Malware Analysis Report

2024-10-10 12:51

Sample ID 240601-jylgwsff55
Target 93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe
SHA256 ea17230cdefb26e83505143a9b7c1975c802e099353ee28bf094aa9df4b43870
Tags
rat dcrat evasion execution infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea17230cdefb26e83505143a9b7c1975c802e099353ee28bf094aa9df4b43870

Threat Level: Known bad

The file 93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

DcRat

Dcrat family

Process spawned unexpected child process

UAC bypass

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

System policy modification

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 08:04

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 08:04

Reported

2024-06-01 08:07

Platform

win7-20240508-en

Max time kernel

146s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (33 occurrences)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A (15 occurrences)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A (15 occurrences)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A (15 occurrences)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A (1 occurrence)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A (1 occurrence)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A (1 occurrence)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (16 occurrences)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A (15 occurrences)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A (15 occurrences)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A (1 occurrence)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A (1 occurrence)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\services.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Uninstall Information\audiodg.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Photo Viewer\fr-FR\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\audiodg.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\fr-FR\RCX39BE.tmp C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX3BC2.tmp C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Uninstall Information\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Photo Viewer\fr-FR\smss.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\services.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\RCX2FAC.tmp C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\fr-FR\smss.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Cursors\RCX2914.tmp C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Windows\AppCompat\Programs\RCX35B6.tmp C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Windows\AppCompat\Programs\explorer.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Windows\Cursors\lsass.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Cursors\lsass.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Windows\Cursors\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Windows\AppCompat\Programs\explorer.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Windows\AppCompat\Programs\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (33 occurrences)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A (5 occurrences)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (12 occurrences)
N/A N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A (15 occurrences)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A (1 occurrence)
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (12 occurrences)
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A (15 occurrences)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2420 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2420 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 3052 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3052 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3052 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3052 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe
PID 3052 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe
PID 3052 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe
PID 2928 wrote to memory of 1740 N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\WScript.exe
PID 2928 wrote to memory of 1740 N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\WScript.exe
PID 2928 wrote to memory of 1740 N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\WScript.exe
PID 2928 wrote to memory of 1908 N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\WScript.exe
PID 2928 wrote to memory of 1908 N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\WScript.exe
PID 2928 wrote to memory of 1908 N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\WScript.exe
PID 1740 wrote to memory of 2324 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe
PID 1740 wrote to memory of 2324 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe
PID 1740 wrote to memory of 2324 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe
PID 2324 wrote to memory of 1184 N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\WScript.exe
PID 2324 wrote to memory of 1184 N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\WScript.exe
PID 2324 wrote to memory of 1184 N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\WScript.exe
PID 2324 wrote to memory of 1672 N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\WScript.exe
PID 2324 wrote to memory of 1672 N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\WScript.exe
PID 2324 wrote to memory of 1672 N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\WScript.exe
PID 1184 wrote to memory of 2092 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe
PID 1184 wrote to memory of 2092 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe
PID 1184 wrote to memory of 2092 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe
PID 2092 wrote to memory of 280 N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\Programs\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\Programs\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B3gqY1DffW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10700c58-95aa-4604-a87a-09e5047256e3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\936ef3fd-cc3e-4ed4-9901-60e5d92a0c88.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e7c227f-145a-4245-ad65-20a83ee8dfcf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c74b5059-157e-47c7-837d-5120a2a8bfee.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\421e0ccc-e6a8-49f6-8ee9-b39fdb130258.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9139e197-7234-487e-822b-3e84cb4760f0.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21dfcfdb-65f3-48d5-ba1b-99b7298208a0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d9e42f5-7a8d-4ca2-bd7e-e9378b3b7945.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e10feba-c3e9-4b48-84b1-e2a5b84ee4da.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8598a1ae-2ba3-47bb-bd3b-eb97d2121031.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6665aedc-e619-4e74-b727-2f8daae3494b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f8806cc-af7e-4a0e-98e9-a27c4f2dc9be.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f15b1299-5571-4bd9-a073-4f927eb3c9d0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c397a26d-c548-4446-b697-7b8187e2808e.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bbf3213-ed4d-4ea2-8a71-52a3572f9ea5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef63f9b5-7724-493b-9ffb-fdea5b5e9fe9.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ffc1970-168e-4bc8-88da-0aaea750236f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6457a8fc-0819-46c8-acf0-6736cc9f1516.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d7743e2-ed76-42c4-ac94-dffbdee6e839.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed82dff0-2494-4dcd-b597-bece350be751.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97ebafe8-9841-4c60-91dc-6101ee9c24af.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d91c8147-5a1a-4de8-8208-6a37d69c088e.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b326b37-c6ba-41bd-8cb4-7e6dc3ccf7c5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\832e851c-3a51-44a1-a0f4-b366e47ca0dd.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5582abfe-594c-402e-a7f0-abb009979346.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\157382ca-875b-4701-b4de-2a663f7f9fe6.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\253ed022-318c-474f-8f9a-0816f8d77cef.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87ada1fc-3faf-4d0a-b6bf-e03f157f5bed.vbs"

