Malware Analysis Report

2024-11-13 13:42

Sample ID: 240516-qctdyaee48
Target: dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics
SHA256: a0bbb5f5a121166366ca545b1b37d4a6b9d54562212cdef13bb052e7c342577c
Tags: rat dcrat evasion execution infostealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: a0bbb5f5a121166366ca545b1b37d4a6b9d54562212cdef13bb052e7c342577c

Threat Level: Known bad

The file dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

UAC bypass

DCRat payload

Process spawned unexpected child process

Dcrat family

DcRat

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System policy modification

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-16 13:07

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 13:07
Reported: 2024-05-16 13:10
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
(51 identical rows, one per schtasks.exe launch)

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SchCache\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SchCache\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SchCache\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SchCache\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SchCache\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SchCache\csrss.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(13 identical rows; no indicator details recorded)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SchCache\csrss.exe | N/A
N/A | N/A | C:\Windows\SchCache\csrss.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SchCache\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SchCache\csrss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SchCache\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SchCache\csrss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe | N/A

Drops file in Program Files directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe
Target (all rows): N/A

Description | Indicator
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\smss.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC8A5.tmp
File opened for modification | C:\Program Files (x86)\Windows Mail\lsass.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\hrtfs\RCXD59B.tmp
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXBC2D.tmp
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC8B5.tmp
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\ja-JP\RCXB4C7.tmp
File created | C:\Program Files (x86)\Windows Mail\ja-JP\5940a34987c991
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e
File opened for modification | C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\69ddcba757bf72
File created | C:\Program Files (x86)\Windows Mail\lsass.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\RCXB06F.tmp
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
File created | C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\RCXB080.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXBC1D.tmp
File opened for modification | C:\Program Files (x86)\Windows Mail\ja-JP\dllhost.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\RCXD26D.tmp
File opened for modification | C:\Program Files (x86)\Windows Mail\RCXD2FA.tmp
File created | C:\Program Files (x86)\Windows Mail\ja-JP\dllhost.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\886983d96e3d3e
File created | C:\Program Files (x86)\Windows Mail\6203df4a6bafc7
File created | C:\Program Files\VideoLAN\VLC\hrtfs\6203df4a6bafc7
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\smss.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\hrtfs\RCXD50D.tmp
File opened for modification | C:\Program Files (x86)\Windows Mail\ja-JP\RCXB4D7.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe

Drops file in Windows directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe
Target (all rows): N/A

Description | Indicator
File opened for modification | C:\Windows\Downloaded Program Files\RCXAE2D.tmp
File opened for modification | C:\Windows\ShellNew\spoolsv.exe
File created | C:\Windows\SchCache\886983d96e3d3e
File created | C:\Windows\ShellNew\spoolsv.exe
File opened for modification | C:\Windows\SchCache\csrss.exe
File opened for modification | C:\Windows\ShellNew\RCXCDC8.tmp
File created | C:\Windows\CSC\v2.0.6\services.exe
File created | C:\Windows\ShellNew\f3b6ecef712a24
File opened for modification | C:\Windows\Downloaded Program Files\RCXAE1C.tmp
File opened for modification | C:\Windows\SchCache\RCXC624.tmp
File created | C:\Windows\Downloaded Program Files\csrss.exe
File created | C:\Windows\Downloaded Program Files\886983d96e3d3e
File opened for modification | C:\Windows\SchCache\RCXC613.tmp
File opened for modification | C:\Windows\ShellNew\RCXCD5A.tmp
File opened for modification | C:\Windows\Downloaded Program Files\csrss.exe
File created | C:\Windows\SchCache\csrss.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
(51 identical rows, one per schtasks.exe launch)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe | N/A
(64 identical rows)

