b30c8b10a82e9
SHA1 1b01bd5ebc83867e93e96da5664adb328dbd5b55
SHA256 138c1d6195e13b7ea2f3e97eb4988c29f444346d55e88bc5c6ee4bb2fc56c6cd
SHA512 d8a94f8042d31644ccb37c337878e4f31e3ef9e833e025bcfd6da7f9bd69a3b075542dcc59e9d5bd3c6bd20dcb1af7286f71dbf20a6f4c97e59907fe5aea7c9f

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\csrss.exe

MD5 f0b47eaccc1bf880672a14d3fefbd39d
SHA1 4af307e39e5d775e09e2ab7bae90eec204025d52
SHA256 b6af629f87b39e767dc9dc9b061a3365a5a465704cf8d8455119268ae332d869
SHA512 43784c4ddb0394525e1a1cadda1a41de45ac9a5e438d81bbbd8eaa696015ceb45f8f67845a5571b18bbb60d761fd067eebe8ba67d7b4879a6f201ecf9908720f

memory/2420-235-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2292-234-0x0000000001030000-0x000000000123C000-memory.dmp

memory/2292-236-0x00000000004A0000-0x00000000004F6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 08:09

Reported

2024-05-16 08:11

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Common Files\System\de-DE\services.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Common Files\System\de-DE\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\root\\Licenses16\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\de-DE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\de-DE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Recovery\\WindowsRE\\MusNotification.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Recovery\\WindowsRE\\MusNotification.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Fonts\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Fonts\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics = "\"C:\\Program Files\\Microsoft Office\\root\\Licenses16\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics = "\"C:\\Program Files\\Microsoft Office\\root\\Licenses16\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Licenses16\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\de-DE\RCX5A0A.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX5E33.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\csrss.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\RCX75E5.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Common Files\System\de-DE\services.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX6069.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\RCX7577.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX5E53.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\csrss.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\de-DE\RCX5A09.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX6068.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Common Files\System\de-DE\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files\WindowsApps\MusNotification.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\6521988ad37612 C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\de-DE\services.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\de-DE\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Windows\de-DE\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\de-DE\RCX5C1E.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\de-DE\RCX5C1F.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\RCX715D.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\de-DE\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\RCX70DF.tmp C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\de-DE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Links\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Links\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\Licenses16\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Licenses16\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\Licenses16\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 dcrat.jorikbz3.beget.tech udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 jorikbz3.beget.tech udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Users\Default\Links\backgroundTaskHost.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\MusNotification.exe

C:\Windows\Fonts\sppsvc.exe
