Malware Analysis Report

2024-10-10 12:49

Sample ID 240603-dqg7lshb61
Target 99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe
SHA256 4f2c2ef2322bcd000adbe76493e88c4a384ecb304f47eb31821525dff22e82c4
Tags
rat dcrat evasion execution infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4f2c2ef2322bcd000adbe76493e88c4a384ecb304f47eb31821525dff22e82c4

Threat Level: Known bad

The file 99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

Dcrat family

DcRat

Process spawned unexpected child process

UAC bypass

DCRat payload

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 03:12

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 03:12

Reported

2024-06-03 03:15

Platform

win7-20240508-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Defender\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre7\RCX2F5D.tmp C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre7\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\RCX3D29.tmp C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\csrss.exe C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
File created C:\Program Files\Java\jre7\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
File created C:\Program Files\Java\jre7\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\csrss.exe C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
PID 2108 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
PID 2108 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
PID 2576 wrote to memory of 792 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 792 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 792 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 2116 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 2116 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 2116 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 792 wrote to memory of 880 N/A C:\Windows\System32\WScript.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
PID 792 wrote to memory of 880 N/A C:\Windows\System32\WScript.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
PID 792 wrote to memory of 880 N/A C:\Windows\System32\WScript.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
PID 880 wrote to memory of 1796 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 880 wrote to memory of 1796 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 880 wrote to memory of 1796 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 880 wrote to memory of 2916 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 880 wrote to memory of 2916 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 880 wrote to memory of 2916 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 1796 wrote to memory of 2424 N/A C:\Windows\System32\WScript.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
PID 1796 wrote to memory of 2424 N/A C:\Windows\System32\WScript.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
PID 1796 wrote to memory of 2424 N/A C:\Windows\System32\WScript.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
PID 2424 wrote to memory of 2720 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 2424 wrote to memory of 2720 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 2424 wrote to memory of 2720 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 2424 wrote to memory of 1660 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 2424 wrote to memory of 1660 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 2424 wrote to memory of 1660 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe C:\Windows\System32\WScript.exe
PID 2720 wrote to memory of 1664 N/A C:\Windows\System32\WScript.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "99705eb27001df0a8bfcf918e6f76900NeikiAnalytics9" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "99705eb27001df0a8bfcf918e6f76900NeikiAnalytics" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "99705eb27001df0a8bfcf918e6f76900NeikiAnalytics9" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre7\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b0b1734-2ffd-4277-9a15-e8a7488533ca.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07babd9e-62a3-4430-a89b-73b16e5e4280.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d904b484-5694-4102-abdd-d2fb00c9316d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4a92727-fa7b-458f-8e05-0d31c5f822e5.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f474e8e-6df1-443f-af1a-68c39df98da8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4198b71-4b80-4dd7-a182-f0047679e068.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\100bfd3f-8d20-4b4b-8c31-aab45e4fd68a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7eb7adb-ffc5-462c-9429-f274720ee68e.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc08a59a-425a-43ac-845f-275ad5d571e4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3fc8c41-3fc8-4afc-9da3-28488c7f596f.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90c4df9e-43e9-4c06-89a9-7b44636ec961.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c5a0900-b0ab-45e1-9682-3e4eac77217e.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\596d874c-d294-4891-84a3-d34d2c1ccc6b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e715d5d-e0f4-4cd2-9108-6f500ca27f5e.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3064b682-78f4-4022-8373-a8472b9c939f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06ac621e-6fc3-440f-9d2c-0f321194b362.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b08db6e5-058c-4bcf-b1b7-4b3296f1ccd7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aaac4d4-dd8e-409e-ae4e-0ee2d36aba82.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2789348-2e78-4ea8-97bd-049de6659572.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fa24e5e-12e5-42e6-8ba9-0d40fc363c94.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9735e382-699b-4a2e-9dbe-3b5015eeee34.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ed29e10-e8da-4b59-8b26-8f8a3f42faea.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c035a009-3dcb-475c-8936-9bcb39a7d5dd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a459db8b-1674-49ea-a373-10b3fe65c1c2.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6abea48-a26a-46ed-b601-a529ef896316.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa453a8c-6d65-4ad6-89a2-0f0c7871dabb.vbs"

Network

Country Destination Domain Proto
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp

Files

memory/2108-0-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

memory/2108-1-0x0000000000910000-0x0000000000BF6000-memory.dmp

memory/2108-2-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

memory/2108-3-0x00000000001C0000-0x00000000001DC000-memory.dmp

memory/2108-4-0x00000000001E0000-0x00000000001E8000-memory.dmp

memory/2108-5-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/2108-6-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2108-9-0x00000000007F0000-0x0000000000800000-memory.dmp

memory/2108-8-0x00000000005C0000-0x00000000005C8000-memory.dmp

memory/2108-7-0x0000000000420000-0x0000000000428000-memory.dmp

memory/2108-10-0x00000000007E0000-0x00000000007EA000-memory.dmp

memory/2108-11-0x000000001A9F0000-0x000000001AA46000-memory.dmp

memory/2108-12-0x0000000002190000-0x000000000219C000-memory.dmp

memory/2108-13-0x00000000021A0000-0x00000000021A8000-memory.dmp

memory/2108-14-0x00000000021B0000-0x00000000021BC000-memory.dmp

memory/2108-15-0x00000000023C0000-0x00000000023D2000-memory.dmp

memory/2108-16-0x0000000002550000-0x0000000002558000-memory.dmp

memory/2108-17-0x0000000002560000-0x0000000002568000-memory.dmp

memory/2108-18-0x000000001AA40000-0x000000001AA4A000-memory.dmp

memory/2108-19-0x000000001AA50000-0x000000001AA5E000-memory.dmp

memory/2108-20-0x000000001AE30000-0x000000001AE38000-memory.dmp

memory/2108-21-0x000000001AE40000-0x000000001AE4E000-memory.dmp

memory/2108-22-0x000000001AE50000-0x000000001AE5C000-memory.dmp

memory/2108-23-0x000000001AE60000-0x000000001AE68000-memory.dmp

memory/2108-24-0x000000001AE70000-0x000000001AE7A000-memory.dmp

memory/2108-25-0x000000001AE80000-0x000000001AE8C000-memory.dmp

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe

MD5 99705eb27001df0a8bfcf918e6f76900
SHA1 6bd5ddce6113cd36732bdf05b0a34712282dad4a
SHA256 4f2c2ef2322bcd000adbe76493e88c4a384ecb304f47eb31821525dff22e82c4
SHA512 c71bfbfa002992f15a48d2c5ae046cb40967ccaeb0ca8e6f410d0cbc29349c723ee29811ee6a61c71ec06f21531a8a3cf74146b422002ac990d873bbf25bfb40

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe

MD5 f7cfe5650ef306a6798916b1ce297d0e
SHA1 43b2e58c560a1edc023465016eb8ba41872eebbf
SHA256 1dc9932bde1054a500414055584d91ed9e0af683ab0a4e302d9845d6953b7b85
SHA512 64c58db2a933b7b124735680468c20037380bdd8277dfb55cb06045b7146c2adac1a533b389f1e2e4c6b8fc6203324b6daaa40177203b90df9a9d6261f3412a0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ee989be38fc0a0b5dae1a9ad12b8b859
SHA1 c7aaf106c2503456994479e13459e66d6a2d6f8e
SHA256 27c034c373cba0fa63c7275e55001ff5bb4ac34d280bdb6ddeefd40ce9eaeea5
SHA512 1279959ea6c9e85054bdf026f072dd47a48bd78d4e3004db8ac0a45e21cdefb60e59f9e94af6a24281e7e37f4ad0445c61cd5e4598bb57af6acc4082a00abda8

memory/1604-125-0x000000001B430000-0x000000001B712000-memory.dmp

memory/1864-126-0x0000000001F40000-0x0000000001F48000-memory.dmp

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

MD5 12a05775e8f0ee686aa05c8a6a042e01
SHA1 1e9f73d67a619bc654a88a7c2d03499bdb0f2d9a
SHA256 9c4b7e4d982eaa1fb5e250f9ab7ec70813a67eefb08e67ecc97c00243bf215e6
SHA512 ba8b9139fc9e49ba5e788ba14a8ce08119681b1a5ac9eff0e1ab4f7188f7c43985fd1ba50b660114fcfc481679c0b94659599be1b2e6ee5c77859385f42de058

memory/2576-157-0x0000000000170000-0x0000000000456000-memory.dmp

memory/2108-168-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3b0b1734-2ffd-4277-9a15-e8a7488533ca.vbs

