Malware Analysis Report

2024-10-10 12:54

Sample ID 240531-jkl69scd34
Target 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
SHA256 8d23e71c63a93438c953695aa9cc56ca5a8a2b05ad94ba7535698add6dad98e6
Tags
dcrat evasion execution infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8d23e71c63a93438c953695aa9cc56ca5a8a2b05ad94ba7535698add6dad98e6

Threat Level: Known bad

The file 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan

Dcrat family

Process spawned unexpected child process

DCRat payload

DcRat

UAC bypass

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

System policy modification

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 07:43

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 07:43

Reported

2024-05-31 07:46

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (45 identical rows)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A (5 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A (5 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A (5 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A (5 identical rows)
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A (5 identical rows)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A (5 identical rows)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\Office16\9b2dce32fb4010 C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Mail\explorer.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX7837.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Mail\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Mail\RCX75F3.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Mail\RCX7613.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office\Office16\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\RCX5E51.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\RCX6E9B.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Mail\explorer.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\RCX6E4C.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\upfc.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\upfc.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\RCX5E21.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\RCX6075.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX7857.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\RCX6095.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Windows\security\ApplicationId\PolicyManagement\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Windows\security\ApplicationId\PolicyManagement\RCX653C.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Windows\security\ApplicationId\PolicyManagement\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Windows\security\ApplicationId\PolicyManagement\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\RCX58CD.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\RCX591D.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Windows\security\ApplicationId\PolicyManagement\RCX651C.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (45 identical rows)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A (5 identical rows)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (12 identical rows)
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A (5 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1480 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 6028 N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 6028 wrote to memory of 5608 N/A C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WScript.exe
PID 6028 wrote to memory of 1104 N/A C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WScript.exe
PID 5608 wrote to memory of 5432 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 5432 wrote to memory of 2392 N/A C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WScript.exe
PID 5432 wrote to memory of 4332 N/A C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WScript.exe
PID 2392 wrote to memory of 6024 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 6024 wrote to memory of 2836 N/A C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WScript.exe
PID 6024 wrote to memory of 3312 N/A C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WScript.exe
PID 2836 wrote to memory of 5300 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 5300 wrote to memory of 5648 N/A C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WScript.exe
PID 5300 wrote to memory of 5332 N/A C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WScript.exe
PID 5648 wrote to memory of 3368 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 3368 wrote to memory of 4744 N/A C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WScript.exe
PID 3368 wrote to memory of 6048 N/A C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office16\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 8 /tr "'C:\odt\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics" /sc ONLOGON /tr "'C:\odt\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 5 /tr "'C:\odt\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default\SendTo\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\odt\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\odt\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\odt\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\upfc.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

"C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47204879-fadd-4fde-88db-1d22272b9a8a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a06106c-2ed8-4b6b-954d-40dabbc06730.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\656fe7b8-4505-4982-8588-1c27d08f5021.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8e3db69-7272-46e5-aa5f-ec7da81518d1.vbs"

C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1634add0-aaee-40bc-92fc-87151904a770.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e37b3c2-f373-4f0b-950f-a46702fff52e.vbs"

C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b8036b9-0dd6-4be4-b642-7644d186b43c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d066a01e-846c-4a54-b65d-66394f8e4178.vbs"

C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b33a83c-039f-4c55-9259-5bf6dc74b60f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a0caa2d-179e-4d08-abbe-237c180726f7.vbs"