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6189c7be-3a6d-4a8d-bb48-4ae2c6d03cfa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61453144-46f5-4c4b-8a4f-99799bb17611.vbs"

Network

Country Destination Domain Proto
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp

Files

memory/2420-0-0x000007FEF5823000-0x000007FEF5824000-memory.dmp

memory/2420-1-0x00000000010A0000-0x0000000001386000-memory.dmp

memory/2420-2-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

memory/2420-3-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

memory/2420-4-0x0000000000440000-0x0000000000448000-memory.dmp

memory/2420-5-0x0000000000B00000-0x0000000000B10000-memory.dmp

memory/2420-6-0x0000000000B10000-0x0000000000B26000-memory.dmp

memory/2420-7-0x0000000000B30000-0x0000000000B38000-memory.dmp

memory/2420-8-0x0000000000B40000-0x0000000000B48000-memory.dmp

memory/2420-9-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

memory/2420-10-0x0000000000B50000-0x0000000000B5A000-memory.dmp

memory/2420-11-0x0000000000BF0000-0x0000000000C46000-memory.dmp

memory/2420-12-0x0000000000C40000-0x0000000000C4C000-memory.dmp

memory/2420-13-0x0000000000C50000-0x0000000000C58000-memory.dmp

memory/2420-14-0x0000000000C60000-0x0000000000C6C000-memory.dmp

memory/2420-15-0x0000000000C70000-0x0000000000C82000-memory.dmp

memory/2420-16-0x0000000000C80000-0x0000000000C88000-memory.dmp

memory/2420-17-0x0000000000E40000-0x0000000000E48000-memory.dmp

memory/2420-18-0x0000000000E50000-0x0000000000E5A000-memory.dmp

memory/2420-19-0x0000000000E60000-0x0000000000E6E000-memory.dmp

memory/2420-20-0x0000000000E70000-0x0000000000E78000-memory.dmp

memory/2420-21-0x0000000000E80000-0x0000000000E8E000-memory.dmp

memory/2420-22-0x0000000000E90000-0x0000000000E9C000-memory.dmp

memory/2420-23-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

memory/2420-24-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

memory/2420-25-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe

MD5 93b5c595ff8c92b8f2d840b37df0b780
SHA1 1c6672a4693875e71d0917826cdad93eaed8b33b
SHA256 ea17230cdefb26e83505143a9b7c1975c802e099353ee28bf094aa9df4b43870
SHA512 34bac0b7a770e021afbc0629dce12f56540e2f993f9d03392ce997d1cb1d7b42a5249fb38561c96ee8e98f62317572c4d36d1062da7836d00ecd3f0a29986221

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 08e8e877c82e3be382ce0a0ed9558376
SHA1 30ea17f56fbfa61c1e2496103a6a5ea558ce106b
SHA256 00cd306380c31bcc6d7c4ee2c73f440da8f044b215dd98f43f6c6cd449a92005
SHA512 f1b9fd539346354f4f0e18d07cbb9f6e5fb5d67a5c900db00cacad0705d28af2efe9827179d71c2cb62cdec1e6e558a5c4d126f0c348dd21f037d6d90a7380b4

memory/676-135-0x000000001B720000-0x000000001BA02000-memory.dmp

memory/676-137-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B3gqY1DffW.bat

MD5 09ea8e75cc5b07982f26fe68e4b09f36
SHA1 3ec7eafd351ce45237d0b92f8a4bfd6f37255018
SHA256 6c7680e56426bd3aaed0df1fede67f8a3a9c2ebb06e318487e48b87367c9e0d9
SHA512 048a2df65ba2681ea6ba7a7a28efc96e273c77c624c2664786fd9b385805b58e2cab8feb0a73b4ebc9f22d26df0cf9a453952deb2acb72f720a36d050cd88a6a

memory/2420-156-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

memory/2928-191-0x0000000000A80000-0x0000000000D66000-memory.dmp

memory/2928-192-0x00000000006B0000-0x00000000006C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10700c58-95aa-4604-a87a-09e5047256e3.vbs

MD5 e25ba7f334b2dc53f5973ddf6b859602
SHA1 16d1cafa48fe0520df59b77a92e1074c08070dea
SHA256 6a9fbffcbb799f3f13e7b54c4aef61f2d320983bd2342ff2ed5d8c19eda6c943
SHA512 7227a2f99733736f0f6a9dd63004adaeac97268e097b0fbf72793810b06a78e8b431780f3c5ac354352804659b8f721b5b0bd7d82466c86936894e6a19d185cf

C:\Users\Admin\AppData\Local\Temp\936ef3fd-cc3e-4ed4-9901-60e5d92a0c88.vbs

MD5 3f3237d2fdf77996f699a2344f796518
SHA1 f53e46268059c222ffba39eb9195df8d8b02922a
SHA256 0d8f1d0f2041e1fe015738aba6a6a324916c102956e69dff473d0f41bf656f11
SHA512 4c5aaf646d13b78cbce655b3137b6f1d76b3867310c0fe26078c15514f920e7bf72ebe56d97581a2094574373b2b402efac3355307542b0591b9166cd34d8e89

memory/2324-203-0x0000000000100000-0x00000000003E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e7c227f-145a-4245-ad65-20a83ee8dfcf.vbs

