Malware Analysis Report

2024-10-10 12:49

Sample ID 240603-hnsmsage83
Target 9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics
SHA256 e2a1908e50ef159ee1ae5f559b746e1815c81d9d842b9c4107c2e190ec20cbfd
Tags rat dcrat infostealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 e2a1908e50ef159ee1ae5f559b746e1815c81d9d842b9c4107c2e190ec20cbfd

Threat Level: Known bad

The file 9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

DcRat

Dcrat family

DCRat payload

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 06:53

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 06:53

Reported

2024-06-03 06:55

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Default\Recent\dwm.exe | N/A
N/A | N/A | C:\Users\Default\Recent\dwm.exe | N/A
N/A | N/A | C:\Users\Default\Recent\dwm.exe | N/A
N/A | N/A | C:\Users\Default\Recent\dwm.exe | N/A
N/A | N/A | C:\Users\Default\Recent\dwm.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Common Files\System\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Common Files\System\b75386f1303e64 | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Recent\dwm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Recent\dwm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Recent\dwm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Recent\dwm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Recent\dwm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1712 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | C:\Windows\System32\cmd.exe
PID 1712 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | C:\Windows\System32\cmd.exe
PID 1712 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | C:\Windows\System32\cmd.exe
PID 1984 wrote to memory of 584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1984 wrote to memory of 584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1984 wrote to memory of 584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1984 wrote to memory of 596 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Recent\dwm.exe
PID 1984 wrote to memory of 596 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Recent\dwm.exe
PID 1984 wrote to memory of 596 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Recent\dwm.exe
PID 596 wrote to memory of 3040 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\cmd.exe
PID 596 wrote to memory of 3040 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\cmd.exe
PID 596 wrote to memory of 3040 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\cmd.exe
PID 596 wrote to memory of 3016 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\WScript.exe
PID 596 wrote to memory of 3016 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\WScript.exe
PID 596 wrote to memory of 3016 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\WScript.exe
PID 596 wrote to memory of 1592 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\WScript.exe
PID 596 wrote to memory of 1592 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\WScript.exe
PID 596 wrote to memory of 1592 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\WScript.exe
PID 3040 wrote to memory of 960 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3040 wrote to memory of 960 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3040 wrote to memory of 960 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3040 wrote to memory of 752 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Recent\dwm.exe
PID 3040 wrote to memory of 752 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Recent\dwm.exe
PID 3040 wrote to memory of 752 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Recent\dwm.exe
PID 3016 wrote to memory of 2100 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\Recent\dwm.exe
PID 3016 wrote to memory of 2100 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\Recent\dwm.exe
PID 3016 wrote to memory of 2100 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\Recent\dwm.exe
PID 752 wrote to memory of 1528 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\cmd.exe
PID 752 wrote to memory of 1528 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\cmd.exe
PID 752 wrote to memory of 1528 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\cmd.exe
PID 752 wrote to memory of 2272 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\WScript.exe
PID 752 wrote to memory of 2272 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\WScript.exe
PID 752 wrote to memory of 2272 | N/A | C:\Users\Default\Recent\dwm.exe | C:\Windows\System32\WScript.exe
PID 1528 wrote to memory of 2524 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1528 wrote to memory of 2524 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1528 wrote to memory of 2524 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1528 wrote to memory of 1276 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Recent\dwm.exe
PID 1528 wrote to memory of 1276 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Recent\dwm.exe
PID 1528 wrote to memory of 1276 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Recent\dwm.exe
PID 2272 wrote to memory of 2512 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\Recent\dwm.exe
PID 2272 wrote to memory of 2512 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\Recent\dwm.exe
PID 2272 wrote to memory of 2512 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\Recent\dwm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Search\Data\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Search\Data\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\Search\Data\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\System\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5KPVWow13d.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Recent\dwm.exe

"C:\Users\Default\Recent\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\692ac32b-6eb6-4f97-93e8-7de7d8a6b46d.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6294799-3e59-4fb4-9074-31b05e6d808e.vbs"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Recent\dwm.exe

"C:\Users\Default\Recent\dwm.exe"

C:\Users\Default\Recent\dwm.exe

C:\Users\Default\Recent\dwm.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84b03aa9-5008-4fb2-941d-d6938a7c25f1.vbs"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Recent\dwm.exe