Network


Files

memory/1480-0-0x00007FF9872D3000-0x00007FF9872D5000-memory.dmp

memory/1480-1-0x0000000000AD0000-0x0000000000E0C000-memory.dmp

memory/1480-2-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

memory/1480-3-0x00000000017E0000-0x00000000017EE000-memory.dmp

memory/1480-4-0x00000000017F0000-0x00000000017FE000-memory.dmp

memory/1480-5-0x000000001B8E0000-0x000000001B8E8000-memory.dmp

memory/1480-6-0x000000001B8F0000-0x000000001B90C000-memory.dmp

memory/1480-7-0x000000001C0D0000-0x000000001C120000-memory.dmp

memory/1480-8-0x000000001B910000-0x000000001B918000-memory.dmp

memory/1480-9-0x000000001B920000-0x000000001B930000-memory.dmp

memory/1480-10-0x000000001BA40000-0x000000001BA56000-memory.dmp

memory/1480-11-0x000000001BA60000-0x000000001BA68000-memory.dmp

memory/1480-12-0x000000001BA70000-0x000000001BA80000-memory.dmp

memory/1480-13-0x000000001BA80000-0x000000001BA8A000-memory.dmp

memory/1480-14-0x000000001C120000-0x000000001C176000-memory.dmp

memory/1480-15-0x000000001BA90000-0x000000001BA9C000-memory.dmp

memory/1480-16-0x000000001BAA0000-0x000000001BAA8000-memory.dmp

memory/1480-17-0x000000001BAB0000-0x000000001BABC000-memory.dmp

memory/1480-18-0x000000001C170000-0x000000001C178000-memory.dmp

memory/1480-19-0x000000001C180000-0x000000001C192000-memory.dmp

memory/1480-20-0x000000001C6E0000-0x000000001CC08000-memory.dmp

memory/1480-22-0x000000001C1C0000-0x000000001C1CC000-memory.dmp

memory/1480-21-0x000000001C1B0000-0x000000001C1BC000-memory.dmp

memory/1480-23-0x000000001C1D0000-0x000000001C1DC000-memory.dmp

memory/1480-24-0x000000001C1E0000-0x000000001C1EC000-memory.dmp

memory/1480-25-0x000000001C3F0000-0x000000001C3F8000-memory.dmp

memory/1480-29-0x000000001C430000-0x000000001C43E000-memory.dmp

memory/1480-28-0x000000001C420000-0x000000001C428000-memory.dmp

memory/1480-27-0x000000001C410000-0x000000001C41E000-memory.dmp

memory/1480-26-0x000000001C400000-0x000000001C40A000-memory.dmp

memory/1480-30-0x000000001C440000-0x000000001C44C000-memory.dmp

memory/1480-33-0x000000001C4B0000-0x000000001C4BC000-memory.dmp

memory/1480-32-0x000000001C4A0000-0x000000001C4AA000-memory.dmp

memory/1480-31-0x000000001C490000-0x000000001C498000-memory.dmp

memory/1480-34-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

memory/1480-35-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

memory/1480-38-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

memory/1480-39-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe

MD5 7d51904b084c1d1037f17ed8aaa57a70
SHA1 d2d0d38ca329c1cb2fa955c8fbb3f12cb28fc05d
SHA256 8d23e71c63a93438c953695aa9cc56ca5a8a2b05ad94ba7535698add6dad98e6
SHA512 cb0065905907951367375dde96c9c6e4b27ffa041c4ab870e03744d94ef091010396e77fa6ff26e2b1677e36c7254ee953d23ffa707e1ffe79f939cfd91d8582

memory/1480-71-0x00007FF9872D3000-0x00007FF9872D5000-memory.dmp

memory/1480-122-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\RCX6E4C.tmp

MD5 023b14174d128993a34ea4610fabcb82
SHA1 6d93f2c4765099b6bf2604b5db8aefd4bb3f2552
SHA256 197747fdfcdc7f5df03e7766ae3d662ff0719f892c6cf9dc015cf4d9e54d8063
SHA512 2effd49532ebae93967b7e5dd90cea9ff3aa2e08ea59f131e804b469bc9bd403082e15fa92f14c6a782602abdcc5903c24ac76b9981cb7233409b77a58763ff4

C:\odt\RCX7313.tmp

MD5 469e539e018aa80cf820d336e78acc56
SHA1 746ca0b86e815fed3c6887de306c49dd75041259
SHA256 e102b4a97971d33cd5d47ece9ca266aff502dcf4fb6ed6ef24c3fd29f7c1cfed
SHA512 4051f62a5cba1428c45fe28b15f8c96a7cbfb0daa6e908d525052f660d7f7f584031a80455f11962a6b5b121036e5481c8eb7b3faf64267a2df63fceaf433ccf

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mppsndcc.fll.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1600-313-0x0000024B7D810000-0x0000024B7D832000-memory.dmp

memory/1480-424-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 17fbfbe3f04595e251287a6bfcdc35de
SHA1 b576aabfd5e6d5799d487011506ed1ae70688987
SHA256 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Temp\47204879-fadd-4fde-88db-1d22272b9a8a.vbs