Suspicious use of WriteProcessMemory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe
Target (all rows): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Description | Indicator
PID 2184 wrote to memory of 2340 | N/A (3 identical rows)
PID 2184 wrote to memory of 2812 | N/A (3 identical rows)
PID 2184 wrote to memory of 1456 | N/A (3 identical rows)
PID 2184 wrote to memory of 2304 | N/A (3 identical rows)
PID 2184 wrote to memory of 1752 | N/A (3 identical rows)
PID 2184 wrote to memory of 1728 | N/A (3 identical rows)
PID 2184 wrote to memory of 1476 | N/A (3 identical rows)
PID 2184 wrote to memory of 1912 | N/A (3 identical rows)
PID 2184 wrote to memory of 1588 | N/A (3 identical rows)
PID 2184 wrote to memory of 1072 | N/A (3 identical rows)
PID 2184 wrote to memory of 524 | N/A (3 identical rows)
PID 2184 wrote to memory of 2772 | N/A (3 identical rows)
PID 2184 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2184 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2184 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2988 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2988 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2988 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2988 wrote to memory of 432 N/A C:\Windows\System32\cmd.exe C:\Windows\SchCache\csrss.exe
PID 2988 wrote to memory of 432 N/A C:\Windows\System32\cmd.exe C:\Windows\SchCache\csrss.exe
PID 2988 wrote to memory of 432 N/A C:\Windows\System32\cmd.exe C:\Windows\SchCache\csrss.exe
PID 432 wrote to memory of 2072 N/A C:\Windows\SchCache\csrss.exe C:\Windows\System32\WScript.exe
PID 432 wrote to memory of 2072 N/A C:\Windows\SchCache\csrss.exe C:\Windows\System32\WScript.exe
PID 432 wrote to memory of 2072 N/A C:\Windows\SchCache\csrss.exe C:\Windows\System32\WScript.exe
PID 432 wrote to memory of 840 N/A C:\Windows\SchCache\csrss.exe C:\Windows\System32\WScript.exe
PID 432 wrote to memory of 840 N/A C:\Windows\SchCache\csrss.exe C:\Windows\System32\WScript.exe
PID 432 wrote to memory of 840 N/A C:\Windows\SchCache\csrss.exe C:\Windows\System32\WScript.exe
PID 2072 wrote to memory of 2044 N/A C:\Windows\System32\WScript.exe C:\Windows\SchCache\csrss.exe
PID 2072 wrote to memory of 2044 N/A C:\Windows\System32\WScript.exe C:\Windows\SchCache\csrss.exe
PID 2072 wrote to memory of 2044 N/A C:\Windows\System32\WScript.exe C:\Windows\SchCache\csrss.exe
PID 2044 wrote to memory of 2808 N/A C:\Windows\SchCache\csrss.exe C:\Windows\System32\WScript.exe
PID 2044 wrote to memory of 2808 N/A C:\Windows\SchCache\csrss.exe C:\Windows\System32\WScript.exe
PID 2044 wrote to memory of 2808 N/A C:\Windows\SchCache\csrss.exe C:\Windows\System32\WScript.exe
PID 2044 wrote to memory of 1896 N/A C:\Windows\SchCache\csrss.exe C:\Windows\System32\WScript.exe
PID 2044 wrote to memory of 1896 N/A C:\Windows\SchCache\csrss.exe C:\Windows\System32\WScript.exe
PID 2044 wrote to memory of 1896 N/A C:\Windows\SchCache\csrss.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SchCache\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SchCache\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SchCache\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SchCache\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SchCache\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SchCache\csrss.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Links\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ShellNew\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TKtqFLH7pF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SchCache\csrss.exe

"C:\Windows\SchCache\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70065346-a271-4ee1-9a08-92feaef7df7d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a53ab0e8-09e9-4882-8c3c-114bf9f971da.vbs"

C:\Windows\SchCache\csrss.exe

C:\Windows\SchCache\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0f1fa0d-ab13-47b1-8f17-d75dd077fe08.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdbd9ccf-67d6-495f-990e-74297931c3d3.vbs"

C:\Windows\SchCache\csrss.exe

C:\Windows\SchCache\csrss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0887556.xsph.ru udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp

Files

memory/2184-0-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

memory/2184-1-0x00000000012F0000-0x000000000162C000-memory.dmp

memory/2184-2-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

memory/2184-3-0x00000000005B0000-0x00000000005BE000-memory.dmp

memory/2184-4-0x00000000005C0000-0x00000000005CE000-memory.dmp

memory/2184-5-0x00000000005D0000-0x00000000005D8000-memory.dmp

memory/2184-6-0x00000000005E0000-0x00000000005FC000-memory.dmp

memory/2184-7-0x0000000000600000-0x0000000000608000-memory.dmp

memory/2184-8-0x0000000000620000-0x0000000000630000-memory.dmp

memory/2184-9-0x0000000000630000-0x0000000000646000-memory.dmp

memory/2184-10-0x0000000000A80000-0x0000000000A88000-memory.dmp

memory/2184-11-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

memory/2184-12-0x0000000000A90000-0x0000000000A9A000-memory.dmp

memory/2184-13-0x0000000000AB0000-0x0000000000B06000-memory.dmp

memory/2184-14-0x0000000000B80000-0x0000000000B8C000-memory.dmp

memory/2184-15-0x0000000000B90000-0x0000000000B98000-memory.dmp

memory/2184-16-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

memory/2184-17-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

memory/2184-18-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

memory/2184-19-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

memory/2184-20-0x0000000000D90000-0x0000000000D9C000-memory.dmp

memory/2184-21-0x0000000001220000-0x000000000122C000-memory.dmp

memory/2184-22-0x0000000001230000-0x000000000123C000-memory.dmp

memory/2184-25-0x0000000001260000-0x000000000126E000-memory.dmp

memory/2184-24-0x0000000001250000-0x000000000125A000-memory.dmp

memory/2184-23-0x0000000001240000-0x0000000001248000-memory.dmp

memory/2184-26-0x0000000001270000-0x0000000001278000-memory.dmp

memory/2184-27-0x0000000001280000-0x000000000128E000-memory.dmp

memory/2184-28-0x0000000001290000-0x000000000129C000-memory.dmp

memory/2184-29-0x00000000012A0000-0x00000000012A8000-memory.dmp

memory/2184-30-0x00000000012B0000-0x00000000012BA000-memory.dmp

memory/2184-32-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

memory/2184-31-0x00000000012C0000-0x00000000012CC000-memory.dmp

memory/2184-37-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe

MD5 dfe2a7d1e80181a3fcf84a7c0b0c44c0
SHA1 6bde52ed399d07d43a24c4a03d0abb25dea6df96
SHA256 a0bbb5f5a121166366ca545b1b37d4a6b9d54562212cdef13bb052e7c342577c
SHA512 fa9e812e795218f05cf158c0d13a50b485439afa9ba5ec3780e3b820c3d793cdbbe24bdadc9048eff33fa70948d0129c070c2e29fc8cc79adf5cbdca89509c66

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

MD5 0f0932cc83a88d529c97ea16a944c529
SHA1 066a197a26039b912eac8822ef6e43a49d14f934
SHA256 adf0c84724c5736d6f09ad45eec08665395f0d7e423af0866ef275b29ff5690a
SHA512 ae6ec7bb1355d54cb0b8e38ec2cefffdd0bdb37a53ca5d66bcbd436f933b0f4db397cf1ae139f171898c4f44fbf96e0e881754eb95d678d585dbc9e8784e1bc6

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe

MD5 254965aec9e293ef890482ddc1263c09
SHA1 75b11eeca2fd136611c2ef740696292d8ab7dd0b
SHA256 8a677dfc059baafa7918a416092a3ce73e0bca483575b440ae5164981740ad56
SHA512 523c4a3bc3457d6bcc349aaa8cf415569f6c170bcacf3a49f36b912f051be7f4cd2520c21dbabfe442efbd82be9a5962fc2ea5688b10e0b4b09df044e1c7d9c5

