Analysis Overview
SHA256
4f2c2ef2322bcd000adbe76493e88c4a384ecb304f47eb31821525dff22e82c4
Threat Level: Known bad
The file 99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DcRat
Process spawned unexpected child process
UAC bypass
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Checks whether UAC is enabled
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 03:12
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 03:12
Reported
2024-06-03 03:15
Platform
win7-20240508-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| N/A | N/A | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| N/A | N/A | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| N/A | N/A | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| N/A | N/A | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| N/A | N/A | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| N/A | N/A | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| N/A | N/A | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| N/A | N/A | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| N/A | N/A | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| N/A | N/A | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| N/A | N/A | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| N/A | N/A | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe | N/A |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe" |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\dwm.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "99705eb27001df0a8bfcf918e6f76900NeikiAnalytics9" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "99705eb27001df0a8bfcf918e6f76900NeikiAnalytics" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "99705eb27001df0a8bfcf918e6f76900NeikiAnalytics9" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\spoolsv.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\spoolsv.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre7\spoolsv.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\lsass.exe'" /f |
| C:\Windows\system32\schtasks.exe | |
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b0b1734-2ffd-4277-9a15-e8a7488533ca.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07babd9e-62a3-4430-a89b-73b16e5e4280.vbs"
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d904b484-5694-4102-abdd-d2fb00c9316d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4a92727-fa7b-458f-8e05-0d31c5f822e5.vbs"
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f474e8e-6df1-443f-af1a-68c39df98da8.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4198b71-4b80-4dd7-a182-f0047679e068.vbs"
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\100bfd3f-8d20-4b4b-8c31-aab45e4fd68a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7eb7adb-ffc5-462c-9429-f274720ee68e.vbs"
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc08a59a-425a-43ac-845f-275ad5d571e4.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3fc8c41-3fc8-4afc-9da3-28488c7f596f.vbs"
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90c4df9e-43e9-4c06-89a9-7b44636ec961.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c5a0900-b0ab-45e1-9682-3e4eac77217e.vbs"
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\596d874c-d294-4891-84a3-d34d2c1ccc6b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e715d5d-e0f4-4cd2-9108-6f500ca27f5e.vbs"
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3064b682-78f4-4022-8373-a8472b9c939f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06ac621e-6fc3-440f-9d2c-0f321194b362.vbs"
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b08db6e5-058c-4bcf-b1b7-4b3296f1ccd7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aaac4d4-dd8e-409e-ae4e-0ee2d36aba82.vbs"
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2789348-2e78-4ea8-97bd-049de6659572.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fa24e5e-12e5-42e6-8ba9-0d40fc363c94.vbs"
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9735e382-699b-4a2e-9dbe-3b5015eeee34.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ed29e10-e8da-4b59-8b26-8f8a3f42faea.vbs"
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c035a009-3dcb-475c-8936-9bcb39a7d5dd.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a459db8b-1674-49ea-a373-10b3fe65c1c2.vbs"
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6abea48-a26a-46ed-b601-a529ef896316.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa453a8c-6d65-4ad6-89a2-0f0c7871dabb.vbs"
Network
| Country | Destination | Domain | Proto |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
Files
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe
| MD5 | 99705eb27001df0a8bfcf918e6f76900 |
| SHA1 | 6bd5ddce6113cd36732bdf05b0a34712282dad4a |
| SHA256 | 4f2c2ef2322bcd000adbe76493e88c4a384ecb304f47eb31821525dff22e82c4 |
| SHA512 | c71bfbfa002992f15a48d2c5ae046cb40967ccaeb0ca8e6f410d0cbc29349c723ee29811ee6a61c71ec06f21531a8a3cf74146b422002ac990d873bbf25bfb40 |
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe
| MD5 | f7cfe5650ef306a6798916b1ce297d0e |
| SHA1 | 43b2e58c560a1edc023465016eb8ba41872eebbf |
| SHA256 | 1dc9932bde1054a500414055584d91ed9e0af683ab0a4e302d9845d6953b7b85 |
| SHA512 | 64c58db2a933b7b124735680468c20037380bdd8277dfb55cb06045b7146c2adac1a533b389f1e2e4c6b8fc6203324b6daaa40177203b90df9a9d6261f3412a0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | ee989be38fc0a0b5dae1a9ad12b8b859 |
| SHA1 | c7aaf106c2503456994479e13459e66d6a2d6f8e |
| SHA256 | 27c034c373cba0fa63c7275e55001ff5bb4ac34d280bdb6ddeefd40ce9eaeea5 |
| SHA512 | 1279959ea6c9e85054bdf026f072dd47a48bd78d4e3004db8ac0a45e21cdefb60e59f9e94af6a24281e7e37f4ad0445c61cd5e4598bb57af6acc4082a00abda8 |
memory/1604-125-0x000000001B430000-0x000000001B712000-memory.dmp
memory/1864-126-0x0000000001F40000-0x0000000001F48000-memory.dmp
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
| MD5 | 12a05775e8f0ee686aa05c8a6a042e01 |
| SHA1 | 1e9f73d67a619bc654a88a7c2d03499bdb0f2d9a |
| SHA256 | 9c4b7e4d982eaa1fb5e250f9ab7ec70813a67eefb08e67ecc97c00243bf215e6 |
| SHA512 | ba8b9139fc9e49ba5e788ba14a8ce08119681b1a5ac9eff0e1ab4f7188f7c43985fd1ba50b660114fcfc481679c0b94659599be1b2e6ee5c77859385f42de058 |
memory/2576-157-0x0000000000170000-0x0000000000456000-memory.dmp
memory/2108-168-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3b0b1734-2ffd-4277-9a15-e8a7488533ca.vbs
| MD5 | c6269dc7930178c1560e9b177568f510 |
| SHA1 | 49dfc33bbc50699d0a5f1c81235e7d0baa3c5d2c |
| SHA256 | 959a033d8711e8bbeab3491db779d1bbc58717727229a755005f7d5b323f21a0 |
| SHA512 | 8f85216dfac95efdd5e466077c4726fb060a3009b55a04fa74f9aea74ea2d3ccd34c3cfa705d50343146317b76beb13fb78974aedd7b642a247ded7ef2812f09 |
C:\Users\Admin\AppData\Local\Temp\07babd9e-62a3-4430-a89b-73b16e5e4280.vbs
| MD5 | 1752bd850eadb8eb156a269129fa3496 |
| SHA1 | d84d9c5df0245e469aeb049c8569714920e6eb98 |
| SHA256 | 2674f0b53760316d12e71c75f184affdc75a0ce75248163295a42b2bfb254af8 |
| SHA512 | 434d4820b407db87e8b7503a1d4e4aaa1ea4148badc007ef19f86cc0e5432742334534bec4158cca1173705136b4c8106cfa68384bf33ee6fda4731f0c51cd00 |
memory/880-179-0x0000000000D00000-0x0000000000FE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d904b484-5694-4102-abdd-d2fb00c9316d.vbs
| MD5 | 19b31b49bc7fd8cfdea8871a23f78765 |
| SHA1 | 9d23feaf98c04572ce5c9b389a86d6df0006ef81 |
| SHA256 | 42394ffaf0181a562fc67a8803971d1294df19403a36fcc7139ce4da3360842a |
| SHA512 | 53727b1ca7bc0ebaf3aaa61a621ddf52922e7468239080d16e3b78ceeb1d47defc7cf271ce9bfe6e48511fc9a8539c262fb2a48de90033c3d5aaed75bea0592e |
memory/2424-191-0x0000000000020000-0x0000000000306000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9f474e8e-6df1-443f-af1a-68c39df98da8.vbs
| MD5 | 09bd4d4eef561382196eef4fab6ba673 |
| SHA1 | 98ab29f53b586d35daefd2bdb5a3295810353082 |
| SHA256 | 788da5a47041b6bdb3432fd7df7162b9d34cffb91fdbf98e670633f59277369b |
| SHA512 | 323282718e38dd61f450f164f9df5ae392a8a5ee2b864ce0368151de835cae580ab28c36e165a83829c166231d9cc360e859b18f05add3068beb6bdc005a01d2 |
memory/1664-203-0x0000000000090000-0x0000000000376000-memory.dmp
memory/1664-204-0x0000000002280000-0x0000000002292000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\100bfd3f-8d20-4b4b-8c31-aab45e4fd68a.vbs
| MD5 | 8900799f3fe0cebb0510f11389c6c12f |
| SHA1 | ea07444ad3f831ff7604b6cc1063154982515211 |
| SHA256 | e8eb79ac3e06baef802e86cc7dfd3be6e24d0438b878341255ef079170fd206f |
| SHA512 | 08f8a400fb1cefcae95941b89bc29e8b693e530dfced4e45bae727c13f2819c899caf5408cd7729e07c1ebad9afbc541655b846ab5a15f0883f5c30692718c38 |
memory/3000-216-0x0000000001390000-0x0000000001676000-memory.dmp
memory/3000-217-0x0000000000B30000-0x0000000000B86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dc08a59a-425a-43ac-845f-275ad5d571e4.vbs
| MD5 | e6022240f047b99ce2f509b17d717ae8 |
| SHA1 | 0b14dca5ce6170190ed0057edfb5d60ab96191c6 |
| SHA256 | 09d7636b6b6cad237a6bc085c3001f325d1bdac3dc3e177c3c2c4c25f46ba3dd |
| SHA512 | ae1c7f6ca007fc5984e8764b343397b8b080d13c4c81818bbc68cee26ed3edab4384f1e37dd1aec27b199b5a9493a2330bcab618fb6ea9af2ba60567fd5c2f4c |
C:\Users\Admin\AppData\Local\Temp\90c4df9e-43e9-4c06-89a9-7b44636ec961.vbs
| MD5 | 662e14a5258050a24f117b7a30944fae |
| SHA1 | 236b4de7536985487cec4d35b05f969ed2ca0535 |
| SHA256 | c581a7452bff9023a8f2cab7757f36ea832c64cebfeb08988ee1d81548c98446 |
| SHA512 | aa0d5fe5f6969c26f5512388c97a1bb70e0a204e991338731eea78ede98283a6ad6a39bbc66e7014643a1bf6a351dcbdd7b7752516ffb76c1d90e9400fe58908 |
memory/1780-240-0x00000000001D0000-0x00000000004B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\596d874c-d294-4891-84a3-d34d2c1ccc6b.vbs
| MD5 | 6587e0ffd3cc9f4ccaeb75fd3ab12c73 |
| SHA1 | 238f365fe663c222105ae59007117ae9529e9483 |
| SHA256 | ea11d007f389d0442ae23786ae40fb50bca79de15aceaeec2eecbaf2b71cde52 |
| SHA512 | f8b3e7992d6aac95aab5ddd3732523d105dce7f2fe9888c6e5caa9586ba4238dd4bbf50305f0f5e8b91bb89d898c01e21ce0792e9461b4c2d2806a080247d36d |
memory/2296-252-0x00000000008E0000-0x0000000000BC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3064b682-78f4-4022-8373-a8472b9c939f.vbs
| MD5 | 03d4bf393959b91c20f9ce525a3d36f2 |
| SHA1 | 160e3c889a50b1b951e4ec8ea8f6577b892b0786 |
| SHA256 | 3ee92017e73a0fbdf37874c6dd7c02d0f684776d38d1af8b5d6b7c34d8e42d94 |
| SHA512 | 27e13987c34c261084c352e6127141d4d00d482cb8509552b2033fecbf70989411d220caf32385dfdb275ec5e2510042755fc822a54a03693aab40e325b3317b |
memory/556-264-0x0000000001190000-0x0000000001476000-memory.dmp
memory/556-265-0x000000001A9E0000-0x000000001A9F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b08db6e5-058c-4bcf-b1b7-4b3296f1ccd7.vbs
| MD5 | 4bc9058d30796c27f73a7427de971bc5 |
| SHA1 | 7ac1f295376e1808aa7c6a4273784b44a3319d63 |
| SHA256 | af018f604dde6327b2b5ba76b5e32a75d61e6d80bb3a5f6f3038ad2898780661 |
| SHA512 | 895ba80921c8594e40a95f4cb4c4a6b897c70e442e638268954b38ce69eea681dec5909232a186a556670b4b4d4d98ea186056b24bee92cc185522a9406cf3b8 |
C:\Users\Admin\AppData\Local\Temp\c2789348-2e78-4ea8-97bd-049de6659572.vbs
| MD5 | 703a9a7f03a6fb5686576c417cb8eb79 |
| SHA1 | 32bc601c9acb54959fb22ab11889989cf1895427 |
| SHA256 | e86f007308cb26ac270e7ed997b97ab1fef315f0b35b67f05596817a676568aa |
| SHA512 | 87104d4638da7ae067a41e1c23ae0194635105258c7035f38d2d61079c74f90fc37857c6d6bccbe4369c3f3f6569637e7144ffbfd7e8e637137728d32f6ac935 |
C:\Users\Admin\AppData\Local\Temp\9735e382-699b-4a2e-9dbe-3b5015eeee34.vbs
| MD5 | bae258935886fc724eb0739c1bf63313 |
| SHA1 | 14f9af6f78b825cf3cfcfdb8a4995799ed8ecdb6 |
| SHA256 | c8517750255e8ba7e751f82bf860307005b1cac28bac001d8684b799acbf0691 |
| SHA512 | 2d273473a3759ff1ae2ac4818ab9bd207ec982b7a59979fb7a9100135f7da00610027438513670accd9f75f46a93a7b70d12192003d44a2035d7be620a3f3fd7 |
C:\Users\Admin\AppData\Local\Temp\c035a009-3dcb-475c-8936-9bcb39a7d5dd.vbs
| MD5 | c518c7188118cddcb77f1b6d5172f5d6 |
| SHA1 | 17f42805ee9103bea5d7d3c5b62eb1593b5d4a16 |
| SHA256 | e29aed1e9f1a7ce2debdbd9ef844665ff727e27e5462334a6bb5296128932011 |
| SHA512 | 68caac46ceb6f80e6fa792195a611ca0b0b893f790770615c515a82689691fe119c96242c7c1cdbfac2b2ee8b88edb234aef11efbd0da9ed94847ec57b9defcb |
C:\Users\Admin\AppData\Local\Temp\f6abea48-a26a-46ed-b601-a529ef896316.vbs
| MD5 | 2ce9d9e954680655f7bcbfc7af8217a3 |
| SHA1 | 1a7410acb296c1e0ff75a98f477bb5e5aa5eb76d |
| SHA256 | 8e6b95d37e7bb46805f801b59b4a5a466390b9fd107048d7b178405cdb67ca3c |
| SHA512 | 617713dafae8a7f936444aa9a8dffdd142416a21dcc9c6f3522a38fd7a5f6e66e334420f159226afd785c914f9c637fc8b2b1200abae856918036566e22e82b6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 03:12
Reported
2024-06-03 03:15
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Documents\My Videos\services.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Videos\services.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\uk-UA\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\uk-UA\RCX5816.tmp | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\System.exe | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Public\Documents\My Videos\services.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Documents\My Videos\services.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\99705eb27001df0a8bfcf918e6f76900NeikiAnalytics.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Setup\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Setup\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Users\Public\Documents\My Videos\services.exe
"C:\Users\Public\Documents\My Videos\services.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1b2a60f-19db-4815-81bf-1e217b0aa6f1.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6c10f95-8f20-40f4-a4dd-9afe3cc8daa3.vbs"
C:\Users\Public\Documents\My Videos\services.exe
"C:\Users\Public\Documents\My Videos\services.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe7b49e6-81bd-4006-bed1-f962d3c201a3.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdbe52c2-7b5a-4925-9b14-74a4d61a92cf.vbs"
C:\Users\Public\Documents\My Videos\services.exe
"C:\Users\Public\Documents\My Videos\services.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b06cdc0-9d5b-4a60-9e19-5c102eb09dfa.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5c5c7b7-abe4-4d3c-ba9a-95626eb5ead1.vbs"
C:\Users\Public\Documents\My Videos\services.exe
"C:\Users\Public\Documents\My Videos\services.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\496ff9d1-e9ea-40a6-82f7-8bf71d185f25.vbs"
| Process | Command line |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9ec92f3-a5cc-4752-b0e4-a7f92bda8e12.vbs" |
| C:\Users\Public\Documents\My Videos\services.exe | "C:\Users\Public\Documents\My Videos\services.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\705d1c57-73e2-4c20-a650-eb532c8c8878.vbs" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\060ba259-a1af-4d40-ae06-c2668c4e4c92.vbs" |
| C:\Users\Public\Documents\My Videos\services.exe | "C:\Users\Public\Documents\My Videos\services.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\309099dc-0e94-42a6-9af6-7c001f61cc93.vbs" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8ed6f63-2088-4822-8ae7-07b4dcc037ff.vbs" |
| C:\Users\Public\Documents\My Videos\services.exe | "C:\Users\Public\Documents\My Videos\services.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4df434a-1610-4e8e-952b-66cd2a4ca0de.vbs" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92c51b26-71fe-43f9-981b-eb310f063432.vbs" |
| C:\Users\Public\Documents\My Videos\services.exe | "C:\Users\Public\Documents\My Videos\services.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f78a9e8-2eac-4a54-bf7d-76153fd72212.vbs" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d055bf75-873f-4a7a-8b9b-76d49b94c5be.vbs" |
| C:\Users\Public\Documents\My Videos\services.exe | "C:\Users\Public\Documents\My Videos\services.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\066c61ef-310f-4778-8e25-821cb6057d63.vbs" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acd4efbc-cfc1-4639-a2cc-0a7a7afa91e4.vbs" |
| C:\Users\Public\Documents\My Videos\services.exe | "C:\Users\Public\Documents\My Videos\services.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b913f4f3-d9ae-493d-9dd5-994be7e7a00b.vbs" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f56efb5e-d101-4b91-9c1c-244d6d1a6adb.vbs" |
| C:\Users\Public\Documents\My Videos\services.exe | "C:\Users\Public\Documents\My Videos\services.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c19728d-3781-4b01-b28a-e2c64c11afe3.vbs" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1619077f-5987-4f54-861b-d2fdab0c8f98.vbs" |
| C:\Users\Public\Documents\My Videos\services.exe | "C:\Users\Public\Documents\My Videos\services.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1b391ce-dad4-456b-bbfd-87d7539b532f.vbs" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\857168cc-108b-407a-ad61-c570ce28bfd5.vbs" |
| C:\Users\Public\Documents\My Videos\services.exe | "C:\Users\Public\Documents\My Videos\services.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\444ba6fd-a1ad-4f2e-ad86-e16c6c76ae97.vbs" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\983f6479-be6c-40c4-8ced-b24a1d18d265.vbs" |
| C:\Users\Public\Documents\My Videos\services.exe | "C:\Users\Public\Documents\My Videos\services.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd33feb5-b93d-4291-bcd5-bf07962ca556.vbs" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c5c092e-a2d3-4696-be9b-4415be4244f7.vbs" |
| C:\Users\Public\Documents\My Videos\services.exe | "C:\Users\Public\Documents\My Videos\services.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0d90767-8492-4a0a-84c2-de3659f80893.vbs" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebd51427-7c9e-442b-acae-66ad7c18a624.vbs" |
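The process list above shows two patterns worth turning into detection logic: WScript.exe repeatedly executing GUID-named .vbs files from the user's %TEMP%, and a file named services.exe running from C:\Users\Public\Documents\My Videos instead of System32. The following Python is an added example and is not part of this report or of any sandbox's own code. It reads a flat listing in the same two-line layout (image path, then command line) and flags both patterns. The sample lines are constructed to mirror the report, and the system-binary list, directory prefixes and rule names are the example's own assumptions, not something the report defines.

```python
"""Flag masquerading and script-host abuse in a flat sandbox process list.

Added example (not part of the sandbox report). The report lists each process
as two lines: the image path, then the command line. The sample below is
constructed to mirror that layout and is not copied from a live system.
"""
import ntpath
import re
from collections import Counter
from typing import Dict, List, Tuple

# Assumed: Windows binaries that legitimately run only from the system directories.
SYSTEM_BINARIES = {
    "services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "runtimebroker.exe", "dllhost.exe",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .vbs whose file name is a bare GUID, as dropped into %TEMP% in the report.
GUID_VBS = re.compile(
    r"\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.vbs$", re.I
)

Finding = Tuple[str, str, str]  # (category, image path, detail)

# Constructed sample: two pairs mimic the report, two are benign controls.
SAMPLE = r"""
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\496ff9d1-e9ea-40a6-82f7-8bf71d185f25.vbs"
C:\Users\Public\Documents\My Videos\services.exe
"C:\Users\Public\Documents\My Videos\services.exe"
C:\Windows\System32\services.exe
"C:\Windows\System32\services.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\installer.vbs"
"""


def parse_process_list(text: str) -> List[Tuple[str, str]]:
    """Pair up (image path, command line) lines from the flat listing."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected an even number of lines (image, command line)")
    return list(zip(lines[0::2], lines[1::2]))


def split_cmdline(cmd: str) -> List[str]:
    """Minimal Windows command-line tokenizer: quoted strings or bare words."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def analyse(pairs: List[Tuple[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for image, cmd in pairs:
        name = ntpath.basename(image).lower()
        directory = ntpath.dirname(image).lower()
        # Masquerading: a system-binary name executing outside System32/SysWOW64.
        if name in SYSTEM_BINARIES and not directory.startswith(SYSTEM_DIRS):
            findings.append(("masquerading", image, f"{name} launched from {directory}"))
        # Script host running a GUID-named .vbs from the user's %TEMP%.
        if name in SCRIPT_HOSTS:
            for arg in split_cmdline(cmd)[1:]:
                if GUID_VBS.search(arg) and "\\appdata\\local\\temp\\" in arg.lower():
                    findings.append(("script-host", image,
                                     f"{name} ran {ntpath.basename(arg)} from %TEMP%"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, e.g. {'masquerading': 1, 'script-host': 1}."""
    return dict(Counter(category for category, _, _ in findings))


if __name__ == "__main__":
    for category, image, detail in analyse(parse_process_list(SAMPLE)):
        print(f"[{category}] {image}: {detail}")
```

The two benign control pairs (the real services.exe under System32 and a hand-named .vbs on the Desktop) are there to show that neither rule fires on a legitimate path, so the rules key on location and naming rather than on the binary name alone.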
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| US | 8.8.8.8:53 | 247.68.154.149.in-addr.arpa | udp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
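In the table above, the repeated TCP connections to 149.154.68.247:80 carry only the bare address in the Domain column, while the Bing traffic was preceded by an ordinary DNS lookup. The following Python is an added example, not part of this report or of any sandbox's own code. It parses rows in the same four-column layout, counts TCP destinations that were contacted without a name, and correlates them with the in-addr.arpa reverse lookups the guest made. The rows are constructed to resemble the report, and the column handling and scoring are the example's own assumptions about the table format.

```python
"""Triage a sandbox network table for direct-to-IP connections.

Added example (not part of the sandbox report). It parses rows in the same
"| Country | Destination | Domain | Proto |" layout the report uses; the rows
below are constructed to resemble the report, not copied from a live capture.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Set, Tuple

SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| US | 8.8.8.8:53 | 247.68.154.149.in-addr.arpa | udp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
| RU | 149.154.68.247:80 | 149.154.68.247 | tcp |
"""

Row = Dict[str, object]


def parse_table(text: str) -> List[Row]:
    """Turn pipe-delimited rows into dicts; skips the header and malformed lines."""
    rows: List[Row] = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def ptr_target(domain: str) -> str:
    """'247.68.154.149.in-addr.arpa' -> '149.154.68.247' (IPv4 only)."""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def direct_to_ip(rows: List[Row]) -> Counter:
    """Count TCP connections whose Domain column is just the address.

    The table records the name a socket was opened for; when that name is the
    bare IP, the process connected without resolving anything, which is how a
    hard-coded address shows up. Repeated cleartext port 80 hits deserve a look.
    """
    hits: Counter = Counter()
    for r in rows:
        if r["proto"] == "tcp" and is_ip_literal(str(r["domain"])):
            hits[(r["host"], r["port"])] += 1
    return hits


def reverse_lookups(rows: List[Row]) -> Set[str]:
    """Addresses the guest tried to reverse-resolve during the run."""
    return {ptr_target(str(r["domain"])) for r in rows
            if r["proto"] == "udp" and r["port"] == 53
            and str(r["domain"]).endswith(".in-addr.arpa")}


def report(rows: List[Row]) -> List[Tuple[str, int, int, bool]]:
    """(host, port, hit count, reverse lookup seen) for each direct-to-IP target."""
    ptrs = reverse_lookups(rows)
    return [(host, port, n, host in ptrs)
            for (host, port), n in direct_to_ip(rows).most_common()]


if __name__ == "__main__":
    for host, port, n, ptr in report(parse_table(SAMPLE_TABLE)):
        print(f"{host}:{port} x{n} direct-to-IP, reverse lookup seen={ptr}")
```

Run against the full table on this page, the same logic separates the Bing rows (named, TLS) from the one destination that was reached by address alone over plain HTTP; the reverse-lookup flag tells you whether the guest itself, rather than the analyst, asked for a PTR record for that address.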
Files
memory/1872-0-0x00007FFECB833000-0x00007FFECB835000-memory.dmp
memory/1872-1-0x0000000000FC0000-0x00000000012A6000-memory.dmp
memory/1872-2-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
memory/1872-3-0x000000001BDE0000-0x000000001BDFC000-memory.dmp
memory/1872-4-0x000000001C5A0000-0x000000001C5F0000-memory.dmp
memory/1872-5-0x0000000003320000-0x0000000003328000-memory.dmp
memory/1872-6-0x0000000003440000-0x0000000003450000-memory.dmp
memory/1872-7-0x000000001BE00000-0x000000001BE16000-memory.dmp
memory/1872-8-0x000000001BD80000-0x000000001BD88000-memory.dmp
memory/1872-9-0x000000001BE20000-0x000000001BE28000-memory.dmp
memory/1872-10-0x000000001BE30000-0x000000001BE40000-memory.dmp
memory/1872-11-0x000000001BE40000-0x000000001BE4A000-memory.dmp
memory/1872-12-0x000000001C5F0000-0x000000001C646000-memory.dmp
memory/1872-13-0x000000001BE50000-0x000000001BE5C000-memory.dmp
memory/1872-14-0x000000001BE60000-0x000000001BE68000-memory.dmp
memory/1872-16-0x000000001BE80000-0x000000001BE92000-memory.dmp
memory/1872-15-0x000000001BE70000-0x000000001BE7C000-memory.dmp
memory/1872-17-0x000000001CB90000-0x000000001D0B8000-memory.dmp
memory/1872-18-0x000000001C660000-0x000000001C668000-memory.dmp
memory/1872-23-0x000000001C6B0000-0x000000001C6BE000-memory.dmp
memory/1872-22-0x000000001C6A0000-0x000000001C6A8000-memory.dmp
memory/1872-21-0x000000001C690000-0x000000001C69E000-memory.dmp
memory/1872-20-0x000000001C680000-0x000000001C68A000-memory.dmp
memory/1872-19-0x000000001C670000-0x000000001C678000-memory.dmp
memory/1872-24-0x000000001C6C0000-0x000000001C6CC000-memory.dmp
memory/1872-25-0x000000001C6D0000-0x000000001C6D8000-memory.dmp
memory/1872-27-0x000000001C6F0000-0x000000001C6FC000-memory.dmp
memory/1872-26-0x000000001C6E0000-0x000000001C6EA000-memory.dmp
C:\Recovery\WindowsRE\RuntimeBroker.exe
| MD5 | 99705eb27001df0a8bfcf918e6f76900 |
| SHA1 | 6bd5ddce6113cd36732bdf05b0a34712282dad4a |
| SHA256 | 4f2c2ef2322bcd000adbe76493e88c4a384ecb304f47eb31821525dff22e82c4 |
| SHA512 | c71bfbfa002992f15a48d2c5ae046cb40967ccaeb0ca8e6f410d0cbc29349c723ee29811ee6a61c71ec06f21531a8a3cf74146b422002ac990d873bbf25bfb40 |
memory/1064-150-0x000001A3F7AB0000-0x000001A3F7AD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ppxopzen.z02.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1872-247-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
memory/2776-248-0x000000001D190000-0x000000001D1A2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aaaac7c68d2b7997ed502c26fd9f65c2 |
| SHA1 | 7c5a3731300d672bf53c43e2f9e951c745f7fbdf |
| SHA256 | 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb |
| SHA512 | c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e448fe0d240184c6597a31d3be2ced58 |
| SHA1 | 372b8d8c19246d3e38cd3ba123cc0f56070f03cd |
| SHA256 | c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391 |
| SHA512 | 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 28d4235aa2e6d782751f980ceb6e5021 |
| SHA1 | f5d82d56acd642b9fc4b963f684fd6b78f25a140 |
| SHA256 | 8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638 |
| SHA512 | dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e8ce785f8ccc6d202d56fefc59764945 |
| SHA1 | ca032c62ddc5e0f26d84eff9895eb87f14e15960 |
| SHA256 | d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4 |
| SHA512 | 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f |
C:\Users\Admin\AppData\Local\Temp\e1b2a60f-19db-4815-81bf-1e217b0aa6f1.vbs
| MD5 | a5edf98a262655a4b9fa40a1f4cda7b0 |
| SHA1 | a836473e22a087a65aacb9164cb0d88f4732f86c |
| SHA256 | d6e44c45e487189b5b2808459c070d01d2579e57b55905648baa426070767bc6 |
| SHA512 | 6fbb79b42dd1063ca25b161ec96bec9561aad376a36b81b4ae0d02bf06ff4b690a35a8d2f3d5358961d38241606323b996538d0738a5bf480399bf245338d686 |
C:\Users\Admin\AppData\Local\Temp\c6c10f95-8f20-40f4-a4dd-9afe3cc8daa3.vbs
| MD5 | 261c316993d6cf5a1bbb143c401f6da2 |
| SHA1 | 16a47c0f634b955d47bf61115491622fd2569213 |
| SHA256 | 923f748c530cbfbc1d4fad64dea70f2e5fa6e4b3bc59084bac2e67343d08f994 |
| SHA512 | 87383f6100f14101a121120fbf3545475ce3b5ac7b75f6b019d67e93b0924fd6ec45539c500ed7f59e4576474fff0c0cfcad4cf5e4301e9635e171a72b808a42 |
memory/2776-280-0x000000001D650000-0x000000001D752000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log
| MD5 | 4a667f150a4d1d02f53a9f24d89d53d1 |
| SHA1 | 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97 |
| SHA256 | 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd |
| SHA512 | 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8 |
C:\Users\Admin\AppData\Local\Temp\fe7b49e6-81bd-4006-bed1-f962d3c201a3.vbs
| MD5 | df67bd053ba2417b678d1e35660f3dc7 |
| SHA1 | 7a45946ef65e3660e1a8c64458b2f51710ced3b4 |
| SHA256 | 02cc33bfa0cadb0baf9082a72abe1cea97ade4fef833417d02dcd809cc8656a7 |
| SHA512 | 53774b3ac866591ab4a5570f4e4abef01cf379fbfd8b4e9eb833cc24fc70550f221ed9bf686e753fea63ce71e0939da0c31e4c6548aab909fbadf9540b958725 |
C:\Users\Admin\AppData\Local\Temp\1b06cdc0-9d5b-4a60-9e19-5c102eb09dfa.vbs
| MD5 | b5e3b5a0f1d047d9fcc44c957eb94080 |
| SHA1 | e867c6a2d59d3aa8be83e493aa9dc1fb57bb331c |
| SHA256 | 21b7449c746203b3a54549856cd3b8f9266969162cdd9b1e16815d17dab80cc8 |
| SHA512 | f70a2445d26a0f1f2fbaa22afab5cfcbc8904345c27f775155e24edb73fb8f92f9b9cbe9f73382c8b12291c385995a648d9a3493a9811eef9da0b9630b0d393f |
C:\Users\Admin\AppData\Local\Temp\496ff9d1-e9ea-40a6-82f7-8bf71d185f25.vbs
| MD5 | 892fb148ed1a30297d8fdf79f177f4d7 |
| SHA1 | 678afb6329baacd2497b284ad9272b937e7a9d3a |
| SHA256 | 7ef794c11b1a0c08aaff430031c52ed2b6f24ce14e6f7836257398b225c1b6ab |
| SHA512 | dffde96c949dd19c5400de4c5304dfed13a35bd1fd0cb429d18d7872db5b114d71caf1c6d369e6b66885b61be8047806f38581b75155c02b304faca077347ae6 |
C:\Users\Admin\AppData\Local\Temp\705d1c57-73e2-4c20-a650-eb532c8c8878.vbs
| MD5 | e84f33a909f3bd22632451e24724c0a4 |
| SHA1 | 459bc2e62cdddf36bf75724ba73e032731771d66 |
| SHA256 | 73cbc2b77b8edea02149255af7ce26a8e4f212051d461b3fdfd444f251c964b1 |
| SHA512 | e70f1d35b961092aaa604b4b278bb6ab86509bdcb90a7effebeb4e19a700faeee4e9a1a5c3ebab252b436eabe366cfd979a3a26c875855a16841726c037b93f3 |
C:\Users\Admin\AppData\Local\Temp\309099dc-0e94-42a6-9af6-7c001f61cc93.vbs
| MD5 | d8be50dee93afae5913dc30ca3f7890a |
| SHA1 | 0f24f4b4149cadfddd9437eb68ed50996fcab946 |
| SHA256 | 2c48d96b040fe650bf119fb1ca605651e4749176fbdcf3f52cfe357b10637453 |
| SHA512 | c96037062519954addd1a71b1f20b0b7cb9e83d4bb3476216a77201bbbb42a1a6f7a16d88781b293a4a8c5d8433a7f6b87a478cca25bff757626720bf0fe0494 |
C:\Users\Admin\AppData\Local\Temp\b4df434a-1610-4e8e-952b-66cd2a4ca0de.vbs
| MD5 | 09e3a9dbe37093bf51c903ceb527f783 |
| SHA1 | 262ca68c6a9249cecc44603522decdf7adb295ca |
| SHA256 | 474e7ab2b789258920f1392dbff3e0fd7a20ee1a0eccb0fd9b0912e71d39aa96 |
| SHA512 | 79f75fafd9eac0f444c105ba69cb516f6b00f969b1724e4cc103487d4cdf38f3576808128e2eb32205d9174b9dbf780d93994869b032dcdcc6d1e6613e5b3a34 |
C:\Users\Admin\AppData\Local\Temp\7f78a9e8-2eac-4a54-bf7d-76153fd72212.vbs
| MD5 | 776a97d3f297f1bf8dbd062dbc3fe01d |
| SHA1 | 10ad4a5a4813445a3549d32407309c4c2e421741 |
| SHA256 | 4d3a9ce6edb671e4d663497e6bf16b54f62bfcf1ba9014f9f4af384a0cb18a0c |
| SHA512 | 755bdab9c411f80a02a684344766d7898b7755a54c7132ce9b33f7fec92bf73afdb09dd5294701ae10040eab882eff57d246db3041e77b4c423f0ac15b2c1e0d |
memory/4864-359-0x000000001D830000-0x000000001D932000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\066c61ef-310f-4778-8e25-821cb6057d63.vbs
| MD5 | e55094cd25b5700f1ccdaa290e9124f0 |
| SHA1 | ff1f3acf8ba961fa0969bde94f82f58a40240d48 |
| SHA256 | d26f48821efdb2febac3b8f725c4f1266af3877ac2f4d60acbb1ed4c1d70b4b2 |
| SHA512 | e999f3d28267afaf054a108fccbe0160abe6faf56b65d243a0125c4e1e2cfe01df17d9ed309b6f79bc1b54d23fc1177ff6b6f2d52e25ded20cbd2a440af6b6a3 |
memory/3876-371-0x000000001DC50000-0x000000001DD52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b913f4f3-d9ae-493d-9dd5-994be7e7a00b.vbs
| MD5 | 3ec0304fb7e7a0ba62fde9be8581d999 |
| SHA1 | 8bd030c7fd23d5fbe61a1e20ee472d0386e65bf5 |
| SHA256 | c7c17de53b15b3464260c7195d1a3cad330149d8fa41e4fcba85b710d2cb4c3e |
| SHA512 | 0eee7f3c0cb6550201a3ba18f4ac35843430400b1298e5c0027939b8af59daf04e066e706e767920336d4eaeb1000ac847b2bb7d6e7a69973dbd8296e191be8f |
memory/2140-383-0x000000001CE80000-0x000000001CF82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4c19728d-3781-4b01-b28a-e2c64c11afe3.vbs
| MD5 | b0359b338ee3e839e6c97c3b375ec8a0 |
| SHA1 | bc88651e0d9dfa32b9dd041184f0d3629a365580 |
| SHA256 | 2f6cff3b9d47ace3d73ed77787fac3e81978f53398e6ce0f72ac7e329965af1e |
| SHA512 | e8ab464b211c703d659752e850723d62ea6312a4e478b0cebf10322a95353473a9798edaf5b179220ec416393ebe4f535b28b672794f8606fe0275e62ff59d1b |
C:\Users\Admin\AppData\Local\Temp\a1b391ce-dad4-456b-bbfd-87d7539b532f.vbs
| MD5 | 92d9d36f0fc0ee8c8b7ecf2aa611133e |
| SHA1 | 5a6336ac4fac06c12630010296019278c891b1e3 |
| SHA256 | 89a5abc93521de9f40ba04a837454d9d4d33800faa62a1382652646d2a5652a7 |
| SHA512 | 72369e185f6ccdf047c06cc2f3bb91ba849589730cdcaea528d413852d480b05e1cdf36c34f9c04f8e0a63faad03bd7a579296eb8243888bd7e1e48c3e29d63e |
C:\Users\Admin\AppData\Local\Temp\444ba6fd-a1ad-4f2e-ad86-e16c6c76ae97.vbs
| MD5 | 5f4cb15261a4d0851c633ec00e8ff362 |
| SHA1 | ac4d367cba0bfa610a24f199727d820463b8a90a |
| SHA256 | 5955f4daf7dd48afc1a79efb32c61c8fcf5194bdb890341bbb5fc8ab6e14242b |
| SHA512 | 1e8387da8f69414653f1f8b531b5702cc3f887fe0f38704a72f812055aa3171b6db0ac957bf94f4f9228ce6f01b0ca98d9bdccdcc647833930304a104a7cbb3d |
memory/3772-418-0x000000001CBF0000-0x000000001CC02000-memory.dmp