Malware Analysis Report

2024-10-10 12:49

Sample ID 240603-mm5m6sbe4t
Target a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe
SHA256 e659c778f5a724d4a05b742397966e8d9db42366225f826361e0279c1f30af9d
Tags
rat dcrat evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e659c778f5a724d4a05b742397966e8d9db42366225f826361e0279c1f30af9d

Threat Level: Known bad

The file a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

Dcrat family

Process spawned unexpected child process

UAC bypass

DCRat payload

DcRat

DCRat payload

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

System policy modification

Analysis: static1

Detonation Overview

Reported

2024-06-03 10:35

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 10:35

Reported

2024-06-03 10:38

Platform

win7-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | (30 identical events)
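The table above records thirty schtasks.exe launches whose parent is the WMI provider host, and the "Suspicious use of WriteProcessMemory" table later in this analysis gives the PID pairs of a cmd.exe / w32tm.exe / audiodg.exe / WScript.exe chain that re-spawns the dropped audiodg.exe through WScript.exe again and again. The script below is an added example, not code from the report or from DCRat: it applies a parent/child allowlist to constructed process-creation records and reconstructs the tree to find the deepest chain and the self-relaunch loop. The PIDs of the wmiprvse.exe/schtasks.exe pairs (880, 3001 to 3003) are invented because the report does not list them; the other PIDs are the ones shown in the WriteProcessMemory table. EXPECTED_CHILDREN is a small illustrative baseline, not a complete one.

```python
"""Parent/child anomalies and re-launch chains from process-creation events.

Added example, not part of the sandbox report. Records are constructed from
the report's signature tables; PIDs 880 and 3001-3003 are invented, and the
EXPECTED_CHILDREN baseline is an assumption.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    ppid: int
    pid: int
    parent: str   # parent image path
    image: str    # child image path


# Parents that should rarely create processes. wmiprvse.exe hosts WMI
# providers; a child under it means a WMI method such as Win32_Process.Create
# was invoked, which hides the real caller from parent/child telemetry.
EXPECTED_CHILDREN: dict[str, frozenset[str]] = {
    "wmiprvse.exe": frozenset(),   # assumption: no expected children
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def unexpected_children(events: list[ProcEvent]) -> list[ProcEvent]:
    """Events whose parent is on the watch list and whose child is not allowed."""
    return [ev for ev in events
            if basename(ev.parent) in EXPECTED_CHILDREN
            and basename(ev.image) not in EXPECTED_CHILDREN[basename(ev.parent)]]


def _chains(events: list[ProcEvent]) -> tuple[list[list[int]], dict[int, str]]:
    """All root-to-leaf PID paths plus a pid -> image map."""
    children: dict[int, list[int]] = defaultdict(list)
    images: dict[int, str] = {}
    for ev in events:
        children[ev.ppid].append(ev.pid)
        images[ev.pid] = ev.image
        images.setdefault(ev.ppid, ev.parent)
    child_pids = {ev.pid for ev in events}
    paths: list[list[int]] = []

    def walk(pid: int, path: list[int]) -> None:
        if not children.get(pid):
            paths.append(path)
        for c in children.get(pid, []):
            walk(c, path + [c])

    for root in (p for p in images if p not in child_pids):
        walk(root, [root])
    return paths, images


def longest_chain(events: list[ProcEvent]) -> list[str]:
    """Image basenames along the deepest root-to-leaf path."""
    paths, images = _chains(events)
    return [basename(images[p]) for p in max(paths, key=len)]


def relaunch_loops(events: list[ProcEvent], min_repeats: int = 3) -> dict[str, int]:
    """Non-script-host images recurring at least min_repeats times on one chain:
    the exe -> script host -> same exe pattern recorded in this report."""
    hits: dict[str, int] = {}
    paths, images = _chains(events)
    for path in paths:
        for img, n in Counter(basename(images[p]) for p in path).items():
            if n >= min_repeats and img not in SCRIPT_HOSTS:
                hits[img] = max(hits.get(img, 0), n)
    return hits


# Constructed from the report's tables (wmiprvse/schtasks PIDs invented).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe"
CMD = r"C:\Windows\System32\cmd.exe"
W32TM = r"C:\Windows\system32\w32tm.exe"
DROPPED = r"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"

EVENTS = [ProcEvent(*t) for t in [
    (880, 3001, WMIPRVSE, SCHTASKS), (880, 3002, WMIPRVSE, SCHTASKS), (880, 3003, WMIPRVSE, SCHTASKS),
    (1616, 1248, SAMPLE, CMD), (1248, 2272, CMD, W32TM), (1248, 1560, CMD, DROPPED),
    (1560, 556, DROPPED, WSCRIPT), (1560, 1776, DROPPED, WSCRIPT), (556, 2988, WSCRIPT, DROPPED),
    (2988, 2712, DROPPED, WSCRIPT), (2988, 2636, DROPPED, WSCRIPT), (2712, 2400, WSCRIPT, DROPPED),
    (2400, 2412, DROPPED, WSCRIPT), (2400, 2688, DROPPED, WSCRIPT), (2412, 2800, WSCRIPT, DROPPED),
    (2800, 2840, DROPPED, WSCRIPT), (2800, 2192, DROPPED, WSCRIPT), (2840, 2704, WSCRIPT, DROPPED),
    (2704, 2920, DROPPED, WSCRIPT), (2704, 704, DROPPED, WSCRIPT), (2920, 2212, WSCRIPT, DROPPED),
    (2212, 1316, DROPPED, WSCRIPT),
]]

if __name__ == "__main__":
    for ev in unexpected_children(EVENTS):
        print(f"unexpected child: {basename(ev.parent)} -> {basename(ev.image)} (pid {ev.pid})")
    print("deepest chain:", " -> ".join(longest_chain(EVENTS)))
    print("re-launch loops:", relaunch_loops(EVENTS))
```

The chain reconstruction is what turns thirty identical rows and fifty-odd memory-write rows into two facts worth alerting on: a WMI provider host creating schtasks.exe, and one dropped binary re-executing itself six levels deep through WScript.exe.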

UAC bypass

evasion trojan
45 registry writes, collapsed by value and writing process:

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | N/A (14 events)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | N/A (14 events)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | N/A (14 events)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A (1 event)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A (1 event)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A (1 event)

Note that HKLM\...\Policies\System is writable only by Administrators, so these writes succeed only from a process that already holds an elevated token (the sandbox runs the sample as the Admin user). The signature therefore records UAC being switched off for future elevations, not an escalation from a standard user.

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (9 detections, no details recorded)

Checks whether UAC is enabled

evasion trojan
30 registry operations, collapsed by operation and process:

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | N/A (14 events)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | N/A (14 events)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A (1 event)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A (1 event)
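The "UAC bypass" and "Checks whether UAC is enabled" tables above show the same three policy values being read and then zeroed by both the original sample and its dropped copy. The script below is an added example, not code from the report or from DCRat: it runs detection logic over constructed registry events that mirror those rows, flags only writes that weaken a UAC value (EnableLUA=0, ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0), ignores a benign write that restores the default, and reports which processes queried EnableLUA before disabling it. The RegEvent schema is an assumption, not any particular EDR or Sysmon field layout. One caveat a responder should keep in mind: EnableLUA=0 only takes effect at the next boot, while the other two values change how the next elevation request behaves without a reboot, so a host where only EnableLUA was flipped still prompts until restarted.

```python
"""Flag UAC-policy tampering in registry telemetry.

Added example; not part of the sandbox report or of DCRat. Events are
constructed to mirror the report's rows; the RegEvent schema is assumed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

UAC_POLICY_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows"
                  r"\CurrentVersion\Policies\System")

# The three values the sample writes, each with the data that weakens it.
# EnableLUA=0 turns UAC off (effective at next boot);
# ConsentPromptBehaviorAdmin=0 elevates administrators without a prompt;
# PromptOnSecureDesktop=0 moves the prompt off the secure desktop.
WEAK_UAC_SETTINGS = {
    "EnableLUA": 0,
    "ConsentPromptBehaviorAdmin": 0,
    "PromptOnSecureDesktop": 0,
}


@dataclass(frozen=True)
class RegEvent:
    process: str                 # image path of the process touching the registry
    op: str                      # "set" or "query"
    key: str
    value: str
    data: Optional[int] = None   # new data for "set"; None for "query"


def is_uac_tamper(ev: RegEvent) -> bool:
    """True when the event writes a weakening value to the UAC policy key."""
    return (ev.op == "set"
            and ev.key.lower() == UAC_POLICY_KEY.lower()
            and ev.value in WEAK_UAC_SETTINGS
            and ev.data == WEAK_UAC_SETTINGS[ev.value])


def summarize(events: Iterable[RegEvent]) -> dict[str, dict]:
    """Per tampering process: counts of weakened values and whether it
    queried EnableLUA as well (the check-then-disable pattern seen here)."""
    out: dict[str, dict] = {}
    for ev in events:
        rec = out.setdefault(ev.process, {"weakened": Counter(), "queried_enablelua": False})
        if (ev.op == "query" and ev.value == "EnableLUA"
                and ev.key.lower() == UAC_POLICY_KEY.lower()):
            rec["queried_enablelua"] = True
        if is_uac_tamper(ev):
            rec["weakened"][ev.value] += 1
    return {p: r for p, r in out.items() if r["weakened"]}


# Constructed sample mirroring the report: the dropped copy queries EnableLUA
# and zeroes all three values (EnableLUA twice); the original sample zeroes
# each once; a constructed policy refresh restores the default and must not fire.
DROPPED = r"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe"
SAMPLE_EVENTS = [
    RegEvent(DROPPED, "query", UAC_POLICY_KEY, "EnableLUA"),
    RegEvent(DROPPED, "set", UAC_POLICY_KEY, "EnableLUA", 0),
    RegEvent(DROPPED, "set", UAC_POLICY_KEY, "ConsentPromptBehaviorAdmin", 0),
    RegEvent(DROPPED, "set", UAC_POLICY_KEY, "PromptOnSecureDesktop", 0),
    RegEvent(DROPPED, "set", UAC_POLICY_KEY, "EnableLUA", 0),
    RegEvent(SAMPLE, "set", UAC_POLICY_KEY, "EnableLUA", 0),
    RegEvent(SAMPLE, "set", UAC_POLICY_KEY, "ConsentPromptBehaviorAdmin", 0),
    RegEvent(SAMPLE, "set", UAC_POLICY_KEY, "PromptOnSecureDesktop", 0),
    RegEvent(r"C:\Windows\System32\svchost.exe", "set", UAC_POLICY_KEY,
             "ConsentPromptBehaviorAdmin", 5),   # benign: default restored
]

if __name__ == "__main__":
    for proc, rec in summarize(SAMPLE_EVENTS).items():
        print(proc, dict(rec["weakened"]), "queried EnableLUA:", rec["queried_enablelua"])
```

Matching on the exact weakening data rather than on "any write to the key" keeps group-policy refreshes and hardening scripts out of the alert, which is the usual source of noise for this rule.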

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Common Files\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\csrss.exe | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Common Files\System.exe | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System.exe | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A
File created | C:\Program Files\Mozilla Firefox\browser\csrss.exe | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A
File created | C:\Program Files\Mozilla Firefox\browser\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Web\Wallpaper\Characters\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A
File created | C:\Windows\Web\Wallpaper\Characters\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Web\Wallpaper\Characters\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A
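The two drop tables above show the pattern worth hunting for: copies named after real Windows binaries (audiodg.exe, csrss.exe) and after the kernel's System pseudo-process (System.exe, which has no image file in a clean install) placed under Program Files, a Firefox directory and a wallpaper folder, each beside a 14-hex-character companion file, with the same audiodg.exe/42af1c969fbb7b pair written to two locations. The script below is an added example, not code from the report or from DCRat: it classifies constructed file-creation events from those tables, leaves the genuine System32 and WinSxS copies alone, and correlates suspicious basenames dropped in more than one directory. SYSTEM_BINARIES and PSEUDO_PROCESS_FILES are small illustrative lists (assumptions), the two benign control paths are constructed, and the 14-hex-character companion rule is taken from what this report shows rather than from any family-wide documentation.

```python
"""Flag dropped files that masquerade as Windows system binaries.

Added example; not part of the sandbox report or of DCRat. Events are
constructed from the report's drop tables plus two benign controls; the
binary name lists are an illustrative assumption.
"""
from __future__ import annotations

import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Illustrative subset (assumption); extend from a known-good inventory.
SYSTEM_BINARIES = {
    "audiodg.exe", "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "dwm.exe", "conhost.exe",
    "explorer.exe", "spoolsv.exe", "taskhost.exe", "taskhostw.exe",
}
# Kernel pseudo-processes have no image on disk; a file with their name is bogus.
PSEUDO_PROCESS_FILES = {"system.exe", "registry.exe"}
# Directories where a system binary may legitimately live (WinSxS = servicing copies).
LEGIT_DIRS = (r"windows\system32", r"windows\syswow64", r"windows\winsxs")
HEX14 = re.compile(r"[0-9a-f]{14}")   # companion-file name pattern seen in this report


def _in_legit_dir(parent: str, dirs=LEGIT_DIRS) -> bool:
    norm = parent.rstrip("\\") + "\\"
    return any("\\" + d + "\\" in norm for d in dirs)


def masquerade_reasons(path: str) -> list[str]:
    """Reasons a created file looks like a masquerade; empty when it looks fine."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    reasons: list[str] = []
    if name in PSEUDO_PROCESS_FILES:
        reasons.append("image named after a kernel pseudo-process")
    elif name in SYSTEM_BINARIES:
        # explorer.exe is the one common binary that lives in the Windows root.
        legit = _in_legit_dir(parent) or (
            name == "explorer.exe" and parent.rstrip("\\").endswith("\\windows"))
        if not legit:
            reasons.append("system binary name outside Windows system directories")
    if HEX14.fullmatch(name):
        reasons.append("14-hex-character companion file (pattern seen in this report)")
    return reasons


def triage_drops(events: list[tuple[str, str]]) -> dict[str, list[str]]:
    """events are (writer image, created path); returns suspicious path -> reasons."""
    return {path: reasons for _, path in events if (reasons := masquerade_reasons(path))}


def multi_location_drops(events: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Suspicious basenames the same writer placed in more than one directory."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for writer, path in events:
        if not masquerade_reasons(path):
            continue
        p = PureWindowsPath(path)
        seen[(writer, p.name.lower())].add(str(p.parent).lower())
    return {name: sorted(dirs) for (_, name), dirs in seen.items() if len(dirs) > 1}


# Constructed from the report's drop tables, plus two constructed benign controls.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe"
SERVICING = r"C:\Windows\servicing\TrustedInstaller.exe"
DROPS = [
    (SAMPLE, r"C:\Program Files (x86)\Common Files\27d1bcfc3c54e0"),
    (SAMPLE, r"C:\Program Files\Mozilla Firefox\browser\csrss.exe"),
    (SAMPLE, r"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"),
    (SAMPLE, r"C:\Program Files (x86)\Common Files\System.exe"),
    (SAMPLE, r"C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b"),
    (SAMPLE, r"C:\Program Files\Mozilla Firefox\browser\886983d96e3d3e"),
    (SAMPLE, r"C:\Windows\Web\Wallpaper\Characters\audiodg.exe"),
    (SAMPLE, r"C:\Windows\Web\Wallpaper\Characters\42af1c969fbb7b"),
    (SERVICING, r"C:\Windows\System32\audiodg.exe"),                          # benign (constructed)
    (SERVICING, r"C:\Windows\WinSxS\amd64_example-component_1.0\audiodg.exe"),  # benign (constructed)
]

if __name__ == "__main__":
    for path, reasons in triage_drops(DROPS).items():
        print(path, "->", "; ".join(reasons))
    print("dropped in several places:", multi_location_drops(DROPS))
```

The name-plus-directory check is deliberately stricter than a name-only match: the real audiodg.exe is written by servicing into System32 and WinSxS on every patch cycle, and a rule that cannot tell those apart from a copy under Program Files (x86) will be tuned out within a week.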

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | N/A (33 events)
N/A | N/A | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | N/A (31 events)

Suspicious use of WriteProcessMemory

Each parent/child pair appears three times in the raw trace; collapsed here to one row per pair, in trace order.

Description | Indicator | Process | Target
PID 1616 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe | C:\Windows\System32\cmd.exe
PID 1248 wrote to memory of 2272 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1248 wrote to memory of 1560 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 1560 wrote to memory of 556 | N/A | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | C:\Windows\System32\WScript.exe
PID 1560 wrote to memory of 1776 | N/A | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | C:\Windows\System32\WScript.exe
PID 556 wrote to memory of 2988 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 2988 wrote to memory of 2712 | N/A | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | C:\Windows\System32\WScript.exe
PID 2988 wrote to memory of 2636 | N/A | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | C:\Windows\System32\WScript.exe
PID 2712 wrote to memory of 2400 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 2400 wrote to memory of 2412 | N/A | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | C:\Windows\System32\WScript.exe
PID 2400 wrote to memory of 2688 | N/A | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | C:\Windows\System32\WScript.exe
PID 2412 wrote to memory of 2800 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 2800 wrote to memory of 2840 | N/A | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | C:\Windows\System32\WScript.exe
PID 2800 wrote to memory of 2192 | N/A | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | C:\Windows\System32\WScript.exe
PID 2840 wrote to memory of 2704 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 2704 wrote to memory of 2920 | N/A | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | C:\Windows\System32\WScript.exe
PID 2704 wrote to memory of 704 | N/A | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe | C:\Windows\System32\WScript.exe
PID 2920 wrote to memory of 2212 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 2212 wrote to memory of 1316 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 2212 wrote to memory of 1316 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 2212 wrote to memory of 1316 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 2212 wrote to memory of 2600 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 2212 wrote to memory of 2600 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 2212 wrote to memory of 2600 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 1316 wrote to memory of 1628 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 1316 wrote to memory of 1628 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 1316 wrote to memory of 1628 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 1628 wrote to memory of 1908 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
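
The rows above are one WriteProcessMemory event per line (the sandbox usually records three per child launch), which hides the shape of the process tree. The script below is an added example, not part of the sandbox output: it parses rows in this table's format, collapses the repeats into one parent-to-child edge, and walks the longest chain, which for this run is WScript.exe and the dropped audiodg.exe relaunching each other five times over. The rows embedded in it are copied from this table; the regex and the chain heuristics are the example's own.

```python
"""Rebuild the process chain hidden in the "wrote to memory" rows.

Added example: parses rows in the sandbox's "PID A wrote to memory of B"
format, collapses the repeated events per parent/child pair, and reports
the longest parent->child chain together with the image names on it.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<src_img>.+?\.exe)\s+(?P<dst_img>.+?\.exe)\s*$",
    re.IGNORECASE,
)

# Rows copied from the table above (a subset; one repeat is kept on purpose
# to show that repeats collapse to a single edge).
SAMPLE_ROWS = r"""
PID 2988 wrote to memory of 2636 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 2712 wrote to memory of 2400 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 2712 wrote to memory of 2400 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 2400 wrote to memory of 2412 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 2400 wrote to memory of 2688 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 2412 wrote to memory of 2800 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 2800 wrote to memory of 2840 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 2800 wrote to memory of 2192 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 2840 wrote to memory of 2704 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 2704 wrote to memory of 2920 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 2704 wrote to memory of 704 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 2920 wrote to memory of 2212 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 2212 wrote to memory of 1316 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 2212 wrote to memory of 2600 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
PID 1316 wrote to memory of 1628 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\audiodg.exe
PID 1628 wrote to memory of 1908 N/A C:\Program Files (x86)\Windows Portable Devices\audiodg.exe C:\Windows\System32\WScript.exe
""".strip().splitlines()


def parse_rows(lines):
    """Return {(parent_pid, child_pid): (parent_image, child_image)}; repeats collapse."""
    edges = {}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]))] = (m["src_img"], m["dst_img"])
    return edges


def build_tree(edges):
    """Adjacency list of children per PID plus the image path seen for each PID."""
    children = defaultdict(list)
    images = {}
    for (parent, child), (parent_img, child_img) in edges.items():
        children[parent].append(child)
        images[parent] = parent_img
        images[child] = child_img
    return children, images


def roots(edges):
    """PIDs that wrote to others but were never written to themselves."""
    parents = {p for p, _ in edges}
    kids = {c for _, c in edges}
    return sorted(parents - kids)


def longest_chain(children, pid):
    """Longest parent->child path starting at pid (depth-first)."""
    best = [pid]
    for child in children.get(pid, []):
        candidate = [pid] + longest_chain(children, child)
        if len(candidate) > len(best):
            best = candidate
    return best


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def relaunch_loop(children, images, pid):
    """Chain of PIDs from pid, the image names on it, and whether it is a
    two-image ping-pong (script host and dropped binary relaunching each other)."""
    chain = longest_chain(children, pid)
    names = [image_name(images[p]) for p in chain]
    ping_pong = len(set(names)) == 2 and all(a != b for a, b in zip(names, names[1:]))
    return chain, names, ping_pong


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    children, images = build_tree(edges)
    for root in roots(edges):
        chain, names, ping_pong = relaunch_loop(children, images, root)
        print(f"root {root}: {len(chain)} processes, ping-pong={ping_pong}")
        print("  " + " -> ".join(f"{p}:{n}" for p, n in zip(chain, names)))
```

Run as-is it prints two roots: PID 2988, whose child 2636 has no further rows in this subset, and PID 2712, from which the chain runs eleven processes deep with six WScript.exe and five audiodg.exe instances alternating. The second-child edges (2688, 2192, 704, 2600) are the other .vbs each audiodg.exe launches and are dead ends in this table.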

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
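
The three values zeroed above are the registry backing of the UAC policy (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System). The script below is an added example, not part of the report: it parses rows in this table's format, collapses the repeated writes into one policy state per writing process, and states what each zeroed value does. The first rows embedded in it are copied from the table; the regedit row is constructed to show an unrelated value in the same key being ignored. The writer-location check and the wording of the effects are the example's own, not sandbox signatures.

```python
"""Assess UAC policy tampering from registry Set value rows.

Added example: parses rows in the sandbox's 'Set value (int) <path> = <data>
<process> <target>' format, collapses the repeats into one policy state per
writing process, and spells out what each zeroed value does to UAC.
"""
import re
from collections import defaultdict

POLICY_KEY = (r"\registry\machine\software\microsoft\windows"
              r"\currentversion\policies\system")

# What a data value of 0 means for each of the three values this sample clears.
ZEROED_EFFECT = {
    "enablelua": "UAC is switched off entirely; takes effect after the next reboot",
    "consentpromptbehavioradmin": "administrators elevate silently, no consent prompt",
    "promptonsecuredesktop": "any prompt still shown appears on the normal desktop, "
                             "where other processes can interact with it",
}

ROW_RE = re.compile(
    r'Set value \((?P<type>\w+)\)\s+(?P<path>\\REGISTRY\\\S+)\s*=\s*"(?P<data>[^"]*)"'
    r"\s+(?P<proc>.+?)\s+(?P<target>\S+)$"
)

# Rows copied from the table above; the last row is constructed as a control.
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName = "1" C:\Windows\regedit.exe N/A
'''.strip().splitlines()


def parse_row(line):
    """Split one row into key, value name, data and the writing process."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key, _, value = m["path"].rpartition("\\")
    return {"key": key.lower(), "value": value.lower(),
            "data": m["data"], "process": m["proc"]}


def is_os_component(process_path):
    """Legitimate writers of this key live under the Windows directory
    (group policy, secedit, regedit); a dropped binary elsewhere does not."""
    return process_path.lower().startswith("c:\\windows\\")


def assess_uac_policy(lines):
    """Map each writing process to the UAC values it set and their effect."""
    per_process = defaultdict(dict)
    for line in lines:
        row = parse_row(line)
        if row and row["key"] == POLICY_KEY and row["value"] in ZEROED_EFFECT:
            per_process[row["process"]][row["value"]] = row["data"]
    report = {}
    for process, values in per_process.items():
        zeroed = [name for name, data in values.items() if data == "0"]
        report[process] = {
            "values": values,
            "effects": [ZEROED_EFFECT[name] for name in zeroed],
            # Either value alone removes the elevation barrier for admin users.
            "elevation_prompt_removed": ("enablelua" in zeroed
                                         or "consentpromptbehavioradmin" in zeroed),
            "writer_is_os_component": is_os_component(process),
        }
    return report


if __name__ == "__main__":
    for process, info in assess_uac_policy(SAMPLE_ROWS).items():
        print(process)
        print("  os component:", info["writer_is_os_component"])
        for effect in info["effects"]:
            print("  -", effect)
```

On the rows above the dropped audiodg.exe ends up with all three values at 0 and the original sample with two; both writers sit outside the Windows directory, which is the simplest triage signal here since no OS component needs to touch this key from Program Files or a user's Temp folder.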

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Characters\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Characters\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Characters\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\taskhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QfKFARzT3K.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a4fe308-f618-45a3-bc40-1fc5bd65ee50.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f18bd75-f42e-40c0-b5f1-8d3ea4c29f91.vbs"

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d196dcf1-6c44-423a-9290-c48d0ead7539.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a01703ae-fc33-4f5d-b389-2b50f27d4169.vbs"

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ad69faa-2c36-4826-9920-78407d24a717.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f38ad831-e59e-4699-8647-d124e1845998.vbs"

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e091226-8037-480e-a287-f183f2d416ad.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9473b28-8dad-4040-a18f-e8bff03325d3.vbs"

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9d28426-1432-4aba-8c0b-c28d5f9e056d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a45fdc9-51ec-43d0-b950-1de604fb9112.vbs"

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1dd84ef-49ed-4eb4-a63a-87bbacc08884.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\659073ee-5bdc-4f2a-8ed0-64deb69b6b9b.vbs"

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5a3c4c9-395b-4b5a-96bd-9a6d5b7d7696.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\972e1763-5c3a-4e01-b2e5-0f17d4f96844.vbs"

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eddbd34f-a4b0-4143-83cf-13a648a89abf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caaf7143-6483-4d2c-8616-167c37ea97a3.vbs"

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6efc7fe8-ca06-46e3-88e9-ddf5282c8491.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94f7099e-9cd7-4af1-b3ee-cc601f2c554a.vbs"

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffff9ee7-37e4-4836-b771-8391cf43f8cd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd01d0ba-45a9-45a6-8e1d-87e061cb0329.vbs"

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f42c574-67b7-4f75-aba6-efb779979338.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90797f39-b5d3-43c5-8bec-0f96b1cd6454.vbs"

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34ca7435-eaf3-445f-b26b-2ace65bc58b2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32511f17-f971-4b06-8a6b-a5578e9ed99f.vbs"

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6797c93-5975-434b-ac28-e6b5fed544fe.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9356de14-5b9f-4522-98da-d3af4ed2ec57.vbs"

C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"
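
The Processes list above shows the persistence and launcher pattern in full: for every dropped copy, one ONLOGON task with /rl HIGHEST and one or two MINUTE-cadence tasks named after the image, a cmd /C batch file in Temp, w32tm /stripchart against localhost as a delay, and a WScript .vbs chain that relaunches the masqueraded audiodg.exe. The script below is an added example, not part of the report: it classifies command lines of that shape into findings. The sample lines are copied from the list above, except the NightlyBackup task, which is constructed as a benign control; the rules, the expected-directory list and the cadence threshold are the example's own heuristics, not the sandbox's signatures.

```python
"""Triage the process command lines listed above.

Added example: classifies schtasks /create invocations, the cmd /C batch
launcher, the w32tm delay trick, the WScript .vbs launchers and the
masqueraded audiodg.exe copy, and returns one finding per matched rule.
"""
import re
from dataclasses import dataclass

# Directories where the genuine copies of these Windows images live.
EXPECTED_DIRS = {r"c:\windows", r"c:\windows\system32",
                 r"c:\windows\syswow64", r"c:\windows\system32\wbem"}
# In-box Windows image names that this sample reuses for its copies.
WINDOWS_IMAGES = {"audiodg.exe", "wininit.exe", "explorer.exe",
                  "wmiprvse.exe", "csrss.exe", "taskhost.exe"}
USER_TEMP = "\\appdata\\local\\temp\\"

SCHTASKS_RE = re.compile(
    r"""schtasks(?:\.exe)?\s+/create\s+/tn\s+"(?P<name>[^"]+)"\s+/sc\s+(?P<sc>\w+)"""
    r"""(?:\s+/mo\s+(?P<mo>\d+))?\s+/tr\s+"'?(?P<target>[^'"]+)'?"(?P<rest>.*)$""",
    re.IGNORECASE,
)

# Copied from the Processes list above; the NightlyBackup line is a constructed control.
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\csrss.exe'" /f
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QfKFARzT3K.bat"
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a4fe308-f618-45a3-bc40-1fc5bd65ee50.vbs"
"C:\Program Files (x86)\Windows Portable Devices\audiodg.exe"
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "'C:\Tools\backup.exe'" /f
'''.strip().splitlines()


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def split_path(path):
    directory, _, image = path.lower().rstrip("\\").rpartition("\\")
    return directory, image


def is_masquerade(path):
    """A genuine Windows image name running from a directory it never lives in."""
    directory, image = split_path(path)
    return image in WINDOWS_IMAGES and directory not in EXPECTED_DIRS


def parse_schtasks(cmdline):
    """Pull task name, schedule, interval, target and run level out of a /create call."""
    m = SCHTASKS_RE.search(cmdline)
    if not m:
        return None
    return {"name": m["name"], "schedule": m["sc"].upper(),
            "every_minutes": int(m["mo"]) if m["mo"] else None,
            "target": m["target"], "highest": "/rl highest" in m["rest"].lower()}


def triage(cmdlines):
    findings = []
    for line in cmdlines:
        low = line.lower()
        task = parse_schtasks(line)
        if task:
            _, image = split_path(task["target"])
            stem = image.rsplit(".", 1)[0]
            name = task["name"].lower()
            # Task names here are the image name, plus one trailing letter on
            # the minute-cadence task ("audiodga", "csrssc", ...).
            if name == stem or (name.startswith(stem) and len(name) == len(stem) + 1):
                findings.append(Finding("task name derived from target image", f"{task['name']} -> {image}"))
            if task["schedule"] == "MINUTE" and task["every_minutes"] and task["every_minutes"] <= 15:
                findings.append(Finding("re-launch task with minute cadence", f"{task['name']} every {task['every_minutes']} min"))
            if task["highest"]:
                findings.append(Finding("task runs with highest privileges", task["name"]))
            if is_masquerade(task["target"]):
                findings.append(Finding("masqueraded system image as task target", task["target"]))
            continue
        if "w32tm" in low and "/stripchart" in low and "/computer:localhost" in low:
            findings.append(Finding("w32tm stripchart used as a sleep", line.strip()))
        elif "wscript.exe" in low and ".vbs" in low and USER_TEMP in low:
            findings.append(Finding("WScript launcher running a .vbs from user Temp", line.strip()))
        elif "cmd.exe" in low and " /c " in low and ".bat" in low and USER_TEMP in low:
            findings.append(Finding("cmd.exe running a batch file from user Temp", line.strip()))
        elif is_masquerade(line.strip().strip('"')):
            findings.append(Finding("masqueraded system image executed", line.strip()))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(f"[{finding.rule}] {finding.evidence}")
```

The three schtasks lines each produce three findings and the benign control produces none; the same rules can be pointed at Sysmon event 1 command lines or at `schtasks /query /v /fo csv` output from a suspect host, since the /create arguments are preserved in the task's action and trigger. Any task whose target is an in-box image name outside the expected directories is the highest-value signal, because there is no legitimate reason for csrss.exe to live under Mozilla Firefox\browser.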

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0979698.xsph.ru udp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp

Files

memory/1616-0-0x000007FEF50E3000-0x000007FEF50E4000-memory.dmp

memory/1616-1-0x00000000009D0000-0x0000000000B86000-memory.dmp

memory/1616-2-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

memory/1616-3-0x00000000001C0000-0x00000000001CE000-memory.dmp

memory/1616-4-0x00000000001D0000-0x00000000001D8000-memory.dmp

memory/1616-5-0x00000000001E0000-0x00000000001F0000-memory.dmp

memory/1616-6-0x0000000000470000-0x0000000000478000-memory.dmp

memory/1616-7-0x0000000000480000-0x0000000000488000-memory.dmp

memory/1616-8-0x00000000004B0000-0x00000000004BA000-memory.dmp

memory/1616-9-0x00000000004A0000-0x00000000004AC000-memory.dmp

memory/1616-10-0x00000000004C0000-0x00000000004C8000-memory.dmp

memory/1616-11-0x00000000004D0000-0x00000000004DC000-memory.dmp

memory/1616-12-0x00000000004E0000-0x00000000004E8000-memory.dmp

memory/1616-13-0x00000000004F0000-0x0000000000502000-memory.dmp

memory/1616-14-0x0000000000660000-0x000000000066C000-memory.dmp

memory/1616-15-0x00000000009A0000-0x00000000009A8000-memory.dmp

memory/1616-16-0x00000000009B0000-0x00000000009BC000-memory.dmp

memory/1616-17-0x00000000009C0000-0x00000000009CC000-memory.dmp

memory/1616-18-0x0000000002220000-0x0000000002228000-memory.dmp

memory/1616-19-0x0000000002230000-0x000000000223C000-memory.dmp

memory/1616-20-0x0000000002240000-0x000000000224A000-memory.dmp

memory/1616-21-0x0000000002250000-0x000000000225E000-memory.dmp

memory/1616-22-0x0000000002260000-0x000000000226C000-memory.dmp

memory/1616-23-0x0000000002270000-0x0000000002278000-memory.dmp

memory/1616-24-0x0000000002280000-0x000000000228A000-memory.dmp

memory/1616-25-0x0000000002290000-0x000000000229C000-memory.dmp

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe

MD5 a043d8deaf4cb618bcd1973d06c8c670
SHA1 9f0644411da819485df9bc1f0e23eb6b65ea15af
SHA256 e659c778f5a724d4a05b742397966e8d9db42366225f826361e0279c1f30af9d
SHA512 2808f2914cc69f7d0ab994c17719c1df821bf8dc6883da4a8b728ee8e21796c5d26f4968dca08da44d344381fd725c5cfb363c77966a03e490b3e693eca37843

C:\Users\Admin\AppData\Local\Temp\QfKFARzT3K.bat

MD5 d46c0825cb05feabd05589528d187c21
SHA1 704d84a424a539dd4c5a8608a617645301e10646
SHA256 c084dd9578ae95f54a80d92f5377ccc0fd472837a0150296b22574a1b2d6b8b3
SHA512 dc2983497cc15e98d6fbff5086d9ba94b7efe16e5f8a67bf5aac0b5004ab487f5253b66c90ce7c6b6cf732f8f24e9a979fa630f63c78ed908a04565ccbe240a2

memory/1616-61-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

memory/1560-64-0x0000000000FF0000-0x00000000011A6000-memory.dmp

memory/1560-65-0x00000000005E0000-0x00000000005F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9a4fe308-f618-45a3-bc40-1fc5bd65ee50.vbs

MD5 fbeb028e38f7b60de5e9ab83a9057084
SHA1 a0f701fff9a3854dbed20c3778a54b78dd6a289c
SHA256 2edd86c653bcd77cf7509dda71cc3b5dc9bf68065ba1cf264114b37292e9ee56
SHA512 0b34241059d8e0edbee703e2a24dd22182029c977767ccd617c3b78e7a50c0e2aa2f98a99a5430a1bf3c3a600678044f024df5277259f88298da3e16984dd264

C:\Users\Admin\AppData\Local\Temp\5f18bd75-f42e-40c0-b5f1-8d3ea4c29f91.vbs

MD5 efedbf9a103c375cb662cf274e1b6940
SHA1 7a4a6df469b63a3dee04b2ce01d746925e2a414d
SHA256 0f41a89ade393c58b096d39b63a9bec380110aafa05dcecf9a702508b33fb792
SHA512 45d9628843b9e1ea396307486b99f6ce71de3e0ace62710cca4526376b22a1209b23b9ee9d74027cd090372384440181bb4ef30c4bc4398ee79b739c1689af74

memory/2988-76-0x0000000001140000-0x00000000012F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d196dcf1-6c44-423a-9290-c48d0ead7539.vbs

MD5 a7a0fb702f20d7f62ff1a15ac45bcb6d
SHA1 0b6def2ecc477ce285a714dfe656b5f6cfe29fdd
SHA256 4290aac9c9611924d8e3fc11f1831b5682adfe080d3c0ccb82dff81403947b65
SHA512 f0ad5c7a7b176b54dfe351e05f4f40ca596ae68499847fb3b8f8157c038f6c16dd2bffbc518d1e560b20635890cbcd6b9934988faff6ab14a481ebb6b0a55ae8

memory/2400-88-0x0000000000660000-0x0000000000672000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3ad69faa-2c36-4826-9920-78407d24a717.vbs

MD5 52ac0854acbf32050bfcbfd90e55b3e8
SHA1 63dd2a1d9566f7d475c0efcc25d0b12337fa3d9d
SHA256 5ce48e3358ed542b14e35ccf9fd9236171827714f49b840dd9e7bd1b608036c2
SHA512 c8c3b9c61f4be3776dcb4ec686cfc7aba683355262b578cb0f44b4d70823ddf30725cc750f4ba281950a53782aea612f7296d4f8524e35d94c7a42d20b868e38

C:\Users\Admin\AppData\Local\Temp\1e091226-8037-480e-a287-f183f2d416ad.vbs

MD5 10c590482576d672715b6f2b9fe88553
SHA1 3283538ea786f3583eb310141043a490ac0182c0
SHA256 f1220c3f11ee9b24c62b6d43e4fc5b758d3cfeb4605fd7340a0411400dcb6de2
SHA512 5bff63361c3c357c55e21fb3d4491437f045a6844b9c06eca798c9fad1f8117b2d50056ca8de7a97a6a6cd136c050ceb4e88d8be01ef29a7a59ae8e14c82bdae

memory/2704-111-0x00000000002F0000-0x00000000004A6000-memory.dmp

memory/2704-112-0x0000000002050000-0x0000000002062000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a9d28426-1432-4aba-8c0b-c28d5f9e056d.vbs

MD5 14f4ed1f8574291da4f4fe4496383a32
SHA1 0b79ba97370e0e7d3e03158c34e6768d40fdb9ef
SHA256 cf94dc548341e3eb4708a3e3ae074d20ff8a8ca26e714bcb116e1ab768d90ce9
SHA512 77c4072868c8f3e5803dd4461ab5692624e42f6a94511af53f6a7dbc98255b630813ff75f6c7aecfb2dec7aa5bb62a9c22c3cc4a026921fd243334190823ec86

memory/2212-124-0x0000000000300000-0x00000000004B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d1dd84ef-49ed-4eb4-a63a-87bbacc08884.vbs

MD5 ba319eb4391eecc549be47234e8fe0e2
SHA1 009532ad6d4c25a438973b8f554408f050d1bc65
SHA256 830f539b48218ccf508cfe7ab0b291b80e9838274f9b775010eefffcf0ef429b
SHA512 a29656045ca403339f96c377ac5c44aa3142462ce654505829f4d6bd2e61848bd79a0b324549b2b689c0167cb4a2c85699dd74906184f299dc5cd45fda06f2f2

memory/1628-136-0x0000000001210000-0x00000000013C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f5a3c4c9-395b-4b5a-96bd-9a6d5b7d7696.vbs

MD5 b3ce9174068707a81d58c0c8cc916ada
SHA1 8ce87c58dba29d24b493cc0a886cfe18b255589e
SHA256 bce9e9058e6ed981a3ccaf48969aaf768eb66ae3966b5aaee6eb348721bb69ab
SHA512 616efc82e94b480378638c6b21a0353d682f42e999caf55f0f2a77ebc6d429560a32b183f46c35179c139f82631e9dfdf725d64cfdca868085c96bdc27bbaabc

C:\Users\Admin\AppData\Local\Temp\eddbd34f-a4b0-4143-83cf-13a648a89abf.vbs

MD5 6adc4ce1fd1805880e64203dbdee515c
SHA1 7e461beb4217eb81c06375ea87c27a84ffd91974
SHA256 6cfa3e032825f82b7344929c023a7fbc4a3724a6666456db72a12364c503f89c
SHA512 a2aabfd44b4b6b0ffe546b8fc40623d317f231304a2c9b79c3bc71bd297d9b5aab0d832d9595ca84292c100114a1b63d1946f7d7d5c0f0492a4e093e6608250a

C:\Users\Admin\AppData\Local\Temp\6efc7fe8-ca06-46e3-88e9-ddf5282c8491.vbs

MD5 ccd21f46c8c0df0df5f376d216b76f27
SHA1 b6360f177fa2076e9efbb33c43497e75666d9b07
SHA256 b18775982ea1b6f273f81b53cea14cf237ef09676ee558421411f357637b48ab
SHA512 da8de5db15d7f1dee4363a1aa0db34938cda75dfbbbd43423cc54313debf5c857c14de84cd119d20a0b4f61076bcd1a91babbaab538ede1bf9d0bff1aa037dda

memory/1508-170-0x0000000000670000-0x0000000000682000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ffff9ee7-37e4-4836-b771-8391cf43f8cd.vbs

MD5 eb11e8cde6d91e053303540f1c9c256d
SHA1 b952c26815a9413cd684510d12f3d7d50765cb64
SHA256 32af2138310dd20956e3bd198257eb0345e3bb095cde6912b8f1a4eaa670d39d
SHA512 f2815d6630cda3df241ea4657e79c6eb4bb1d3992dc922dadf3f5c4ce109d559afa33e555fabf1b1da0fc65ad33fc447b16e09c8252a2278c164116869ac0b92

C:\Users\Admin\AppData\Local\Temp\9f42c574-67b7-4f75-aba6-efb779979338.vbs

MD5 40ad6dfe498a6fe96d88afa6bcdc38a6
SHA1 c18ce036b8e083daf91932339da0fa2740ae0de8
SHA256 c3a85b5f6346f44bf06ea87861602e463fcda055ad1c1facbd20ec9e637adc05
SHA512 498cd12bf1f2eca7f1b9cc69c39b79d14dab73420e54d0be6a700c18e6cb309147ee309181cb4e3c6aa2e0d6ab90fc39feb706e060659c6716eadb51fb594d60

memory/3048-193-0x0000000000350000-0x0000000000506000-memory.dmp

memory/3048-194-0x0000000000790000-0x00000000007A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34ca7435-eaf3-445f-b26b-2ace65bc58b2.vbs

MD5 d83f984e0c53a3af86b0fbcbd332afb8
SHA1 eb0dedc20221503e422162767d4c0a9ebbd97875
SHA256 524d1ef2ca633f6f81b208d63440b3bd5930dfde417b46dc0402dc43ef12f1c2
SHA512 9a6a3db52e11fb1c64e7c3714997bbde3a2ea5ac8de89466b296096ab2809b0898415ca466cdc7f02933e87c2014fc10c99d7efa236b6129d87ce5b82439dd55

C:\Users\Admin\AppData\Local\Temp\d6797c93-5975-434b-ac28-e6b5fed544fe.vbs

MD5 72ce69ccc5a9db460f0d20df868b6c20
SHA1 b60598bd80404cdd190afb39ad3557b4b09b7a6e
SHA256 087dff6c4650b722426c10765d403716f5e1a88a8a1f67db68124b796802e7e1
SHA512 ca4782ca5561876f7065c58da578ed54fc22e5b8c9300b8dc5365009673b6309d32e09d29c6a71aec5342069e69f2f181c844e8afefc69097d5bc31f5cf92871

memory/348-217-0x0000000000EB0000-0x0000000001066000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 10:35

Reported

2024-06-03 10:38

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
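The fifteen rows above all record the same pair: the WMI provider host (wmiprvse.exe) starting schtasks.exe. That parent normally hosts WMI providers and does not launch scheduler or shell tooling; it appears as the parent when a WMI client calls Win32_Process.Create, which also hides the real caller from naive parent-image rules. The following Python check is an added example and is not part of this report or of the sandbox's own rule set. EXPECTED_PARENTS and WMI_HOSTS are a constructed minimal baseline (assumptions, not a vendor list), and the sample events are made up to mirror the report's observations with invented PIDs; only the image paths are taken from the report.

```python
"""Parent/child process anomaly check.

Added example; not part of this sandbox report or of the sandbox's rule set.
EXPECTED_PARENTS and WMI_HOSTS are a constructed baseline (assumptions), and
SAMPLE_EVENTS are constructed with invented PIDs; image paths come from the report.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed baseline: for these child images, only the listed parents are
# considered normal. Build the real list from your own fleet telemetry.
EXPECTED_PARENTS: Dict[str, Set[str]] = {
    "schtasks.exe": {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe", "msiexec.exe"},
    "wscript.exe": {"explorer.exe", "cmd.exe"},
}

# The WMI provider host services WMI calls; if it launches a scheduler or shell
# binary, a WMI client (here, the RAT) drove the execution.
WMI_HOSTS = {"wmiprvse.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the new process
    parent_image: str  # full path of its parent


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a reason string if the parent/child pair is suspicious, else None."""
    child, parent = basename(ev.image), basename(ev.parent_image)
    if parent in WMI_HOSTS:
        return f"{parent} spawned {child} (WMI-driven execution)"
    allowed = EXPECTED_PARENTS.get(child)
    if allowed is not None and parent not in allowed:
        return f"{child} spawned by unexpected parent {parent}"
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and keep only the hits, in event order."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.pid, reason))
    return hits


# Constructed sample events (PIDs invented; image paths taken from the report).
SAMPLE_EVENTS = [
    ProcEvent(4100, 2880, r"C:\Windows\system32\schtasks.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe"),      # the pair flagged above
    ProcEvent(4104, 3900, r"C:\Windows\system32\schtasks.exe",
              r"C:\Windows\system32\cmd.exe"),                 # benign: allowed parent
    ProcEvent(3344, 5072, r"C:\Windows\System32\WScript.exe",
              r"C:\Recovery\WindowsRE\sysmon.exe"),            # dropped copy launching VBS
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {reason}")
```

The check fires on both patterns seen in this detonation: schtasks.exe under wmiprvse.exe, and WScript.exe under the dropped C:\Recovery\WindowsRE\sysmon.exe (the RAT's copy, not Sysinternals Sysmon). In production, pair it with a source that records the real caller, such as Sysmon event ID 1's ParentImage/ParentCommandLine or the Microsoft-Windows-WMI-Activity/Operational log, because the sandbox rows above do not record which process issued the WMI call.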

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\sysmon.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
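The writes in the UAC bypass table and in this one all target three values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Writing that key already requires an administrative token, so these rows show the RAT neutering UAC for later elevations rather than defeating an active prompt: EnableLUA = 0 switches UAC off after the next reboot, ConsentPromptBehaviorAdmin = 0 makes administrators elevate with no prompt, and PromptOnSecureDesktop = 0 draws any remaining prompt on the normal desktop where other processes can reach it. The Python script below is an added example, not part of the report; it parses rows in the exact text layout used above and summarises which writes weaken UAC. The defaults in UAC_VALUES are Windows 10 defaults (an assumption about the detonation image), and the last SAMPLE_ROWS entry is constructed and does not appear in the report.

```python
r"""Triage UAC-policy writes from the registry rows in this report.

Added example, not part of the sandbox report. Parses rows laid out as
  Set value (int) <key>\<name> = "<data>" <process> N/A
and explains which writes weaken UAC. UAC_VALUES defaults are Windows 10
defaults (assumption); the final SAMPLE_ROWS entry is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (Windows 10 default, what writing 0 does)
UAC_VALUES: Dict[str, Tuple[int, str]] = {
    "EnableLUA": (1, "UAC off entirely; admins get full tokens at next logon (needs reboot)"),
    "ConsentPromptBehaviorAdmin": (5, "admins elevate silently with no consent prompt"),
    "PromptOnSecureDesktop": (1, "elevation prompt drawn on the normal desktop, reachable by other processes"),
}

ROW_RE = re.compile(
    r'^Set value \(int\) ' + re.escape(UAC_KEY)
    + r'\\(?P<name>\w+) = "(?P<data>-?\d+)" (?P<process>.+?) N/A$'
)


def parse_row(row: str) -> Optional[Tuple[str, int, str]]:
    """(value name, integer data, writing process) for a 'Set value (int)' row, else None."""
    m = ROW_RE.match(row.strip())
    return (m["name"], int(m["data"]), m["process"]) if m else None


def assess(name: str, data: int) -> Optional[str]:
    """Describe the effect if this write weakens UAC; None for untracked values or non-zero data."""
    if name not in UAC_VALUES:
        return None
    default, effect = UAC_VALUES[name]
    return effect if data == 0 and default != 0 else None


def summarize(rows: List[str]) -> Dict[str, dict]:
    """Group weakening writes by value name: write count, writing processes, effect."""
    out = defaultdict(lambda: {"writes": 0, "processes": set(), "effect": ""})
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue            # 'Key value queried' and unrelated rows
        name, data, proc = parsed
        effect = assess(name, data)
        if effect is None:
            continue            # e.g. a write restoring the default
        out[name]["writes"] += 1
        out[name]["processes"].add(proc)
        out[name]["effect"] = effect
    return {k: {**v, "processes": sorted(v["processes"])} for k, v in out.items()}


# Rows 0-4 are copied from the tables above; row 5 is constructed (not in the report).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\sysmon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\regedit.exe N/A',
]

if __name__ == "__main__":
    for name, info in summarize(SAMPLE_ROWS).items():
        print(f"{name}: {info['writes']} write(s) by {info['processes']} -> {info['effect']}")
```

Run against the full tables the script attributes nearly every write to the dropped sysmon.exe, with the original NeikiAnalytics.exe making the first writes; the repeated rows are the relaunched copies re-applying the same policy. For incident response the remediation check is the inverse of assess(): EnableLUA and PromptOnSecureDesktop back to 1 and ConsentPromptBehaviorAdmin back to 5 (or 2 for the stricter "always prompt" setting), followed by a reboot so EnableLUA takes effect.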

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\sysmon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A
N/A N/A C:\Recovery\WindowsRE\sysmon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sysmon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe C:\Recovery\WindowsRE\sysmon.exe
PID 224 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe C:\Recovery\WindowsRE\sysmon.exe
PID 5072 wrote to memory of 3344 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 5072 wrote to memory of 3344 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 5072 wrote to memory of 4752 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 5072 wrote to memory of 4752 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 3344 wrote to memory of 2512 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 3344 wrote to memory of 2512 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 2512 wrote to memory of 1152 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 1152 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 2324 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 2324 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 1152 wrote to memory of 2616 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 1152 wrote to memory of 2616 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 2616 wrote to memory of 3208 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 2616 wrote to memory of 3208 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 2616 wrote to memory of 4844 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 2616 wrote to memory of 4844 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 3208 wrote to memory of 3020 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 3208 wrote to memory of 3020 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 3020 wrote to memory of 3260 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 3020 wrote to memory of 3260 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 3020 wrote to memory of 1184 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 3020 wrote to memory of 1184 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 3260 wrote to memory of 4500 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 3260 wrote to memory of 4500 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 4500 wrote to memory of 2308 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 4500 wrote to memory of 2308 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 4500 wrote to memory of 4476 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 4500 wrote to memory of 4476 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 2308 wrote to memory of 4424 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 2308 wrote to memory of 4424 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 4424 wrote to memory of 2488 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 4424 wrote to memory of 2488 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 4424 wrote to memory of 4736 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 4424 wrote to memory of 4736 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 3612 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 2488 wrote to memory of 3612 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 3612 wrote to memory of 2220 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 3612 wrote to memory of 2220 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 3612 wrote to memory of 2628 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 3612 wrote to memory of 2628 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 2220 wrote to memory of 4428 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 2220 wrote to memory of 4428 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 4428 wrote to memory of 2632 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 4428 wrote to memory of 2632 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 4428 wrote to memory of 2000 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 4428 wrote to memory of 2000 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 2632 wrote to memory of 1636 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 2632 wrote to memory of 1636 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 1636 wrote to memory of 464 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 1636 wrote to memory of 464 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 1636 wrote to memory of 2240 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 1636 wrote to memory of 2240 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 464 wrote to memory of 1468 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 464 wrote to memory of 1468 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 1468 wrote to memory of 3328 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 1468 wrote to memory of 3328 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 1468 wrote to memory of 4936 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 1468 wrote to memory of 4936 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 3328 wrote to memory of 2712 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 3328 wrote to memory of 2712 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe
PID 2712 wrote to memory of 408 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
PID 2712 wrote to memory of 408 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe
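Read as edges, the rows above are a process tree rather than injection: in this sandbox's output a parent writing into a just-created child is CreateProcess set-up, and the chain alternates between the dropped C:\Recovery\WindowsRE\sysmon.exe and WScript.exe, each sysmon.exe instance launching two script hosts of which one relaunches sysmon.exe. The Python below is an added example, not part of the report, that rebuilds the chain and counts the script-driven relaunches. SAMPLE_ROWS are the first fourteen rows of the table copied verbatim (each edge appears twice, which the parser collapses); the assumptions are that every write row is a parent/child edge and that the image paths contain no spaces, which holds for the rows in this report.

```python
r"""Rebuild the process chain from the 'PID X wrote to memory of Y' rows above.

Added example, not part of the sandbox report. SAMPLE_ROWS are the first
fourteen rows of the table, copied verbatim (each edge is listed twice there
and parse_edges() collapses the duplicates). Assumptions: each row is a
parent/child edge, and image paths contain no spaces.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

ROW_RE = re.compile(
    r'^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A (?P<src>\S+) (?P<dst>\S+)$'
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_edges(rows: List[str]) -> Tuple[Dict[int, int], Dict[int, str]]:
    """Return {child_pid: parent_pid} and {pid: image path} for every PID seen."""
    parent_of: Dict[int, int] = {}
    image: Dict[int, str] = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        p, c = int(m["parent"]), int(m["child"])
        image[p], image[c] = m["src"], m["dst"]
        parent_of[c] = p          # repeated rows collapse onto one edge
    return parent_of, image


def roots(parent_of: Dict[int, int]) -> List[int]:
    """PIDs that act as parents but never appear as a child: the chain origin(s)."""
    return sorted(set(parent_of.values()) - set(parent_of))


def longest_chain(root: int, parent_of: Dict[int, int], image: Dict[int, str]) -> List[Tuple[int, str]]:
    """Deepest root-to-leaf path as (pid, image basename) tuples."""
    kids = defaultdict(list)
    for c, p in parent_of.items():
        kids[p].append(c)
    best: List[Tuple[int, str]] = []

    def walk(pid: int, path: List[Tuple[int, str]]) -> None:
        nonlocal best
        path = path + [(pid, basename(image[pid]))]
        if len(path) > len(best):
            best = path
        for k in sorted(kids.get(pid, [])):
            walk(k, path)

    walk(root, [])
    return best


def relaunch_count(chain: List[Tuple[int, str]], payload: str = "sysmon.exe",
                   launcher: str = "wscript.exe") -> int:
    """Count payload instances started by the script host, i.e. self-relaunches via VBS."""
    return sum(1 for (_, a), (_, b) in zip(chain, chain[1:]) if a == launcher and b == payload)


# First fourteen rows of the table above, verbatim.
SAMPLE_ROWS = [
    r"PID 224 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe C:\Recovery\WindowsRE\sysmon.exe",
    r"PID 224 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe C:\Recovery\WindowsRE\sysmon.exe",
    r"PID 5072 wrote to memory of 3344 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe",
    r"PID 5072 wrote to memory of 3344 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe",
    r"PID 5072 wrote to memory of 4752 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe",
    r"PID 5072 wrote to memory of 4752 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe",
    r"PID 3344 wrote to memory of 2512 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe",
    r"PID 3344 wrote to memory of 2512 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe",
    r"PID 2512 wrote to memory of 1152 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe",
    r"PID 2512 wrote to memory of 1152 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe",
    r"PID 2512 wrote to memory of 2324 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe",
    r"PID 2512 wrote to memory of 2324 N/A C:\Recovery\WindowsRE\sysmon.exe C:\Windows\System32\WScript.exe",
    r"PID 1152 wrote to memory of 2616 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe",
    r"PID 1152 wrote to memory of 2616 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\sysmon.exe",
]

if __name__ == "__main__":
    parent_of, image = parse_edges(SAMPLE_ROWS)
    for root in roots(parent_of):
        chain = longest_chain(root, parent_of, image)
        print(" -> ".join(f"{pid}:{name}" for pid, name in chain))
        print("script-driven relaunches:", relaunch_count(chain))
```

Over the whole table the chain runs more than ten generations deep inside the 150 s detonation, and the second WScript.exe under each sysmon.exe (4752, 2324, 4844, ...) is always a leaf in these rows. For hunting, that means many short-lived sysmon.exe instances under C:\Recovery\WindowsRE; pivoting on WScript.exe as the parent of an executable outside Program Files and System32, or on the GUID-named .vbs files in %TEMP% listed above, gives a steadier signal than the payload name, which this sample chose to resemble a legitimate tool.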

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\sysmon.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Recovery\WindowsRE\sysmon.exe

"C:\Recovery\WindowsRE\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db90feae-79cc-4e36-b361-b45612c25de1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e618cc36-09f3-44c4-81ab-5d77a554aaf5.vbs"

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9e6a750-a425-4741-a099-afc91a7fb6c5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f50b93e-eb6c-4adf-b112-8000acc27d04.vbs"

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db1600be-5cb4-4219-a24a-bd8026858741.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3a324d6-9e33-441f-8a76-930f010d4fb5.vbs"

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed78caeb-a315-434f-9f41-aec9280cc80f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19076ac5-7a1b-4a6e-a67f-adc1d721cdc2.vbs"

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24784853-a9ee-4c1f-b63c-700810593d01.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af7dd437-16e8-48d7-baa7-2118ced17dc0.vbs"

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90d26095-6b16-47cf-a6f6-4286c947e69d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f4a0114-f8bb-42f4-af2f-cf4f0d9c2e8a.vbs"

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29459002-46a9-44ae-8bf5-9e008cb7c0a7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a776865-176c-41b8-acdb-a14650634c01.vbs"

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\229a6ba4-8800-45d7-be2a-48618a9facd7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c3a8318-602f-4d3e-ab90-d7d90b889d88.vbs"

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\826852ed-7b09-49be-8013-22c1e2b3836e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82772869-3fd6-4895-b1bc-663c3fe60535.vbs"

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25b88613-81d1-455f-9ae6-77f5e001dfd7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fa941ba-e64d-4c41-85f1-666399767822.vbs"

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be0c4446-96a6-4941-9c14-8a6a49f907b9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54372aea-51aa-4f7d-9b69-5b195ac43fab.vbs"

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bea1458-8c35-4f63-8737-b0a2480846d8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cc2fb12-db7a-435d-a139-551d8b524c02.vbs"

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\690b31e5-92d1-4df8-ab4e-903d5840db93.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a28708bc-bada-4726-95ea-f909e69f2942.vbs"

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66356032-baf5-4d32-84c0-0e2176581a63.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d3e4a60-9669-486a-98f7-5fe755d7c9bc.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 a0979698.xsph.ru udp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
US 8.8.8.8:53 6.192.8.141.in-addr.arpa udp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp
RU 141.8.192.6:80 a0979698.xsph.ru tcp

Files

memory/224-0-0x00007FF96DF73000-0x00007FF96DF75000-memory.dmp

memory/224-1-0x0000000000AC0000-0x0000000000C76000-memory.dmp

memory/224-2-0x00007FF96DF70000-0x00007FF96EA31000-memory.dmp

memory/224-3-0x0000000002D50000-0x0000000002D5E000-memory.dmp

memory/224-4-0x0000000002D60000-0x0000000002D68000-memory.dmp

memory/224-5-0x000000001B850000-0x000000001B860000-memory.dmp

memory/224-6-0x000000001B860000-0x000000001B868000-memory.dmp

memory/224-8-0x000000001B8D0000-0x000000001B8DA000-memory.dmp

memory/224-7-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

memory/224-9-0x000000001B8E0000-0x000000001B8EC000-memory.dmp

memory/224-10-0x000000001B8F0000-0x000000001B8F8000-memory.dmp

memory/224-12-0x000000001B910000-0x000000001B918000-memory.dmp

memory/224-13-0x000000001C0A0000-0x000000001C0B2000-memory.dmp

memory/224-11-0x000000001B900000-0x000000001B90C000-memory.dmp

memory/224-14-0x000000001C600000-0x000000001CB28000-memory.dmp

memory/224-15-0x000000001C0D0000-0x000000001C0DC000-memory.dmp

memory/224-17-0x000000001C0F0000-0x000000001C0FC000-memory.dmp

memory/224-16-0x000000001C0E0000-0x000000001C0E8000-memory.dmp

memory/224-18-0x000000001C100000-0x000000001C10C000-memory.dmp

memory/224-20-0x000000001C220000-0x000000001C22C000-memory.dmp

memory/224-19-0x000000001C210000-0x000000001C218000-memory.dmp

memory/224-21-0x000000001C230000-0x000000001C23A000-memory.dmp

memory/224-22-0x000000001C340000-0x000000001C34E000-memory.dmp

memory/224-23-0x000000001C350000-0x000000001C35C000-memory.dmp

memory/224-24-0x000000001C360000-0x000000001C368000-memory.dmp

memory/224-25-0x000000001C370000-0x000000001C37A000-memory.dmp

memory/224-26-0x000000001C380000-0x000000001C38C000-memory.dmp

C:\Recovery\WindowsRE\lsass.exe

MD5 a043d8deaf4cb618bcd1973d06c8c670
SHA1 9f0644411da819485df9bc1f0e23eb6b65ea15af
SHA256 e659c778f5a724d4a05b742397966e8d9db42366225f826361e0279c1f30af9d
SHA512 2808f2914cc69f7d0ab994c17719c1df821bf8dc6883da4a8b728ee8e21796c5d26f4968dca08da44d344381fd725c5cfb363c77966a03e490b3e693eca37843

memory/224-101-0x00007FF96DF70000-0x00007FF96EA31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db90feae-79cc-4e36-b361-b45612c25de1.vbs

MD5 f7d7048aecf16a6fe7d2161e6c13ca0e
SHA1 e8879b309a101194c5450fae1a0d7ee31f2d9ef1
SHA256 7acf97cb5089cf96132b9639d746223b65897089f9d331d687c5b19f0e8cf113
SHA512 fcfc0e936476ace9ec965189d5ef9db49f95c4377ab252a5e9593973e6448a7167d145a91b4ce92f25e16105e3cbfd4b31f16f31db25711ff87acb846b719857

C:\Users\Admin\AppData\Local\Temp\e618cc36-09f3-44c4-81ab-5d77a554aaf5.vbs

MD5 651fb665c64794d67d879d149b31673f
SHA1 fdde5b4f552f2252c626fe62281c40c3402cfdf1
SHA256 df956cc9bd41ab3db1667e943401b9af96bb8c40e084252441e0d544ecb8bb55
SHA512 b368b567ea234161a65d81f7f5e62a8915a29c51c97c179f6a7586a36a9d0e7250e6b6566c2b00f0619eaf16bb9773174f2baac519b7444f68b0bf1f49dce2cb

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

MD5 caa9da90d9bfc2c0fbadbf7eb57d1aae
SHA1 b0237d1cdb8c7fdb6f89e72475dbfb639c025ed7
SHA256 b5c2348671b5ad62cc02ded41adcf1855341bd6d20706bf45d9d68e4cddd4bbd
SHA512 da20485cf87f6e9b95141dea062188b5a2299ff1e1a7f83446afac0d8b70a2d18d02b60b232b2c9e6af5071906dd08f41cf4637379165c1823a9fa9b82d155d8

C:\Users\Admin\AppData\Local\Temp\a9e6a750-a425-4741-a099-afc91a7fb6c5.vbs

MD5 12d4fbd0bc4e22230f70dbca364c2f29
SHA1 fea62baf4773ebb9d579c61bf3c16ca6d0b08aa8
SHA256 c22dd5930a5f7b84bc0c5c134161cc63ecac7b40061b3e9d2ee383de9c2a7ebb
SHA512 efd5abbe468b0c0940b29f4ec1404a85d9c37fe19b97fd24163ad7ce0b1f67c50d4cc6a0ad89451e58b62fbb104a92e4388e5bea3dbb679a1d6c07b940e18efb

C:\Users\Admin\AppData\Local\Temp\db1600be-5cb4-4219-a24a-bd8026858741.vbs

MD5 447c57f02a33ed1368664c5ac661e732
SHA1 4f54f18b94635af305b4dbaf2e28c53a8608b51c
SHA256 b747f370ae9edd4c30c20b70cb318d20b02d9873e2dfeeeb1da15e66d6fef5f8
SHA512 ea2c23e567bc7e91519e5f46d5a7fc58facbefdc9c9c956920729fd4fab005eb0b350e6fc7bda0f8d9c8cdc8ed19b200ffbe619f08e34a5baf70fa930d217a43

C:\Users\Admin\AppData\Local\Temp\ed78caeb-a315-434f-9f41-aec9280cc80f.vbs

MD5 5e17c6d60a5ca3727c27ab43956203e4
SHA1 4e905af8c2cf75d501760ed5e67008cb4f03db62
SHA256 640cd372f4abd261feba95a5800ea2ce8b00a1d387953f9261d2979637d347d4
SHA512 046da46639e485adfa57005beeb2a598f069eafacc0dc9ae5d2c0f7ece7685ceea38edf7c319c9ff417bef942d315b1caec2bab9458f5853ebdfb5b119cf0a1d

C:\Users\Admin\AppData\Local\Temp\24784853-a9ee-4c1f-b63c-700810593d01.vbs

MD5 598f16412d1299669ea13d1b2da971ea
SHA1 af925592b0e52c26d20922728aa280c3822627e0
SHA256 c1ec60c3c6c259f2389a0ec58a74736a8dc1f191b9b70ebf2470577b11c2a895
SHA512 f1995bcf21e6638d1863f641b65138e1a24888787786e4bc1b411609d8a03396b8dd411fc5d1a3916cf9d5e535fda0e472fb6f944b2b6a9829505ec3a21a8f38

C:\Users\Admin\AppData\Local\Temp\90d26095-6b16-47cf-a6f6-4286c947e69d.vbs

MD5 af43632c155d56f6daa9f8cf06f9e94b
SHA1 2391d0f23d35c9a7bb5281a0b2a3a060476a35ee
SHA256 11a20a727f56cb5878468d0d0e14d7b487ec9929510936ad8168115d360622b7
SHA512 3ca7171cf1ad5d6f8027a9d910abdf5223c08e061ed120dd1a4824d23e82f1c50ebf6de8769afe2f937b6b1e43deee6dad4121ec021f06727d400bac1bf08e41

C:\Users\Admin\AppData\Local\Temp\29459002-46a9-44ae-8bf5-9e008cb7c0a7.vbs

MD5 e0804ff93c725aaa3c8355213fa3b298
SHA1 1e927a3eba22380da9bf86e916ed7e96c8ceed9a
SHA256 60fa566fab1dbcef3d46eb2fdcd2778fc9d4bb0e247553a73bbb055ce7d338f3
SHA512 5d363f9950938928b7dd73019d8b25d97b2cb3529733cc852248519b476c55c2c0bfb4095129ca205bd23c249bb2a040ecf897f8526324c61b3df326f4a34463

C:\Users\Admin\AppData\Local\Temp\229a6ba4-8800-45d7-be2a-48618a9facd7.vbs

MD5 7bac388fa6fc6edd4ee2a56e0e704a71
SHA1 0470ca2b7172d3936643bd697a26419d4ea15512
SHA256 c03cf3e28e95ffd32176673b85db2cdf308d2216808b1cd4ed0f8ca0ae8a8567
SHA512 9704ef8d00d9d7650e430a5496c913012b4129969bd279cbbec55350212e12d7af681fa013773ee16cff4b98f90bda0b2bed8d6c49d6132d3ab96c869f1f8523

C:\Users\Admin\AppData\Local\Temp\826852ed-7b09-49be-8013-22c1e2b3836e.vbs

MD5 ea2f20a811dea38354975bb146dc13c8
SHA1 e12d77bdb64e07ea020b6200d16fe51ba67041a6
SHA256 e75ed7e09c2c6654ae314b780550e21937feda08d98fd7e7544fa98a8c2e4074
SHA512 03e9a72fefb0ab058c8d3a850601c6716ca34e3b57d63553a036306f2e8e67d5dff001cbbdbb45d79edd256a15b7fa23d9a774e519524b17befced8c83cfefc7

memory/1468-202-0x000000001AFE0000-0x000000001AFF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\25b88613-81d1-455f-9ae6-77f5e001dfd7.vbs

MD5 2ef9b84af6eb0795e35756aba5b22389
SHA1 94f57038d38ed0ac2508e123ba861d41127c1267
SHA256 71535db6b2d5f74fbcb77d860abfc84759e4df2cbb8492451096ff21f5e984ac
SHA512 b5617403eba4b57a8aba96415997204dc95b8da0221cc7317df3e38bd58c21656fe798f2574ae9d4127af4b6075f650722209b250ea1af0b8060e9c52bba039d

memory/2712-214-0x000000001BAE0000-0x000000001BAF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\be0c4446-96a6-4941-9c14-8a6a49f907b9.vbs

MD5 937bfc565452e01e5867407c8280db16
SHA1 ee0d3bde26545eada14cd356a052960a6c4a71ef
SHA256 a713aaa8272b0b4b4acc4beaae73d8edfb1962b79c5cdc941843b824620cc9d6
SHA512 6f6297d151e70b8252449d0e5591581778b18a4761d8ebd02f4510b3967bd3d88279e10fa99d3394f53449314a06f4d68a4e50645838e9ed7f44fbe00ac2ff12

C:\Users\Admin\AppData\Local\Temp\2bea1458-8c35-4f63-8737-b0a2480846d8.vbs

MD5 652791a17f908b457bba98ff814ca827
SHA1 b4b6146a5fa6f08fc359f637d732e3eeb07e0ffc
SHA256 2eb730982f08d4300aad860293190d8d2ca370d50cf3ca898f5eac3c3bff02ab
SHA512 a6380a2fd329a35cce0bb7ae2aa7a9284947e46d715263bc0edf1dd7edc0af7831a87e6d756c18361be987e6b5d23a084af3dbea99f16a6d44fb3ee4f91a4ada

C:\Users\Admin\AppData\Local\Temp\690b31e5-92d1-4df8-ab4e-903d5840db93.vbs

MD5 6b40ca9ff087a9ae63b178bbfcfec549
SHA1 c5ec6c5526aa255ac05a00802e6507345794de6f
SHA256 caaaee9d306357a63634ab8d03b687f240ad2ad2ee855fc6621a97c755a5e3ca
SHA512 57270fef6793d3564eef57944dace5f741719101fc15141d77d28c41ff49452d3aa06881333845b5b9ef910b11923d113b5064e1a73b63cc3c019b2b41fd5670

C:\Users\Admin\AppData\Local\Temp\66356032-baf5-4d32-84c0-0e2176581a63.vbs

MD5 7ce0a823cdb7693b391291b7e98170f6
SHA1 4b2ba3cb946f9e95e551ad67ac57ac2feabbe43f
SHA256 622bf4cee51d8535e87344388cf4646e6cbb08a83809e3824a785b2e4a5aa7d6
SHA512 a8959acfb99c73dad572cd0b04579fda8402722a5cc112b911d5fe0bb85be67558e087ab630db83450120d08af06a3c59f58bb921e89a420f55886748cf2da5d