C:\Users\Admin\audiodg.exe

MD5 2f56320196b3797aebbd020e68c8ae52
SHA1 2487c0309624aa78f2f49987a080cdbe01b634e3
SHA256 34e35366f01e70ace6f226c00880fda031fb712adcb51a8c9c36d12c00e96b5d
SHA512 c501cf99123c85985de2107ce6896c7e5aa5974a0e4e875eb7ee2e362385e5f6874179cd5cbbaaa020cb246ab6731c70b137f4c3e39fe3029eefa1f8ae3b02de

C:\Windows\ShellNew\spoolsv.exe

MD5 42c05ec9ea2e024d335bf5c524ac1ad0
SHA1 d36904f19cd84db1e934536546ae1e09c5711134
SHA256 1ba6dc66c1806d6381a98057c77aa89dff23c6e4d532b7eb9f155f8aacc65c0e
SHA512 50859215d120343ce02a1add25567e5908471f444a6a68db9a9f314c194d9cfa92fa2ced781ccbbfb121b15c97675ef09786d279445cb3423cd80f26267dca43

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe

MD5 ec3c8529f53de3016d96ba3b39d566d5
SHA1 50a406c0fda9507ca6a1863772cedd5980637028
SHA256 438e28ae477e5e8cea0d10f973c122da9f1a40107986d0c6fe580ae2993422b2
SHA512 344b42018c9484f1edff0bc32c97a708e54afda6235d739f462a63f7b370873ffe0a96d71ba890a6949767b457d3e8b758a49c9799be782091073b2c339cfd87

C:\Program Files (x86)\Windows Mail\lsass.exe

MD5 e65c49d1409478ab2a2f876935676d1c
SHA1 5299a2ca1b1684e3412660ea5e2c617a6db64b7d
SHA256 c6278e9b20c2d92901c9f499f6a4b26df0d044f3a14278e958968e239c818a12
SHA512 9995f3b50c7f38013413397a1f2c149ff10a64dd82ec77927241b98952f88fb827ebfca9d1e066746dedb579dc9f65adbfb3153523345274d1989815ffb5f0f1

C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe

MD5 ac3b711d26ab5d47339ba56a3f2ca8b0
SHA1 000daecd8c71bde7ced451aa6503151c0c4b742b
SHA256 7b26c5ee0bba3268e878e184e457f118e491ccd150d199722f5734ebade710e8
SHA512 2329f8f1b8ffa450512d9171f76c556744405ce32489407f5c6774f033ea516ab9a77493e4a118ebd7b3200641d21d1b7fde29c69e3109c23831e54fa10d44b2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 9be6a88a0068976c359b3092a784a433
SHA1 c157cc1dcd3e55410bff94f3b65802f8d8d766a6
SHA256 6ba09d33d95b597d83db23f43e2738596c040a5223774d3ccf76ede7e0ce7947
SHA512 b1fa15866c3a7cfc7d2443357b1e1145a28596a4cb43fd03bd6ce3d556c4c81ceb34cabf390b11bae5e0294c7da88d592ab3655f434964c1074c4c6dfdfec09e

memory/1728-280-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

memory/1752-281-0x0000000002410000-0x0000000002418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TKtqFLH7pF.bat

MD5 a5fc9e9eeefa069166a3a00921d194ce
SHA1 ff993e20e901174e650c4a292de076c583a39084
SHA256 47f82225f39ca3494011dd602cf5337184e7a1abe7a2b82ac9d240eeef15e69a
SHA512 c842528919dbd44d3a7fc4dbe7c50cfc78cfb5ee12ec040074a4b0c7250188830899a0665d7464f0a8a583ce2e9d7422a76ba7cabea8d7f5b6c27d9801ac88f1

memory/2184-333-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

memory/432-336-0x00000000011F0000-0x000000000152C000-memory.dmp

memory/432-337-0x0000000000BC0000-0x0000000000C16000-memory.dmp

memory/432-338-0x0000000000B30000-0x0000000000B42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\70065346-a271-4ee1-9a08-92feaef7df7d.vbs

