Analysis Overview
SHA256
3f40b000017400edfb42a468c94ce03625a7003a238fae61929f20ee35c67f44
Threat Level: Known bad
The file dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
DcRat
DCRat payload
UAC bypass
Dcrat family
Process spawned unexpected child process
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Checks whether UAC is enabled
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
System policy modification
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-16 11:17
Signatures
DCRat payload
Dcrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-16 11:17
Reported
2024-05-16 11:19
Platform
win7-20240419-en
Max time kernel
150s
Max time network
147s
Signatures
DcRat
Process spawned unexpected child process
All 30 schtasks.exe /create invocations listed under Processes have C:\Windows\system32\wbem\wmiprvse.exe as their parent. That is the parent relationship produced when a process is created through WMI (Win32_Process.Create) rather than directly by the sample, which is why the sandbox does not see schtasks.exe as a child of the sample itself. The 30 identical events are collapsed into one row.
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (30 events) | N/A | C:\Windows\system32\schtasks.exe | N/A |
UAC bypass
The original sample and each of the six runs of the dropped csrss.exe copy write the same three values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 0: EnableLUA = 0 disables UAC outright (effective after the next reboot), ConsentPromptBehaviorAdmin = 0 lets administrators elevate without a prompt, and PromptOnSecureDesktop = 0 moves any remaining prompts off the secure desktop. The 21 individual events are collapsed below with a count per writing process.
| Description | Indicator | Process | Target | Count |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A | 1 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A | 1 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A | 1 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\csrss.exe | N/A | 6 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\csrss.exe | N/A | 6 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\csrss.exe | N/A | 6 |
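As an added example (not part of the sandbox report), the following Python parses "Set value (int)" rows in the row format used by the tables on this page and rates the resulting UAC configuration against the Windows defaults. The three sample rows are constructed copies of indicators from the table above; the default values and the meaning of a zero for each policy are Windows facts that the report itself does not state.

```python
"""Assess UAC policy writes recorded by the sandbox (added example, not from the report)."""

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Windows defaults for the three values the sample overwrites.
SECURE_DEFAULTS = {
    "EnableLUA": 1,                   # UAC on
    "ConsentPromptBehaviorAdmin": 5,  # admins are prompted for consent for non-Windows binaries
    "PromptOnSecureDesktop": 1,       # prompts are drawn on the secure desktop
}

# What a zero value means for each policy.
ZERO_MEANS = {
    "EnableLUA": "UAC disabled entirely (takes effect at next reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, no consent prompt",
    "PromptOnSecureDesktop": "prompts drawn on the normal desktop, where other processes can draw over them",
}

# Constructed copies of three rows from the UAC bypass table above.
SAMPLE_ROWS = [
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\csrss.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\csrss.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |',
]


def parse_policy_writes(rows):
    """Return (value_name, int_value, writing_process) for every 'Set value (int)'
    row that targets the UAC policy key; rows for other keys or event types are ignored."""
    writes = []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] != "Set value (int)":
            continue
        path, sep, raw_value = cells[1].partition(" = ")
        key, _, name = path.rpartition("\\")
        if not sep or key.lower() != UAC_POLICY_KEY.lower():
            continue
        writes.append((name, int(raw_value.strip('"')), cells[2]))
    return writes


def assess_uac(values):
    """values: {policy_name: int}. Missing names are assumed to hold the default.
    Returns a verdict plus one finding per policy that has been zeroed."""
    findings = []
    for name, default in SECURE_DEFAULTS.items():
        observed = values.get(name, default)
        if observed == 0 and default != 0:
            findings.append(f"{name}={observed} (default {default}): {ZERO_MEANS[name]}")
    return {"uac_weakened": bool(findings), "findings": findings}


def assess_rows(rows):
    """Replay the recorded writes in order (last write wins) and assess the end state."""
    latest = {}
    for name, value, _proc in parse_policy_writes(rows):
        latest[name] = value
    return assess_uac(latest)


if __name__ == "__main__":
    for line in assess_rows(SAMPLE_ROWS)["findings"]:
        print(line)
```

On a live host the same three values can be read from HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and passed to assess_uac; the parser is only there so the function can be exercised against the report's own rows offline.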
DCRat payload
(9 matches; the sandbox recorded no description, indicator, process or target for this signature)
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 12 |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Program Files (x86)\Common Files\csrss.exe | N/A | 6 |
Checks whether UAC is enabled
| Description | Indicator | Process | Target | Count |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A | 1 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A | 1 |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Common Files\csrss.exe | N/A | 6 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\csrss.exe | N/A | 6 |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCX122D.tmp | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\RCX14AE.tmp | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\fr-FR\RCX1BC5.tmp | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\explorer.exe | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\csrss.exe | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\56085415360792 | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCX121C.tmp | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\RCX2725.tmp | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\RCX1440.tmp | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\csrss.exe | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\RCX2521.tmp | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\fr-FR\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\fr-FR\RCX1BC6.tmp | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\RCX2520.tmp | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\explorer.exe | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\RCX2724.tmp | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\es-ES\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
These are the same 21 registry writes reported under UAC bypass above, matched by a second signature; they are collapsed here with a count per writing process.
| Description | Indicator | Process | Target | Count |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A | 1 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A | 1 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A | 1 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\csrss.exe | N/A | 6 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\csrss.exe | N/A | 6 |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\csrss.exe | N/A | 6 |
Uses Task Scheduler COM API
Processes
Each entry is the process image path followed by the command line it was started with. The submitted sample registers 30 scheduled tasks (one ONLOGON task with /rl HIGHEST plus two MINUTE-interval tasks for each of ten dropped copies named after core Windows processes), adds a Defender exclusion for the C: root and each of its top-level directories, runs a .bat from the user's Temp directory via cmd.exe and invokes w32tm /stripchart, a built-in command commonly used as a short delay. The dropped C:\Program Files (x86)\Common Files\csrss.exe copy then starts six times, each run launching two WScript.exe instances on GUID-named .vbs files in the user's Temp directory before the next run.
C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C6ojzqIZqD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Common Files\csrss.exe
"C:\Program Files (x86)\Common Files\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a6f3677-dbcc-4b3c-a7be-3a88cfb5c71d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a7010f0-a0bf-46bb-9996-bde873b688d7.vbs"
C:\Program Files (x86)\Common Files\csrss.exe
"C:\Program Files (x86)\Common Files\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2806871b-da50-4591-8606-0f40d0514b19.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4f99d70-9aba-4b1e-b817-b45033e35577.vbs"
C:\Program Files (x86)\Common Files\csrss.exe
"C:\Program Files (x86)\Common Files\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea2db112-e23a-4cfd-8dc5-ef0f6d680cf3.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5f5c2e7-8ca2-4962-8867-f7ee5a4881e3.vbs"
C:\Program Files (x86)\Common Files\csrss.exe
"C:\Program Files (x86)\Common Files\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80cac005-5464-42b3-b6f7-ccbdff9ac61b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfa4c0b3-9bfd-42d3-bb6a-6770e6ebd2a6.vbs"
C:\Program Files (x86)\Common Files\csrss.exe
"C:\Program Files (x86)\Common Files\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\082872b8-b9c9-47a1-8c4a-4c00cc176239.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55417941-8078-47bf-abab-99b63f05c350.vbs"
C:\Program Files (x86)\Common Files\csrss.exe
"C:\Program Files (x86)\Common Files\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b23422f-d73b-43d3-9f6a-dca94ed7879f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45959d14-2b03-4732-9893-d5a2da94bc29.vbs"
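As an added example (not from the report, the sandbox vendor or the DCRat authors), the following Python applies two triage rules to command lines in the form shown under Processes: a scheduled task whose action is a file named like a core Windows process but stored outside the Windows directory (the same masquerade visible in the "Drops file in Program Files directory" list), or registered with /rl HIGHEST, and a Defender exclusion that covers a drive root or a top-level directory. The sample command lines are constructed: five copied from the list above and two benign ones (a vendor updater task and a narrow exclusion path) invented here to show that the rules do not flag them. The list of system process names and the allowed directories are the example's own coarse heuristic, not something the report defines.

```python
"""Triage rules for schtasks and Add-MpPreference command lines (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Core Windows process names that malware commonly borrows (heuristic list, assumption).
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "lsass.exe", "spoolsv.exe", "wininit.exe", "explorer.exe",
    "dllhost.exe", "audiodg.exe", "svchost.exe", "winlogon.exe", "smss.exe",
}
# Coarse allow-list of where those binaries legitimately live (assumption).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

SCHTASKS_RE = re.compile(
    r'/tn\s+"(?P<name>[^"]+)"'                    # task name
    r".*?/sc\s+(?P<sched>\S+)"                     # schedule type (MINUTE, ONLOGON, ...)
    r"(?:\s+/mo\s+(?P<every>\d+))?"                # optional repeat interval
    r'''.*?/tr\s+"'?(?P<target>[^"']+)'?"''',      # action; the sample wraps the path in '...'
    re.IGNORECASE,
)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'(?P<path>[^']+)'", re.IGNORECASE)

# Constructed sample input: five lines copied from the Processes section, two benign lines invented.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /f""",
    r"""schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\lsass.exe'" /rl HIGHEST /f""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:/'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'""",
    # benign, constructed for this example; neither rule should fire
    r"""schtasks.exe /create /tn "VendorUpdate" /sc DAILY /tr "'C:\Program Files\Vendor\updater.exe'" /f""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/Vendor/cache/'""",
]


@dataclass
class Finding:
    rule: str
    detail: str


def masquerades_system_binary(path):
    """True if the file name is a core Windows process name but the directory is not a Windows one."""
    directory, filename = ntpath.split(path.strip().lower())
    return filename in SYSTEM_PROCESS_NAMES and directory not in LEGIT_DIRS


def is_broad_exclusion(path):
    """True for a drive root or any directory directly beneath it (C:/, C:/Windows/, ...)."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    return len(parts) <= 2


def triage(cmdlines):
    """Apply both rules to each command line and return the findings in input order."""
    findings = []
    for cmd in cmdlines:
        task = SCHTASKS_RE.search(cmd)
        if task:
            reasons = []
            if masquerades_system_binary(task["target"]):
                reasons.append("action is a system-process name outside the Windows directory")
            if re.search(r"/rl\s+HIGHEST", cmd, re.IGNORECASE):
                reasons.append("runs with highest privileges")
            if reasons:
                cadence = f"every {task['every']} min" if task["every"] else task["sched"]
                findings.append(Finding("scheduled-task-persistence",
                                        f"{task['name']} ({cadence}) -> {task['target']}: " + "; ".join(reasons)))
            continue
        excl = EXCLUSION_RE.search(cmd)
        if excl and is_broad_exclusion(excl["path"]):
            findings.append(Finding("defender-exclusion", f"broad exclusion {excl['path']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"[{f.rule}] {f.detail}")
```

The same rules map directly onto process-creation telemetry (Sysmon event 1 or EDR equivalents) where the command line is available; the parent check from the signature above (schtasks.exe under wmiprvse.exe) is a useful third rule once parent image paths are in the data.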
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | a0887556.xsph.ru | udp | 1 |
| RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp | 12 |
Files
C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe
| MD5 | dc4a687b17405db35530af6aa40cd2b0 |
| SHA1 | acaeb4c374b0e1b55e7891cf5e20498e3b9cdd88 |
| SHA256 | 3f40b000017400edfb42a468c94ce03625a7003a238fae61929f20ee35c67f44 |
| SHA512 | 620ce4b0a8673598dd5975a8b304eeaff6eab85084a39d5a46efcf3b209b8f51a1eb8d81d5c6709e1ec5e67b913b9534ff440d5784aa03662cbdabb105a47487 |
C:\Program Files (x86)\Common Files\csrss.exe
| MD5 | 8619675d9facaebcdb15ac1ca117b1a9 |
| SHA1 | 3c0548be4af55784db8a1eff6137e05098cf11af |
| SHA256 | 80046fb86243ebcbc22711ab5ef87b0155c21be7c48c4d6dd85b76d7961df4d3 |
| SHA512 | 56ec4ca27854e0ac7743584cfcdd31dc9f41e2d0b726d31746d8f682f66531f0049c9fed7329492978498ab5c8a25229b79a4e2a29fcae5d14dcaaad4d5d936d |
C:\ProgramData\Microsoft\Windows\Templates\audiodg.exe
| MD5 | 846567f7be74008c7943ac705f408edf |
| SHA1 | 684c2d7abe5cc500d658216fa2007a1deb06543b |
| SHA256 | 8e758eddac1ab550835c9388cea160de727f8aa185e642717e5fe96dfd6aadbd |
| SHA512 | 694de66c3e0909496ac512c57e02352073174c8939a16fe85e44392e857a972138c17ee014704cf5fc25d060027518a90ab550daa9aa6846f777bdc45fadbc5d |
C:\ProgramData\Microsoft\csrss.exe
| MD5 | 7515fec42a8153473337c1507e8273d7 |
| SHA1 | 0e0f88724607103c79837382edc842ac21f520f7 |
| SHA256 | f1c3aec53ff4ea63a13f4ff740231e0cc8c849633b52a382d9f5e16cc2f4a8c7 |
| SHA512 | 7f42221192ea5b9ac8ba0b2fe7232a3c9c7ad727728a038d79bc488097854cca8433724cd3e96bf29db8d84810af5f7291c10229d5277d1994ae65b45e532f06 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | c609982eb0d748e330ead233ca27aa1b |
| SHA1 | 3afc9753b9d7aecb3579016c9fd7d6a46d1d9b78 |
| SHA256 | 44bc50c8c368ee7902f1e482da71266e7adf36ee6ac87cfe81e62c0e3383b06c |
| SHA512 | 52035c2a7eb033eebb489fb925451a35c644a5cb77e0bd69c90259b89cb19136a09bede6ec63d0218a2f5aa7983523184d741df18a18b3a1985da862cee3e7e0 |
C:\Users\Admin\AppData\Local\Temp\C6ojzqIZqD.bat
| MD5 | 8623ca35055e8eecafb3bbeed719b775 |
| SHA1 | 716ae42d2bd86aa799d1ab6776f1881f1df260c4 |
| SHA256 | fbaaa99e83c4757fc1107baf75ca7a4d4b548f06b0e16e1e3ed5b910b361729a |
| SHA512 | 8b19435ce1685f22262b4084c9a891a08f8ee0f0e6452460de29795f2523bbe11645edc4f755fa4b8c0701645f11d0a5c15a9dc636739dc6e7d9762581907148 |
C:\Users\Admin\AppData\Local\Temp\6a6f3677-dbcc-4b3c-a7be-3a88cfb5c71d.vbs
| MD5 | bea91e081473ea29f997ef171b40ff2c |
| SHA1 | 32c379cf76d387266f618306bde41094ec6d9720 |
| SHA256 | 7b61eab4c0f3b51e7491aa974cb2a99a6995b0d7aac65e2596d6e299dbcb2ae3 |
| SHA512 | d06fbdd35db09dbcd890650352a251bfb18f702b052cfe3bc3330b3baf03fb49a4d2fde222a48171f85467091be1ce85c5349fc3d7b53e05ce3789dcd58bc6ce |
C:\Users\Admin\AppData\Local\Temp\5a7010f0-a0bf-46bb-9996-bde873b688d7.vbs
| MD5 | 52b7a4e80fd6da781c2da3d84544d252 |
| SHA1 | ea871d5e58ca2494fddb770c5076ad67bb36ae9c |
| SHA256 | e3d63a11320cccebee50c08c6276351207da6248ca19918c201bca4058c892a3 |
| SHA512 | f7e684e01d72024f3a62edfcea2182d26dffab9414473213059910fecd19bc11b513b343b0a6dddf011b17f1a6c5efa96d0dc67ffc153758d94ce8c179b2425d |
C:\Users\Admin\AppData\Local\Temp\2806871b-da50-4591-8606-0f40d0514b19.vbs
| MD5 | b00d712201b9ecc070af45733defdf27 |
| SHA1 | d42f7a8090553b29f0ccdafa1a181672d7170007 |
| SHA256 | 0444c3c8977c837ff64b352550dddbe8643b9a5a388455fb01e9b63dd9e456c1 |
| SHA512 | 17b46f81c443b9fd2b753e4db8f17b33dc0128ff16365ae13b0df45bd0701a5922b6330d77630d772734d3a4a102a194d4872976c2c873d1796dd41d9ab30e34 |
C:\Users\Admin\AppData\Local\Temp\ea2db112-e23a-4cfd-8dc5-ef0f6d680cf3.vbs
| MD5 | 13f00e77e0fffd18038123841ef4bcb3 |
| SHA1 | 266466f4ddfb8c2edeb1af52409f78026c66755a |
| SHA256 | f76b124101124cacd0bc2d8b55483817f7bf6f2b288fa49e5a004be4c432b27a |
| SHA512 | aa63e9042ca83170f03a59190ef91ccc32ea9d77b08778e1e3d14ed48497f2d34665808efcd632dd1e8dd3cae9b1388058f6030099fb16f689f565acd0ecd3a9 |
C:\Users\Admin\AppData\Local\Temp\80cac005-5464-42b3-b6f7-ccbdff9ac61b.vbs
| MD5 | c7c634c3c2e44e37115f0509f7b29bd3 |
| SHA1 | 13565058a292ad0373e634704857aa4cd921531a |
| SHA256 | c10c95e0d626751694a2ee69230a0a36e24227e0483296e5f00042611e549c6d |
| SHA512 | cd4ee4139f6e9baeb7799dc2ff24167234c8d4b381b1c38ac75cd4c88923aee51cdca2479cb64a4bf8cc16f5e3d93f053bb4d535276a201f18bb778197e399c9 |
C:\Users\Admin\AppData\Local\Temp\082872b8-b9c9-47a1-8c4a-4c00cc176239.vbs
| MD5 | 8003664e5b32a5cafe0c7d8b699c9351 |
| SHA1 | acbe1bb6dd686166c1c6d0f0a84ddcaee0b658a2 |
| SHA256 | b0535ad65a2da1f04d0a40095ba2a08bf02db8a209f8c03fefc02cf1be7a2e99 |
| SHA512 | 4d7aa6851701fd267e67a523532c9e702112f0e0b9a474869d89ab94833b9a68cd80a2515b54b93ba56b03137947c20549cadb0a727c2b18c604cc056710b9cb |
C:\Users\Admin\AppData\Local\Temp\3b23422f-d73b-43d3-9f6a-dca94ed7879f.vbs
| MD5 | b33c089fb1d7cf43c98cc9660bd32d2a |
| SHA1 | d4a91d2f25fa76cb8369d529a410666de8357521 |
| SHA256 | 536ac86e434e703e239571061c6252d84940965ca07285a53d1960894166efc0 |
| SHA512 | 9734334017fd38b8f1db341ecaba2a2ce9247ff7d0727f167a31b2cf43ad66fe5662b80ff2916eb72f58d0a52d2d72ab5acbd3e478b91a0a9f8a38535dab2b11 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-16 11:17
Reported
2024-05-16 11:19
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\upfc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zykW3pHScp.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\upfc.exe
"C:\Program Files (x86)\Internet Explorer\upfc.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255d9068-70d2-40f3-9a99-93ad93e39233.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ead0d72-525f-4cd9-a0a9-0ea53a76bcf7.vbs"
C:\Program Files (x86)\Internet Explorer\upfc.exe
"C:\Program Files (x86)\Internet Explorer\upfc.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d938be9e-9a23-4781-bd04-9d2bd8fee025.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f66b850a-da61-4dde-873d-c2dc15b374fb.vbs"
C:\Program Files (x86)\Internet Explorer\upfc.exe
"C:\Program Files (x86)\Internet Explorer\upfc.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d2cf553-a91b-4371-aaf3-7b7ca7c21b03.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70f16270-7112-414d-87d4-db8b7f59f74d.vbs"
C:\Program Files (x86)\Internet Explorer\upfc.exe
"C:\Program Files (x86)\Internet Explorer\upfc.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5072ec9-2f7b-4adc-9fc6-3cd7ead42005.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab0a2b5b-d5ef-4a29-882a-97a15be03006.vbs"
C:\Program Files (x86)\Internet Explorer\upfc.exe
"C:\Program Files (x86)\Internet Explorer\upfc.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45960fe3-391c-4124-bc68-5b2f5b1b7138.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61aef406-5b5b-4b14-be3b-2a1121a47ea3.vbs"
C:\Program Files (x86)\Internet Explorer\upfc.exe
"C:\Program Files (x86)\Internet Explorer\upfc.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e11c9075-b288-439e-80b4-1e44ca325786.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5968698-4680-4123-9cc7-b62c43abb054.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| BE | 2.17.196.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a0887556.xsph.ru | udp |
| RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp |
| US | 8.8.8.8:53 | 42.197.8.141.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp |
Files
memory/3344-0-0x00007FF917AA3000-0x00007FF917AA5000-memory.dmp
memory/3344-1-0x0000000000DA0000-0x00000000010DC000-memory.dmp
memory/3344-2-0x00007FF917AA0000-0x00007FF918561000-memory.dmp
memory/3344-3-0x0000000003260000-0x000000000326E000-memory.dmp
memory/3344-4-0x000000001BCC0000-0x000000001BCCE000-memory.dmp
memory/3344-5-0x000000001C320000-0x000000001C328000-memory.dmp
memory/3344-6-0x000000001C330000-0x000000001C34C000-memory.dmp
memory/3344-9-0x000000001C360000-0x000000001C370000-memory.dmp
memory/3344-10-0x000000001C370000-0x000000001C386000-memory.dmp
memory/3344-8-0x000000001C350000-0x000000001C358000-memory.dmp
memory/3344-7-0x000000001C3A0000-0x000000001C3F0000-memory.dmp
memory/3344-11-0x000000001C390000-0x000000001C398000-memory.dmp
memory/3344-12-0x000000001C3F0000-0x000000001C400000-memory.dmp
memory/3344-13-0x000000001C400000-0x000000001C40A000-memory.dmp
memory/3344-14-0x000000001C410000-0x000000001C466000-memory.dmp
memory/3344-15-0x000000001C460000-0x000000001C46C000-memory.dmp
memory/3344-16-0x000000001C470000-0x000000001C478000-memory.dmp
memory/3344-17-0x000000001C480000-0x000000001C48C000-memory.dmp
memory/3344-18-0x000000001C490000-0x000000001C498000-memory.dmp
memory/3344-19-0x000000001C4A0000-0x000000001C4B2000-memory.dmp
memory/3344-20-0x000000001CA00000-0x000000001CF28000-memory.dmp
memory/3344-21-0x000000001C4D0000-0x000000001C4DC000-memory.dmp
memory/3344-22-0x000000001C4E0000-0x000000001C4EC000-memory.dmp
memory/3344-23-0x000000001C4F0000-0x000000001C4FC000-memory.dmp
memory/3344-24-0x000000001C500000-0x000000001C50C000-memory.dmp
memory/3344-26-0x000000001C610000-0x000000001C61A000-memory.dmp
memory/3344-30-0x000000001C740000-0x000000001C74C000-memory.dmp
memory/3344-31-0x000000001C750000-0x000000001C758000-memory.dmp
memory/3344-33-0x000000001C770000-0x000000001C77C000-memory.dmp
memory/3344-32-0x000000001C760000-0x000000001C76A000-memory.dmp
memory/3344-34-0x00007FF917AA0000-0x00007FF918561000-memory.dmp
memory/3344-29-0x000000001C790000-0x000000001C79E000-memory.dmp
memory/3344-28-0x000000001C630000-0x000000001C638000-memory.dmp
memory/3344-27-0x000000001C620000-0x000000001C62E000-memory.dmp
memory/3344-25-0x000000001C780000-0x000000001C788000-memory.dmp
memory/3344-37-0x00007FF917AA0000-0x00007FF918561000-memory.dmp
C:\Recovery\WindowsRE\sihost.exe
| MD5 | dc4a687b17405db35530af6aa40cd2b0 |
| SHA1 | acaeb4c374b0e1b55e7891cf5e20498e3b9cdd88 |
| SHA256 | 3f40b000017400edfb42a468c94ce03625a7003a238fae61929f20ee35c67f44 |
| SHA512 | 620ce4b0a8673598dd5975a8b304eeaff6eab85084a39d5a46efcf3b209b8f51a1eb8d81d5c6709e1ec5e67b913b9534ff440d5784aa03662cbdabb105a47487 |
C:\Recovery\WindowsRE\taskhostw.exe
| MD5 | fe9ee3c44523dd6fe54b10d25c68fc66 |
| SHA1 | 9eab35b1848a539dfbb401813dfbafc0425a143d |
| SHA256 | bd63fd6aa42c243807a498ac348d2cb8cfc7b9e70a399bcfe4be8155f97b82b6 |
| SHA512 | c241928514e3fd2825d313192cd283ee7e9e47836242736dcdb0ca0d52b1d298cf17051171157e085c4587e03b6eacdbac734072b0641a4ccf7d8039e7886eed |
memory/3344-129-0x00007FF917AA0000-0x00007FF918561000-memory.dmp
memory/4272-132-0x000001B629C90000-0x000001B629CB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i4fs2hbz.ovj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\zykW3pHScp.bat
| MD5 | dc8fbe195ae298022e70b09271319aa4 |
| SHA1 | fd6e9fc43ce862cb7561db778abc7288c0732f7d |
| SHA256 | 296f2b88d5ba7b3e731183244be81deea2ca63da67f207ba9ea721aaa46d4d19 |
| SHA512 | c94a76d2ab2d3c6a1a6e74ea7ad3b604c9bf17d04cf2b343c95d0942e0ea75214680f18ce9f2ae78af65741cdacd8fdb4581b6a9053c1a39a1f748bd4c718c42 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
memory/3052-257-0x000000001B3E0000-0x000000001B3F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\255d9068-70d2-40f3-9a99-93ad93e39233.vbs
| MD5 | 2f8d01f40fd5927cdd94d7910bf9e86e |
| SHA1 | b4d7a6e1a9f36ce90bcb8d1c18b7a80973411e6a |
| SHA256 | 550920521353ddf72c1f30ec1db15ee94f0f5bb02944a9a11e33e87ca083c4f0 |
| SHA512 | 4d49361c56609f1896f0016cbc0976537284d0ed1a12415a9b4cb2c6dfda491969222b18614b4a9d4454d86f23510f027c8b86df4a6e4c6c7f8cb77f3215baa7 |
C:\Users\Admin\AppData\Local\Temp\0ead0d72-525f-4cd9-a0a9-0ea53a76bcf7.vbs
| MD5 | 07448be2fd912218adda702602a87b09 |
| SHA1 | 8d2c3d473c5a63e3c42a2d8f6f838f02a1514b19 |
| SHA256 | 7ecd4f10f05197c76d9f15b029874d3662868982525c5f10add528ef2086c97d |
| SHA512 | 5ef54ca24aa078aa3b6c9a28f129822b55606c5ff0debec2d0925ccf63054064c9d39edb57fc746de11f607f24e9f9a654c5f948065e71a4fba5bf41c0242504 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log
| MD5 | 49b64127208271d8f797256057d0b006 |
| SHA1 | b99bd7e2b4e9ed24de47fb3341ea67660b84cca1 |
| SHA256 | 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77 |
| SHA512 | f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e |
C:\Users\Admin\AppData\Local\Temp\d938be9e-9a23-4781-bd04-9d2bd8fee025.vbs
| MD5 | 6c4538ea45854d5f958f99238f88cf28 |
| SHA1 | a76ab9d073b38889364b2a457edab212a64be24e |
| SHA256 | 6424d3354d6714d4e297e11685703a76d82787a5168ed23f26baa38cb8c9839b |
| SHA512 | f03b2a3808534166ffba081be5ce3c905481e75710248d012bc7005472d57813bcb32c6b0141592e10a67577eafce1370d56ccdddf1098a099f6edef3f2f3ce0 |
C:\Users\Admin\AppData\Local\Temp\5d2cf553-a91b-4371-aaf3-7b7ca7c21b03.vbs
| MD5 | 508c367fb633c2ade8d690b66cd816bf |
| SHA1 | 4c3bfe69276279e21d2d75ccc23bbde478e03c9f |
| SHA256 | f3d77b50c1c81d5de86a0d327906dad61987704b6d11644051e18f8f56ac9c89 |
| SHA512 | dbcb7d6006edfc9a88ad51ddbd7446e57003baf98c22bc367ed00829a79c5858eb56323128327a3cbd4498d5412116ef6d7024d033da2e26ab567135f40f307b |
C:\Users\Admin\AppData\Local\Temp\a5072ec9-2f7b-4adc-9fc6-3cd7ead42005.vbs
| MD5 | 593dad81519e2de3ca7afebeb8cad4c5 |
| SHA1 | 67e0482bbf8186287b9c43c12d33e0381d637bf6 |
| SHA256 | aec91fcb501aca66184f02d6bdb1634be00aea2f71ec075bbdc3b98756b5f0c6 |
| SHA512 | 3be1000ef6caff76cf692bff1712cd3e95dacd2d90c87a6a9ee3927f3a287338ff2ae0d9d5a669445f9d73603fa7a2dd96b0977f93ddcad82b117d4156041c21 |
C:\Users\Admin\AppData\Local\Temp\45960fe3-391c-4124-bc68-5b2f5b1b7138.vbs
| MD5 | 75019211fdd1c8e3dcaa1644454df725 |
| SHA1 | 3e2812b7947a33670e0572863f10c621049135a8 |
| SHA256 | 59c38754b4d3f94d1e7af3bfe00975f7fd01edd86b77687f0d2b2c8369a25b52 |
| SHA512 | 04b665f9ec3c0f984aa30d51d6b6c0f50e21a42bdc44b0734085e90273039a6b00a4511192d6f5666f85620ef0dd5a4c27a1ef3c64c4d0368ce5d2b30f1862c5 |
C:\Users\Admin\AppData\Local\Temp\e11c9075-b288-439e-80b4-1e44ca325786.vbs
| MD5 | 6f7ddcf993cd8088521f18dbd931a821 |
| SHA1 | 536dc97983e234918911446c1df5ad5fe7aeef63 |
| SHA256 | c1526f770cd2211f89227452f1e18ced395b7f7e8af03d9080e27e5e848c4045 |
| SHA512 | 92f5679bd2205dfc561a883c6ea93ee3df07aaf4524c53ee119a2438a0055ab07f137a2fbc81bc2eb753434a742ee17ab21d751d5fa7a1530ae696fa34626681 |