MD5 c6269dc7930178c1560e9b177568f510
SHA1 49dfc33bbc50699d0a5f1c81235e7d0baa3c5d2c
SHA256 959a033d8711e8bbeab3491db779d1bbc58717727229a755005f7d5b323f21a0
SHA512 8f85216dfac95efdd5e466077c4726fb060a3009b55a04fa74f9aea74ea2d3ccd34c3cfa705d50343146317b76beb13fb78974aedd7b642a247ded7ef2812f09

C:\Users\Admin\AppData\Local\Temp\07babd9e-62a3-4430-a89b-73b16e5e4280.vbs

MD5 1752bd850eadb8eb156a269129fa3496
SHA1 d84d9c5df0245e469aeb049c8569714920e6eb98
SHA256 2674f0b53760316d12e71c75f184affdc75a0ce75248163295a42b2bfb254af8
SHA512 434d4820b407db87e8b7503a1d4e4aaa1ea4148badc007ef19f86cc0e5432742334534bec4158cca1173705136b4c8106cfa68384bf33ee6fda4731f0c51cd00

memory/880-179-0x0000000000D00000-0x0000000000FE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d904b484-5694-4102-abdd-d2fb00c9316d.vbs

MD5 19b31b49bc7fd8cfdea8871a23f78765
SHA1 9d23feaf98c04572ce5c9b389a86d6df0006ef81
SHA256 42394ffaf0181a562fc67a8803971d1294df19403a36fcc7139ce4da3360842a
SHA512 53727b1ca7bc0ebaf3aaa61a621ddf52922e7468239080d16e3b78ceeb1d47defc7cf271ce9bfe6e48511fc9a8539c262fb2a48de90033c3d5aaed75bea0592e

memory/2424-191-0x0000000000020000-0x0000000000306000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9f474e8e-6df1-443f-af1a-68c39df98da8.vbs

MD5 09bd4d4eef561382196eef4fab6ba673
SHA1 98ab29f53b586d35daefd2bdb5a3295810353082
SHA256 788da5a47041b6bdb3432fd7df7162b9d34cffb91fdbf98e670633f59277369b
SHA512 323282718e38dd61f450f164f9df5ae392a8a5ee2b864ce0368151de835cae580ab28c36e165a83829c166231d9cc360e859b18f05add3068beb6bdc005a01d2

memory/1664-203-0x0000000000090000-0x0000000000376000-memory.dmp

memory/1664-204-0x0000000002280000-0x0000000002292000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\100bfd3f-8d20-4b4b-8c31-aab45e4fd68a.vbs

MD5 8900799f3fe0cebb0510f11389c6c12f
SHA1 ea07444ad3f831ff7604b6cc1063154982515211
SHA256 e8eb79ac3e06baef802e86cc7dfd3be6e24d0438b878341255ef079170fd206f
SHA512 08f8a400fb1cefcae95941b89bc29e8b693e530dfced4e45bae727c13f2819c899caf5408cd7729e07c1ebad9afbc541655b846ab5a15f0883f5c30692718c38

memory/3000-216-0x0000000001390000-0x0000000001676000-memory.dmp

memory/3000-217-0x0000000000B30000-0x0000000000B86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dc08a59a-425a-43ac-845f-275ad5d571e4.vbs

MD5 e6022240f047b99ce2f509b17d717ae8
SHA1 0b14dca5ce6170190ed0057edfb5d60ab96191c6
SHA256 09d7636b6b6cad237a6bc085c3001f325d1bdac3dc3e177c3c2c4c25f46ba3dd
SHA512 ae1c7f6ca007fc5984e8764b343397b8b080d13c4c81818bbc68cee26ed3edab4384f1e37dd1aec27b199b5a9493a2330bcab618fb6ea9af2ba60567fd5c2f4c

C:\Users\Admin\AppData\Local\Temp\90c4df9e-43e9-4c06-89a9-7b44636ec961.vbs

MD5 662e14a5258050a24f117b7a30944fae
SHA1 236b4de7536985487cec4d35b05f969ed2ca0535
SHA256 c581a7452bff9023a8f2cab7757f36ea832c64cebfeb08988ee1d81548c98446
SHA512 aa0d5fe5f6969c26f5512388c97a1bb70e0a204e991338731eea78ede98283a6ad6a39bbc66e7014643a1bf6a351dcbdd7b7752516ffb76c1d90e9400fe58908

memory/1780-240-0x00000000001D0000-0x00000000004B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\596d874c-d294-4891-84a3-d34d2c1ccc6b.vbs