MD5 68c46b74668cbd35f2e355289e5c0c00
SHA1 8d12ab1875c2e294ae72fe9a95961cd38e9e1053
SHA256 24b7cb63f5eaa9aa95ad4b69eea1cd40cb406336a52b9eef06030719de78bbcf
SHA512 e6b3569798aad62707ebffaf8b5a38ab0479d32e8291b0f42936abd10e9d8f63ab9c8886a54741cc5aa4e583de19d8ea79210bfb4c16d18492c1e089af18a9b1

memory/2092-215-0x0000000000110000-0x00000000003F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\421e0ccc-e6a8-49f6-8ee9-b39fdb130258.vbs

MD5 20c9d2e1f1e603b92bd455d8b4a74261
SHA1 6b629903fb97837bf73de46120ba9f4eebd4c9d6
SHA256 c5c701b1c6a361700be3bc3b6b8d5cde812ec4b27f16f124ae1fa5156f15db6b
SHA512 a856a5cccbe9704785ff75f10a8a87b091d286476509a2b540a2b2feb22f2b613483cc3c05501f4815d39f12776b8acb172821ed6c9144ffd1c063b8244cbbc3

memory/2656-227-0x0000000000B80000-0x0000000000E66000-memory.dmp

memory/2656-228-0x0000000000660000-0x00000000006B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21dfcfdb-65f3-48d5-ba1b-99b7298208a0.vbs

MD5 2ee8ea6516fa73aeb90de05aaf43789a
SHA1 905d0bb07821eee8ba24adb66b079d4e0f44f6d5
SHA256 ed85d298bf1baf396827ecd3723263896793da5bd877f63db9514fb15b893b9e
SHA512 cbc6574b3c9d02f06416c05492be006bde90e841b9846af09790d79a8892899a4acb9f0383a239108bf44b0f8d6de8578ae3d0ba3885b66f11849a38bdd7cf16

memory/1616-240-0x0000000000300000-0x00000000005E6000-memory.dmp

memory/1616-241-0x0000000000980000-0x0000000000992000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8e10feba-c3e9-4b48-84b1-e2a5b84ee4da.vbs

MD5 b84a66aaad837fcb15f38d988a10fd29
SHA1 75465d7175e7f8609f1f3446dffa312ab0989d51
SHA256 1bb3d57e334d253cd10e12cdbebe20e9a2eb156114bf3705e62833c0ac10c61e
SHA512 f6d92e729cd34262a92891657971e7948c43ce30f95bfad775d32a6fe9ead659dbe9df0dd4029d4d4f122d532cfb3a9c39aafb6aaa29e7b3b6f1112431455cc2

memory/484-253-0x0000000000BF0000-0x0000000000ED6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6665aedc-e619-4e74-b727-2f8daae3494b.vbs

MD5 ec2ad9a59148682406c17f9bb5260a0e
SHA1 8dbb3ae19c4e34d16456f28afe9011628c704d8f
SHA256 5fe01bd943e4a0fc3ea2c849532f42e6bbb0d2d443da4bba0c75a0620f74df11
SHA512 cbd1e233b484a6a7e37f9a0cb18d6710068f917ce6eaa3498d64e2c40b734d05d45d65f283f8dabe8e062aebbf2f9a4b32f4c69cf38a70aaed0d32fd3cfc5791

memory/2792-265-0x0000000000DA0000-0x0000000001086000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f15b1299-5571-4bd9-a073-4f927eb3c9d0.vbs

MD5 9d2fd445e31d13f51f303b3d892d6d79
SHA1 70ef5f5d86ea0e2b96efb0bdbefcc65ff1e4c20e
SHA256 0ea09dbee39b95622bf7c70b5b953a80ba3357bf239166705f47fc6ed3a9eff5
SHA512 49908807ceefeaa2765337066d1c9b5eef10ff13eb7ce90c2e61e54770aba65659b784c9047d1fd042fb72e5b274ed3924468fe333a9dc53634c68c930aab6ef

memory/2296-277-0x0000000000C50000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0bbf3213-ed4d-4ea2-8a71-52a3572f9ea5.vbs

MD5 4874ee5c4f5479f03f5d9c38e138a050
SHA1 aac9b94ece6077dff74e799484c7e0a269136b3b
SHA256 3e99e4787ff9d6d52e72a19a44f5eb6f57225268841aa52523eb13f971d7868a
SHA512 c229e6b987e928c0762470c41a349c308712b1a904804205e95b8d46bec4926df7e74d86338c2354eb5a0f287a27ae79540ead8a40d03d8706520d87d4a74176

memory/2248-289-0x0000000001100000-0x00000000013E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ffc1970-168e-4bc8-88da-0aaea750236f.vbs