MD5 76594c969f1f6d9d371a0d7db46dae29
SHA1 d28d26998be3f7843aff44c4c529715d0c147823
SHA256 0e8977969796274621ad2f713e1ec1a42dc6fd0e0383a8cbca416b7c004e2492
SHA512 84f95ccbe2bf8d4ebfc305a52f7a3b88c657924323f6225fac1751d55e7b667dd09276a3a290385ec2403c6fd724b790cd3d14a2c040e6b1a8626e7649faa803

C:\Users\Admin\AppData\Local\Temp\5a06106c-2ed8-4b6b-954d-40dabbc06730.vbs


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe.log


C:\Users\Admin\AppData\Local\Temp\656fe7b8-4505-4982-8588-1c27d08f5021.vbs


C:\Users\Admin\AppData\Local\Temp\1634add0-aaee-40bc-92fc-87151904a770.vbs


memory/5300-483-0x00000000011C0000-0x00000000011D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1b8036b9-0dd6-4be4-b642-7644d186b43c.vbs


C:\Users\Admin\AppData\Local\Temp\5b33a83c-039f-4c55-9259-5bf6dc74b60f.vbs


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 07:43

Reported

2024-05-31 07:46

Platform

win7-20240221-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(The row above is repeated 45 times in the original table, one per schtasks.exe launch.)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(The row above is repeated 10 times in the original table.)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Mail\ja-JP\wininit.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX3002.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX3003.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Mail\ja-JP\RCX44EB.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCX2BF9.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\dwm.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Mail\ja-JP\56085415360792 C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCX2B8B.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\dwm.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Mail\ja-JP\RCX4559.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Mail\ja-JP\wininit.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\9b2dce32fb4010 C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX426A.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX42D8.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Vss\Writers\RCX24F1.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Windows\Vss\Writers\lsm.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Vss\Writers\lsm.exe C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File created C:\Windows\Vss\Writers\101b941d020240 C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Vss\Writers\RCX24F0.tmp C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(The row above is repeated 45 times in the original table, one per scheduled task created.)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
(The row above is repeated 47 times in the original table.)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(The row above is repeated 7 times in the original table.)
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(The row above is repeated 4 times in the original table.)
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
(The row above is repeated 3 times in the original table.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(The row above is repeated 12 times in the original table.)
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe N/A
(The row above is repeated 7 times in the original table.)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2340 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 2340 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 2340 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 1676 wrote to memory of 2696 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 1676 wrote to memory of 2696 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 1676 wrote to memory of 2696 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 1676 wrote to memory of 784 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 1676 wrote to memory of 784 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 1676 wrote to memory of 784 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 2696 wrote to memory of 1788 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 2696 wrote to memory of 1788 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 2696 wrote to memory of 1788 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 1788 wrote to memory of 2004 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 1788 wrote to memory of 2004 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 1788 wrote to memory of 2004 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 1788 wrote to memory of 2016 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 1788 wrote to memory of 2016 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 1788 wrote to memory of 2016 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 2004 wrote to memory of 2856 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 2004 wrote to memory of 2856 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 2004 wrote to memory of 2856 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
PID 2856 wrote to memory of 708 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 2856 wrote to memory of 708 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 2856 wrote to memory of 708 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 2856 wrote to memory of 1584 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 2856 wrote to memory of 1584 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 2856 wrote to memory of 1584 | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | C:\Windows\System32\WScript.exe
PID 708 wrote to memory of 2144 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\RAC\StateData\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\RAC\StateData\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\RAC\StateData\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\048bf34c-d2d9-43b1-b4fc-a1beab3e12e5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fba3d8c5-ca61-488f-a15e-706e4e898e62.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc55f815-c192-4012-afed-ec2050c9fd00.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9904c07-e2d8-41b6-a7cc-b0954845aa34.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5bf4987-de4f-48fe-b8c4-1175fc34a508.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfa4b9a3-4bfc-46d0-8660-2d39514c157a.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b821b74-d73a-4888-852c-373a3656384c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f463f9aa-8cbd-4d81-a2da-97788419d389.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255e8bea-5310-4886-91c8-d55f9434765e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7566dec5-e549-4af3-85e6-b06a2bf69a93.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5aedc89-e535-4572-aaad-2ebe8198bb80.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cf08891-b2d3-40fc-b803-00a980a49643.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba23441d-9b88-47af-8863-69160435d031.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f11a8482-f74a-4e0a-b357-b15678f1ee9b.vbs"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a0887556.xsph.ru | udp
RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp
RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp
RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp
RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp
RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp
RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp
RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp
RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp
RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp
RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp
RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp
RU | 141.8.197.42:80 | a0887556.xsph.ru | tcp