MD5 6587e0ffd3cc9f4ccaeb75fd3ab12c73
SHA1 238f365fe663c222105ae59007117ae9529e9483
SHA256 ea11d007f389d0442ae23786ae40fb50bca79de15aceaeec2eecbaf2b71cde52
SHA512 f8b3e7992d6aac95aab5ddd3732523d105dce7f2fe9888c6e5caa9586ba4238dd4bbf50305f0f5e8b91bb89d898c01e21ce0792e9461b4c2d2806a080247d36d

memory/2296-252-0x00000000008E0000-0x0000000000BC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3064b682-78f4-4022-8373-a8472b9c939f.vbs

MD5 03d4bf393959b91c20f9ce525a3d36f2
SHA1 160e3c889a50b1b951e4ec8ea8f6577b892b0786
SHA256 3ee92017e73a0fbdf37874c6dd7c02d0f684776d38d1af8b5d6b7c34d8e42d94
SHA512 27e13987c34c261084c352e6127141d4d00d482cb8509552b2033fecbf70989411d220caf32385dfdb275ec5e2510042755fc822a54a03693aab40e325b3317b

memory/556-264-0x0000000001190000-0x0000000001476000-memory.dmp

memory/556-265-0x000000001A9E0000-0x000000001A9F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b08db6e5-058c-4bcf-b1b7-4b3296f1ccd7.vbs

MD5 4bc9058d30796c27f73a7427de971bc5
SHA1 7ac1f295376e1808aa7c6a4273784b44a3319d63
SHA256 af018f604dde6327b2b5ba76b5e32a75d61e6d80bb3a5f6f3038ad2898780661
SHA512 895ba80921c8594e40a95f4cb4c4a6b897c70e442e638268954b38ce69eea681dec5909232a186a556670b4b4d4d98ea186056b24bee92cc185522a9406cf3b8

C:\Users\Admin\AppData\Local\Temp\c2789348-2e78-4ea8-97bd-049de6659572.vbs

MD5 703a9a7f03a6fb5686576c417cb8eb79
SHA1 32bc601c9acb54959fb22ab11889989cf1895427
SHA256 e86f007308cb26ac270e7ed997b97ab1fef315f0b35b67f05596817a676568aa
SHA512 87104d4638da7ae067a41e1c23ae0194635105258c7035f38d2d61079c74f90fc37857c6d6bccbe4369c3f3f6569637e7144ffbfd7e8e637137728d32f6ac935

C:\Users\Admin\AppData\Local\Temp\9735e382-699b-4a2e-9dbe-3b5015eeee34.vbs

MD5 bae258935886fc724eb0739c1bf63313
SHA1 14f9af6f78b825cf3cfcfdb8a4995799ed8ecdb6
SHA256 c8517750255e8ba7e751f82bf860307005b1cac28bac001d8684b799acbf0691
SHA512 2d273473a3759ff1ae2ac4818ab9bd207ec982b7a59979fb7a9100135f7da00610027438513670accd9f75f46a93a7b70d12192003d44a2035d7be620a3f3fd7

C:\Users\Admin\AppData\Local\Temp\c035a009-3dcb-475c-8936-9bcb39a7d5dd.vbs

MD5 c518c7188118cddcb77f1b6d5172f5d6
SHA1 17f42805ee9103bea5d7d3c5b62eb1593b5d4a16
SHA256 e29aed1e9f1a7ce2debdbd9ef844665ff727e27e5462334a6bb5296128932011
SHA512 68caac46ceb6f80e6fa792195a611ca0b0b893f790770615c515a82689691fe119c96242c7c1cdbfac2b2ee8b88edb234aef11efbd0da9ed94847ec57b9defcb

C:\Users\Admin\AppData\Local\Temp\f6abea48-a26a-46ed-b601-a529ef896316.vbs

MD5 2ce9d9e954680655f7bcbfc7af8217a3
SHA1 1a7410acb296c1e0ff75a98f477bb5e5aa5eb76d
SHA256 8e6b95d37e7bb46805f801b59b4a5a466390b9fd107048d7b178405cdb67ca3c
SHA512 617713dafae8a7f936444aa9a8dffdd142416a21dcc9c6f3522a38fd7a5f6e66e334420f159226afd785c914f9c637fc8b2b1200abae856918036566e22e82b6

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 03:12

Reported

2024-06-03 03:15

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Public\Documents\My Videos\services.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\uk-UA\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\uk-UA\RCX5816.tmp C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
File created C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\System.exe C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Public\Documents\My Videos\services.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A
N/A N/A C:\Users\Public\Documents\My Videos\services.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Videos\services.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1872 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1872 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Users\Public\Documents\My Videos\services.exe
PID 1872 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe C:\Users\Public\Documents\My Videos\services.exe
PID 2776 wrote to memory of 2148 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 2776 wrote to memory of 2148 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 2776 wrote to memory of 3976 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 2776 wrote to memory of 3976 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 2148 wrote to memory of 1316 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Documents\My Videos\services.exe
PID 2148 wrote to memory of 1316 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Documents\My Videos\services.exe
PID 1316 wrote to memory of 3164 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 1316 wrote to memory of 3164 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 1316 wrote to memory of 3756 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 1316 wrote to memory of 3756 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 3164 wrote to memory of 3228 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Documents\My Videos\services.exe
PID 3164 wrote to memory of 3228 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Documents\My Videos\services.exe
PID 3228 wrote to memory of 4664 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 3228 wrote to memory of 4664 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 3228 wrote to memory of 2184 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 3228 wrote to memory of 2184 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 4664 wrote to memory of 2424 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Documents\My Videos\services.exe
PID 4664 wrote to memory of 2424 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Documents\My Videos\services.exe
PID 2424 wrote to memory of 968 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 2424 wrote to memory of 968 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 2424 wrote to memory of 4596 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 2424 wrote to memory of 4596 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 968 wrote to memory of 3664 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Documents\My Videos\services.exe
PID 968 wrote to memory of 3664 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Documents\My Videos\services.exe
PID 3664 wrote to memory of 1236 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 3664 wrote to memory of 1236 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 3664 wrote to memory of 1572 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 3664 wrote to memory of 1572 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 1236 wrote to memory of 2884 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Documents\My Videos\services.exe
PID 1236 wrote to memory of 2884 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Documents\My Videos\services.exe
PID 2884 wrote to memory of 4592 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 2884 wrote to memory of 4592 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 2884 wrote to memory of 4532 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 2884 wrote to memory of 4532 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 4592 wrote to memory of 4968 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Documents\My Videos\services.exe
PID 4592 wrote to memory of 4968 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Documents\My Videos\services.exe
PID 4968 wrote to memory of 2856 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 4968 wrote to memory of 2856 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 4968 wrote to memory of 4536 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe
PID 4968 wrote to memory of 4536 N/A C:\Users\Public\Documents\My Videos\services.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Documents\My Videos\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Documents\My Videos\services.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Setup\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Setup\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1b2a60f-19db-4815-81bf-1e217b0aa6f1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6c10f95-8f20-40f4-a4dd-9afe3cc8daa3.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe7b49e6-81bd-4006-bed1-f962d3c201a3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdbe52c2-7b5a-4925-9b14-74a4d61a92cf.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b06cdc0-9d5b-4a60-9e19-5c102eb09dfa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5c5c7b7-abe4-4d3c-ba9a-95626eb5ead1.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\496ff9d1-e9ea-40a6-82f7-8bf71d185f25.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9ec92f3-a5cc-4752-b0e4-a7f92bda8e12.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\705d1c57-73e2-4c20-a650-eb532c8c8878.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\060ba259-a1af-4d40-ae06-c2668c4e4c92.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\309099dc-0e94-42a6-9af6-7c001f61cc93.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8ed6f63-2088-4822-8ae7-07b4dcc037ff.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4df434a-1610-4e8e-952b-66cd2a4ca0de.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92c51b26-71fe-43f9-981b-eb310f063432.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f78a9e8-2eac-4a54-bf7d-76153fd72212.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d055bf75-873f-4a7a-8b9b-76d49b94c5be.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\066c61ef-310f-4778-8e25-821cb6057d63.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acd4efbc-cfc1-4639-a2cc-0a7a7afa91e4.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b913f4f3-d9ae-493d-9dd5-994be7e7a00b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f56efb5e-d101-4b91-9c1c-244d6d1a6adb.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c19728d-3781-4b01-b28a-e2c64c11afe3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1619077f-5987-4f54-861b-d2fdab0c8f98.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1b391ce-dad4-456b-bbfd-87d7539b532f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\857168cc-108b-407a-ad61-c570ce28bfd5.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\444ba6fd-a1ad-4f2e-ad86-e16c6c76ae97.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\983f6479-be6c-40c4-8ced-b24a1d18d265.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd33feb5-b93d-4291-bcd5-bf07962ca556.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c5c092e-a2d3-4696-be9b-4415be4244f7.vbs"

C:\Users\Public\Documents\My Videos\services.exe

"C:\Users\Public\Documents\My Videos\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0d90767-8492-4a0a-84c2-de3659f80893.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebd51427-7c9e-442b-acae-66ad7c18a624.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 247.68.154.149.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

memory/1872-0-0x00007FFECB833000-0x00007FFECB835000-memory.dmp

memory/1872-1-0x0000000000FC0000-0x00000000012A6000-memory.dmp

memory/1872-2-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp

memory/1872-3-0x000000001BDE0000-0x000000001BDFC000-memory.dmp

memory/1872-4-0x000000001C5A0000-0x000000001C5F0000-memory.dmp

memory/1872-5-0x0000000003320000-0x0000000003328000-memory.dmp

memory/1872-6-0x0000000003440000-0x0000000003450000-memory.dmp

memory/1872-7-0x000000001BE00000-0x000000001BE16000-memory.dmp

memory/1872-8-0x000000001BD80000-0x000000001BD88000-memory.dmp

memory/1872-9-0x000000001BE20000-0x000000001BE28000-memory.dmp

memory/1872-10-0x000000001BE30000-0x000000001BE40000-memory.dmp

memory/1872-11-0x000000001BE40000-0x000000001BE4A000-memory.dmp

memory/1872-12-0x000000001C5F0000-0x000000001C646000-memory.dmp

memory/1872-13-0x000000001BE50000-0x000000001BE5C000-memory.dmp

memory/1872-14-0x000000001BE60000-0x000000001BE68000-memory.dmp

memory/1872-16-0x000000001BE80000-0x000000001BE92000-memory.dmp

memory/1872-15-0x000000001BE70000-0x000000001BE7C000-memory.dmp

memory/1872-17-0x000000001CB90000-0x000000001D0B8000-memory.dmp

memory/1872-18-0x000000001C660000-0x000000001C668000-memory.dmp

memory/1872-23-0x000000001C6B0000-0x000000001C6BE000-memory.dmp

memory/1872-22-0x000000001C6A0000-0x000000001C6A8000-memory.dmp

memory/1872-21-0x000000001C690000-0x000000001C69E000-memory.dmp

memory/1872-20-0x000000001C680000-0x000000001C68A000-memory.dmp

memory/1872-19-0x000000001C670000-0x000000001C678000-memory.dmp

memory/1872-24-0x000000001C6C0000-0x000000001C6CC000-memory.dmp

memory/1872-25-0x000000001C6D0000-0x000000001C6D8000-memory.dmp

memory/1872-27-0x000000001C6F0000-0x000000001C6FC000-memory.dmp

memory/1872-26-0x000000001C6E0000-0x000000001C6EA000-memory.dmp

C:\Recovery\WindowsRE\RuntimeBroker.exe

MD5 99705eb27001df0a8bfcf918e6f76900
SHA1 6bd5ddce6113cd36732bdf05b0a34712282dad4a
SHA256 4f2c2ef2322bcd000adbe76493e88c4a384ecb304f47eb31821525dff22e82c4
SHA512 c71bfbfa002992f15a48d2c5ae046cb40967ccaeb0ca8e6f410d0cbc29349c723ee29811ee6a61c71ec06f21531a8a3cf74146b422002ac990d873bbf25bfb40

memory/1064-150-0x000001A3F7AB0000-0x000001A3F7AD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ppxopzen.z02.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1872-247-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp

memory/2776-248-0x000000001D190000-0x000000001D1A2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 28d4235aa2e6d782751f980ceb6e5021
SHA1 f5d82d56acd642b9fc4b963f684fd6b78f25a140
SHA256 8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638
SHA512 dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e8ce785f8ccc6d202d56fefc59764945
SHA1 ca032c62ddc5e0f26d84eff9895eb87f14e15960
SHA256 d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
SHA512 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

