Malware Analysis Report

2024-10-10 12:51

Sample ID 240601-fg8djsae3y
Target 8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe
SHA256 cd320c72512e04bf9741ebade33a01d3d8a903dc124ee195c7ee0ba7bbba5e92
Tags
rat dcrat evasion execution infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd320c72512e04bf9741ebade33a01d3d8a903dc124ee195c7ee0ba7bbba5e92

Threat Level: Known bad

The file 8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer persistence trojan

Process spawned unexpected child process

DCRat payload

Modifies WinLogon for persistence

DcRat

Dcrat family

UAC bypass

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 04:51

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 04:51

Reported

2024-06-01 04:54

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\dllhost.exe\", \"C:\\Windows\\tracing\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\dllhost.exe\", \"C:\\Windows\\tracing\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\dllhost.exe\", \"C:\\Windows\\tracing\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\dllhost.exe\", \"C:\\Windows\\tracing\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\Performance\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\dllhost.exe\", \"C:\\Windows\\tracing\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\dllhost.exe\", \"C:\\Windows\\tracing\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Mail\\de-DE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Sidebar\\de-DE\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Defender\\fr-FR\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Sidebar\\de-DE\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\tracing\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\tracing\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Defender\\fr-FR\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Mail\\de-DE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Performance\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Performance\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Defender\fr-FR\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\de-DE\audiodg.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Photo Viewer\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Mail\de-DE\dllhost.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Defender\fr-FR\Idle.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\de-DE\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\de-DE\RCX3C66.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Photo Viewer\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\de-DE\audiodg.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\RCX3A63.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Mail\de-DE\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\de-DE\dllhost.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Defender\fr-FR\RCX4272.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Defender\fr-FR\Idle.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\de-DE\RCX487D.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\tracing\RCX3E6A.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\tracing\taskhost.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Performance\RCX4679.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Performance\dwm.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\tracing\taskhost.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\tracing\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\Performance\dwm.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\Performance\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\tracing\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Performance\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\de-DE\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\de-DE\audiodg.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KWG0zl28sM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

N/A

Files

memory/1684-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

memory/1684-1-0x0000000000880000-0x0000000000B40000-memory.dmp

memory/1684-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

memory/1684-3-0x0000000000840000-0x0000000000848000-memory.dmp

memory/1684-4-0x0000000000850000-0x000000000086C000-memory.dmp

memory/1684-5-0x0000000000870000-0x0000000000878000-memory.dmp

memory/1684-6-0x00000000021D0000-0x00000000021E0000-memory.dmp

memory/1684-7-0x00000000021E0000-0x00000000021F6000-memory.dmp

memory/1684-8-0x0000000002200000-0x0000000002208000-memory.dmp

memory/1684-9-0x0000000002210000-0x0000000002218000-memory.dmp

memory/1684-10-0x0000000002230000-0x0000000002240000-memory.dmp

memory/1684-11-0x0000000002220000-0x000000000222A000-memory.dmp

memory/1684-12-0x0000000002240000-0x0000000002296000-memory.dmp

memory/1684-13-0x0000000002420000-0x0000000002428000-memory.dmp

memory/1684-14-0x0000000002440000-0x0000000002448000-memory.dmp

memory/1684-15-0x0000000002430000-0x000000000243C000-memory.dmp

memory/1684-16-0x0000000002450000-0x0000000002458000-memory.dmp

memory/1684-17-0x0000000002460000-0x000000000246C000-memory.dmp

memory/1684-18-0x0000000002470000-0x000000000247C000-memory.dmp

memory/1684-19-0x0000000002480000-0x0000000002488000-memory.dmp

memory/1684-20-0x0000000002490000-0x0000000002498000-memory.dmp

memory/1684-21-0x00000000024A0000-0x00000000024AC000-memory.dmp

memory/1684-22-0x00000000024B0000-0x00000000024BC000-memory.dmp

memory/1684-23-0x00000000024C0000-0x00000000024C8000-memory.dmp

memory/1684-24-0x0000000002550000-0x000000000255A000-memory.dmp

memory/1684-25-0x000000001AA20000-0x000000001AA2C000-memory.dmp

memory/1684-28-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

C:\Program Files\Windows Defender\fr-FR\Idle.exe

MD5 8e273d9c7be99ef0508fe547b9e4b4d0
SHA1 284985b096a819ca05be358f4e2a5ca491155655
SHA256 cd320c72512e04bf9741ebade33a01d3d8a903dc124ee195c7ee0ba7bbba5e92
SHA512 407e3abddb030df5934fd09d95bbe26cae310c2edafde3729dcb2a8891d856b24798370269f46ab344ce1228cc6c631adb64091b70752b8fee2a16fba37e21b0

memory/1684-106-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KWG0zl28sM.bat