Files

C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe

MD5 7d51904b084c1d1037f17ed8aaa57a70
SHA1 d2d0d38ca329c1cb2fa955c8fbb3f12cb28fc05d
SHA256 8d23e71c63a93438c953695aa9cc56ca5a8a2b05ad94ba7535698add6dad98e6
SHA512 cb0065905907951367375dde96c9c6e4b27ffa041c4ab870e03744d94ef091010396e77fa6ff26e2b1677e36c7254ee953d23ffa707e1ffe79f939cfd91d8582

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe

MD5 6f4257068187524fd1ee8c16e4c30051
SHA1 0ff6842342e227d660a6e99d3ceb7cb225f86a34
SHA256 f4188b8d6a49c212b5a15a2b04f2da9216aef4f504b644552e9dc3e74a17dec7
SHA512 984f92e344919019a9ce8b9beae3bd44990ff42edc686ecaa44ba4c68c7157f1721bd2df62f6255cb87da7703f6987c325e2ec46603ac96fa72c4799e17179cc

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe

MD5 ba648fa71f9cbdb85fa39a1d93ac46e0
SHA1 d7a558b740b8d357b5cb07521b829e2d652d27ce
SHA256 4040c52d2d8fa26bda4fb27966df06d22b6464e6469e13ef27acec12f910ef6e
SHA512 31f947b68daf5970f1da2b2a7662ae1d2dd6d2c7343fd637fbdf20183cf3dd221d774ce0acadf727d6e12b0569de7107bee0eb6f35998108e2ec0a780128921c

C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe

MD5 9a2cbfc7864b6b50bf38eda58b3ab2ee
SHA1 7b7223521f787d072988e855845405be1c8b34ab
SHA256 b5560c76b04fbe092bde21e33fc8aca79960a1a5ea931c499ed2b240586a66dc
SHA512 58a538d72b01768d26dc11fd2be8ceb7cc90676d7013fe7a4a4e320240cbf7a47665f729ec191534a61c40a7bb357eaed49a0bdcd53751a63139203806e47202

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

MD5 def5cc475b4ddbb74591090a003800a0
SHA1 999536842aa5dded92fbe349e7615371e8af88e7
SHA256 8e63ade21b522337c0c5f002328e2e736aa1c495a0782e45dbbfec99f9a61e77
SHA512 700765c73628e38ca224acaf916eab03f0c355754c84b30da6d86fe1400f56984642bf6696d51bf78ee9b4ed14678c658925d183a6c4dc658cc24e3a144c65aa

C:\Program Files\Windows Mail\ja-JP\wininit.exe

MD5 c89375a74a9fe882f2ef549f733a937a
SHA1 27aa7189430dd79de73e017b3d1c598235038363
SHA256 b067184b0042fb8a8046d0aa6f19cfd47548f39793f232a243c68f38b3b210ac
SHA512 e2f64e3a78489d3ef2477839ad922ebf0c7726f8f1132c315db16c34d2bc52d097937fcb54930780b46711b4c79517404d48b1f3cc30e36fb6c8124d12918c27

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 86033fc6ce1eb4bd3294a05064ec5e46
SHA1 a28587c91c172588142676b3c4b6eccde738442c
SHA256 42bd54913436eeeb2d8204465a1d83cdad1e7bbc91ee8d977fd5af36d2ace1d4
SHA512 f6b38b4e69eb7aac954f6cf784e09a9954576eaadd6fb4f4c308955019288a8631265566cbb8f37022d300307c8935eb6e28aa561aa130280e8be3e2da052776

C:\Users\Admin\AppData\Local\Temp\048bf34c-d2d9-43b1-b4fc-a1beab3e12e5.vbs

MD5 eec05329a4489e1168914c89ba939573
SHA1 a954d18b320e74474c534336f05a57ab2fb186ce
SHA256 df3b5aabee4ef9df365d97fdea914b1e9feb1fbfe49133564616af5eca25dcbf
SHA512 6de010275d201d2260731247a9fb3fdf89161153f8fcde774f2b7839c9714d23cdbe23f6a3df409c663747e890764aa97bbcdbbf14231e1cf3a9f4f92896df08