MD5 958203760e942348e60578f41999dccc
SHA1 82ddb3138e705f6b8111f33682c7ce47e052c7db
SHA256 13fd36b673d928e9c845af59a12106d7be1dc0aa06d7723413d807781fe0aaaa
SHA512 55343a33f81ca4ca07facb01f9f77a036eb8acd4a0e313576484d2f3264a55eda9169684096992cb4eb2ee86060ed31700a44e596565bce86a2b6f95296e40a8

memory/492-301-0x0000000000210000-0x00000000004F6000-memory.dmp

memory/492-302-0x0000000000B20000-0x0000000000B32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3d7743e2-ed76-42c4-ac94-dffbdee6e839.vbs

MD5 7d8bfec1347b7a86709855bf25fd5fd7
SHA1 923b7f97dfff1ebab3f472a2349de63dd1a067cd
SHA256 3de043565a9fb491a42eb54ef7859dc6747928c388245537a73f28ffecce121b
SHA512 c1d79a6efdc0ae6cba0f058fd56c5b84538fb617ae3da8a0ee42b121ab022710838d894a4ea44cb23656c6193f2e0e7c41d2ec2a463a6b928035d148f7567316

memory/1856-314-0x00000000003C0000-0x00000000006A6000-memory.dmp

memory/1856-315-0x0000000000900000-0x0000000000912000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec27b4d7263f1cc9f6204ca93d031a64c8daf25d.exe

MD5 0edc91da9c483a43aa11bfb1f7b255de
SHA1 3ff78d7428bae48a8c52f07561c45f421198d7e7
SHA256 b2f5d88cea5e4c5b229ff2c64d9b3dfe0c7c00de6c68a25198635563923993f0
SHA512 f85a5d3dfcbe0642c49d12499ebac8777191833349822354bfbdc6fac8243ba26c152109d9f055a5179ada6570033d764fb0635e0a2bc03574485053557a0fa9

C:\Users\Admin\AppData\Local\Temp\97ebafe8-9841-4c60-91dc-6101ee9c24af.vbs

MD5 bf4b501bc9eb8503a4ec50e041887fe2
SHA1 f217971105f5e8dee23acc27e8d8be3b79526d45
SHA256 faa26675a33d3f43a3948bcaa929c7f359efe97d5150cb9da6e276e9c7f965b5
SHA512 91b002cdd006f41dc65d0b5e3d8e7d62c20aaa6a6b85edd88672256a80ba0ae36e16deb60467a9b5b0b7ae7efb5e35a77f30dbbbdb8bcddb6e3323e5894c4632

memory/836-327-0x0000000000180000-0x0000000000466000-memory.dmp

memory/836-328-0x00000000022C0000-0x00000000022D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0b326b37-c6ba-41bd-8cb4-7e6dc3ccf7c5.vbs

MD5 9741f26552e71b7f37b987936434bfd8
SHA1 c274b94d6874e0b54af6368e581144f741ee9121
SHA256 5cf4aa5dc1bb1d7f1b6a59ccadee42397217a9bfeb88a216328e0f431d293cea
SHA512 b083fa6cbec89a5a423bc44ff594dda7b107f5499415e0cc4773a7061acf200da87c7a2a10bf17fefe88608291f764d1200f709fdff61cdbe6fb7e93fb4d190e

memory/2204-340-0x0000000000D20000-0x0000000001006000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5582abfe-594c-402e-a7f0-abb009979346.vbs

MD5 5585b7082f82a436fc2aa21374a73146
SHA1 249d6568472d918c43acdf319b87fda40ada0b0e
SHA256 7bb449e9f606944c6e092a8fc1f5e23da0e66600311cda8df0c70d8e1486a696
SHA512 1206deb2737a0649a631d3b4d0ec18289df556b5132ad01922c32d3615b0c6756f621898a3463efbc2378529695537b6fc81188377d19f44e03cf1fa606cd0f9

memory/1564-358-0x0000000000E70000-0x0000000001156000-memory.dmp

memory/1564-359-0x0000000000B40000-0x0000000000B52000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 08:04

Reported

2024-06-01 08:07

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\dwm.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Configuration\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX43A6.tmp C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\uk-UA\explorer.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\uk-UA\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\lsass.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX506E.tmp C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\lsass.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Configuration\RCX41A2.tmp C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\uk-UA\explorer.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\uk-UA\RCX45BB.tmp C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\RCX4DEC.tmp C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Windows\Branding\Basebrd\en-US\explorer.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Branding\Basebrd\en-US\RCX52FF.tmp C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCX38D4.tmp C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\RCX3F9D.tmp C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Branding\Basebrd\en-US\explorer.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
File created C:\Windows\Branding\Basebrd\en-US\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Recovery\WindowsRE\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Recovery\WindowsRE\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Recovery\WindowsRE\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Recovery\WindowsRE\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Recovery\WindowsRE\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Recovery\WindowsRE\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Recovery\WindowsRE\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Recovery\WindowsRE\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Recovery\WindowsRE\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Recovery\WindowsRE\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Recovery\WindowsRE\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Recovery\WindowsRE\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Recovery\WindowsRE\dwm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\WindowsRE\dwm.exe N/A
N/A N/A C:\Recovery\WindowsRE\dwm.exe N/A
N/A N/A C:\Recovery\WindowsRE\dwm.exe N/A
N/A N/A C:\Recovery\WindowsRE\dwm.exe N/A
N/A N/A C:\Recovery\WindowsRE\dwm.exe N/A
N/A N/A C:\Recovery\WindowsRE\dwm.exe N/A
N/A N/A C:\Recovery\WindowsRE\dwm.exe N/A
N/A N/A C:\Recovery\WindowsRE\dwm.exe N/A
N/A N/A C:\Recovery\WindowsRE\dwm.exe N/A
N/A N/A C:\Recovery\WindowsRE\dwm.exe N/A
N/A N/A C:\Recovery\WindowsRE\dwm.exe N/A
N/A N/A C:\Recovery\WindowsRE\dwm.exe N/A
N/A N/A C:\Recovery\WindowsRE\dwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4424 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 4424 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2152 wrote to memory of 404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2152 wrote to memory of 404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2152 wrote to memory of 2116 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\dwm.exe
PID 2152 wrote to memory of 2116 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\dwm.exe
PID 2116 wrote to memory of 1188 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 2116 wrote to memory of 1188 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 2116 wrote to memory of 3696 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 2116 wrote to memory of 3696 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 1188 wrote to memory of 1780 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\dwm.exe
PID 1188 wrote to memory of 1780 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\dwm.exe
PID 1780 wrote to memory of 4500 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 1780 wrote to memory of 4500 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 1780 wrote to memory of 3176 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 1780 wrote to memory of 3176 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 4500 wrote to memory of 4248 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\dwm.exe
PID 4500 wrote to memory of 4248 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\dwm.exe
PID 4248 wrote to memory of 3188 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 4248 wrote to memory of 3188 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 4248 wrote to memory of 1436 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 4248 wrote to memory of 1436 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 3188 wrote to memory of 4608 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\dwm.exe
PID 3188 wrote to memory of 4608 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\dwm.exe
PID 4608 wrote to memory of 3956 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 4608 wrote to memory of 3956 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 4608 wrote to memory of 1168 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 4608 wrote to memory of 1168 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 3956 wrote to memory of 3984 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\dwm.exe
PID 3956 wrote to memory of 3984 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\dwm.exe
PID 3984 wrote to memory of 4888 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 3984 wrote to memory of 4888 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 3984 wrote to memory of 1100 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 3984 wrote to memory of 1100 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 4888 wrote to memory of 3968 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\dwm.exe
PID 4888 wrote to memory of 3968 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\dwm.exe
PID 3968 wrote to memory of 4708 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 3968 wrote to memory of 4708 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 3968 wrote to memory of 4084 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 3968 wrote to memory of 4084 N/A C:\Recovery\WindowsRE\dwm.exe C:\Windows\System32\WScript.exe
PID 4708 wrote to memory of 5056 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\dwm.exe
PID 4708 wrote to memory of 5056 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\dwm.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\dwm.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\93b5c595ff8c92b8f2d840b37df0b780NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\Basebrd\en-US\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\en-US\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\Basebrd\en-US\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eDdRGZgmMG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\dwm.exe

"C:\Recovery\WindowsRE\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71d046c9-a14e-4155-baa0-62788123540a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1304288f-ceb3-487a-bbf1-d35b48d2a974.vbs"

C:\Recovery\WindowsRE\dwm.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da427baa-be92-4b22-8ad3-e68bda905f37.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53aac47f-47a8-465a-8f0b-0b95d9ce8b01.vbs"

C:\Recovery\WindowsRE\dwm.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fb2679e-8d8b-4d05-b5d0-fcc5db54cdfe.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa880890-a068-40f3-ac79-ece8109e3c78.vbs"

C:\Recovery\WindowsRE\dwm.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00989216-5c44-4315-94ea-2f3796622465.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7d2cb6b-ecc8-4113-bdc7-49d1cbde49bf.vbs"

C:\Recovery\WindowsRE\dwm.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\282489b6-0415-412a-9d2c-82e0d5f468c8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbd31906-1e41-4799-8e3b-a79e2bae7a32.vbs"

C:\Recovery\WindowsRE\dwm.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96222b96-da3d-4530-9121-20b9353cd742.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b319faf3-f129-4c0f-a1c0-c16d068f559a.vbs"

C:\Recovery\WindowsRE\dwm.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66618184-764f-41b2-86f1-9dcaa9366ecc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ecfa4c6-0e22-414d-8ebc-cbf107e6f08d.vbs"

C:\Recovery\WindowsRE\dwm.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f99d4c19-1ccf-4c3d-8716-1f2b3b124cf0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abe11a72-9fc1-49f3-a81d-3a55b05b3b30.vbs"

C:\Recovery\WindowsRE\dwm.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\249d39d3-3d30-42bc-85ca-4103ff072efc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdb4b54a-9142-4faa-9247-70c5d87f6de3.vbs"

C:\Recovery\WindowsRE\dwm.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dd99e89-8622-4ce2-89ce-cfb17dffa64b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1982bcc1-e97b-4d97-b282-1268e928472d.vbs"