MD5 4448e3638faeacf6dc8dc846186ac18d
SHA1 df5f5ce1cf79a81cee45ed9793e334fa2800ece8
SHA256 50923270191e525564db6ae2a095fa39c7c593bd6612d56db92147d3c182cf71
SHA512 c148700a559c8ce2fb21bd62977a250bf91bf2055c9b794d3cdd3998ce4649938e2e594ed8dafc47adb9d2423c042655ee3eb05e52b49bdc447e35ec2c27f7db

memory/628-113-0x0000000001D80000-0x0000000001D88000-memory.dmp

memory/628-112-0x000000001B810000-0x000000001BAF2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:51

Reported

2024-06-01 04:54

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\sppsvc.exe\", \"C:\\Windows\\Branding\\Basebrd\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\sppsvc.exe\", \"C:\\Windows\\Branding\\Basebrd\\TextInputHost.exe\", \"C:\\Windows\\Branding\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\", \"C:\\Program Files\\MSBuild\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\msedge.exe\", \"C:\\Windows\\es-ES\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\sppsvc.exe\", \"C:\\Windows\\Branding\\Basebrd\\TextInputHost.exe\", \"C:\\Windows\\Branding\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\sppsvc.exe\", \"C:\\Windows\\Branding\\Basebrd\\TextInputHost.exe\", \"C:\\Windows\\Branding\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\", \"C:\\Program Files\\MSBuild\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\msedge.exe\", \"C:\\Windows\\es-ES\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\sppsvc.exe\", \"C:\\Windows\\Branding\\Basebrd\\TextInputHost.exe\", \"C:\\Windows\\Branding\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\sppsvc.exe\", \"C:\\Windows\\Branding\\Basebrd\\TextInputHost.exe\", \"C:\\Windows\\Branding\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\sppsvc.exe\", \"C:\\Windows\\Branding\\Basebrd\\TextInputHost.exe\", \"C:\\Windows\\Branding\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\", \"C:\\Program Files\\MSBuild\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\sppsvc.exe\", \"C:\\Windows\\Branding\\Basebrd\\TextInputHost.exe\", \"C:\\Windows\\Branding\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\", \"C:\\Program Files\\MSBuild\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\sppsvc.exe\", \"C:\\Windows\\Branding\\Basebrd\\TextInputHost.exe\", \"C:\\Windows\\Branding\\spoolsv.exe\", \"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\", \"C:\\Program Files\\MSBuild\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\", \"C:\\Program Files\\MSBuild\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\es-ES\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\es-ES\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\es-ES\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\es-ES\services.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\MSBuild\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\MSBuild\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\Branding\\Basebrd\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Branding\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\es-ES\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Mail\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\ShellExperiences\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\Branding\\Basebrd\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\ShellExperiences\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\es-ES\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\MSBuild\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\MSBuild\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Branding\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\es-ES\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\es-ES\services.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\MSBuild\RCXFC5.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RCX18D2.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\msedge.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\RCXFB98.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\upfc.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX144C.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Mail\msedge.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\upfc.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Mail\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RCXF993.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\msedge.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\upfc.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\msedge.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Mail\upfc.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Mail\61a52ddc9dd915 C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\61a52ddc9dd915 C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Migration\WTR\RCXB3F.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\ShellExperiences\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\Branding\Basebrd\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\Migration\WTR\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\es-ES\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ShellExperiences\RCX437.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Branding\Basebrd\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Branding\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Migration\WTR\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\Branding\Basebrd\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\Branding\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\Branding\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\Migration\WTR\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\es-ES\services.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Branding\RCX8BD.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\es-ES\RCX1650.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\es-ES\services.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File created C:\Windows\ShellExperiences\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ShellExperiences\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Branding\Basebrd\RCX6B9.tmp C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
N/A N/A C:\Windows\es-ES\services.exe N/A
N/A N/A C:\Windows\es-ES\services.exe N/A
N/A N/A C:\Windows\es-ES\services.exe N/A
N/A N/A C:\Windows\es-ES\services.exe N/A
N/A N/A C:\Windows\es-ES\services.exe N/A
N/A N/A C:\Windows\es-ES\services.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\es-ES\services.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\es-ES\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\es-ES\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\es-ES\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e273d9c7be99ef0508fe547b9e4b4d0NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\Basebrd\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\Basebrd\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Branding\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\ssh\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\ssh\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\ssh\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4236,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3852 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Windows\es-ES\services.exe