C:\Users\Admin\AppData\Local\Temp\e1b2a60f-19db-4815-81bf-1e217b0aa6f1.vbs

MD5 a5edf98a262655a4b9fa40a1f4cda7b0
SHA1 a836473e22a087a65aacb9164cb0d88f4732f86c
SHA256 d6e44c45e487189b5b2808459c070d01d2579e57b55905648baa426070767bc6
SHA512 6fbb79b42dd1063ca25b161ec96bec9561aad376a36b81b4ae0d02bf06ff4b690a35a8d2f3d5358961d38241606323b996538d0738a5bf480399bf245338d686

C:\Users\Admin\AppData\Local\Temp\c6c10f95-8f20-40f4-a4dd-9afe3cc8daa3.vbs

MD5 261c316993d6cf5a1bbb143c401f6da2
SHA1 16a47c0f634b955d47bf61115491622fd2569213
SHA256 923f748c530cbfbc1d4fad64dea70f2e5fa6e4b3bc59084bac2e67343d08f994
SHA512 87383f6100f14101a121120fbf3545475ce3b5ac7b75f6b019d67e93b0924fd6ec45539c500ed7f59e4576474fff0c0cfcad4cf5e4301e9635e171a72b808a42

memory/2776-280-0x000000001D650000-0x000000001D752000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\fe7b49e6-81bd-4006-bed1-f962d3c201a3.vbs

MD5 df67bd053ba2417b678d1e35660f3dc7
SHA1 7a45946ef65e3660e1a8c64458b2f51710ced3b4
SHA256 02cc33bfa0cadb0baf9082a72abe1cea97ade4fef833417d02dcd809cc8656a7
SHA512 53774b3ac866591ab4a5570f4e4abef01cf379fbfd8b4e9eb833cc24fc70550f221ed9bf686e753fea63ce71e0939da0c31e4c6548aab909fbadf9540b958725

C:\Users\Admin\AppData\Local\Temp\1b06cdc0-9d5b-4a60-9e19-5c102eb09dfa.vbs

MD5 b5e3b5a0f1d047d9fcc44c957eb94080
SHA1 e867c6a2d59d3aa8be83e493aa9dc1fb57bb331c
SHA256 21b7449c746203b3a54549856cd3b8f9266969162cdd9b1e16815d17dab80cc8
SHA512 f70a2445d26a0f1f2fbaa22afab5cfcbc8904345c27f775155e24edb73fb8f92f9b9cbe9f73382c8b12291c385995a648d9a3493a9811eef9da0b9630b0d393f

C:\Users\Admin\AppData\Local\Temp\496ff9d1-e9ea-40a6-82f7-8bf71d185f25.vbs

MD5 892fb148ed1a30297d8fdf79f177f4d7
SHA1 678afb6329baacd2497b284ad9272b937e7a9d3a
SHA256 7ef794c11b1a0c08aaff430031c52ed2b6f24ce14e6f7836257398b225c1b6ab
SHA512 dffde96c949dd19c5400de4c5304dfed13a35bd1fd0cb429d18d7872db5b114d71caf1c6d369e6b66885b61be8047806f38581b75155c02b304faca077347ae6

C:\Users\Admin\AppData\Local\Temp\705d1c57-73e2-4c20-a650-eb532c8c8878.vbs

MD5 e84f33a909f3bd22632451e24724c0a4
SHA1 459bc2e62cdddf36bf75724ba73e032731771d66
SHA256 73cbc2b77b8edea02149255af7ce26a8e4f212051d461b3fdfd444f251c964b1
SHA512 e70f1d35b961092aaa604b4b278bb6ab86509bdcb90a7effebeb4e19a700faeee4e9a1a5c3ebab252b436eabe366cfd979a3a26c875855a16841726c037b93f3

C:\Users\Admin\AppData\Local\Temp\309099dc-0e94-42a6-9af6-7c001f61cc93.vbs

MD5 d8be50dee93afae5913dc30ca3f7890a
SHA1 0f24f4b4149cadfddd9437eb68ed50996fcab946
SHA256 2c48d96b040fe650bf119fb1ca605651e4749176fbdcf3f52cfe357b10637453
SHA512 c96037062519954addd1a71b1f20b0b7cb9e83d4bb3476216a77201bbbb42a1a6f7a16d88781b293a4a8c5d8433a7f6b87a478cca25bff757626720bf0fe0494