C:\Users\Admin\AppData\Local\Temp\fba3d8c5-ca61-488f-a15e-706e4e898e62.vbs

MD5 bc816ae6a30d34acd6e670e137a9dfae
SHA1 a613ba0dae52aca2f7cf227594a502d0d8a062af
SHA256 3179094968692e22c32a27334edd9dee1fff09017e1fa058f4e1711eede0a003
SHA512 b5fda4fab2cadfa51decbbda6dc97d4aae1026676d0a97abfccf43d7121cb791d7c3fd638a05321298c166b654cb618b45e8e7100e3ec1af3d001c709c9cd605

C:\Users\Admin\AppData\Local\Temp\dc55f815-c192-4012-afed-ec2050c9fd00.vbs

MD5 8ca0246a7c5f631319c83c7ca00d3681
SHA1 cc058a8273e8fc75972b597d1b3c0924515f60f1
SHA256 773b4a37b31085ac4dca9de41d2cfa80ba5926b88fe53b44a28eff6f755b45be
SHA512 0255fe9d161f3d2b76a6ce94c2a166df7af825ff35887ccc682a4e954dad185cdd362f02da5d4cbf5a1b233e955f0a510961512b0505edf96ec66303c7bd05b2

C:\Users\Admin\AppData\Local\Temp\c5bf4987-de4f-48fe-b8c4-1175fc34a508.vbs

MD5 c18bc3440e02205862eacf58e170b80a
SHA1 fc5171c630929d4bcd7b770071f1c21b7041d62b
SHA256 e5bd0b02dbaa2daa0ac4b0c454f5191e89c76384985fc97852e77e7191240469
SHA512 7f85e647dc004371ab25fcae1612e0f30e1ccc173a446a9a2b3f700a2556d4b69da5f1f15910c0c4f7784cc56ae67f474c89288c603b6ffad0ed0f3c05fb8344

C:\Users\Admin\AppData\Local\Temp\5b821b74-d73a-4888-852c-373a3656384c.vbs

MD5 77eae0688b1c831b823ce6255d04d726
SHA1 16602f7ee28f45211c4922eb8c5b34f2ce4dcd7a
SHA256 505ce828fbc642a3a9839c33031e1cd7b9354778e0b84f64372f181e1cadd077
SHA512 fec03c237a534275b5ad856ab5ffe791fd1ca641efddceccd86dd34c318b447712e19d79b7dd6b95e9d1c47413cd2522660716705f454f01eda291265ab9c605

C:\Users\Admin\AppData\Local\Temp\255e8bea-5310-4886-91c8-d55f9434765e.vbs

MD5 bf7b7fc7a1258e986f9a33329276e650
SHA1 8003d1cc2ef8a5432d799fa3eaaf218b7b6a5ecb
SHA256 9f7363ba0568b3cf416accb9dc7cb03b6b5cdd5e2776ffc55f1234e8df4abe34
SHA512 f456ed36b7eea4d986f365521ab1066b1bfd07c2dbde31e3e8eaa6c11f32c030a3c49a3e058cd4ba8572ffdd294a0f421ad82d1864b39a16c846e994d10fd154

C:\Users\Admin\AppData\Local\Temp\a5aedc89-e535-4572-aaad-2ebe8198bb80.vbs

MD5 44d77c7fbcc9698a997da96a581a5f3f
SHA1 80618216f148467a05cfe221941412cdef87330d
SHA256 26a8d7b812cd4894684c86f330425b8669dcc8eff2c0555dcd5e20545f303d65
SHA512 ba46b340dda3333cc0c4ac88d8db579d08143d9825e89723af6fa38642cff3bb12417907a0c44de3fb336aa376644fe64cd0b91f2323a0f7c6846b79f3b03213

C:\Users\Admin\AppData\Local\Temp\ba23441d-9b88-47af-8863-69160435d031.vbs

MD5 30df9ab87ead37b3435954a97a9e266a
SHA1 6e48d29f69c90226587b5426d0b323bce2454408
SHA256 a06adb2fb35c447c8ca680ea70430184d8939eadf1db44b3ca96e06eec90da8f
SHA512 ac76a87d16979b7ae28f04b665095677790eff147ec93cdc4b7f23ac6c1fecb3ac5e424d3110d54bdb9c11242744820948a0d300e6a46309ba3595ea067c6f06