"C:\Windows\es-ES\services.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 94.250.255.250:80 94.250.255.250 tcp
RU 94.250.255.250:443 tcp
RU 94.250.255.250:443 tcp
US 8.8.8.8:53 250.255.250.94.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2140-0-0x00007FFBF90F3000-0x00007FFBF90F5000-memory.dmp

memory/2140-1-0x0000000000CD0000-0x0000000000F90000-memory.dmp

memory/2140-2-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp

memory/2140-3-0x0000000003000000-0x0000000003008000-memory.dmp

memory/2140-4-0x000000001BB50000-0x000000001BB6C000-memory.dmp

memory/2140-5-0x000000001C240000-0x000000001C290000-memory.dmp

memory/2140-6-0x000000001BB70000-0x000000001BB78000-memory.dmp

memory/2140-7-0x000000001BCD0000-0x000000001BCE0000-memory.dmp

memory/2140-8-0x000000001BCE0000-0x000000001BCF6000-memory.dmp

memory/2140-9-0x000000001BD00000-0x000000001BD08000-memory.dmp

memory/2140-10-0x000000001BD10000-0x000000001BD18000-memory.dmp

memory/2140-11-0x000000001BD20000-0x000000001BD30000-memory.dmp

memory/2140-12-0x000000001C290000-0x000000001C29A000-memory.dmp

memory/2140-13-0x000000001C2A0000-0x000000001C2F6000-memory.dmp

memory/2140-14-0x000000001C2F0000-0x000000001C2F8000-memory.dmp

memory/2140-15-0x000000001C300000-0x000000001C308000-memory.dmp

memory/2140-17-0x000000001C320000-0x000000001C328000-memory.dmp

memory/2140-16-0x000000001C310000-0x000000001C31C000-memory.dmp

memory/2140-18-0x000000001C330000-0x000000001C33C000-memory.dmp

memory/2140-19-0x000000001C340000-0x000000001C34C000-memory.dmp

memory/2140-20-0x000000001C450000-0x000000001C458000-memory.dmp

memory/2140-24-0x000000001C590000-0x000000001C598000-memory.dmp

memory/2140-23-0x000000001C580000-0x000000001C58C000-memory.dmp

memory/2140-22-0x000000001C470000-0x000000001C47C000-memory.dmp

memory/2140-21-0x000000001C460000-0x000000001C468000-memory.dmp

memory/2140-25-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp

memory/2140-27-0x000000001C5B0000-0x000000001C5BC000-memory.dmp

memory/2140-26-0x000000001C5A0000-0x000000001C5AA000-memory.dmp

memory/2140-30-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp

memory/2140-33-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp

C:\Recovery\WindowsRE\backgroundTaskHost.exe

MD5 8e273d9c7be99ef0508fe547b9e4b4d0
SHA1 284985b096a819ca05be358f4e2a5ca491155655
SHA256 cd320c72512e04bf9741ebade33a01d3d8a903dc124ee195c7ee0ba7bbba5e92
SHA512 407e3abddb030df5934fd09d95bbe26cae310c2edafde3729dcb2a8891d856b24798370269f46ab344ce1228cc6c631adb64091b70752b8fee2a16fba37e21b0

C:\Program Files\MSBuild\RCXFC5.tmp

MD5 52186355b3df7e5e4d4ce05d36a99001
SHA1 0657e961752880dab37cd4024ba345fda0024576
SHA256 c4029bfe0aa44a22f17678553832acf551a34994667849dc6d9317024df483dc
SHA512 255b354da5d02e96c266038dfa49da51588a844067e88a098047fb3a989a5f2baa0bf217ff9e1406b9037d4eea520693f1f7066de10619f50e9dae645dcac9ef

C:\Windows\es-ES\services.exe

MD5 75f153e99ae2837e76c73406efe54d4e
SHA1 a57bec7ed007b0446a1d663b8aa7576112c6f2fb
SHA256 e5c97c971d73c3534bf0a731aae54ed3a7b651f75974c4366991b7ccb56863cc
SHA512 e5efcf1f396303a17a61136be6611df4fb7263fa1be38c34db4781d092453175265d851c46f596c4649e7ea548df908dcea2304ca2950df26b0f8e019cbda51a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phhxaknw.lnq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3664-219-0x0000025A74200000-0x0000025A74222000-memory.dmp

memory/1368-231-0x00000000007B0000-0x0000000000A70000-memory.dmp

memory/2140-232-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp