Malware Analysis Report

2024-10-10 12:49

Sample ID 240603-c5r5pagd5t
Target 988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe
SHA256 7d67326ac6bb6f62195faaadab29c08d0a4d13575cac6a767b52142f7f833c85
Tags rat dcrat evasion execution infostealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 7d67326ac6bb6f62195faaadab29c08d0a4d13575cac6a767b52142f7f833c85

Threat Level: Known bad

The file 988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

DCRat payload

Dcrat family

Process spawned unexpected child process

UAC bypass

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Task Scheduler COM API

System policy modification

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 02:39

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 02:39

Reported

2024-06-03 02:42

Platform

win7-20240221-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (48 identical rows)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A (9 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A (9 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A (9 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (13 identical rows)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A (9 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A (9 identical rows)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\de-DE\RCXEFA0.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\RCXF93A.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\services.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\RCXFFA6.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\RCXDE3.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\services.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\RCXF94A.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\RCXDC3.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\explorer.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\de-DE\RCXEFB1.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\RCXFFB6.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\explorer.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\schemas\winlogon.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Windows\Logs\HomeGroup\audiodg.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Windows\Logs\HomeGroup\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Windows\schemas\winlogon.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Windows\schemas\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Logs\HomeGroup\RCXF3E8.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Logs\HomeGroup\RCXF409.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Logs\HomeGroup\audiodg.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\schemas\RCXFF7.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\schemas\RCX1084.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (48 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (12 identical rows)
Token: SeDebugPrivilege N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A (9 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe
PID 2140 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe
PID 2140 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe
PID 2536 wrote to memory of 2364 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 2536 wrote to memory of 2364 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 2536 wrote to memory of 2364 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 2536 wrote to memory of 1132 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 2536 wrote to memory of 1132 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 2536 wrote to memory of 1132 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 2364 wrote to memory of 2080 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe
PID 2364 wrote to memory of 2080 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe
PID 2364 wrote to memory of 2080 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe
PID 2080 wrote to memory of 2768 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 2080 wrote to memory of 2768 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 2080 wrote to memory of 2768 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 2080 wrote to memory of 2908 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 2080 wrote to memory of 2908 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 2080 wrote to memory of 2908 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 2768 wrote to memory of 1216 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe
PID 2768 wrote to memory of 1216 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe
PID 2768 wrote to memory of 1216 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe
PID 1216 wrote to memory of 3004 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 1216 wrote to memory of 3004 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 1216 wrote to memory of 3004 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 1216 wrote to memory of 1752 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 1216 wrote to memory of 1752 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 1216 wrote to memory of 1752 N/A C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe C:\Windows\System32\WScript.exe
PID 3004 wrote to memory of 972 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\HomeGroup\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\HomeGroup\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics9" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics9" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Common Files\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Links\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\schemas\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe

"C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2ade2e9-43ce-4169-ab2c-4a507fd16ba0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ef3a26a-ab56-4099-944a-67e8cfaf20b7.vbs"

C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe

"C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e11faf37-7fe2-4a22-9246-1bca99f33ac5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fd85f70-700f-4cd5-a52a-a252d3aa8ddf.vbs"

C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe

"C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2bc8825-634c-425c-88c0-a679825fd0b8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f61fb039-56a7-47b9-8424-5e2a495c90f0.vbs"

C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe

"C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25a1ee80-b6d0-43c3-8286-dc47964a36e5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50ed50ad-cd32-4059-bff5-1ad5e10734c6.vbs"

C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe

"C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5846a691-ff0f-404e-8c65-cf6b12e4505b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\677967c3-3d01-4c8d-96d2-a7c1928de2e8.vbs"

C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe

"C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d542bcb-af19-411c-9b8f-ad06da793d92.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb2ee14d-7480-4cae-b6f4-51d171f1cfd3.vbs"

C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe

"C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4b60281-13f1-469c-acad-0b125e7afcbd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a202cbfd-bee9-4adc-bd8d-5522dda6aa5d.vbs"

C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe

"C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f165d7a-2be6-486b-9c52-b9abc3253436.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\478332ca-3138-4a6f-ba02-4e04d23fbf2a.vbs"

C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe

"C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d26482f-ea97-4aa5-b612-2623b59904b6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df13ac92-ec03-4bcf-ae68-eca6c9e3b96a.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.144.111:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.111:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.111:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.111:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.111:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.144.205:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.205:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.205:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.205:80 self-lighting-subpr.000webhostapp.com tcp

Files

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe

MD5 988b3b242b8eb031a2a97c2f096becf0
SHA1 6374240fe3c00cf836d9b9e8732b6732d09e9e34
SHA256 7d67326ac6bb6f62195faaadab29c08d0a4d13575cac6a767b52142f7f833c85
SHA512 938cbe83467b5b960fae7c9cb7bde59fe36eb28c8261b37c9b876cc1f259ed466cbce01b6e0fd1a78e0dd974697146a73b9106dcaca0bbc0bb028eb161c0aa6b

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe

MD5 67a93a9acc04992f2387630aaa8043b5
SHA1 ebec73815a016577aa96e7da9df60f0da5633c99
SHA256 4b77a40676898884839ee6e5da66e1b885728cbd5b81fa43ac6b4e75153d6f5d
SHA512 52ee1f2a44a6a561a6d927e4bee334e89a04eed8b7d65fad450e3694c4b075737aed2eb796eb6c7a0f810081c9cccb6dc9ed7f0855471ec359a8c8815e30889c

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsm.exe

MD5 7172a5b8ed518d7200c599050fa1cf4b
SHA1 4fd49529131b6f8a9f6d75231859db6406f334b4
SHA256 60f9380d4b7fde50a9493d9e38f05fdff52711b2c6a520dc4ac54107ff36138c
SHA512 36e4b104ad595d04e5e15c8ff803f46b430e20a733136f214230605824d0460898795a7b7600367c95ea5f857a26d2f36b9066a2bd4292ed7cc87c5c964da517

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RCX46A.tmp

MD5 62ee205119f56339df1a2ee898d6d85a
SHA1 b5d75415ea6d2e482a36d4495a1fa60afca4dcd1
SHA256 14d7fdded0b7bfc58832aba1742c3e6a631e14b071394bbd43ac3ba2668d3983
SHA512 9a2560797126e189e85a46aeff250f4f006ed7d423fcfcb96cccaf1e7d1cc13f0eb02b18be153c722ed167a849debdaadd991fa4d9405ce812e0f0056662c15b

C:\Users\Admin\Links\dwm.exe

MD5 cb713197d74c42c8017a5cb1ce91bd44
SHA1 43dec6695ee481357d0a64b39e21d5afbb842e84
SHA256 b899db6db9f89f4de9249aa8eaeb8ccd700c554c25ec52ff758a91b80d6b74f5
SHA512 022d9bfc025cccff72c5a8c997d4bf8b93e18859367a0e0d1269c4a4021e301d49f568ae8fb11c1893688a69096db410ec7754fecf9a6da96817e06b0ef05eb0

C:\Windows\schemas\winlogon.exe

MD5 78ce00be21a5b4eaa3352fb2c1b3df48
SHA1 f2f3f0d8b552ead99a9bf902de8260e960958c2c
SHA256 236966c67a5ec29c1b4b4c98dd8f31cc717736d8b8a336d09f5939e4abc9fdc4
SHA512 0646b5122366e05c6f99c7810df8d5d3c1540ce2e40a6181b63cefff1f4a8956b039b733792dd583fd54ecd8557b8253cc7ca157a67fce8648ea180eb2e5d00d

memory/2536-252-0x0000000001380000-0x00000000016BC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 72a8b212e821d6b6f9298ca585aab1a5
SHA1 9fbe7cf76230f02e2fbdb109e8ecfefc5832395b
SHA256 54449cb179f26252a2911dd3f58779be24949991020cbeea467502dcd5f05d09
SHA512 c7fece6235456819863de54abd175347602d4b2314aa984cbf6d37bee8c4fd0be4e272fef42b1f37ff39c13de60ac000c89c9f93e7e58a2862a0c82a83db52f4

memory/2408-273-0x0000000001E70000-0x0000000001E78000-memory.dmp

memory/2348-272-0x000000001B260000-0x000000001B542000-memory.dmp

memory/2140-274-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

memory/2536-315-0x0000000000510000-0x0000000000566000-memory.dmp

memory/2536-316-0x00000000005A0000-0x00000000005B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ef3a26a-ab56-4099-944a-67e8cfaf20b7.vbs

MD5 b343627586c448b353f34c975030c78b
SHA1 98283ecd45f662c44de1bd81e38b5af61928640f
SHA256 5d04aad261012dc8f47cf11ef323d13db5f919976e36e88d244cc15815a74305
SHA512 230404fa5b64858e7e2b6287affc9c52b30cda4271c8bf45f4a8af1aa53967ac3e5629751b73e06ca45faf3e6d94c870fd55ac876af099ee6574227d87489d52

C:\Users\Admin\AppData\Local\Temp\f2ade2e9-43ce-4169-ab2c-4a507fd16ba0.vbs

MD5 19ca19c782145df17807af5aa2c8de40
SHA1 8e53aea2a22d10d19c38775839196b3654ca7b9e
SHA256 b192d6590b3f05deb0c5ffcf009a43f694d21d8c878347ab96722cf062f7e19d
SHA512 b6000b0dd37fce84c0cb93cea798981a396c0e7d68d447bc377800f914e5d87e5465bad9856ae863a82037269374a4ccd3a488cbcd1e87a639ba35dbc46fbd18

memory/2080-327-0x0000000000C90000-0x0000000000CE6000-memory.dmp

memory/2080-328-0x0000000000E90000-0x0000000000EA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e11faf37-7fe2-4a22-9246-1bca99f33ac5.vbs

MD5 79f1c82121953a2c916b065856f00ccc
SHA1 ec6ab473f2eb222608a11f371b8d0f74ee1b2d89
SHA256 edf47f1ab1a4db3bc4275ddf0d10d0fc42c24dc09cf1de8fb9bd408334777189
SHA512 534e80b67934fab02ce9b511d346fe8bde638466addcb18b4772affc53b451fe112ee2eeb7a35d644bf7b0edf35dcc1ccc80d93e4df79bd846df88a623d9911f

memory/1216-340-0x0000000000C00000-0x0000000000C12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c2bc8825-634c-425c-88c0-a679825fd0b8.vbs

MD5 3c09f90da4944d998bcff179f2819c5e
SHA1 e595fc26a9c436ee4b43abb8d8498b903971b998
SHA256 436c646b8120a9557f4f5004df824d61bc52cbf88d68c536f7031e297096cc14
SHA512 a97ba7472ee78abd4d69b415ca145cd2086d3a81962d78e64f3ae3bd55d7f17fdb68114fae76f29c45014244216b584c1ddc3577a36b96c52e1ab455f9cddb66

memory/972-352-0x0000000000200000-0x000000000053C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\25a1ee80-b6d0-43c3-8286-dc47964a36e5.vbs

MD5 f8ec65a717f3761b89a4c35341e12d1d
SHA1 d7ecb1c2c968a07ba1487d765f913a47030a94d1
SHA256 b632b2b44a9d4c57f3d9c76e0fa2835b705f1293f095a95cf776aab4a3769af2
SHA512 c2f2c93ce70af97ce1fac9277c6027a86f9589df8e0c52d41f0f937fc00d7b7ba20f45eb0a35f8f1c7ba46d6f5c519f1826288b5f1e515c8f4671ef7feebf284

memory/2320-364-0x0000000000B50000-0x0000000000E8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5846a691-ff0f-404e-8c65-cf6b12e4505b.vbs

MD5 5aa3a2c22690a81ada301e0168e09085
SHA1 d94c6393496e7e45aac935619dc47dc9107133bd
SHA256 2455d8dd25aa4e0a8031534389b18a2234ffaa2e4f7ac8c286d042eaabb2be3f
SHA512 18738ece6cdedd0c612d7ed900d5e3b43fe1a015a23fdd4d45f6e254a89a15c8a78f6a4bffa10285a184b23cf42572c6a6dd3760ebb069b2723988cdba4c77c7

memory/924-376-0x0000000000CD0000-0x000000000100C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3d542bcb-af19-411c-9b8f-ad06da793d92.vbs

MD5 bfe07c34ac70327457062f1322dde2db
SHA1 b94b19146ea8179d33a51684c8ed07a61850d78e
SHA256 26208244597f22e8908badb456a00ad86fad3e9c0951d557e5d5f4fada1612b4
SHA512 d8ac39001171a3fd3c1c0d134ec69f24bc4e9e752cee32d59dd99abd27f9d870a1d0afcb42519da4fa793f8eacbbedb18f8315a5146269fdc7482147e9e83180

memory/2996-388-0x0000000000FA0000-0x00000000012DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d4b60281-13f1-469c-acad-0b125e7afcbd.vbs

MD5 d35786de0ee31b61c04f8d3a7bacb04d
SHA1 784f91e16d406ee202baee8f9b837f27c60f1503
SHA256 fb64757e239c6ce6b4123b9b5b274c9f25252d83947427e5a21fd91f29c75fc2
SHA512 df2cfe3fd2a02d3f0fe43ee8ea9147f044e8c9d0246120a2644e3d0f43fede864068765b9cab9de1cb96ed27dcdc128300c17040dcd654f73b1d9a5663e392b6

C:\Users\Admin\AppData\Local\Temp\3f165d7a-2be6-486b-9c52-b9abc3253436.vbs

MD5 5b2a6d19773cd0aa4b755dbabf541397
SHA1 dc1fd86294b7b0f8d01c633dc29d2e5c0c92eb12
SHA256 1e504b33f326e54d9afa76787196d91c147e5f8cf01232f3b6d1c10840840e3b
SHA512 e48f3b8c72e909b25a1b47e2e34e06138491556c3fce18eb28d4e13c538e2c58f5171d485acb98216b04312804e0c66e0a9120c2a8a1bb6f76a62aeb5b796e5f

memory/2648-411-0x0000000001120000-0x000000000145C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6d26482f-ea97-4aa5-b612-2623b59904b6.vbs

MD5 a6a65880fb9ef03985a820f893510364
SHA1 3fd263fa35e0df82797ee73adb18b02732e864c4
SHA256 57d9e132d3319c7c3aed907585a6b0339ef0652ec93c04e5ca2f569f9b56f1e2
SHA512 95bad289c105acb384f5978ad47fe7161abe68777d88a90857e658f450e9a3c31d99a643a95092c246df835f7ac2ee73d5b0a88a2b0f63afea1e231b31c63707

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 02:39

Reported

2024-06-03 02:42

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (42 identical events)
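What the rows above mean in practice, as an added example (the editor's code, not part of the report and not DCRat's): schtasks.exe with WmiPrvSE.exe as its parent is the footprint of a process created through WMI (Win32_Process.Create), which puts the WMI provider host in the parent field and hides the real caller from parent-based rules. The functions below classify parent/child pairs from process-creation telemetry and flag hosts where high-risk children burst out of WmiPrvSE.exe within a short window, as they did in this detonation. The host names, timestamps, allowlist and thresholds are constructed assumptions.

```python
"""Flag schtasks.exe (and similar) launched from WmiPrvSE.exe, and bursts of it.

Added example, not from the sandbox report. A process created through WMI's
Win32_Process.Create has WmiPrvSE.exe as its parent, so the initiator is not
visible in the parent field. Events below are constructed; the allowlist,
window and threshold are the editor's assumptions.
"""
from collections import Counter, defaultdict
import ntpath

# Children WmiPrvSE.exe routinely starts on its own (editor's allowlist; tune it).
ALLOWED_WMIPRVSE_CHILDREN = {"werfault.exe", "conhost.exe"}
# Children that, when started by WmiPrvSE.exe, indicate WMI-driven execution.
HIGH_RISK_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                      "cscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
BURST_WINDOW_S = 60   # sliding window, seconds (assumption)
BURST_THRESHOLD = 5   # high-risk children inside one window (assumption)


def _name(path):
    return ntpath.basename(path).lower()


def classify(parent_image, image):
    """Return 'ok', 'review' or 'high' for one parent/child pair."""
    if _name(parent_image) != "wmiprvse.exe":
        return "ok"            # not our parent of interest
    child = _name(image)
    if child in ALLOWED_WMIPRVSE_CHILDREN:
        return "ok"
    return "high" if child in HIGH_RISK_CHILDREN else "review"


def summarize(events):
    """Count events per class; useful as a first triage view of a host set."""
    return dict(Counter(classify(ev["parent"], ev["image"]) for ev in events))


def find_bursts(events):
    """Per host, the largest number of 'high' events inside any BURST_WINDOW_S
    window; hosts reaching BURST_THRESHOLD are returned with that count."""
    per_host = defaultdict(list)
    for ev in events:
        if classify(ev["parent"], ev["image"]) == "high":
            per_host[ev["host"]].append(ev["ts"])
    bursts = {}
    for host, times in per_host.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW_S:
                start += 1     # slide the window forward
            best = max(best, end - start + 1)
        if best >= BURST_THRESHOLD:
            bursts[host] = best
    return bursts


WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"

# Constructed telemetry: ws01 mirrors this sample (repeated schtasks from
# WmiPrvSE within seconds); ws02 mixes one hit with benign activity.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100 + i, "parent": WMIPRVSE, "image": SCHTASKS}
    for i in range(6)
] + [
    {"host": "ws02", "ts": 100, "parent": WMIPRVSE, "image": SCHTASKS},
    {"host": "ws02", "ts": 101, "parent": WMIPRVSE,
     "image": r"C:\Windows\system32\conhost.exe"},
    {"host": "ws02", "ts": 102, "parent": r"C:\Windows\explorer.exe", "image": SCHTASKS},
    {"host": "ws02", "ts": 103, "parent": WMIPRVSE,
     "image": r"C:\Windows\system32\notepad.exe"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print(find_bursts(SAMPLE_EVENTS))
```

The burst check is what separates a one-off administrative WMI call from this sample's behaviour: one schtasks.exe under WmiPrvSE.exe is worth a look, dozens within a minute on one host is scripted persistence installation.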

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A (12 events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A (12 events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A (12 events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A (1 event)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A (1 event)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A (1 event)
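Why these three values matter, and a check a responder can run: the Python below is an added example written for this page, not code from the report or from DCRat. It parses rows in the sandbox's "Set value (int)" format (constructed here from the table above), collapses them to the last value each process wrote, and reports what each zeroed value does. read_live_uac_policy() reads the same values from HKLM with winreg on a Windows host. The baseline values and the row regex are the editor's assumptions.

```python
"""Audit the three UAC policy values this sample zeroes.

Added example, not from the report. Event rows are constructed from the
"UAC bypass" table; BASELINE holds the Windows client defaults as the editor
understands them. On Windows, read_live_uac_policy() reads the real values.
"""
import re

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Secure baseline per value (Windows client defaults; assumption).
# EnableLUA=0 turns UAC off entirely once the machine reboots;
# ConsentPromptBehaviorAdmin=0 elevates administrators without any prompt;
# PromptOnSecureDesktop=0 draws the prompt on the normal desktop, where other
# processes can interact with it.
BASELINE = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,   # prompt for consent for non-Windows binaries
    "PromptOnSecureDesktop": 1,
}

# Sandbox row: Set value (int) \REGISTRY\MACHINE\<UAC_KEY>\<Name> = "<val>" <process> N/A
ROW_RE = re.compile(
    r'Set value \(int\) \\REGISTRY\\MACHINE\\' + re.escape(UAC_KEY)
    + r'\\(?P<name>\w+) = "(?P<value>-?\d+)" (?P<process>.+?) N/A$'
)


def parse_rows(rows):
    """Yield (name, value, process) for rows that write under the UAC policy key."""
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            yield m["name"], int(m["value"]), m["process"]


def audit_uac_policy(values):
    """Compare {name: value} with BASELINE; absent values mean the default applies."""
    findings = []
    if values.get("EnableLUA", BASELINE["EnableLUA"]) == 0:
        findings.append("EnableLUA=0: UAC disabled for all users after next reboot")
    if values.get("ConsentPromptBehaviorAdmin", BASELINE["ConsentPromptBehaviorAdmin"]) == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: admins elevate silently, no prompt")
    if values.get("PromptOnSecureDesktop", BASELINE["PromptOnSecureDesktop"]) == 0:
        findings.append("PromptOnSecureDesktop=0: elevation prompts left on the user desktop")
    return findings


def audit_sandbox_rows(rows):
    """Collapse event rows to the final per-process state, then audit each writer."""
    state = {}
    for name, value, process in parse_rows(rows):
        state.setdefault(process, {})[name] = value
    return {proc: audit_uac_policy(vals) for proc, vals in state.items()}


def read_live_uac_policy():
    """Read the three values from HKLM on a Windows host (None elsewhere)."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in BASELINE:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent: Windows applies its default
    return values


# Constructed from the report's table: a subset of rows per process, plus one
# read-only row that the parser must ignore.
UPFC = r"C:\Users\Admin\Videos\upfc.exe"
NEIKI = r"C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe"
PREFIX = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_ROWS = [
    rf'Set value (int) {PREFIX}\ConsentPromptBehaviorAdmin = "0" {UPFC} N/A',
    rf'Set value (int) {PREFIX}\EnableLUA = "0" {UPFC} N/A',
    rf'Set value (int) {PREFIX}\PromptOnSecureDesktop = "0" {UPFC} N/A',
    rf'Set value (int) {PREFIX}\EnableLUA = "0" {NEIKI} N/A',
    rf'Key value queried {PREFIX}\EnableLUA {UPFC} N/A',   # a read, not a write
]

if __name__ == "__main__":
    for proc, findings in audit_sandbox_rows(SAMPLE_ROWS).items():
        print(proc)
        for f in findings:
            print("  -", f)
    print(read_live_uac_policy() or "not on Windows; live read skipped")
```

On a host you suspect has run this sample, a value of 0 in any of the three is a finding on its own; all three together, written by a process under C:\Users, is the exact pattern above. Note that EnableLUA=0 only takes effect after a reboot, so the elevation prompt may still appear on a machine that is already configured for silent elevation.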

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (10 matches, no indicator recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Videos\upfc.exe N/A (12 events)
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A (1 event)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Videos\upfc.exe N/A (12 events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A (12 events)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A (1 event)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A (1 event)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Internet Explorer\uk-UA\System.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\RCX6DEF.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX7072.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\uk-UA\RCX7604.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Photo Viewer\uk-UA\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files\WindowsPowerShell\Registry.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\uk-UA\RCX6171.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX68BC.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Internet Explorer\uk-UA\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCX5F5C.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX68BB.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Registry.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Internet Explorer\uk-UA\System.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files\WindowsPowerShell\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\RCX6472.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCX5F5D.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\RCX6DF0.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX7071.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\uk-UA\RCX61EF.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\RCX63F4.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows NT\Accessories\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\uk-UA\RCX7586.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\uk-UA\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows NT\Accessories\63775a7e2302ec C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Photo Viewer\uk-UA\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\es-ES\RCX781A.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\es-ES\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\RCX7AAC.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\es-ES\RCX7819.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Windows\es-ES\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Windows\es-ES\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\RCX7A2E.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
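The two file tables above show the same three-part pattern in every directory the sample writes to: an RCX????.tmp scratch file is opened for modification, an executable is created next to it, and a companion file with a 14-character hex name (63775a7e2302ec, 9e8d7a4ca61bd9, eddb19405b7ce1, 5b884080fd4f94) is created in the same folder. The report does not say what the companion files contain, but their presence is a usable triage signal on its own. The script below is an added example, not part of the report or of any vendor tooling: it parses rows in the layout printed above, groups them by directory and flags directories showing at least two of the three artefact types. Function names are mine; the parser assumes the dropper (process) column contains no spaces, which holds for every row in this report. The sample rows are copied from the two tables above.

```python
"""Triage the file-drop rows of a sandbox report: group events by directory and
flag directories that show the staging pattern (RCX????.tmp scratch file,
dropped .exe, 14-hex companion file). Added example, not vendor tooling."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Row layout as rendered in the report. Assumption: the process column has no
# spaces (true for every row in this report), so a non-greedy indicator path,
# a space-free process path and the literal "N/A" target parse unambiguously.
ROW_RE = re.compile(
    r"^(?P<action>File opened for modification|File created) "
    r"(?P<path>.+?) (?P<proc>[A-Za-z]:\\\S+) N/A$"
)
SCRATCH_RE = re.compile(r"^RCX[0-9A-F]{4}\.tmp$", re.IGNORECASE)  # RCX781A.tmp
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")                      # eddb19405b7ce1

# Rows copied from the report's "Drops file in Program Files directory" and
# "Drops file in Windows directory" tables.
SAMPLE_ROWS = r"""
File opened for modification C:\Program Files\Windows NT\Accessories\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\RCX63F4.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows NT\Accessories\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\uk-UA\RCX7586.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\uk-UA\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows NT\Accessories\63775a7e2302ec C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Photo Viewer\uk-UA\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\es-ES\RCX781A.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\es-ES\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\RCX7AAC.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\es-ES\RCX7819.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Windows\es-ES\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File created C:\Windows\es-ES\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\RCX7A2E.tmp C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
"""

def parse_rows(text):
    """Yield (action, indicator_path, process_path) for each parsable row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group("action"), m.group("path"), m.group("proc")

def staging_dirs(text, min_signals=2):
    """Return {directory: summary} for directories showing at least
    `min_signals` of the three artefact types. Summary keys: exes, tmps,
    companions (file-name sets) and droppers (process-path set)."""
    by_dir = defaultdict(lambda: {"exes": set(), "tmps": set(),
                                  "companions": set(), "droppers": set()})
    for action, path, proc in parse_rows(text):
        p = PureWindowsPath(path)
        entry = by_dir[str(p.parent)]
        entry["droppers"].add(proc)
        if SCRATCH_RE.match(p.name):
            entry["tmps"].add(p.name)
        elif COMPANION_RE.match(p.name):
            entry["companions"].add(p.name)
        elif p.suffix.lower() == ".exe":
            entry["exes"].add(p.name)
    return {
        d: e for d, e in by_dir.items()
        if sum(bool(e[k]) for k in ("exes", "tmps", "companions")) >= min_signals
    }

def dropped_binaries(text):
    """Sorted full paths of every .exe in a flagged directory: the list to
    hash, compare against the submitted sample and sweep from other hosts."""
    return sorted(f"{d}\\{n}" for d, e in staging_dirs(text).items() for n in e["exes"])

if __name__ == "__main__":
    for d, e in staging_dirs(SAMPLE_ROWS).items():
        print(d, sorted(e["exes"]), sorted(e["tmps"]), sorted(e["companions"]))
```

The directory key is what matters for a host sweep: the dropped binaries carry names of real Windows components (RuntimeBroker.exe, backgroundTaskHost.exe, unsecapp.exe), so hunt by path rather than by file name, and treat a 14-hex-character file next to an executable under a locale or resource subfolder as a strong indicator even when the executable itself has already been removed.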

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
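The table above only records that schtasks.exe ran; the command lines themselves are listed under Processes later in this analysis. Read together they show a fixed pattern per dropped binary: one ONLOGON task at /rl HIGHEST named after the target file, plus MINUTE-interval tasks (every 5 to 14 minutes) whose name is the target's stem with its own first character appended (services/servicess, csrss/csrssc, Registry/RegistryR, upfc/upfcu). The targets live in C:\Recovery\WindowsRE, C:\Users\Default User, a Videos folder, and locale subfolders of Program Files, and carry the names of Windows processes. The script below is an added example, not part of the report or of any vendor tooling: it tokenises /create command lines in the form printed under Processes, groups them by target path and flags sets that match this pattern. Function names are mine; the sample command lines are copied from the Processes list.

```python
"""Parse schtasks.exe /create command lines and group them per target binary
into persistence sets. Added example, not vendor tooling."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Tokenise "/flag", "/flag value" and '/flag "quoted value"'. schtasks wraps the
# action in double quotes; this sample adds single quotes inside them.
FLAG_RE = re.compile(r'/(?P<flag>[A-Za-z]+)(?:\s+(?:"(?P<q>[^"]*)"|(?P<u>[^/\s"]\S*)))?')

# Process names the task and file names imitate. services, smss, csrss,
# fontdrvhost, unsecapp, explorer and upfc are real Windows binaries;
# "Registry" and "System" are kernel process names with no on-disk binary.
MIMICKED = {"services", "smss", "csrss", "fontdrvhost", "unsecapp", "upfc",
            "explorer", "registry", "system", "runtimebroker", "backgroundtaskhost"}
LOCALE_DIR_RE = re.compile(r"^[a-z]{2}-[A-Z]{2}$")  # ja-JP, uk-UA, en-US ...

# Command lines copied from the Processes list of this report.
SAMPLE_COMMANDS = [l for l in r"""
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics9" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe'" /f
schtasks.exe /create /tn "988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Default User\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe'" /f
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\upfc.exe'" /f
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Videos\upfc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\upfc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\unsecapp.exe'" /f
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\unsecapp.exe'" /rl HIGHEST /f
""".splitlines() if l.strip()]

def parse_schtasks(cmd):
    """{flag: value} for one command line; bare flags map to None and the
    quotes around values are removed."""
    args = {}
    for m in FLAG_RE.finditer(cmd):
        val = m.group("q") if m.group("q") is not None else m.group("u")
        args[m.group("flag").lower()] = val.strip("'") if val is not None else None
    return args

def legit_location(path):
    low = path.lower()
    return (low.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"))
            or low == r"c:\windows\explorer.exe")

def target_oddities(path):
    """Tags describing why the task's action path is suspicious."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    tags = []
    if p.stem.lower() in MIMICKED and not legit_location(path):
        tags.append("mimics-windows-process-name")
    if any(LOCALE_DIR_RE.match(s) for s in p.parts[:-1]):
        tags.append("locale-subfolder")
    if "recovery" in parts or "default user" in parts or "videos" in parts:
        tags.append("unusual-directory")
    return tags

def persistence_sets(commands):
    """Group /create commands by target path: task names, whether an ONLOGON
    task runs at /rl HIGHEST, the MINUTE intervals, whether the names follow
    the pattern seen in this report (<stem> and <stem> + first character of
    stem), and the path tags."""
    sets = defaultdict(lambda: {"names": set(), "onlogon_highest": False,
                                "minute_intervals": [], "name_pattern": False,
                                "tags": []})
    for cmd in commands:
        a = parse_schtasks(cmd)
        if "create" not in a or not a.get("tr"):
            continue
        s = sets[a["tr"]]
        stem = PureWindowsPath(a["tr"]).stem
        name = a.get("tn") or ""
        sc, rl = (a.get("sc") or "").upper(), (a.get("rl") or "").upper()
        s["names"].add(name)
        s["tags"] = target_oddities(a["tr"])
        s["name_pattern"] |= bool(stem) and name in (stem, stem + stem[0])
        s["onlogon_highest"] |= sc == "ONLOGON" and rl == "HIGHEST"
        if sc == "MINUTE":
            s["minute_intervals"].append(int(a.get("mo") or 1))
    return dict(sets)

def dcrat_like(entry):
    """True when a target has the logon task, at least one interval task and
    names following the observed pattern."""
    return entry["onlogon_highest"] and bool(entry["minute_intervals"]) and entry["name_pattern"]
```

On a live host the same grouping can be fed from `schtasks /query /fo CSV /v` or from Security event 4698 (task created) once task-creation auditing is on; the useful hunt key is a task whose action path carries a Windows process name but points outside System32, paired with a second task on the same path that fires every few minutes.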

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\Videos\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\Videos\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\Videos\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\Videos\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\Videos\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\Videos\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\Videos\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\Videos\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\Videos\upfc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\Videos\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\Videos\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\Videos\upfc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\upfc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Users\Admin\Videos\upfc.exe
PID 4648 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe C:\Users\Admin\Videos\upfc.exe
PID 2684 wrote to memory of 3548 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 2684 wrote to memory of 3548 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 2684 wrote to memory of 3692 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 2684 wrote to memory of 3692 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 3548 wrote to memory of 512 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Videos\upfc.exe
PID 3548 wrote to memory of 512 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Videos\upfc.exe
PID 512 wrote to memory of 3560 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 512 wrote to memory of 3560 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 512 wrote to memory of 1280 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 512 wrote to memory of 1280 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 3560 wrote to memory of 4584 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Videos\upfc.exe
PID 3560 wrote to memory of 4584 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Videos\upfc.exe
PID 4584 wrote to memory of 4844 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 4584 wrote to memory of 4844 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 4584 wrote to memory of 1456 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 4584 wrote to memory of 1456 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 4844 wrote to memory of 3996 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Videos\upfc.exe
PID 4844 wrote to memory of 3996 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Videos\upfc.exe
PID 3996 wrote to memory of 2680 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 3996 wrote to memory of 2680 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 3996 wrote to memory of 2300 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 3996 wrote to memory of 2300 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 2680 wrote to memory of 2344 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Videos\upfc.exe
PID 2680 wrote to memory of 2344 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Videos\upfc.exe
PID 2344 wrote to memory of 4092 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 2344 wrote to memory of 4092 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 2344 wrote to memory of 4032 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 2344 wrote to memory of 4032 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 4092 wrote to memory of 4512 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Videos\upfc.exe
PID 4092 wrote to memory of 4512 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Videos\upfc.exe
PID 4512 wrote to memory of 4888 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 4512 wrote to memory of 4888 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 4512 wrote to memory of 3132 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 4512 wrote to memory of 3132 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 4888 wrote to memory of 5108 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Videos\upfc.exe
PID 4888 wrote to memory of 5108 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Videos\upfc.exe
PID 5108 wrote to memory of 3732 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 5108 wrote to memory of 3732 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 5108 wrote to memory of 4124 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
PID 5108 wrote to memory of 4124 N/A C:\Users\Admin\Videos\upfc.exe C:\Windows\System32\WScript.exe
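The table above is a flattened process tree: PID 4648 (the sample) starts eleven powershell.exe instances and one copy of upfc.exe, and each upfc.exe then starts two WScript.exe processes, one of which starts the next upfc.exe. Every parent/child pair is printed twice. The script below is an added example, not part of the report or of any vendor tooling: it rebuilds the tree from rows in this layout, deduplicates the repeated pairs, finds the deepest chain and counts how many times a script host launched a binary on it, which is the shape of a VBS-relaunch loop. Function names are mine; the parser assumes neither image path contains a space, which holds for every row above. The rows are regenerated from the distinct pairs in the table.

```python
"""Rebuild the process tree from 'PID X wrote to memory of Y' rows and measure
the WScript.exe -> upfc.exe relaunch chain. Added example, not vendor tooling."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Row layout as rendered in the report. Assumption: neither image path has a
# space, which holds for every row above.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
UPFC = r"C:\Users\Admin\Videos\upfc.exe"
WS = r"C:\Windows\System32\WScript.exe"
# (parent pid, parent image, child pid, child image): the distinct pairs from
# the table above.
PAIRS = (
    [(4648, SAMPLE, c, PS) for c in (3272, 224, 1504, 3080, 1916, 4336, 4228, 1484, 2576, 336, 3248)]
    + [(4648, SAMPLE, 2684, UPFC), (2684, UPFC, 3548, WS), (2684, UPFC, 3692, WS),
       (3548, WS, 512, UPFC), (512, UPFC, 3560, WS), (512, UPFC, 1280, WS),
       (3560, WS, 4584, UPFC), (4584, UPFC, 4844, WS), (4584, UPFC, 1456, WS),
       (4844, WS, 3996, UPFC), (3996, UPFC, 2680, WS), (3996, UPFC, 2300, WS),
       (2680, WS, 2344, UPFC), (2344, UPFC, 4092, WS), (2344, UPFC, 4032, WS),
       (4092, WS, 4512, UPFC), (4512, UPFC, 4888, WS), (4512, UPFC, 3132, WS),
       (4888, WS, 5108, UPFC), (5108, UPFC, 3732, WS), (5108, UPFC, 4124, WS)]
)
# Rendered in the report's row format, each pair twice as the report prints it.
REPORT_ROWS = "\n".join(
    f"PID {pp} wrote to memory of {cp} N/A {pi} {ci}" for pp, pi, cp, ci in PAIRS for _ in range(2)
)

def parse_edges(text):
    """Return (images, edges): pid -> image path and a de-duplicated set of
    (parent_pid, child_pid)."""
    images, edges = {}, set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid = int(m[1]), int(m[2])
        images.setdefault(ppid, m[3])
        images.setdefault(cpid, m[4])
        edges.add((ppid, cpid))
    return images, edges

def child_map(edges):
    kids = defaultdict(list)
    for ppid, cpid in sorted(edges):
        kids[ppid].append(cpid)
    return kids

def deepest_chain(root, kids):
    """Longest root-to-leaf path as a list of pids (depth-first)."""
    best = [root]
    for c in kids.get(root, ()):
        cand = [root] + deepest_chain(c, kids)
        if len(cand) > len(best):
            best = cand
    return best

def basename(image):
    return PureWindowsPath(image).name.lower()

def script_host_launches(chain, images):
    """Hops on the chain where wscript/cscript started a non-script binary."""
    hosts = {"wscript.exe", "cscript.exe"}
    return sum(1 for a, b in zip(chain, chain[1:])
               if basename(images[a]) in hosts and basename(images[b]) not in hosts)

def render(root, images, kids, depth=0):
    """Indented one-line-per-process rendering of the tree."""
    lines = [f"{'  ' * depth}{root} {basename(images[root])}"]
    for c in kids.get(root, ()):
        lines.extend(render(c, images, kids, depth + 1))
    return lines

def analyse(text, root):
    images, edges = parse_edges(text)
    kids = child_map(edges)
    chain = deepest_chain(root, kids)
    return {
        "edges": len(edges),
        "direct_children": len(kids[root]),
        "powershell_children": sum(1 for c in kids[root] if basename(images[c]) == "powershell.exe"),
        "chain_depth": len(chain),
        "script_host_launches": script_host_launches(chain, images),
        "chain": [basename(images[p]) for p in chain],
        "tree": render(root, images, kids),
    }

if __name__ == "__main__":
    print("\n".join(analyse(REPORT_ROWS, 4648)["tree"]))
```

For detection, the per-hop view is more robust than the whole chain: a non-system executable starting WScript.exe, and WScript.exe starting that same executable again, within seconds, is a pair of events (Sysmon event 1, or Security 4688 with parent process logging enabled) that a rule can match without knowing the file name in advance.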

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A
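The three values written above together switch UAC off: EnableLUA=0 turns off Admin Approval Mode (this one takes effect at the next restart), ConsentPromptBehaviorAdmin=0 lets administrators elevate without any dialog, and PromptOnSecureDesktop=0 moves any remaining prompt from the secure desktop to the normal one, where other processes can draw over it. The script below is an added example, not part of the report or of any vendor tooling: it parses the rows in the layout above, and also the output of `reg query` on a live host, and reduces the values to a posture verdict. Function names are mine; the parser assumes the key and process paths contain no spaces, which holds for every row above. The report rows are copied from the table; the `reg query` output is constructed to show the stock defaults.

```python
"""Classify UAC policy values, from sandbox 'Set value' rows or from
`reg query` output on a host. Added example, not vendor tooling."""
import re

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Report row layout. Assumption: key path and process path contain no spaces.
REPORT_RE = re.compile(
    r'^Set value \(int\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+) = '
    r'"(?P<value>-?\d+)" (?P<proc>\S+) N/A$'
)
# `reg query HKLM\...\Policies\System` prints "    EnableLUA    REG_DWORD    0x1".
REG_QUERY_RE = re.compile(r"^\s*(?P<name>\S+)\s+REG_DWORD\s+0x(?P<value>[0-9A-Fa-f]+)\s*$")

# Stock Windows 10/11 values; missing names are treated as these.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# Rows copied from the "System policy modification" table above.
SAMPLE_REPORT_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Videos\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe N/A
"""
# Constructed `reg query` output for a clean host (not from the report).
SAMPLE_REG_QUERY = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
"""

def values_from_report(text):
    """{name: (value, {writing processes})} for writes under POLICY_KEY."""
    found = {}
    for line in text.splitlines():
        m = REPORT_RE.match(line.strip())
        if m and m.group("key") == POLICY_KEY:
            _, procs = found.get(m.group("name"), (None, set()))
            procs.add(m.group("proc"))
            found[m.group("name")] = (int(m.group("value")), procs)
    return found

def values_from_reg_query(text):
    """{name: int} from `reg query` output (hex DWORDs converted)."""
    out = {}
    for line in text.splitlines():
        m = REG_QUERY_RE.match(line)
        if m:
            out[m.group("name")] = int(m.group("value"), 16)
    return out

def assess(values):
    """Reduce the three policy values to a posture plus human-readable findings."""
    v = {**DEFAULTS, **values}
    findings = []
    if v["EnableLUA"] == 0:
        findings.append("EnableLUA=0: Admin Approval Mode off, no elevation prompts "
                        "(effective after the next restart)")
    if v["ConsentPromptBehaviorAdmin"] == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate silently")
    if v["PromptOnSecureDesktop"] == 0:
        findings.append("PromptOnSecureDesktop=0: prompts drawn on the normal desktop")
    if v["EnableLUA"] == 0:
        posture = "disabled"
    elif v["ConsentPromptBehaviorAdmin"] == 0:
        posture = "silent-elevation"
    elif v["PromptOnSecureDesktop"] == 0:
        posture = "weakened"
    else:
        posture = "default"
    return {"posture": posture, "findings": findings, "values": v}

if __name__ == "__main__":
    rep = values_from_report(SAMPLE_REPORT_ROWS)
    print(assess({n: val for n, (val, _) in rep.items()})["posture"])
    print(assess(values_from_reg_query(SAMPLE_REG_QUERY))["posture"])
```

Because EnableLUA only takes effect after a restart while the other two apply immediately, a host that shows `disabled` from the registry may still be prompting until its next reboot; remediation must restore all three values and then restart, and the writes themselves (Sysmon event 13 on this key) are worth alerting on regardless of who made them, since the sample performs them before its own copies are scheduled.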

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics9" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Default User\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics9" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics9" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics9" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Videos\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\es-ES\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\Admin\Videos\upfc.exe

"C:\Users\Admin\Videos\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d75676d-ba9f-41be-93d1-3718f30272fa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af50c9a6-d2d1-4dde-b0bc-32b2689b05f7.vbs"

C:\Users\Admin\Videos\upfc.exe

C:\Users\Admin\Videos\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdf899ec-09d6-427d-930a-706ac3a18de8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb58c564-4b7b-42e4-81ed-9e47532768ef.vbs"

C:\Users\Admin\Videos\upfc.exe

C:\Users\Admin\Videos\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9a12a38-a723-4c32-ab11-162f6de65982.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\350c66a2-82bd-48da-855d-0517af8fb0be.vbs"

C:\Users\Admin\Videos\upfc.exe

C:\Users\Admin\Videos\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\609d5f6b-5e74-4e8e-a4cc-404dde7e18aa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff998279-a36c-4d3a-8a18-014398dddc6d.vbs"

C:\Users\Admin\Videos\upfc.exe

C:\Users\Admin\Videos\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f29f82b7-34f0-48dd-b6bf-f929aaa4b23d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\342e52db-adae-4a55-bb02-d6a7f7f0d34d.vbs"

C:\Users\Admin\Videos\upfc.exe

C:\Users\Admin\Videos\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c946a887-a76e-450f-9bc6-ae7a29c8077f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0560b30b-a560-4ab4-af5b-aa0d55e1abfc.vbs"

C:\Users\Admin\Videos\upfc.exe

C:\Users\Admin\Videos\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb08f07f-cb8d-4893-8c4c-8014c9ce05e4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\849e488d-d2da-43b9-8259-ae7e37fc3a4e.vbs"

C:\Users\Admin\Videos\upfc.exe

C:\Users\Admin\Videos\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f729550e-f251-4e7e-adb1-5943f72ae2b1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51ec37a2-a920-4b8a-a031-95a30a4e6a2e.vbs"

C:\Users\Admin\Videos\upfc.exe

C:\Users\Admin\Videos\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a61f06f9-697a-4969-b274-599c333c9a9b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\348fd6c6-dfe5-4b60-b5fa-0ebc45b55f37.vbs"

C:\Users\Admin\Videos\upfc.exe

C:\Users\Admin\Videos\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53b1ada1-b8cd-4c53-8da6-9373681e51a9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39d61a7b-90d2-4bd8-b570-1738773f373d.vbs"

C:\Users\Admin\Videos\upfc.exe

C:\Users\Admin\Videos\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0afe46f9-d368-46c7-ae84-2b1f143e6e72.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e90687aa-8e07-4421-bde0-1d82471bc69c.vbs"

C:\Users\Admin\Videos\upfc.exe

C:\Users\Admin\Videos\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee6b67ae-8fe7-4e44-a247-f2b8577d0807.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b465ee29-4d0f-4c00-a6fb-7e0c2ea2d934.vbs"

C:\Users\Admin\Videos\upfc.exe

C:\Users\Admin\Videos\upfc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.144.42:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 42.144.14.145.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 145.14.144.42:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.42:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.42:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.42:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.42:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.42:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.144.114:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 114.144.14.145.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 145.14.144.114:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.114:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.114:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.114:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 105.246.116.51.in-addr.arpa udp

Files

memory/4648-0-0x00007FF9F8B43000-0x00007FF9F8B45000-memory.dmp

memory/4648-1-0x0000000000F30000-0x000000000126C000-memory.dmp

memory/4648-2-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

memory/4648-3-0x0000000003470000-0x000000000347E000-memory.dmp

memory/4648-4-0x0000000003480000-0x000000000348E000-memory.dmp

memory/4648-5-0x0000000003490000-0x0000000003498000-memory.dmp

memory/4648-6-0x00000000035D0000-0x00000000035EC000-memory.dmp

memory/4648-7-0x0000000003640000-0x0000000003690000-memory.dmp

memory/4648-8-0x00000000034A0000-0x00000000034A8000-memory.dmp

memory/4648-9-0x00000000035F0000-0x0000000003600000-memory.dmp

memory/4648-10-0x0000000003600000-0x0000000003616000-memory.dmp

memory/4648-11-0x0000000003620000-0x0000000003628000-memory.dmp

memory/4648-12-0x000000001BF70000-0x000000001BF80000-memory.dmp

memory/4648-13-0x0000000003630000-0x000000000363A000-memory.dmp

memory/4648-14-0x000000001BFA0000-0x000000001BFF6000-memory.dmp

memory/4648-15-0x000000001BF60000-0x000000001BF6C000-memory.dmp

memory/4648-16-0x000000001BF80000-0x000000001BF88000-memory.dmp

memory/4648-17-0x000000001C600000-0x000000001C60C000-memory.dmp

memory/4648-18-0x000000001C610000-0x000000001C618000-memory.dmp

memory/4648-19-0x000000001C620000-0x000000001C632000-memory.dmp

memory/4648-20-0x000000001CB80000-0x000000001D0A8000-memory.dmp

memory/4648-21-0x000000001C650000-0x000000001C65C000-memory.dmp

memory/4648-22-0x000000001C660000-0x000000001C66C000-memory.dmp

memory/4648-23-0x000000001C670000-0x000000001C67C000-memory.dmp

memory/4648-25-0x000000001C790000-0x000000001C798000-memory.dmp

memory/4648-24-0x000000001C680000-0x000000001C68C000-memory.dmp

memory/4648-32-0x000000001C930000-0x000000001C938000-memory.dmp

memory/4648-31-0x000000001C920000-0x000000001C92C000-memory.dmp

memory/4648-30-0x000000001C910000-0x000000001C91E000-memory.dmp

memory/4648-29-0x000000001C900000-0x000000001C908000-memory.dmp

memory/4648-28-0x000000001C7B0000-0x000000001C7BE000-memory.dmp

memory/4648-34-0x000000001C940000-0x000000001C94C000-memory.dmp

memory/4648-35-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

memory/4648-33-0x000000001CA40000-0x000000001CA4A000-memory.dmp

memory/4648-27-0x000000001C7A0000-0x000000001C7AA000-memory.dmp

memory/4648-26-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

C:\Program Files\Windows NT\Accessories\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe

MD5 988b3b242b8eb031a2a97c2f096becf0
SHA1 6374240fe3c00cf836d9b9e8732b6732d09e9e34
SHA256 7d67326ac6bb6f62195faaadab29c08d0a4d13575cac6a767b52142f7f833c85
SHA512 938cbe83467b5b960fae7c9cb7bde59fe36eb28c8261b37c9b876cc1f259ed466cbce01b6e0fd1a78e0dd974697146a73b9106dcaca0bbc0bb028eb161c0aa6b

C:\Program Files (x86)\Internet Explorer\uk-UA\System.exe

MD5 e61956e140f2849b7308c48966d6c88b
SHA1 bd836703e805c3eb7458604aa4591fab18ce9dc9
SHA256 cf487ed9686ec3b6570ecabb50d94f6d3c6fd58f937bb3fb44003345ae4049bc
SHA512 9afb098ecc3be1d57107fdfce19cc14e8c29e48252679fbd86c538186075689f3c3b1f1174d287cf85e479c326758a6a831cc81149556b6c52c985ee730a6601

C:\Program Files\Windows NT\Accessories\988b3b242b8eb031a2a97c2f096becf0NeikiAnalytics.exe

MD5 57bd03bdcf642dac78120b21fd40bd5e
SHA1 ee5c0c35c54e451bf5d9d99a1ac670790a845468
SHA256 0bb7f7f75247b16e770a7c56455330897f921ddf0de924f8539cb825d4ca748e
SHA512 8dd0e9092a628d7e85df8b55da053a048f8d4c0f3e88d45236acf1aef1c5e107eac7267ad43d6b18c858911be379560f2ae84829cc8b3dd4b3cca510815c48ed

C:\Recovery\WindowsRE\csrss.exe

MD5 f9e0f609fc4e7d4571d76f757bada3b2
SHA1 ecfc7a474d69c5a1a40281a6a14dc092b94e0bce
SHA256 0ed9fc5dfe97b6492a5f56131a77c3cccf6c81254b3b7ff3189a58b32813bb29
SHA512 9793594cb74eaa7db14081b82f17a8c6b921e40ec1739cca88b0dc215a37c84c4c305d17344157c22010d982c17931c336f6d8a75bc986c074f6203eb0526439

C:\Program Files\Windows Photo Viewer\uk-UA\unsecapp.exe

MD5 747094de1540a53fa6ddcc2dec487b27
SHA1 952b44aba632fe5dac61bb67a9c7ef86f32a718c
SHA256 df3ea3714466536dc2baf9ceb932fd026dc001db9652375738fbc2b78c5ea32c
SHA512 b1fab9a42bd088bae1f853d88de3ea2f08a39146e07d5359691ea1c9f891a973b38f60b0459837d5896cce339c759a5ff86b227b389e276fbac3a199d4239c1b

C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\RuntimeBroker.exe

MD5 e92677d2a1a06793ee31d8dec663d575
SHA1 0d82b3f96ee61c7e66897ce440d7d89c8e72cd3d
SHA256 177c58be76fa57942f93bd70fb52c3763bd8ca68b64c7863e9a43b9a8f33e4e1
SHA512 524ca81432c32930348febbd6ff9d3173217a1453281f69856a89c82d2416ca28b83554f3cebe9adb8904b9c2ccb5639de8a6cf4f4549916e3f323066fdb0b89

memory/3080-277-0x000001C948860000-0x000001C948882000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tkd344vx.kqg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\Videos\upfc.exe

MD5 36efa1207ee58aa3b00613b740fb2b68
SHA1 aa735af6588a26e61ed8fb5aa6da83af547bcf92
SHA256 e5ad58dc98d51b7faa26b32a3e54ee3dac50b46887f0e43b3e363e3a806df894
SHA512 3ca9ac3090faabbaed05b395e03636f964d07ec73dd6c255b92331f23f889be01787cbcc34aa9b0a63a8f4adc8d27bfbcb6f40752bfb006d454d8f00921f8340

memory/4648-388-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

memory/2684-389-0x0000000000260000-0x000000000059C000-memory.dmp

memory/2684-390-0x000000001B2F0000-0x000000001B346000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Temp\7d75676d-ba9f-41be-93d1-3718f30272fa.vbs

MD5 cda8a5a5950914fb1da0e67ac2d7a97b
SHA1 6768f27e8e24847e75734a3c0cb0204dc8b88b0e
SHA256 5fa332704a007d6405ac0790267554c11fb9de2646456f350c32197d69576e1e
SHA512 0b68f8ba0519fb3cc926d03f1b26b0f7a67f7fe64d2a56d81af470300b39314cd18ca86f89d509bb1ac5703ea6e57d842f8a0acc05cae6c7e412924bb10f2a63

C:\Users\Admin\AppData\Local\Temp\af50c9a6-d2d1-4dde-b0bc-32b2689b05f7.vbs

MD5 ad96c7c11a545fc20808ef17492efe06
SHA1 08d5c2807708e6d6da17657396c2817e34f69b78
SHA256 d3eb15133c23d16a8ba6efab3a0bf738c1917c333da9371a77d3173c44c3d6b0
SHA512 1b5c2a545e963d38e2c45756daee89634eaf237125a139cae3a37c5a40babe011b9aa6c41716197768c2f98cf5df3100747e1a348b5329c56a193da28a8912ba

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

MD5 49b64127208271d8f797256057d0b006
SHA1 b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512 f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

C:\Users\Admin\AppData\Local\Temp\cdf899ec-09d6-427d-930a-706ac3a18de8.vbs

MD5 7f0b728321fbd35e866f97b6a6888eb3
SHA1 52f085a88a274cd06b37af9afe3a67e8fe84bc29
SHA256 96d75723007e1d07eee1fad942232d6305eac3a9229b5c094e13be354ab38aef
SHA512 648f75a775e713680e9ca76960789be2211e0105f5aa79f3879c6fee964afb0828c7adc211cbdad6c820bed8ae112f27dbd9fc19bc0b03ef542ca367ac66b9bf

C:\Users\Admin\AppData\Local\Temp\d9a12a38-a723-4c32-ab11-162f6de65982.vbs

MD5 5f4ca302490c6457766f42740a191aca
SHA1 77701ec2e6e0bc0088e9adc8ec2afbf81682b355
SHA256 017fa76381fcb69e3eea38377c7bd03571b33d9d2e61569de13c5ba3d83727f7
SHA512 94c7ca90e868090dd5688125c9d6a13b8582982d4645422cad4781947e14b3f3f2c20e7c7e57653bb7615c10ba91b5c172357a1f09269e875f46b18e8beffa99

memory/3996-448-0x000000001BC30000-0x000000001BC42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\609d5f6b-5e74-4e8e-a4cc-404dde7e18aa.vbs

MD5 aae3436bc7eabb9fc4d57ec60c4fc5a3
SHA1 95ff43a00ad878996fb53e4ad5e76b6c6b1f1bac
SHA256 dfe9a5e42416be0c7f7e329a8b1b498d8323f8cc5f1f34e9f8257bf5e3df93d3
SHA512 ca7edbed621cb02bb500b6db44403837341ca2a759daff004cc6d343b3ac8f2284040633a89c3e8056353da4493df579566555458efd02ad3aafa0fc50ac0a42

C:\Users\Admin\AppData\Local\Temp\f29f82b7-34f0-48dd-b6bf-f929aaa4b23d.vbs

MD5 315756213bdad94ce31e986a474f8abd
SHA1 8e9f4be00f83c33258d67f1d5d313a9cc722533f
SHA256 cfa98a1b7337792deeba8618c86c4b3942fe927f4e184d644ab5b66953007cc9
SHA512 3e0f53c37d386359ca93e0ddefb3f23c5f6b2c41b17ac352d6d5ddd8e545ff00441171df58bbfc404b2a89fee8c963752b6b5c22c80322fba9dc3d9433b3aca5

C:\Users\Admin\AppData\Local\Temp\c946a887-a76e-450f-9bc6-ae7a29c8077f.vbs

MD5 287239cc22c0c8f05773826a9843ce23
SHA1 358b4ce50e570dce067a07210b3e17f0ab6ce63a
SHA256 17cab04a9317d6cc4f31fb5bbd881348d361b37ff59bf711cb1b8194415036c1
SHA512 e92d44b6f5ed3e4ad175e42b23d39c41865a601c9b6cde8686a9915ebba6bd0cb927cbc109296e4214b6b63eb1827a7a22a4d75e4f3fe023975d4d1d7995862c

C:\Users\Admin\AppData\Local\Temp\fb08f07f-cb8d-4893-8c4c-8014c9ce05e4.vbs

MD5 4465cc47f08a70ef0a359cf3a75dd673
SHA1 8a0980c0bdd7c75fa343bb3539b54edbcf570db9
SHA256 77ddb6d7defb814daed12b2f2f25863d1422bc00e8ddd1271a915dd55f1495fd
SHA512 dddc31a75338a844d89e9a9a7b71d9b9167f98581d1757e133c1a36eb5659aefb642d8649b5f21e9a9d902653bf29825d5625008e3f40aa2e6050ea9605f54fb

C:\Users\Admin\AppData\Local\Temp\f729550e-f251-4e7e-adb1-5943f72ae2b1.vbs

MD5 ef256fb8734babb605f7a85b44ec0af2
SHA1 cfdc4ac1d298d317b6d042ae6e06d8616c119440
SHA256 131807e3709ecf7a20c33992017e16982f47440a28b5247e45977528c676dc3c
SHA512 6cc65165e4db0243253dcac8eab54b20f5dd59066d61c2318071fab3d3ea47946caf5702837e85c79f7aa0566917105e259e3b672e0719e9226810836cd4b24a

memory/4460-504-0x0000000003350000-0x0000000003362000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a61f06f9-697a-4969-b274-599c333c9a9b.vbs

MD5 cec85f96cdc402f8dd287d678d8d0b3b
SHA1 d96151a9685c523c62ad364faa467c3a8abdfc6b
SHA256 125139ac26ecabcbb2e1f28706573ea18e5fb76fd133d67ac70b756b9dc3a609
SHA512 1084090850217c46cc0e8d6659b88ab2f1461f65fd487d2253f4a51a259d382eafb240157729a2226433c6ba35be2b51e692d4ff78ea1b5c2cd14c363fea4fab

memory/4528-516-0x000000001B380000-0x000000001B392000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\53b1ada1-b8cd-4c53-8da6-9373681e51a9.vbs

MD5 80ce6fef4c82e338c92a80fc120ecf91
SHA1 b61ed9b9c214632db6c636660a2ab25cccdd90c7
SHA256 d7c3e7cb5318de5ea180c7d005928c668d6a5c8c62eabd43919e9b210a8fcb41
SHA512 b962accf20febfd76257a1b52ecf118c7191b0c547843f4abdd1300892c7823b33759b353acd918d02a8ff78c2b4aac64ee37b0a29d141a858e1f050645e0fd7

C:\Users\Admin\AppData\Local\Temp\0afe46f9-d368-46c7-ae84-2b1f143e6e72.vbs

MD5 961bac8be2c0038d7e3dc8dd153ad6ec
SHA1 6d2c7193c3199989ec5e7816e1d780983eacabcb
SHA256 251039d7ce38ddfff8e29c5caf050ea2cfc2ae07ed55bad25354a760e90e1692
SHA512 825408d405b5bab972c05868a0f65b066e10fc69ecd3832490d1fe7149e86b92ff21eec16548b4256ebf0dacdfd137a2f4fa598b329beb26f7c950c68e1c7e67

C:\Users\Admin\AppData\Local\Temp\ee6b67ae-8fe7-4e44-a247-f2b8577d0807.vbs

MD5 9889f696f3f224ce302409145acf8d99
SHA1 cee4ad28deb1107f4fbc491fbe44d94e8f9421ce
SHA256 976c280171e2c96c355d88a788e2e4987bd38aedeb8f2fdaccb7b161cfba47d0
SHA512 9754cb2b6321739230a5c7ce67d84974ec172bd59bd0d0b011411dfbd98e44e4b163b75ae7fd024d0213c7f314e03f10b272f06ce23af626ce57d7ceda8e04d9

C:\Users\Admin\Videos\upfc.exe

MD5 e7b12d8d8bbfead512a9a320f8ae7ce2
SHA1 203ec696062d63a3cdc11ee0df582a54d228cf6d
SHA256 9b7a40a398bd89dad24a848a47438d743fe6d88cc95bb48f78edb6d6026381f1
SHA512 74d3336ebfdd432817b1d2ce6e2da54bb183bcf74e9cbe9b99d57a1342db63eade92e2223437a2fe40845f5537b1aef19f737e7525fb038b1053ad3f2c9ce1c7