Malware Analysis Report

2024-10-10 12:53

Sample ID 240601-dta8gaga3t
Target 8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe
SHA256 39e9eb95baba36457a2d52c1172cd4b7135d3d3405b8f87899af5aab19774fdf
Tags
dcrat infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39e9eb95baba36457a2d52c1172cd4b7135d3d3405b8f87899af5aab19774fdf

Threat Level: Known bad

The file 8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat

Modifies WinLogon for persistence

DcRat

DCRat payload

Dcrat family

Process spawned unexpected child process

DCRat payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:17

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:17

Reported

2024-06-01 03:20

Platform

win7-20240508-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A

Ten writes to this value were captured. Each rewrites it as the previous value with one more path appended, so the nine intermediate values are prefixes of the final one. Winlogon launches every comma-separated entry in Shell at logon, which makes each appended path a logon-time launch of one dropped copy in addition to explorer.exe. Final value as recorded (escaped as the sandbox prints it):

"explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\Default\\Templates\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\wininit.exe\", \"C:\\Users\\All Users\\Documents\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Users\\Admin\\Favorites\\spoolsv.exe\", \"C:\\Windows\\en-US\\audiodg.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\smss.exe\""

The same value with the escaping removed, one entry per line, in the order the entries were appended:

explorer.exe
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe
C:\Users\Default\Templates\explorer.exe
C:\Program Files\Internet Explorer\en-US\wininit.exe
C:\Users\All Users\Documents\sppsvc.exe
C:\Program Files (x86)\Windows Portable Devices\csrss.exe
C:\Users\Admin\Favorites\spoolsv.exe
C:\Windows\en-US\audiodg.exe
C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe
C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\smss.exe

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

(30 identical rows in the original, one per schtasks.exe invocation listed under Processes; the Target column is empty in each.) WmiPrvSE.exe as the parent of every schtasks.exe is consistent with the sample creating those processes through WMI (Win32_Process.Create) rather than directly, so the sample-to-schtasks.exe parent/child link that a simple process-tree rule would look for is absent. The link survives in the task contents: every /tr target is one of the sample's dropped copies.

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

(6 identical rows in the original: six payload detections with no indicator, process or target recorded.)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\en-US\wininit.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\en-US\\audiodg.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default\\Templates\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Documents\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Favorites\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\en-US\\audiodg.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b7315310f64f655192f76ee38be0f60NeikiAnalytics = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Documents\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Internet Explorer\\en-US\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Favorites\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b7315310f64f655192f76ee38be0f60NeikiAnalytics = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default\\Templates\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Internet Explorer\\en-US\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A

Every dropped copy is registered twice, under HKLM\...\Run and under the logged-on user's hive (the \REGISTRY\USER\S-1-5-21-...-1000 path), so clearing one hive leaves the other. The two sppsvc.exe copies share the value name "sppsvc", so in each hive the later of those two writes overwrites the earlier one.

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX3213.tmp | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File created | C:\Program Files\Internet Explorer\en-US\wininit.exe | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File created | C:\Program Files\Internet Explorer\en-US\56085415360792 | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\csrss.exe | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\en-US\RCX2D7C.tmp | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX3212.tmp | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\en-US\RCX2D7D.tmp | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\en-US\wininit.exe | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\csrss.exe | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\en-US\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File created | C:\Windows\en-US\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\en-US\RCX363B.tmp | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\en-US\RCX363C.tmp | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\en-US\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Internet Explorer\en-US\wininit.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Templates\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Documents\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Favorites\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Favorites\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\en-US\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "8b7315310f64f655192f76ee38be0f60NeikiAnalytics8" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "8b7315310f64f655192f76ee38be0f60NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "8b7315310f64f655192f76ee38be0f60NeikiAnalytics8" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\smss.exe'" /rl HIGHEST /f
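The 30 schtasks.exe invocations above follow one template per dropped copy: an interval task created with /f, an ONLOGON task with /rl HIGHEST, and a second, shorter interval task with /rl HIGHEST. The following added example (not sandbox or DcRat code) parses such command lines and summarises, per target executable, whether it gets a logon trigger, highest privileges and how often it is relaunched. It also checks the task-name pattern visible above, where every interval task is named after the target's file stem plus the stem's first character (sppsvcs, explorere, wininitw, lsassl, smsss, and the sample's own name followed by 8) while the ONLOGON task uses the plain stem. The sample command lines are copied from the list above; the function names are mine.

```python
"""Summarise schtasks /create persistence from sandbox process listings.

Added example for the Processes list above; sample lines are copied
from that list, everything else is an assumption of this example.
"""
import ntpath
import re

VALUE_OPTIONS = {"/tn", "/sc", "/mo", "/tr", "/rl"}


def parse_schtasks(cmdline):
    """Tokenise a schtasks command line (double-quoted arguments kept whole)
    into the options that matter for persistence triage."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    task = {"create": False, "force": False,
            "tn": None, "sc": None, "mo": None, "tr": None, "rl": None}
    i = 1  # tokens[0] is the executable
    while i < len(tokens):
        opt = tokens[i].lower()
        if opt == "/create":
            task["create"] = True
        elif opt == "/f":
            task["force"] = True
        elif opt in VALUE_OPTIONS and i + 1 < len(tokens):
            task[opt[1:]] = tokens[i + 1].strip('"')
            i += 1
        i += 1
    if task["tr"]:
        # The sample wraps the target in single quotes inside the double quotes.
        task["tr"] = task["tr"].strip("'")
    return task


def interval_minutes(task):
    """Repeat interval of a /sc MINUTE task; None for other schedules."""
    if (task["sc"] or "").upper() != "MINUTE":
        return None
    return int(task["mo"]) if task["mo"] else 1


def has_dcrat_name_pattern(task):
    """Interval tasks above are named <stem><first char of stem>
    (sppsvcs, explorere, wininitw, ...); the ONLOGON task is the plain stem."""
    if not (task["tn"] and task["tr"]):
        return False
    stem = ntpath.splitext(ntpath.basename(task["tr"]))[0]
    return task["tn"] == stem + stem[0]


def summarize(cmdlines):
    """Group /create calls by target executable and record what each gets."""
    summary = {}
    for cmdline in cmdlines:
        task = parse_schtasks(cmdline)
        if not task["create"] or not task["tr"]:
            continue
        entry = summary.setdefault(task["tr"], {
            "tasks": 0, "onlogon": False, "highest": False,
            "min_interval": None, "dcrat_names": 0})
        entry["tasks"] += 1
        entry["onlogon"] |= (task["sc"] or "").upper() == "ONLOGON"
        entry["highest"] |= (task["rl"] or "").upper() == "HIGHEST"
        minutes = interval_minutes(task)
        if minutes is not None and (entry["min_interval"] is None
                                    or minutes < entry["min_interval"]):
            entry["min_interval"] = minutes
        entry["dcrat_names"] += has_dcrat_name_pattern(task)
    return summary


# Constructed input: seven command lines copied from the Processes list above.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f""",
    r"""schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\wininit.exe'" /f""",
    r"""schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\en-US\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "8b7315310f64f655192f76ee38be0f60NeikiAnalytics8" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe'" /f""",
]

if __name__ == "__main__":
    for target, info in summarize(SAMPLE_CMDLINES).items():
        print(target, info)
```

For the two complete triplets this reports three tasks each, a logon trigger, highest run level and a five-minute minimum interval; the lone interval task for the Recovery copy shows what a partial capture looks like (one task, no logon trigger, no elevation). The point of the per-target grouping is that the elevated interval task, not the logon task, is what brings a killed copy back within minutes, so removal has to cover all three tasks per target plus the Run and Shell entries.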

C:\Program Files\Internet Explorer\en-US\wininit.exe

"C:\Program Files\Internet Explorer\en-US\wininit.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dcrat.jorikbz3.beget.tech | udp
US | 8.8.8.8:53 | jorikbz3.beget.tech | udp

Only these two DNS lookups were recorded; no connection to a resolved address appears in the capture, so the C2 traffic itself is not documented in this run.

Files

memory/2428-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

memory/2428-1-0x00000000009B0000-0x0000000000BBC000-memory.dmp

memory/2428-2-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

memory/2428-3-0x0000000000150000-0x000000000016C000-memory.dmp

memory/2428-4-0x0000000000170000-0x0000000000178000-memory.dmp

memory/2428-5-0x0000000000180000-0x0000000000190000-memory.dmp

memory/2428-6-0x0000000000570000-0x0000000000586000-memory.dmp

memory/2428-7-0x0000000000780000-0x00000000007D6000-memory.dmp

memory/2428-8-0x00000000004E0000-0x00000000004EC000-memory.dmp

memory/2428-9-0x0000000000590000-0x000000000059C000-memory.dmp

memory/2428-10-0x00000000005A0000-0x00000000005AC000-memory.dmp

memory/2428-11-0x0000000000730000-0x000000000073E000-memory.dmp

memory/2428-12-0x00000000007D0000-0x00000000007DE000-memory.dmp

memory/2428-13-0x00000000007E0000-0x00000000007EA000-memory.dmp

C:\Program Files (x86)\Windows Portable Devices\csrss.exe

MD5 8b7315310f64f655192f76ee38be0f60
SHA1 ead7c51d67763184aaeb479fb04f514a112f93da
SHA256 39e9eb95baba36457a2d52c1172cd4b7135d3d3405b8f87899af5aab19774fdf
SHA512 a9f2d642484714d5e32b482a53d127e9deb7e6f0ec3b4451b3bd8f658742e903b93da076fddcc8c70b6380fba5e28003b8b8afaa443452dbe6a06ad55b7308f7

(Same hashes as the submitted sample: this copy is byte-for-byte the original, so the sample's own hashes match it.)

C:\Users\Public\Documents\sppsvc.exe

MD5 bc14713542868521a8a926bcd5069249
SHA1 e4216f46ec412242c5ac42de31fca05a4bb39e65
SHA256 c44e3631c8fad8e11944c25f6e2f7ae99c1c8955f6e9adbe8177d29e2dc163a5
SHA512 9c8882c18e779162fd202520fe343941d2c7a79e13570777764a18af57620719d30cfbde8e86302d5a2dff909774569c924218e31a74b4f7eacd0ced6bcb9ba6

C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe

MD5 f1e7b17199b52a61c555d9fbf4e35846
SHA1 124beeb1f519c2afb28b09c2f54037549ac0c767
SHA256 7b3fa05c409204a13d5fa01fd47f4d350880b397680709641d965c232742a6f6
SHA512 003356b5a8496c128b79b5df13fc09fcedd9cc44412a4340513ac441fe3072f0a8043a9bf2ba2af242a89e3a3a49b6dad314f7b4d81670afea92da8867aed20d

(Different hashes from the submitted sample despite the same file name, as with the sppsvc.exe copy above: not every dropped copy is byte-identical, so matching on the original's hashes alone misses these.)

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RCX3C58.tmp

MD5 c9f4a789def1fe66bba35c18ec362c15
SHA1 3963e449bac1b6d18fcb0002d39bca7e98cd3c8e
SHA256 33928535376134c3990156096a14e4d6112c73fa1b417cddb753eff96a4da4e0
SHA512 50c402073c3100509b5ebc62b6caab8444d3885fbdb210844b252a8b7750983ec5d454ae4b11fe14c2529ca7390cbdc49838fd0c15aa980bc0c9055600f3b0f5

memory/1732-162-0x0000000000CB0000-0x0000000000EBC000-memory.dmp

memory/2428-163-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:17

Reported

2024-06-01 03:20

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A

(The schtasks.exe row appears 62 times in the original, once per task-creation call, interleaved with the two File created rows.)

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe | N/A

Four writes to this value were captured, at 4, 9, 18 and 21 entries after explorer.exe; each captured value is a prefix of the final one. Final value as recorded (escaped as the sandbox prints it):

"explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Uninstall Information\\TextInputHost.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\""

The same value with the escaping removed, one entry per line (C:\Recovery\WindowsRE\dllhost.exe appears twice):

explorer.exe
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe
C:\Recovery\WindowsRE\dllhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Users\Default\Local Settings\sysmon.exe
C:\Windows\Media\unsecapp.exe
C:\Users\Default\AppData\Roaming\Microsoft\RuntimeBroker.exe
C:\Users\Default User\unsecapp.exe
C:\Recovery\WindowsRE\dllhost.exe
C:\Users\Default User\SppExtComObj.exe
C:\Recovery\WindowsRE\conhost.exe
C:\Program Files\Uninstall Information\dllhost.exe
C:\Program Files\Internet Explorer\sysmon.exe
C:\Program Files (x86)\Windows Defender\uk-UA\WaaSMedicAgent.exe
C:\Recovery\WindowsRE\sihost.exe
C:\Program Files\Uninstall Information\TextInputHost.exe
C:\Users\Default User\upfc.exe
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
C:\Users\Public\dllhost.exe
C:\Program Files\Windows Mail\RuntimeBroker.exe
C:\Windows\bcastdvr\TextInputHost.exe
C:\Recovery\WindowsRE\upfc.exe

The drop locations and borrowed binary names are entirely different from the Win7 run (behavioral1): they vary between detonations of the same sample, so file-path indicators from one run should not be expected to match another host.
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Uninstall Information\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Uninstall Information\\TextInputHost.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Uninstall Information\\TextInputHost.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Windows\\bcastdvr\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Uninstall Information\\TextInputHost.exe\", \"C:\\Users\\Default User\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Local Settings\\sysmon.exe\", \"C:\\Windows\\Media\\unsecapp.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\Uninstall Information\\TextInputHost.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
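The rows above show the sample growing the Winlogon\Shell value one dropped binary at a time, so that winlogon launches every copy alongside explorer.exe at each interactive logon. The same filenames (csrss.exe, dllhost.exe, fontdrvhost.exe, sysmon.exe, ...) appear in the Run keys the report lists, but never in System32. The script below is an added example, not part of this sandbox report: it parses a Shell value the way Winlogon does (comma-separated, quoted paths kept whole), flags every entry other than the bare explorer.exe, and judges each path with two heuristics that follow from the rows above. REPORT_SHELL_VALUE is copied from the first row of this table; the list of impersonated names, the "odd location" markers and the assumption that Windows lives on C: are this example's own choices and should be tuned to your baseline.

```python
"""Audit Winlogon\\Shell and Run-key data for the persistence pattern in this report.

Added example, not from the sandbox report. REPORT_SHELL_VALUE is copied from the
report; IMPERSONATED_NAMES, ODD_LOCATIONS and the C: drive assumption are ours.
"""
import ntpath
from dataclasses import dataclass, field

# On a workstation Winlogon\Shell should hold exactly this; anything appended
# after it is started by winlogon at every interactive logon.
DEFAULT_SHELL = "explorer.exe"

# Binary names the dropped copies in this report impersonate. The genuine files
# live in %SystemRoot% or under System32/SysWOW64, so the same name elsewhere is
# a masquerade. (Assumed list, built from the report's rows.)
IMPERSONATED_NAMES = {
    "csrss.exe", "dllhost.exe", "fontdrvhost.exe", "sysmon.exe", "unsecapp.exe",
    "runtimebroker.exe", "sppextcomobj.exe", "conhost.exe", "waasmedicagent.exe",
    "sihost.exe", "textinputhost.exe", "upfc.exe", "startmenuexperiencehost.exe",
}
# Directories the genuine binaries may legitimately be found under (assumes C:).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Drop locations seen in this report that no Windows component launches from.
ODD_LOCATIONS = (
    r"\recovery\windowsre", r"\users\default", r"\users\public",
    r"\uninstall information", r"\shared gadgets", r"\windows\media",
    r"\windows\bcastdvr",
)


@dataclass
class Finding:
    path: str
    reasons: list[str] = field(default_factory=list)


def split_shell_value(value: str) -> list[str]:
    """Split a Shell value on commas while keeping quoted paths (with spaces) whole."""
    entries, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted          # quotes delimit, they are not part of the path
        elif ch == "," and not quoted:
            entries.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    entries.append("".join(buf).strip())
    return [e for e in entries if e]


def in_trusted_dir(lowered_path: str) -> bool:
    """True when the file sits directly in %SystemRoot% or under System32/SysWOW64."""
    parent = ntpath.dirname(lowered_path)
    return parent == r"c:\windows" or any(
        parent == t or parent.startswith(t + "\\") for t in TRUSTED_DIRS
    )


def assess_path(path: str) -> list[str]:
    """Reasons an image path looks like one of the dropped, renamed payloads."""
    lowered, reasons = path.lower(), []
    name = ntpath.basename(lowered)
    if name in IMPERSONATED_NAMES and not in_trusted_dir(lowered):
        reasons.append(f"{name} outside System32: masquerades as a Windows binary")
    for marker in ODD_LOCATIONS:
        if marker in lowered:
            reasons.append(f"launched from unusual location ({marker})")
            break
    return reasons


def audit_shell_value(value: str) -> list[Finding]:
    """Flag every Winlogon\\Shell entry other than the bare default shell."""
    findings = []
    for entry in split_shell_value(value):
        if entry.lower() == DEFAULT_SHELL:
            continue
        reasons = ["extra Shell entry (only explorer.exe is expected)"] + assess_path(entry)
        findings.append(Finding(entry, reasons))
    return findings


def audit_run_value(data: str) -> list[str]:
    """Run keys legitimately hold many entries, so only the path itself is judged."""
    return assess_path(data.strip().strip('"'))


# Value data copied from the first "Modifies WinLogon for persistence" row above.
REPORT_SHELL_VALUE = (
    r'explorer.exe, "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe", '
    r'"C:\Recovery\WindowsRE\dllhost.exe", "C:\Recovery\WindowsRE\fontdrvhost.exe", '
    r'"C:\Users\Default\Local Settings\sysmon.exe"'
)

if __name__ == "__main__":
    for f in audit_shell_value(REPORT_SHELL_VALUE):
        print(f.path, "->", "; ".join(f.reasons))
    print(audit_run_value(r'"C:\Windows\Media\unsecapp.exe"'))
```

On a live host the same functions apply to the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell` and to each value under the HKLM and HKCU Run keys; a Shell value with more than one entry is by itself enough to open an incident, and the masquerade check catches the copies that were registered only through Run.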

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
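Every row in this table has the same shape: the WMI provider host, wmiprvse.exe, is the parent of schtasks.exe, which is how a process creation requested over WMI shows up in telemetry, and there are dozens of them within the two-minute detonation. Both facts are detectable from ordinary process-creation events (Sysmon event 1 or Security 4688 with parent information). The script below is an added example, not part of the report: it applies a parent/child allow-list to wmiprvse.exe and counts schtasks /create calls in a sliding window. The event records are constructed to mirror the rows above; the task names and command lines in them are illustrative, since the report shows no command line for schtasks, and the allowed-child set is an assumption to tune against your own baseline.

```python
"""Flag WmiPrvSE.exe spawning schtasks.exe and bursts of scheduled-task creation.

Added example, not from the sandbox report. SAMPLE_EVENTS are constructed to
resemble the report's rows; the schtasks command lines are illustrative.
"""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta

# Parent images worth scrutinising, mapped to the children each may spawn on a
# healthy host. WmiPrvSE normally spawns nothing but crash handlers; any other
# child means a Win32_Process.Create call came in over WMI. (Assumed baseline.)
EXPECTED_CHILDREN = {
    "wmiprvse.exe": {"werfault.exe"},
}


@dataclass
class ProcessEvent:
    utc_time: datetime
    parent_image: str
    image: str
    command_line: str = ""


def unexpected_child(ev: ProcessEvent) -> bool:
    """True when a scrutinised parent spawned something outside its allow-list."""
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()
    allowed = EXPECTED_CHILDREN.get(parent)
    return allowed is not None and child not in allowed


def find_unexpected_children(events: list[ProcessEvent]) -> list[ProcessEvent]:
    return [ev for ev in events if unexpected_child(ev)]


def is_task_creation(ev: ProcessEvent) -> bool:
    return (ntpath.basename(ev.image).lower() == "schtasks.exe"
            and "/create" in ev.command_line.lower())


def max_task_creations_in_window(events, window=timedelta(seconds=60)) -> int:
    """Largest number of schtasks /create calls that fall inside any one window."""
    times = sorted(ev.utc_time for ev in events if is_task_creation(ev))
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(events, window=timedelta(seconds=60), threshold=5) -> list[str]:
    """Human-readable alerts: one per bad parent/child pair, plus one for a burst."""
    alerts = [
        f"{ev.utc_time:%H:%M:%S} {ntpath.basename(ev.parent_image)} -> {ev.image}"
        for ev in find_unexpected_children(events)
    ]
    peak = max_task_creations_in_window(events, window)
    if peak >= threshold:
        alerts.append(f"{peak} scheduled-task creations within {window.seconds}s")
    return alerts


# Constructed sample telemetry (not a real log). Paths follow the report's rows.
T0 = datetime(2024, 6, 1, 3, 17, 0)
WMI_HOST = r"C:\Windows\system32\wbem\wmiprvse.exe"
SAMPLE_EVENTS = [
    ProcessEvent(T0, r"C:\Windows\explorer.exe",
                 r"C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe"),
    ProcessEvent(T0 + timedelta(seconds=2), r"C:\Windows\system32\services.exe",
                 r"C:\Windows\system32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent(T0 + timedelta(seconds=30), WMI_HOST, r"C:\Windows\system32\WerFault.exe"),
] + [
    ProcessEvent(T0 + timedelta(seconds=3 + i), WMI_HOST, r"C:\Windows\system32\schtasks.exe",
                 f'schtasks.exe /create /tn "{name}" /sc minute /mo 5 /tr "{path}" /f')
    for i, (name, path) in enumerate([   # illustrative task names / targets
        ("csrss", r"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"),
        ("dllhost", r"C:\Recovery\WindowsRE\dllhost.exe"),
        ("fontdrvhost", r"C:\Recovery\WindowsRE\fontdrvhost.exe"),
        ("sysmon", r"C:\Users\Default\Local Settings\sysmon.exe"),
        ("unsecapp", r"C:\Windows\Media\unsecapp.exe"),
        ("RuntimeBroker", r"C:\Users\Default\AppData\Roaming\Microsoft\RuntimeBroker.exe"),
    ])
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The parent/child rule fires on the very first schtasks.exe, so it is the one to alert on; the burst count is a corroborating signal that separates an installer registering many tasks in seconds from an administrator creating one. Because the launching process hides behind wmiprvse.exe, pair this with WMI-Activity operational logging to recover the client process that issued the Win32_Process.Create call.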

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\Media\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\Media\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\bcastdvr\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\Local Settings\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Default User\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Default User\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Internet Explorer\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\bcastdvr\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Uninstall Information\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Default User\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Internet Explorer\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Uninstall Information\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Uninstall Information\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Default User\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\Local Settings\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Uninstall Information\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX53A0.tmp C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Program Files\Internet Explorer\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Uninstall Information\dllhost.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Mail\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Mail\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\sysmon.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\dllhost.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\uk-UA\WaaSMedicAgent.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Mail\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX53B1.tmp C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Program Files\Internet Explorer\sysmon.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\uk-UA\WaaSMedicAgent.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\uk-UA\c82b8037eab33d C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Media\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Windows\bcastdvr\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Windows\bcastdvr\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File opened for modification C:\Windows\bcastdvr\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File created C:\Windows\Media\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Media\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
N/A N/A C:\Users\Default\AppData\Roaming\Microsoft\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\AppData\Roaming\Microsoft\RuntimeBroker.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\sysmon.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Media\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NviAgREO5T.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\AppData\Roaming\Microsoft\RuntimeBroker.exe

"C:\Users\Default\AppData\Roaming\Microsoft\RuntimeBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 dcrat.jorikbz3.beget.tech udp
US 8.8.8.8:53 jorikbz3.beget.tech udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/1580-0-0x00007FFD6EE63000-0x00007FFD6EE65000-memory.dmp

memory/1580-1-0x0000000000540000-0x000000000074C000-memory.dmp

memory/1580-2-0x00007FFD6EE60000-0x00007FFD6F921000-memory.dmp

memory/1580-3-0x0000000002890000-0x00000000028AC000-memory.dmp

memory/1580-4-0x000000001B930000-0x000000001B980000-memory.dmp

memory/1580-7-0x00000000028B0000-0x00000000028C6000-memory.dmp

memory/1580-6-0x0000000002830000-0x0000000002840000-memory.dmp

memory/1580-5-0x00000000027C0000-0x00000000027C8000-memory.dmp

memory/1580-8-0x00000000028D0000-0x0000000002926000-memory.dmp

memory/1580-9-0x000000001B400000-0x000000001B40C000-memory.dmp

memory/1580-13-0x000000001B9A0000-0x000000001B9AE000-memory.dmp

memory/1580-12-0x000000001B990000-0x000000001B99E000-memory.dmp

memory/1580-11-0x000000001B980000-0x000000001B98C000-memory.dmp

memory/1580-10-0x000000001B410000-0x000000001B41C000-memory.dmp

memory/1580-14-0x000000001B9B0000-0x000000001B9BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RCX519B.tmp

MD5 8b7315310f64f655192f76ee38be0f60
SHA1 ead7c51d67763184aaeb479fb04f514a112f93da
SHA256 39e9eb95baba36457a2d52c1172cd4b7135d3d3405b8f87899af5aab19774fdf
SHA512 a9f2d642484714d5e32b482a53d127e9deb7e6f0ec3b4451b3bd8f658742e903b93da076fddcc8c70b6380fba5e28003b8b8afaa443452dbe6a06ad55b7308f7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\8b7315310f64f655192f76ee38be0f60NeikiAnalytics.exe.log

MD5 7800fca2323a4130444c572374a030f4
SHA1 40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa
SHA256 29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e
SHA512 c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

memory/1580-80-0x00007FFD6EE60000-0x00007FFD6F921000-memory.dmp

memory/1468-81-0x000000001B910000-0x000000001B966000-memory.dmp

C:\Recovery\WindowsRE\5940a34987c991

MD5 4b8a72cc9282bb7385343dbc94dab327
SHA1 16b05039b1f4925f574b54f9efdf780cf500b5ef
SHA256 5191b2f9cf0f5b58e04f853dc6e77ce9255d1a7077a88b2155cb8602407b8151
SHA512 90a74a1806e33fb03935239d2f58c7ad2c0099ec8a8dcb13760e8dfb414a114d351f4218fd648760f1e5ef7294345554849b4f7c45e410e487796a229f5cee4e

C:\Users\Admin\AppData\Local\Temp\b074bc8ffcc234df4362f6057ec3843622733a064.5.32glue7625ad793b7c2bb00af9a6f00c14783828810b2c

MD5 add213f118aafccbc930a20166c6d0a9
SHA1 d47ce64a66d7af65c6526eab2c179e2d93f1fe30
SHA256 6f6e2779ca8f7e5f66f8add5fb64cfbb3418b8ed0a43cadce561cfa023d9b025
SHA512 d7bc81e2758f8a44748fe343a6b174a82c5c6bc87796af4a860cf57fed98194b8b2652db25b148026d490ee820441808cfee0a063e91bc086473bbdddae8455e

C:\Users\Admin\AppData\Local\Temp\NviAgREO5T.bat

MD5 9a9ce912050eabe13359d429bfc0fa85
SHA1 4e810dd74d77e4557cb3318bce02d7b548d9b907
SHA256 f8a755a0e3e3d7ff525600a2b7658df6194403a9ec0dc95e4963ea2ab3287a15
SHA512 da2676f1df47571156b989be34304ec2160e24f031b2da567d1ed6b3eb89054798152e79df48dd213e35f62e921a371ff2f3bcae86313bb92e8b7986d8c5093a

memory/2324-162-0x000000001D400000-0x000000001D456000-memory.dmp