MD5 078b0fe2ee198ad7f8fcff6dbdffa8f4
SHA1 bd451fbebf6464ed0ee28125bd4a2ce1267a7a76
SHA256 1528be5c5d29bad8d31a12f3dffc4fd9d999e766dec23a2231fabbb3658317f6
SHA512 45dff2be3402d380264a2b63259d6a6d32644dfb570def2dad4ee91b68a77df0c59f24f074ab325b143406ded641d80926dbe1deae582ff2b2dac3b5efce1474

C:\Users\Admin\AppData\Local\Temp\a53ab0e8-09e9-4882-8c3c-114bf9f971da.vbs

MD5 df3fb3269f892af7750e21be4466c729
SHA1 7d64dc005f5a8314a222c66158d1106655cddb7f
SHA256 6d8f527f976983b44a10219b18c9dba8df66fe4ac9e5f5e64ec85b5f6afae0a4
SHA512 e1e23f9b4923ed9abcfb83ffa9636faa9a009732dc89ec65320e74ea6bbd089b6870ea72b8e920e42d7c7076116e3fd716d92c5e3283b8c03fbdd9b92cbc612e

memory/2044-349-0x0000000000200000-0x000000000053C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c0f1fa0d-ab13-47b1-8f17-d75dd077fe08.vbs

MD5 bcb708f940352d0ce1c84f5f9a841f48
SHA1 0d9578f02dab4115a00d748497deddc7ac8958b2
SHA256 11ac33004bc6613e858054574d8882f7c98342d732e07b496bf267803b03d805
SHA512 27ff46ede3713119dcfc144f5cc8bcb64acc9bf9ac7e747f9355c3e6ce1d770884fc1ab28103d51d364482ed63061bb2ff2771a11d82033c5f6bee18800e1a8b

C:\Windows\SchCache\csrss.exe

MD5 42caa506b4038361a7edb49b03aefa65
SHA1 85e5b80faeb469ef93a59760f0f9eec281afa07a
SHA256 ee64b21ea6ae3425382934df8b352da664bb7ba64784591cca7b037d55812624
SHA512 d6d5b9c01dbb1a2c7eddc49a9d926e83df9e87d5adf49b2310edbbad6fa87249b39f81321da76c873d0a0d83c03e4f2aab5b164f4305a9441a5247d2dc6a65f7

memory/2068-361-0x0000000000380000-0x00000000006BC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 13:07

Reported

2024-05-16 13:09

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Portable Devices\sppsvc.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\images\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Multimedia Platform\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX4679.tmp C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX468A.tmp C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\RCX489F.tmp C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\images\RCX3D98.tmp C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX3FAD.tmp C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Internet Explorer\images\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Multimedia Platform\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\RCX488E.tmp C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\images\RCX3D88.tmp C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\RCX4454.tmp C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\images\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Portable Devices\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX3FAE.tmp C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\RCX4455.tmp C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Program Files\Windows Portable Devices\sppsvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\sppsvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 1720 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2708 wrote to memory of 5016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2708 wrote to memory of 5016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2708 wrote to memory of 4372 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Portable Devices\sppsvc.exe
PID 2708 wrote to memory of 4372 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Portable Devices\sppsvc.exe
PID 4372 wrote to memory of 3324 N/A C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4372 wrote to memory of 3324 N/A C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4372 wrote to memory of 4620 N/A C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4372 wrote to memory of 4620 N/A C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 3324 wrote to memory of 4336 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\sppsvc.exe
PID 3324 wrote to memory of 4336 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\sppsvc.exe
PID 4336 wrote to memory of 4708 N/A C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4336 wrote to memory of 4708 N/A C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4336 wrote to memory of 2960 N/A C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4336 wrote to memory of 2960 N/A C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4708 wrote to memory of 3284 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\sppsvc.exe
PID 4708 wrote to memory of 3284 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\sppsvc.exe
PID 3284 wrote to memory of 4396 N/A C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 3284 wrote to memory of 4396 N/A C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 3284 wrote to memory of 4484 N/A C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 3284 wrote to memory of 4484 N/A C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\sppsvc.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\images\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YVIyGntNMj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Portable Devices\sppsvc.exe