"C:\Users\Default\Recent\dwm.exe"

C:\Users\Default\Recent\dwm.exe

C:\Users\Default\Recent\dwm.exe

Network

N/A

Files

memory/1712-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

memory/1712-1-0x00000000000F0000-0x00000000003B4000-memory.dmp

memory/1712-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

memory/1712-3-0x0000000000410000-0x000000000041E000-memory.dmp

memory/1712-4-0x0000000000420000-0x000000000043C000-memory.dmp

memory/1712-6-0x00000000006E0000-0x00000000006F2000-memory.dmp

memory/1712-5-0x0000000000640000-0x0000000000656000-memory.dmp

memory/1712-7-0x0000000000770000-0x0000000000780000-memory.dmp

memory/1712-8-0x0000000000780000-0x00000000007D6000-memory.dmp

memory/1712-9-0x00000000007D0000-0x00000000007DC000-memory.dmp

memory/1712-10-0x00000000007E0000-0x00000000007F2000-memory.dmp

memory/1712-11-0x0000000002390000-0x000000000239C000-memory.dmp

memory/1712-12-0x00000000023A0000-0x00000000023AA000-memory.dmp

memory/1712-13-0x00000000023B0000-0x00000000023BE000-memory.dmp

memory/1712-14-0x00000000023C0000-0x00000000023C8000-memory.dmp

memory/1712-15-0x00000000023D0000-0x00000000023D8000-memory.dmp

memory/1712-16-0x00000000023E0000-0x00000000023EA000-memory.dmp

memory/1712-17-0x00000000023F0000-0x00000000023FC000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe

MD5 9f537f5beee3ed03ea3454fadbbe2590
SHA1 7dfd75bb82009a2ba9fa46c38997357517f9230a
SHA256 e2a1908e50ef159ee1ae5f559b746e1815c81d9d842b9c4107c2e190ec20cbfd
SHA512 ba9bbd6647771c069b308201fa58154466fa45a369fadd370667703ad230592f4c68fe9963b658c78580c8c10380ff9f0dddde782b769a92e5042197ba298bb9

C:\Users\Admin\AppData\Local\Temp\5KPVWow13d.bat

MD5 3a393e7e9efa121ff1de3edb4d4b1368
SHA1 4745bed23ad2a8960e1ccedb0463b80f17ef5ffe
SHA256 2b1348170b974bb4ad6a1a40f22bf195b4a06f4c6a8f790416f05de5762892ab
SHA512 7c1ffa5e14a620abef2ba17dd981a3fb2e2a72609fb117825fe3766a0a767607aecbd91a455e0458cc5eff7582d27efcc9c963e0110c3927388ec9bbd9ef13bb

memory/1712-41-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

memory/596-44-0x0000000000890000-0x0000000000B54000-memory.dmp

memory/596-45-0x0000000000400000-0x0000000000412000-memory.dmp

memory/596-46-0x0000000000510000-0x0000000000522000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

MD5 df39f3b319965435b115c422da6d0bca
SHA1 c2516f2b75503709fd6f362ef38c0740d00f9611
SHA256 5ad9db84a2b45ee8856e03d24cf2781600daa0c01e3fb87c43e7f50752f4938f
SHA512 f56d2d24db1c15bc0fa21fb799b3da20e7f9beb040eeebe83e0384ceedb9a9658f899511a728d855357979c1536ea15799a86e3e190485c1746bf224cb035bba

C:\Users\Admin\AppData\Local\Temp\e6294799-3e59-4fb4-9074-31b05e6d808e.vbs

MD5 ed782107e5cb785bdd20c2b4d76c3bc2
SHA1 5c72e70a081d842a8beef78f80dde7344431f12e
SHA256 d1dc8e11cede9d2c64f5fcf3779acad2425e438bfd3fb5b828f6aefb882bc82a
SHA512 da2097156982e9eff8f34042d8795974286291cdaf0f10eae7e20aa90e4a22405d2971daf0528a0c4d5d564483c586fa6738182ea948c2e937ce963ace67a3bd