C:\Recovery\WindowsRE\dwm.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5085d4d9-cf26-489b-8817-1b6b82e69a9d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a1f6fc6-8242-4c06-a450-8d9bb525ea2a.vbs"

C:\Recovery\WindowsRE\dwm.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\352fa7d3-963a-43c9-a516-dfbd774c818b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d89db170-6a82-4f95-923d-b6a183166e6b.vbs"

C:\Recovery\WindowsRE\dwm.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\215e6fb1-2496-4875-bdec-7773433b5247.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a388c5b7-8f45-4f92-9ccc-a717de02f2e6.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 247.68.154.149.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp

Files

memory/4424-0-0x00007FFD84233000-0x00007FFD84235000-memory.dmp

memory/4424-1-0x0000000000960000-0x0000000000C46000-memory.dmp

memory/4424-2-0x00007FFD84230000-0x00007FFD84CF1000-memory.dmp

memory/4424-3-0x0000000002D30000-0x0000000002D4C000-memory.dmp

memory/4424-4-0x000000001B910000-0x000000001B960000-memory.dmp

memory/4424-5-0x0000000002D10000-0x0000000002D18000-memory.dmp

memory/4424-6-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

memory/4424-7-0x0000000002DB0000-0x0000000002DC6000-memory.dmp

memory/4424-8-0x0000000002DD0000-0x0000000002DD8000-memory.dmp

memory/4424-9-0x0000000002DF0000-0x0000000002DF8000-memory.dmp

memory/4424-10-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

memory/4424-11-0x0000000002E00000-0x0000000002E0A000-memory.dmp

memory/4424-12-0x000000001B960000-0x000000001B9B6000-memory.dmp

memory/4424-13-0x0000000002E10000-0x0000000002E1C000-memory.dmp

memory/4424-14-0x0000000002E20000-0x0000000002E28000-memory.dmp

memory/4424-15-0x000000001B9B0000-0x000000001B9BC000-memory.dmp

memory/4424-16-0x000000001BFD0000-0x000000001BFE2000-memory.dmp

memory/4424-18-0x000000001C000000-0x000000001C008000-memory.dmp

memory/4424-23-0x000000001C050000-0x000000001C05E000-memory.dmp

memory/4424-22-0x000000001C040000-0x000000001C048000-memory.dmp

memory/4424-21-0x000000001C030000-0x000000001C03E000-memory.dmp

memory/4424-20-0x000000001C020000-0x000000001C02A000-memory.dmp

memory/4424-19-0x000000001C010000-0x000000001C018000-memory.dmp

memory/4424-17-0x000000001C530000-0x000000001CA58000-memory.dmp

memory/4424-25-0x000000001C070000-0x000000001C078000-memory.dmp

memory/4424-24-0x000000001C060000-0x000000001C06C000-memory.dmp

memory/4424-26-0x000000001C080000-0x000000001C08A000-memory.dmp

memory/4424-27-0x000000001C090000-0x000000001C09C000-memory.dmp

C:\Program Files (x86)\WindowsPowerShell\Configuration\TextInputHost.exe

MD5 93b5c595ff8c92b8f2d840b37df0b780
SHA1 1c6672a4693875e71d0917826cdad93eaed8b33b
SHA256 ea17230cdefb26e83505143a9b7c1975c802e099353ee28bf094aa9df4b43870
SHA512 34bac0b7a770e021afbc0629dce12f56540e2f993f9d03392ce997d1cb1d7b42a5249fb38561c96ee8e98f62317572c4d36d1062da7836d00ecd3f0a29986221

C:\Program Files\Google\Chrome\Application\lsass.exe

MD5 19370ff06cefce34bff072d8729a4bd9
SHA1 c9572f7c6026351964e7e6b6ac03db3932b72083
SHA256 f88662c7af67ae8ec09d30b04385fcee2065a5ac554f7bc799be062ed38a069d
SHA512 d085589b7ba2b21b6d8e2c37b374f36cd1a7c07b008f7ee0739bd3f988a07b0971450a1534090e268753e95d7cadcb6cd4748ed385a8aaa3010fc2d7b419bc96

C:\Users\Admin\dllhost.exe

MD5 2a8dab7f78aba95ce978143fc6bb0597
SHA1 a96e8493ee9becedf2082b55ad587cbaa8955ff4
SHA256 1514718fa0870ee313d3f99a560d276d5296a5f5d88d67d8c16486930e46ff69
SHA512 d50eb2a8d239a081bbefcaad24ab74bbad8f1b7a298b3318da0f65ffb93380e18cc862b8008014801291591ce16e8d696e4777819aa12a047f3bf674dd79df96

memory/684-168-0x000001FAEA1C0000-0x000001FAEA1E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hlg0wj4m.kzj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4424-177-0x00007FFD84230000-0x00007FFD84CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eDdRGZgmMG.bat

MD5 01143e20e898fb7cc9d10627a5f92cb7
SHA1 546f50135897ab05e2004f90b5931ae501a2b7bf
SHA256 2934425ffc3ddf95d8cbe0ccb10959816a4d2b6e8c55d333759d8cf38a8286b9
SHA512 2ba962bc3e1ffbb16a5d1fca6841201cf0803b3ae405b477cfe48e78b54dab3249f16d335e762185f1b8a7f75d5fba112bcb93f1ac7474cab21c59a0252759d5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6c47b3f4e68eebd47e9332eebfd2dd4e
SHA1 67f0b143336d7db7b281ed3de5e877fa87261834
SHA256 8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c
SHA512 0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 af5adcf47319367971a7beface1761df
SHA1 5b9a8ec7e99adc338e156c7418ee9baa78106886
SHA256 00f907ebbb49c8330dea708b86491b34e6f3848d8acd1ec5b8397d39da599da0
SHA512 9e83efe028d0dc5a6780d32359ff8da13515392e3e7b043ee2ae3b6ffa585ea66288af3546f191a3a87450db0f5874e81907dd547c4b18612b2ea99035b5c7b3

C:\Recovery\WindowsRE\dwm.exe

MD5 a74cd63c7e812f4d05053795156a669d
SHA1 fa1a7d86eee2513dd7e0427c06aff59bc0757f97
SHA256 d888bd8160707b34e456cdaf908ca0cf3526c9f421d8306ad9a0ce6fbf42eb7e
SHA512 3747e7acdf943610a742396643f4a918618bbc1da405254591b4a3fec858fec1ade4816ad5d173263670898cdc6f4733ea0e41fffb848346f0fdff17b7f6b3f8

memory/2116-290-0x0000000000AA0000-0x0000000000D86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\71d046c9-a14e-4155-baa0-62788123540a.vbs

MD5 9e7fdb26697bfe812364923b203be29f
SHA1 65a55c06395e031ceb3ca8e2af513a3e12ab9051
SHA256 d780198989ab49a5ff06ee9fab04707ea1ec888e73787a3258f1b17329119ec9
SHA512 42b8a72903bdd0cd64fd7400262681892c5ecf080b524f16598098f9c13c689b71021a613661b9a815c0b61c9fb8a9af90d11f6b9bcde212c3baadca1b3104a4

C:\Users\Admin\AppData\Local\Temp\1304288f-ceb3-487a-bbf1-d35b48d2a974.vbs

MD5 f7549e527dd461a8686cc89440a103cb
SHA1 d56331dd85850fb9237f6cb4240b671a7afb07cd
SHA256 c2c381f8346521376cbf40089e8af67103317c75627af2e63f4ee1c4b6eb177c
SHA512 d2baeb83cbd6dd3d828a70b309a1acd71f918e7f87141d4216b40828767183abf7d1c0bf7d638b0158329e9e45fe9f166bdf8dbf61e91daff90a188949f5968d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\da427baa-be92-4b22-8ad3-e68bda905f37.vbs

MD5 25102a794b871636070b9f55f1547172
SHA1 6fb8678d7581ff46c725ec67a7255fb3d4510992
SHA256 f7b448ad6989664739c85ca556ff77655b9ece5b5d0b31f3a69fdef6db4630fb
SHA512 2bc2c2e5cee34cbe09516b771862bb0298d31e23c8a53ac6a22b09afde8ba37ecbf97170936b5d3715acf13dad863662603b1298276ac51aed5c79f152181295

C:\Users\Admin\AppData\Local\Temp\7fb2679e-8d8b-4d05-b5d0-fcc5db54cdfe.vbs

MD5 8de87b3c0a3506272c9376a8092194e4
SHA1 452fb900f2c47b182d42e6bb938ef863cfed6cd9
SHA256 febeff2d2e11e494c15a62bcb154880ac589f43baeb7f238553bad545d0c157d
SHA512 271d322887c2fdd3fc35ad184422dda7414831235174b4ab793eee0a09ffbdc71defa82cbb1f8ba89669cde03c49dd4de260698a5314096ac3963594ab830738

C:\Users\Admin\AppData\Local\Temp\00989216-5c44-4315-94ea-2f3796622465.vbs

MD5 d1a9a494b097d8ffe9afeae6959370b0
SHA1 0656aaf4e5368b6ac83863eb3d727b8143120f4a
SHA256 61b772e9d90a6eb38c9bdf1a6a8d99680211f8e1b525dca88aaf4d2cb8a14a98
SHA512 7c5288c307ee6a4e234fec5a8295b79deee87b0c03c725089d4d90c12c5ba1164fac34d8c739a638dbedf73e05e204f0200dd2390b89422e285163dfe6a8127a

C:\Users\Admin\AppData\Local\Temp\282489b6-0415-412a-9d2c-82e0d5f468c8.vbs

MD5 7b556879ce1fd7cfd0fb9b9956eda2eb
SHA1 f6e6dc8923ec3e11825ddf78e4b3e959f7629468
SHA256 5d8307cf0e98a2f453ec28d49a6e85640fc74c82057e3b938788ca887770b5af
SHA512 e3dba4e7f3839eb61a4a373076dc8b094aacc2eb7e36592e0f83da55c6691b45447802f54d97f3e6ab9245d827f36c93edd98a976ca2a45194caa97103312f3d