"C:\Program Files\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6769dd69-3d11-49c8-a791-5fac21dcc4e9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3264e96e-dae6-445c-bcb8-c19028231c07.vbs"

C:\Program Files\Windows Portable Devices\sppsvc.exe

"C:\Program Files\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8811cf8e-0cd1-464f-9ed7-877befe3f1ed.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82fddced-bc7f-469d-90e5-41eaae4ac359.vbs"

C:\Program Files\Windows Portable Devices\sppsvc.exe

"C:\Program Files\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98a86f6f-26fa-48d7-a415-6151ffb2c728.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18d963a3-f8f0-42da-8d6f-456d460bb8c6.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 a0887556.xsph.ru udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp

Files

memory/1720-1-0x0000000000500000-0x000000000083C000-memory.dmp

memory/1720-0-0x00007FFFD8E43000-0x00007FFFD8E45000-memory.dmp

memory/1720-2-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/1720-3-0x0000000001100000-0x000000000110E000-memory.dmp

memory/1720-4-0x0000000001120000-0x000000000112E000-memory.dmp

memory/1720-9-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

memory/1720-13-0x000000001BAF0000-0x000000001BAFA000-memory.dmp

memory/1720-14-0x000000001BB80000-0x000000001BBD6000-memory.dmp

memory/1720-15-0x000000001BB10000-0x000000001BB1C000-memory.dmp

memory/1720-19-0x000000001BBE0000-0x000000001BBF2000-memory.dmp

memory/1720-21-0x000000001BC10000-0x000000001BC1C000-memory.dmp

memory/1720-22-0x000000001BC20000-0x000000001BC2C000-memory.dmp

memory/1720-26-0x000000001BC50000-0x000000001BC5A000-memory.dmp

memory/1720-29-0x000000001BC80000-0x000000001BC8E000-memory.dmp

memory/1720-31-0x000000001BCA0000-0x000000001BCA8000-memory.dmp

memory/1720-34-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/1720-33-0x000000001BF20000-0x000000001BF2C000-memory.dmp

C:\Program Files\Windows Portable Devices\sppsvc.exe

MD5 dfe2a7d1e80181a3fcf84a7c0b0c44c0
SHA1 6bde52ed399d07d43a24c4a03d0abb25dea6df96
SHA256 a0bbb5f5a121166366ca545b1b37d4a6b9d54562212cdef13bb052e7c342577c
SHA512 fa9e812e795218f05cf158c0d13a50b485439afa9ba5ec3780e3b820c3d793cdbbe24bdadc9048eff33fa70948d0129c070c2e29fc8cc79adf5cbdca89509c66

memory/1720-37-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/1720-32-0x000000001BCB0000-0x000000001BCBA000-memory.dmp

memory/1720-28-0x000000001BC70000-0x000000001BC78000-memory.dmp

memory/1720-27-0x000000001BC60000-0x000000001BC6E000-memory.dmp

memory/1720-30-0x000000001BC90000-0x000000001BC9C000-memory.dmp

memory/1720-25-0x000000001BCC0000-0x000000001BCC8000-memory.dmp

memory/1720-24-0x000000001BC40000-0x000000001BC4C000-memory.dmp

memory/1720-23-0x000000001BC30000-0x000000001BC3C000-memory.dmp

memory/1720-20-0x000000001C210000-0x000000001C738000-memory.dmp

memory/1720-18-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

memory/1720-17-0x000000001BCD0000-0x000000001BCDC000-memory.dmp

memory/1720-16-0x000000001BB20000-0x000000001BB28000-memory.dmp

memory/1720-12-0x000000001BB00000-0x000000001BB10000-memory.dmp

memory/1720-11-0x000000001BAE0000-0x000000001BAE8000-memory.dmp

memory/1720-10-0x000000001B3B0000-0x000000001B3C6000-memory.dmp

memory/1720-8-0x000000001B390000-0x000000001B398000-memory.dmp