C:\Users\Admin\AppData\Local\Temp\692ac32b-6eb6-4f97-93e8-7de7d8a6b46d.vbs

MD5 6e3e5231240ea0bcae8b378edb3fbf27
SHA1 fd92f497cce455205ab730e5bd6b7085cb3538dc
SHA256 2e4347187a1c5e0573ff8c778300cd39b20f51a1bf94c382e1b87be4d03305a8
SHA512 182b7774806ef903b0955562dced45fa630e6c810c2d3c5a77e332386bb7516a5e525bab6d404ee72fec5b24b889de6fa996ca22d11ed4a3c78dd8755becb594

memory/752-63-0x00000000002E0000-0x00000000005A4000-memory.dmp

memory/752-64-0x00000000002D0000-0x00000000002E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84b03aa9-5008-4fb2-941d-d6938a7c25f1.vbs

MD5 3a12bd68bb0f38ca96c331b322b2747d
SHA1 4e9e6d33cb60f7524e406f374a16b0d2d061a6a1
SHA256 324bf5053758244d8de99e3840892bae3b9dddb10ac7801479b7f279aa99c0ad
SHA512 6e8859f618149f34f39afbb162fda41b1213d5079205eedc802b3fbf1e83a0c0b11ae6b2d5b3711efb598bd69bfd1fc3ed5f766d0c023eb74514c26eb86b69ee

C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat

MD5 ecaf9b12c5b112eeb599bdfca487f0c5
SHA1 bcb1bffde00d6ebbdccb49b9eb76308ca0987338
SHA256 19c72bfbc4dea35676007446b37df963da7fa381808aa63973474f0104948c7f
SHA512 5221ff318b4f2b0f4c9cfe044e534195e894767288552ded91506b6ae38f061c181980762982da589fd52b5472ea68567fa62ad7474279e13b9a86e5ef78a640

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 06:53

Reported

2024-06-03 06:55

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\Globalization\Time Zone\dllhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\Globalization\Time Zone\dllhost.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\e6c9b481da804f | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Internet Explorer\smss.exe | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Internet Explorer\69ddcba757bf72 | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Common Files\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\Registry.exe | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\ee2ad38f3d4382 | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Common Files\Oracle\sysmon.exe | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Common Files\Oracle\121e5b5079f7c0 | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Common Files\System.exe | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\schemas\EAPMethods\unsecapp.exe | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Windows\Globalization\Time Zone\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Windows\Globalization\Time Zone\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
File created | C:\Windows\rescache\_merged\Registry.exe | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\Globalization\Time Zone\dllhost.exe | N/A (2 entries)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A (21 entries)
N/A | N/A | C:\Windows\Globalization\Time Zone\dllhost.exe | N/A (14 entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Globalization\Time Zone\dllhost.exe | N/A (5 entries)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
(each write below was recorded twice)
PID 812 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe | C:\Windows\System32\cmd.exe
PID 2012 wrote to memory of 424 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2012 wrote to memory of 1396 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Globalization\Time Zone\dllhost.exe
PID 1396 wrote to memory of 4920 | N/A | C:\Windows\Globalization\Time Zone\dllhost.exe | C:\Windows\System32\cmd.exe
PID 1396 wrote to memory of 4636 | N/A | C:\Windows\Globalization\Time Zone\dllhost.exe | C:\Windows\System32\WScript.exe
PID 4920 wrote to memory of 3324 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4920 wrote to memory of 4724 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Globalization\Time Zone\dllhost.exe
PID 4636 wrote to memory of 3276 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\Globalization\Time Zone\dllhost.exe
PID 4724 wrote to memory of 4424 | N/A | C:\Windows\Globalization\Time Zone\dllhost.exe | C:\Windows\System32\WScript.exe
PID 4724 wrote to memory of 4700 | N/A | C:\Windows\Globalization\Time Zone\dllhost.exe | C:\Windows\System32\cmd.exe
PID 4700 wrote to memory of 1592 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4424 wrote to memory of 700 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\Globalization\Time Zone\dllhost.exe
PID 4700 wrote to memory of 4036 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Globalization\Time Zone\dllhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9f537f5beee3ed03ea3454fadbbe2590NeikiAnalytics_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\Time Zone\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\Time Zone\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Oracle\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Oracle\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ypQhCMeWxH.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Globalization\Time Zone\dllhost.exe