C:\Users\Admin\AppData\Local\Temp\b4df434a-1610-4e8e-952b-66cd2a4ca0de.vbs

MD5 09e3a9dbe37093bf51c903ceb527f783
SHA1 262ca68c6a9249cecc44603522decdf7adb295ca
SHA256 474e7ab2b789258920f1392dbff3e0fd7a20ee1a0eccb0fd9b0912e71d39aa96
SHA512 79f75fafd9eac0f444c105ba69cb516f6b00f969b1724e4cc103487d4cdf38f3576808128e2eb32205d9174b9dbf780d93994869b032dcdcc6d1e6613e5b3a34

C:\Users\Admin\AppData\Local\Temp\7f78a9e8-2eac-4a54-bf7d-76153fd72212.vbs

MD5 776a97d3f297f1bf8dbd062dbc3fe01d
SHA1 10ad4a5a4813445a3549d32407309c4c2e421741
SHA256 4d3a9ce6edb671e4d663497e6bf16b54f62bfcf1ba9014f9f4af384a0cb18a0c
SHA512 755bdab9c411f80a02a684344766d7898b7755a54c7132ce9b33f7fec92bf73afdb09dd5294701ae10040eab882eff57d246db3041e77b4c423f0ac15b2c1e0d

memory/4864-359-0x000000001D830000-0x000000001D932000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\066c61ef-310f-4778-8e25-821cb6057d63.vbs

MD5 e55094cd25b5700f1ccdaa290e9124f0
SHA1 ff1f3acf8ba961fa0969bde94f82f58a40240d48
SHA256 d26f48821efdb2febac3b8f725c4f1266af3877ac2f4d60acbb1ed4c1d70b4b2
SHA512 e999f3d28267afaf054a108fccbe0160abe6faf56b65d243a0125c4e1e2cfe01df17d9ed309b6f79bc1b54d23fc1177ff6b6f2d52e25ded20cbd2a440af6b6a3

memory/3876-371-0x000000001DC50000-0x000000001DD52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b913f4f3-d9ae-493d-9dd5-994be7e7a00b.vbs

MD5 3ec0304fb7e7a0ba62fde9be8581d999
SHA1 8bd030c7fd23d5fbe61a1e20ee472d0386e65bf5
SHA256 c7c17de53b15b3464260c7195d1a3cad330149d8fa41e4fcba85b710d2cb4c3e
SHA512 0eee7f3c0cb6550201a3ba18f4ac35843430400b1298e5c0027939b8af59daf04e066e706e767920336d4eaeb1000ac847b2bb7d6e7a69973dbd8296e191be8f

memory/2140-383-0x000000001CE80000-0x000000001CF82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4c19728d-3781-4b01-b28a-e2c64c11afe3.vbs

MD5 b0359b338ee3e839e6c97c3b375ec8a0
SHA1 bc88651e0d9dfa32b9dd041184f0d3629a365580
SHA256 2f6cff3b9d47ace3d73ed77787fac3e81978f53398e6ce0f72ac7e329965af1e
SHA512 e8ab464b211c703d659752e850723d62ea6312a4e478b0cebf10322a95353473a9798edaf5b179220ec416393ebe4f535b28b672794f8606fe0275e62ff59d1b

C:\Users\Admin\AppData\Local\Temp\a1b391ce-dad4-456b-bbfd-87d7539b532f.vbs

MD5 92d9d36f0fc0ee8c8b7ecf2aa611133e
SHA1 5a6336ac4fac06c12630010296019278c891b1e3
SHA256 89a5abc93521de9f40ba04a837454d9d4d33800faa62a1382652646d2a5652a7
SHA512 72369e185f6ccdf047c06cc2f3bb91ba849589730cdcaea528d413852d480b05e1cdf36c34f9c04f8e0a63faad03bd7a579296eb8243888bd7e1e48c3e29d63e

C:\Users\Admin\AppData\Local\Temp\444ba6fd-a1ad-4f2e-ad86-e16c6c76ae97.vbs

MD5 5f4cb15261a4d0851c633ec00e8ff362
SHA1 ac4d367cba0bfa610a24f199727d820463b8a90a
SHA256 5955f4daf7dd48afc1a79efb32c61c8fcf5194bdb890341bbb5fc8ab6e14242b
SHA512 1e8387da8f69414653f1f8b531b5702cc3f887fe0f38704a72f812055aa3171b6db0ac957bf94f4f9228ce6f01b0ca98d9bdccdcc647833930304a104a7cbb3d

memory/3772-418-0x000000001CBF0000-0x000000001CC02000-memory.dmp