C:\Users\Admin\AppData\Local\Temp\e214181017f92fa3ce738d250af6c13f28c7217f.exe (zero-byte file: the digests below are those of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\96222b96-da3d-4530-9121-20b9353cd742.vbs

MD5 0db2b71c9183ab39a993684e4f54615a
SHA1 51c1fbb5026c8687137144bde12175145aefb6dc
SHA256 2acb6ff8016668b62fded465bf013af6f93ac409d497275a7f521760953350d1
SHA512 393da4429b691e4134abeaedace7d15357d1dfe809a7ad7813a3037c4ab91517ee603c7d313768c63941c51da4f390df6c36e2a1654bade19b5f839c009880e4

C:\Users\Admin\AppData\Local\Temp\66618184-764f-41b2-86f1-9dcaa9366ecc.vbs

MD5 a48c8434a2ff3fb255c74a2afebb0e9a
SHA1 c6b4a9c4fc11931ce72977e991ab7bbeed31538d
SHA256 6ea0d8901e373bd039e352f504e990eeec1ceee1907d21bc1df843edea854923
SHA512 14786dd8e353877eab9e379f967de727ed4970d9a092ae8a695fc67f2a8befdb3372117d3578448a9e801e9575de72cafbf9c302c489c5582cf185d6a5f41a12

C:\Users\Admin\AppData\Local\Temp\f99d4c19-1ccf-4c3d-8716-1f2b3b124cf0.vbs

MD5 c42b1bd73b783213b14c68b8b92710d3
SHA1 d1023ea3ff4703ca07c0d242d45ed651a248f500
SHA256 965f34585a29621cf1cfd2dfa847b8788f744af9d73a7fdb436e2fbb751de9dc
SHA512 fe47a8f467a287505bad4d031dfcad2a42cde943ecf00040aeabb4f2a46844dfae534f9e3ec3054fccddac66760a79ea2eeea00641163a50d0fcc44ed5d0461f

C:\Users\Admin\AppData\Local\Temp\249d39d3-3d30-42bc-85ca-4103ff072efc.vbs

MD5 664eb0ee07ccbdbcb78b97747c455a08
SHA1 20bcba5913a4048454299c4f33cf597b13f94685
SHA256 f6e86a389be23c7078cdb252b8aad7f102b6bf085f50d7adf5f68f38528fc55d
SHA512 620b69e858dfa68313b102e24142de6288a5a5192eaa4f2e19c845b9d34601ff1366f13b58966f87bdd17de24e73e90d7f9ee37ab5b2df7c90d3cabbb5a83389

C:\Users\Admin\AppData\Local\Temp\0dd99e89-8622-4ce2-89ce-cfb17dffa64b.vbs

MD5 10008efd0db5b4997e9cc3a69bb60552
SHA1 7a6b92f6c1592adea7033bd9ce684cc336e0e181
SHA256 e2b84f5c6bea7fda3f48ef83e2a1eced5aba3572bb9e54793de726598fb04958
SHA512 9c7f8a76829a6126b7eb462494ec896d2f908e16531528413b0d611e7f660b05ed667d89ab4849965a15d0fb769f1fed67a4de97de50a8de4096a6a2f12d1b3c

C:\Users\Admin\AppData\Local\Temp\5085d4d9-cf26-489b-8817-1b6b82e69a9d.vbs

MD5 8516b84cd3bb2e79ace186231d10e05d
SHA1 017c2aca4dfdab012e89aec5afce299f3066c87e
SHA256 5736976b61d98b07908fe11ea4303fab1d2d1cc49d50e318a64e0aca3ef2be35
SHA512 3d747c8ff2627983dc629fe1a11cda842b1d59e67855f7a66a30782bf8dab43731d37ece1a0c2e735cffe16691b6837fb7d69327e3d32953e11f8b9925adc11d

C:\Users\Admin\AppData\Local\Temp\352fa7d3-963a-43c9-a516-dfbd774c818b.vbs

MD5 135f8fd3680d3ff0d7c8ecd7f3a6be42
SHA1 5c8f9b881350b333a0b8bb10fd72fdf450db1714
SHA256 f2969397aa66da1debf0f09e5026712028f22ae83abb1b086d3e59b1d42b99f7
SHA512 b77e699cd206cbc8be967bf0e04387fa08b294fef576cd4047f4ed4fff400762c3c48cd3dc6fd694ce5e3ded2093efd2948bc965fd3ee66c5f743677e1d68412

C:\Users\Admin\AppData\Local\Temp\215e6fb1-2496-4875-bdec-7773433b5247.vbs

MD5 316999a70a037c389acc3468757b4b62
SHA1 e4fedc1e369703e5d4e50acc31f3da3c259bf876
SHA256 4cff9a558da0c434eb67e9aebe34679a4b0034d5b9ddfd64279ec3220db9cfc9
SHA512 5b67b84571f108f801911374d163a5f27ced7f16c2a901e2b16d583b59fcb45eb064d0eca6981b83dee86dc64d6400ccf84790e25403a0b3b5b81c23525eb1f9