"C:\Windows\Globalization\Time Zone\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65bb9354-b5b9-4a20-86a3-5c165b29c2b0.vbs"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Globalization\Time Zone\dllhost.exe

"C:\Windows\Globalization\Time Zone\dllhost.exe"

C:\Windows\Globalization\Time Zone\dllhost.exe

"C:\Windows\Globalization\Time Zone\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a5d306c-5b91-4141-a0b5-8841cd92211e.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Globalization\Time Zone\dllhost.exe

"C:\Windows\Globalization\Time Zone\dllhost.exe"

C:\Windows\Globalization\Time Zone\dllhost.exe

"C:\Windows\Globalization\Time Zone\dllhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

C:\Program Files (x86)\Common Files\Oracle\sysmon.exe

MD5 9f537f5beee3ed03ea3454fadbbe2590
SHA1 7dfd75bb82009a2ba9fa46c38997357517f9230a
SHA256 e2a1908e50ef159ee1ae5f559b746e1815c81d9d842b9c4107c2e190ec20cbfd
SHA512 ba9bbd6647771c069b308201fa58154466fa45a369fadd370667703ad230592f4c68fe9963b658c78580c8c10380ff9f0dddde782b769a92e5042197ba298bb9

C:\Users\Admin\AppData\Local\Temp\ypQhCMeWxH.bat

MD5 0b053850de8523e6063e823c752635c8
SHA1 eb1093d6cf7e3ad69ccd55c2d4dd38e86935cb67
SHA256 3d4eefdbe1964f075aefcc390e52c4622bc7e2ffebe3759dac0c2a45e67f9034
SHA512 31d11fea40f30b66e850ccdaef1f3e4a33a8296bcab6a662193db23ec8ace4dd7752dc72307f1d85ce59d584c2205fc52d1dc13b356a9d86a220c1e66f2e20fd

C:\Users\Admin\AppData\Local\Temp\65bb9354-b5b9-4a20-86a3-5c165b29c2b0.vbs

MD5 3826fe867fc3381abdb0b9cbedcdc7c8
SHA1 afaf55ee994dca6b02d3172ee88e91c79895e77f
SHA256 8776c2e3b01a7f4d5aa68930bf808c34954e799a58abdd26b8746b150a72852a
SHA512 0bbd212d0c953264a0a3fcd53fc8785fc26a6babcd611f0a28cb5e1b01ad270b1e7c87d3b4263b0114fffb7c212a6f0660ea6cbb631c097776666f738c1b83b5

C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat

MD5 f869d82ffdce28883ed12c01ec666d7d
SHA1 7ac61292d66c8967637dc98bab43e28563e82996
SHA256 887fd9ab3ba4f3b5bb744a15c1d45154f68e841575f1bf7ea6b506183f43a193
SHA512 fa3249d3e5506d26f6eca88d02cd812ed5478e305c8aca1a214447ac08346bac1af4aa2865c942dbc62a061a3c76ea389fefc812d92f165d41017db5b6c41dc7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

MD5 49b64127208271d8f797256057d0b006
SHA1 b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512 f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

C:\Users\Admin\AppData\Local\Temp\6a5d306c-5b91-4141-a0b5-8841cd92211e.vbs

MD5 d4ec19bc775915779bd9febeab34dfe5
SHA1 f5dc313b9117020f9b8eb2dc278a0fd594739589
SHA256 d6041739d452882def3584a2ca13537616261a9c1cdeb722cffcf926d9aec267
SHA512 bff09aecf41da17470ca77b0f7acdecbf30cbf1470dbfc94eae50b0af59cde0e1afadf3f7a389960b12feb96213eca2cf3bf4d532a49137f0e146aa065a627f8

C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

MD5 54b6bbdb80c46f40d82568dc0cf9d3fb
SHA1 a2958c1242072a24d8e857318e7740eacca537e6
SHA256 8c4e91b6f07d399ae58c9768b7960cb8c51f04c37a7e3ef4b7f48e38630b0269
SHA512 f5126e2e1d557ccf0333b5816ca75f2e6aec4465ea5a16a1f9c2276165470517c697e70a4ec892ff84dacb74585ef1e8da8ccc8752dfddb55ed764394e82b90d