Malware Analysis Report

2024-10-10 08:00

Sample ID 240611-1rkepataqf
Target 0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe
SHA256 f1f1a7292bfa1fa9564d19ab403ff4ad7ee13a8c6c9a12183e98f1f76ac826b0
Tags evasion execution persistence themida trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

f1f1a7292bfa1fa9564d19ab403ff4ad7ee13a8c6c9a12183e98f1f76ac826b0

Threat Level: Known bad

The file 0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion execution persistence themida trojan

Modifies security service

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Sets service image path in registry

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Executes dropped EXE

Themida packer

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 21:52

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 21:52

Reported

2024-06-11 21:55

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

winlogon.exe

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\Google\Chrome\updater.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Google\Chrome\updater.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\Google\Chrome\updater.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Google\Chrome\updater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 3012 wrote to memory of 448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 1408 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 1408 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 1408 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 1408 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 1408 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 1408 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 1408 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 3740 wrote to memory of 616 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 3740 wrote to memory of 676 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 3740 wrote to memory of 944 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 316 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\dwm.exe
PID 3740 wrote to memory of 516 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 1036 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 1096 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 1104 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 1120 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 1144 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 1264 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 1284 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 1344 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 1420 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 1428 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 1540 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 1556 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 1660 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 1680 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 1728 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 1776 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 1820 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 1888 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 1900 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 1964 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 1976 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 1688 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\spoolsv.exe
PID 3740 wrote to memory of 2136 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 2264 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 2272 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 2388 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 2396 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 2476 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 2580 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 2592 N/A C:\Windows\system32\dialer.exe C:\Windows\sysmon.exe
PID 3740 wrote to memory of 2632 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 2640 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 2712 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sihost.exe
PID 3740 wrote to memory of 2756 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 2988 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\taskhostw.exe
PID 3740 wrote to memory of 1844 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\wbem\unsecapp.exe
PID 3740 wrote to memory of 3132 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 3408 N/A C:\Windows\system32\dialer.exe C:\Windows\Explorer.EXE
PID 3740 wrote to memory of 3432 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 3628 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 3812 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\DllHost.exe
PID 3740 wrote to memory of 3976 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\RuntimeBroker.exe
PID 3740 wrote to memory of 3940 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\RuntimeBroker.exe
PID 3740 wrote to memory of 388 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\RuntimeBroker.exe
PID 3740 wrote to memory of 3720 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\SppExtComObj.exe
PID 3740 wrote to memory of 5052 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 3364 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3740 wrote to memory of 844 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 4496 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 3000 N/A C:\Windows\system32\dialer.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
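
The rows above show a single source, PID 3740 (dialer.exe, a stock Windows binary that has no reason to touch other processes), writing into more than twenty distinct targets, among them Explorer, sihost, the Office ClickToRun service and the Sysmon host. The block below is an added example, not part of the sandbox report: it parses rows in exactly this "PID <src> wrote to memory of <dst>" format and flags a source that fans out to many distinct PIDs or into a logon or credential process, while ignoring the benign case of a parent writing into a child it has just created. The sample rows are a constructed subset of those on this page (PID 3740 from this detonation, PIDs 2224 and 2348 from the behavioral1 run further down); the threshold of three targets and the SENSITIVE set are assumptions to tune per environment.

```python
"""Fan-out analysis of "PID <src> wrote to memory of <dst>" rows.

Added example (not the sandbox's own code). A parent writing into a child it
has just created (cmd.exe -> wusa.exe) is normal process start-up; one process
writing into many unrelated PIDs, or into lsass/winlogon/services, is the
injection pattern dialer.exe shows in this report.
"""
import re
from collections import defaultdict

# Row layout as rendered in the report: the literal "N/A" is the Indicator column.
ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>\S+) (?P<dst_img>.+)$"
)

# Assumed set of processes no ordinary user-mode program should write into.
SENSITIVE = {"lsass.exe", "winlogon.exe", "services.exe", "csrss.exe", "wininit.exe"}

# Constructed subset of the rows on this page (both detonations).
SAMPLE_ROWS = r"""
PID 3740 wrote to memory of 2476 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 2592 N/A C:\Windows\system32\dialer.exe C:\Windows\sysmon.exe
PID 3740 wrote to memory of 2712 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sihost.exe
PID 3740 wrote to memory of 3408 N/A C:\Windows\system32\dialer.exe C:\Windows\Explorer.EXE
PID 3740 wrote to memory of 3000 N/A C:\Windows\system32\dialer.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
PID 2224 wrote to memory of 488 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 2348 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2348 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
"""


def basename(path):
    """Image file name, lower-cased, from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(text):
    """Return (src_pid, src_image, dst_pid, dst_image) for every well-formed row."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append((int(m["src"]), basename(m["src_img"]),
                           int(m["dst"]), basename(m["dst_img"])))
    return events


def injection_fanout(events, min_targets=3):
    """Flag source PIDs that write into >= min_targets distinct PIDs or into any
    SENSITIVE image. Repeated writes to the same PID count once, so a parent
    writing its child's start-up data several times does not trip the threshold."""
    targets = defaultdict(dict)   # src_pid -> {dst_pid: dst_image}
    src_image = {}
    for src, src_img, dst, dst_img in events:
        targets[src][dst] = dst_img
        src_image[src] = src_img
    findings = {}
    for src, tmap in targets.items():
        sensitive = sorted(img for img in tmap.values() if img in SENSITIVE)
        if len(tmap) >= min_targets or sensitive:
            findings[src] = {
                "image": src_image[src],
                "distinct_targets": len(tmap),
                "sensitive_targets": sensitive,
            }
    return findings


if __name__ == "__main__":
    for pid, info in injection_fanout(parse_rows(SAMPLE_ROWS)).items():
        print(pid, info)
```

On the constructed rows this reports PID 3740 for fan-out (five distinct targets) and PID 2224 for the write into lsass.exe, and stays silent on cmd.exe writing into its own wusa.exe child. On Sysmon data the same logic applies to Event ID 8 (CreateRemoteThread) or 10 (ProcessAccess) grouped by source PID.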

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\dialer.exe

dialer.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
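
Read in order, the command lines above are a fixed sequence: a Defender exclusion for the user profile and ProgramData via Add-MpPreference, removal of KB890830 (the Malicious Software Removal Tool, which matches the MRT.exe modification recorded in the behavioral1 signatures), sc stop of the Windows Update and delivery services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc), powercfg changes that keep the host from sleeping or hibernating, then sc delete/create/start of a service named GoogleUpdateTaskMachineQC whose binpath is the dropped copy at C:\ProgramData\Google\Chrome\updater.exe, with sc stop eventlog in between; the repeated pool.hashvault.pro lookups in the Network section are consistent with a cryptominer payload. The block below is an added example, not the sandbox's code: a small rule set run over these command lines (a constructed subset copied from the list above, plus one benign svchost line as a control) that maps each to an ATT&CK technique and pulls out the stopped services and the created service's binpath. The rule names, the SUSPICIOUS_DIRS list and the technique mappings are my assumptions.

```python
"""Rule-based triage of the command lines recorded in this detonation.

Added example, not part of the sandbox report. Each rule is a predicate over
a single command line; triage() applies them all and also extracts the
service names that were stopped and the service that was created.
"""
import json
import re

DEFENDER_RE = re.compile(r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Extension|Process)\b", re.I)
MSRT_RE = re.compile(r"\bwusa(?:\.exe)?\b.*/uninstall\b.*/kb:890830\b", re.I)
POWERCFG_RE = re.compile(r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b", re.I)
STOP_RE = re.compile(r'\bsc(?:\.exe)?\s+stop\s+"?(?P<svc>[^"\s]+)"?', re.I)
CREATE_RE = re.compile(r'\bsc(?:\.exe)?\s+create\s+"?(?P<name>[^"\s]+)"?.*?binpath=\s*"?(?P<bin>[^"]+)"?', re.I)

# Windows Update and delivery services the sample stops (names from the report).
UPDATE_SVCS = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Assumed: directories from which a service binary should not normally run.
SUSPICIOUS_DIRS = ("\\programdata\\", "\\appdata\\", "\\users\\", "\\temp\\")


def _stopped_service(cmd):
    m = STOP_RE.search(cmd)
    return m["svc"].lower() if m else None


# (rule name, ATT&CK technique or None, predicate). Mappings are my assumption.
RULES = [
    ("defender_exclusion",  "T1562.001", lambda c: bool(DEFENDER_RE.search(c))),
    ("msrt_removal",        "T1562.001", lambda c: bool(MSRT_RE.search(c))),
    ("update_service_stop", "T1489",     lambda c: _stopped_service(c) in UPDATE_SVCS),
    ("eventlog_stop",       "T1562.002", lambda c: _stopped_service(c) == "eventlog"),
    ("keep_awake",          None,        lambda c: bool(POWERCFG_RE.search(c))),
    ("service_create",      "T1543.003", lambda c: bool(CREATE_RE.search(c))),
]

# Constructed subset of the command lines listed above, in the order they ran,
# plus one benign svchost line as a control.
SAMPLE_CMDLINES = [
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r"C:\Windows\system32\sc.exe stop UsoSvc",
    r"C:\Windows\system32\sc.exe stop WaaSMedicSvc",
    r"C:\Windows\system32\sc.exe stop wuauserv",
    r"C:\Windows\system32\sc.exe stop bits",
    r"C:\Windows\system32\sc.exe stop dosvc",
    r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0",
    r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0",
    r'C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"',
    r'C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r'C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"',
    r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
]


def classify(cmd):
    """Return [(rule_name, technique)] for every rule the command line matches."""
    return [(name, tech) for name, tech, pred in RULES if pred(cmd)]


def triage(cmdlines):
    """Summarise a list of command lines: rules hit, techniques, stopped
    services (in order) and created services with a path-plausibility flag."""
    rules_hit, techniques, stopped, created = set(), set(), [], []
    for cmd in cmdlines:
        for name, tech in classify(cmd):
            rules_hit.add(name)
            if tech:
                techniques.add(tech)
        stop = STOP_RE.search(cmd)
        if stop:
            stopped.append(stop["svc"])
        m = CREATE_RE.search(cmd)
        if m:
            created.append({
                "name": m["name"],
                "binpath": m["bin"],
                "suspicious_path": any(d in m["bin"].lower() for d in SUSPICIOUS_DIRS),
            })
    return {
        "rules": sorted(rules_hit),
        "techniques": sorted(techniques),
        "stopped_services": stopped,
        "created_services": created,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CMDLINES), indent=2))
```

The individual rules are weak on their own (an administrator may legitimately add an exclusion or stop BITS); the value is in the combination, and in the created service pointing at a binary under ProgramData that borrows a Google Update name. The same predicates port directly to Sysmon Event ID 1 or Security 4688 command-line fields.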

Network

Country Destination Domain Proto
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp

Files

memory/1408-1-0x00007FF807DD0000-0x00007FF807DD2000-memory.dmp

memory/1408-0-0x00007FF751010000-0x00007FF751B11000-memory.dmp

memory/1408-2-0x00007FF751010000-0x00007FF751B11000-memory.dmp

memory/1408-3-0x00007FF751010000-0x00007FF751B11000-memory.dmp

memory/1408-4-0x00007FF751010000-0x00007FF751B11000-memory.dmp

memory/1408-5-0x00007FF751010000-0x00007FF751B11000-memory.dmp

memory/4544-6-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

memory/4544-7-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

memory/4544-14-0x000001F22BD90000-0x000001F22BDB2000-memory.dmp

memory/4544-18-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5bmqy5cd.tfd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4544-21-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

memory/3740-22-0x0000000140000000-0x000000014002B000-memory.dmp

memory/3740-29-0x00007FF806480000-0x00007FF80653E000-memory.dmp

memory/3740-28-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

memory/3740-27-0x0000000140000000-0x000000014002B000-memory.dmp

memory/1408-31-0x00007FF751010000-0x00007FF751B11000-memory.dmp

memory/3740-25-0x0000000140000000-0x000000014002B000-memory.dmp

memory/3740-24-0x0000000140000000-0x000000014002B000-memory.dmp

memory/3740-23-0x0000000140000000-0x000000014002B000-memory.dmp

C:\ProgramData\Google\Chrome\updater.exe

MD5 0674084bffb7c116473c759b4ae05860
SHA1 5eb62d918c9a6a6c57012d11a89f909fc44a39fc
SHA256 f1f1a7292bfa1fa9564d19ab403ff4ad7ee13a8c6c9a12183e98f1f76ac826b0
SHA512 67c1111399e5a8b24b4bacf3709782d7610d1e2d60efbf57b67b44d24b5721431a0de7616dfa1e9d84e0bbc943539bd5d7295b8818ffaf3ce0a31a80d503e232

memory/316-49-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

memory/516-56-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

memory/1036-60-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

memory/1284-85-0x000001EF4BFB0000-0x000001EF4BFDB000-memory.dmp

memory/1264-80-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

memory/1264-79-0x0000022F90DD0000-0x0000022F90DFB000-memory.dmp

memory/1144-76-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

memory/1144-75-0x00000215D1560000-0x00000215D158B000-memory.dmp

memory/1120-73-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

memory/1120-72-0x0000024ED1CD0000-0x0000024ED1CFB000-memory.dmp

memory/1104-70-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

memory/1104-69-0x000001A3E9D10000-0x000001A3E9D3B000-memory.dmp

memory/1096-67-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

memory/1096-66-0x00000292D2060000-0x00000292D208B000-memory.dmp

memory/1036-59-0x000002B7F5F80000-0x000002B7F5FAB000-memory.dmp

memory/516-55-0x0000019FA2AC0000-0x0000019FA2AEB000-memory.dmp

memory/944-52-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

memory/944-51-0x000001BCFA1A0000-0x000001BCFA1CB000-memory.dmp

memory/316-48-0x000002B0E60C0000-0x000002B0E60EB000-memory.dmp

memory/676-44-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

memory/676-43-0x0000023921B70000-0x0000023921B9B000-memory.dmp

memory/616-40-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

memory/616-39-0x00000217E9310000-0x00000217E933B000-memory.dmp

memory/616-38-0x00000217E92E0000-0x00000217E9304000-memory.dmp

memory/5064-37-0x00007FF6175D0000-0x00007FF6180D1000-memory.dmp

memory/3740-32-0x0000000140000000-0x000000014002B000-memory.dmp

memory/4244-305-0x0000029A1BDA0000-0x0000029A1BDBC000-memory.dmp

memory/4244-306-0x0000029A1BDC0000-0x0000029A1BE75000-memory.dmp

memory/4244-307-0x0000029A1BD90000-0x0000029A1BD9A000-memory.dmp

memory/4244-308-0x0000029A1BFE0000-0x0000029A1BFFC000-memory.dmp

memory/4244-309-0x0000029A1BFC0000-0x0000029A1BFCA000-memory.dmp

memory/4244-310-0x0000029A1C020000-0x0000029A1C03A000-memory.dmp

memory/4244-312-0x0000029A1C000000-0x0000029A1C006000-memory.dmp

memory/4244-311-0x0000029A1BFD0000-0x0000029A1BFD8000-memory.dmp

memory/4244-313-0x0000029A1C010000-0x0000029A1C01A000-memory.dmp

memory/5064-355-0x00007FF6175D0000-0x00007FF6180D1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 21:52

Reported

2024-06-11 21:55

Platform

win7-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

winlogon.exe

Signatures

Modifies security service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP C:\Windows\System32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection C:\Windows\System32\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\Google\Chrome\updater.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GoogleUpdateTaskMachineQC\ImagePath = "C:\\ProgramData\\Google\\Chrome\\updater.exe" C:\Windows\system32\services.exe N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Google\Chrome\updater.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\services.exe N/A
N/A N/A C:\Windows\system32\services.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Google\Chrome\updater.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\system32\PerfStringBackup.INI C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\PerfStringBackup.TMP C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\Google\Chrome\updater.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf C:\Windows\system32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 6084aac549bcda01 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Google\Chrome\updater.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2348 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2348 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 956 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 956 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 956 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 956 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 956 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 956 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 956 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 2224 wrote to memory of 428 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 2224 wrote to memory of 472 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\services.exe
PID 2224 wrote to memory of 488 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 2224 wrote to memory of 496 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsm.exe
PID 2224 wrote to memory of 600 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2224 wrote to memory of 680 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2224 wrote to memory of 748 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2224 wrote to memory of 816 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2224 wrote to memory of 840 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2224 wrote to memory of 968 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2224 wrote to memory of 280 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2224 wrote to memory of 300 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\spoolsv.exe
PID 2224 wrote to memory of 1068 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2224 wrote to memory of 1112 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\taskhost.exe
PID 2224 wrote to memory of 1164 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\Dwm.exe
PID 2224 wrote to memory of 1188 N/A C:\Windows\system32\dialer.exe C:\Windows\Explorer.EXE
PID 2224 wrote to memory of 1252 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 2224 wrote to memory of 2292 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2224 wrote to memory of 3056 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sppsvc.exe
PID 2224 wrote to memory of 956 N/A C:\Windows\system32\dialer.exe C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe
PID 2224 wrote to memory of 2540 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\powercfg.exe
PID 2224 wrote to memory of 2580 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\powercfg.exe
PID 2224 wrote to memory of 2624 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\powercfg.exe
PID 2224 wrote to memory of 1792 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\powercfg.exe
PID 2224 wrote to memory of 2964 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2224 wrote to memory of 2960 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2224 wrote to memory of 2392 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2224 wrote to memory of 1360 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2224 wrote to memory of 1940 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sc.exe
PID 2224 wrote to memory of 1908 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2224 wrote to memory of 2216 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sc.exe
PID 2224 wrote to memory of 1936 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2224 wrote to memory of 1708 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sc.exe
PID 2224 wrote to memory of 2252 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sc.exe
PID 2224 wrote to memory of 2784 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2224 wrote to memory of 2664 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 472 wrote to memory of 2552 N/A C:\Windows\system32\services.exe C:\ProgramData\Google\Chrome\updater.exe
PID 472 wrote to memory of 2552 N/A C:\Windows\system32\services.exe C:\ProgramData\Google\Chrome\updater.exe
PID 472 wrote to memory of 2552 N/A C:\Windows\system32\services.exe C:\ProgramData\Google\Chrome\updater.exe
PID 2224 wrote to memory of 2552 N/A C:\Windows\system32\dialer.exe C:\ProgramData\Google\Chrome\updater.exe
PID 2224 wrote to memory of 2552 N/A C:\Windows\system32\dialer.exe C:\ProgramData\Google\Chrome\updater.exe
PID 2224 wrote to memory of 236 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2008 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2224 wrote to memory of 1692 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\cmd.exe
PID 2224 wrote to memory of 2320 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sc.exe
PID 2224 wrote to memory of 708 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2224 wrote to memory of 1764 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 1692 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 1692 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 1692 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2552 wrote to memory of 2812 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 2552 wrote to memory of 2812 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 2552 wrote to memory of 2812 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 2552 wrote to memory of 2812 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
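The table above is easier to read as a fan-out graph. The sample (PID 956) writes once into a freshly started dialer.exe (PID 2224); that dialer.exe then writes into winlogon, services, lsass, lsm, every svchost, spoolsv, taskhost, dwm, explorer, wmiprvse, sppsvc and every helper it launches (sc, powercfg, conhost, cmd, powershell); updater.exe (PID 2552), the service copy, later repeats the sample-to-dialer.exe step. The three identical cmd.exe-to-wusa.exe rows, by contrast, are the ordinary writes a parent makes into a child it has just created. The Python below is an added example, not part of the sandbox report, that parses rows in the table's format and flags writers by three rules: five or more distinct targets, any write into a core system process, and a binary outside C:\Windows writing into an image under it (the pattern behind the SetThreadContext signature). The embedded rows are a constructed subset copied from the table; the threshold and the core-process set are my own assumptions.

```python
"""Fan-out analysis of 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the sandbox report. Rules and thresholds
below are assumptions chosen for this run, not sandbox logic.
"""
import re

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Assumption: user-mode code never legitimately writes into these.
CORE_TARGETS = {"winlogon.exe", "services.exe", "lsass.exe", "lsm.exe"}
# Assumption: a writer touching this many distinct processes is injecting.
FANOUT_THRESHOLD = 5

# Constructed subset of rows copied from the table above (same format).
SAMPLE_ROWS = r"""
PID 2348 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2348 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 956 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe C:\Windows\system32\dialer.exe
PID 2224 wrote to memory of 428 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 2224 wrote to memory of 472 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\services.exe
PID 2224 wrote to memory of 488 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 2224 wrote to memory of 600 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2224 wrote to memory of 1188 N/A C:\Windows\system32\dialer.exe C:\Windows\Explorer.EXE
PID 2224 wrote to memory of 1940 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sc.exe
PID 2224 wrote to memory of 2964 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 472 wrote to memory of 2552 N/A C:\Windows\system32\services.exe C:\ProgramData\Google\Chrome\updater.exe
PID 2224 wrote to memory of 2552 N/A C:\Windows\system32\dialer.exe C:\ProgramData\Google\Chrome\updater.exe
PID 2552 wrote to memory of 2812 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
"""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_windows_dir(path):
    return path.lower().startswith("c:\\windows\\")


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) for every table row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src_pid, dst_pid, src_img, dst_img = m.groups()
            events.append((int(src_pid), int(dst_pid), src_img, dst_img))
    return events


def analyse(events):
    """Group events by writer PID and return the writers that trip a rule."""
    writers = {}
    for src_pid, dst_pid, src_img, dst_img in events:
        w = writers.setdefault(src_pid, {"image": src_img, "targets": {}})
        w["targets"][dst_pid] = dst_img  # duplicate rows collapse here

    flagged = {}
    for pid, w in writers.items():
        targets = w["targets"]
        target_names = {basename(t) for t in targets.values()}
        reasons = []
        if len(targets) >= FANOUT_THRESHOLD:
            reasons.append(f"writes into {len(targets)} distinct processes")
        core = sorted(target_names & CORE_TARGETS)
        if core:
            reasons.append("writes into core system process(es): " + ", ".join(core))
        if not in_windows_dir(w["image"]):
            hosts = sorted({basename(t) for t in targets.values() if in_windows_dir(t)})
            if hosts:
                reasons.append("binary outside C:\\Windows writes into: " + ", ".join(hosts))
        if reasons:
            flagged[pid] = {
                "image": basename(w["image"]),
                "target_count": len(targets),
                "reasons": reasons,
            }
    return flagged


if __name__ == "__main__":
    for pid, info in sorted(analyse(parse_rows(SAMPLE_ROWS)).items()):
        print(pid, info["image"], info["target_count"], "targets")
        for reason in info["reasons"]:
            print("   -", reason)
```

On the rows above this flags PID 2224 on the first two rules, and PIDs 956 and 2552 on the third; services.exe (PID 472) writing into the service it starts, and cmd.exe into wusa.exe, are left alone.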

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0674084bffb7c116473c759b4ae05860_NeikiAnalytics.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19671366301430511360238912398392729454-63477538178313388716606268642050019374"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "199239741-596148044201097834310212809521731693319180446780217523429-2025153776"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14257837481755986834-129209214-1137769424-245414480-49881734721124732531300556012"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2069951347-409363309-649355031941769732346791759-1406914331320943967381034473"

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "79866885-650106711248145053-1685440705-1110807770-427073630-280654701-233703784"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-589801521-1606975340349028342293408968-2022165541902262935-1972739985289151354"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "761265380464940899-55626030017785134151285382743-60565830914334255991147834400"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7473456162647456781588300036-9608520791409442131680766277-722895020-797233391"

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "772551034-8093064507590688171168188436273034883-16768622278256438321488867024"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "17841010811462173695-112179105095973034-1069929747-151946033312155686471050998437"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-130400221-11402796631423268494-3375660214759930061767881226334566281855667498"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16571851052115356948517493210852708712-551973312-1378444891582095296100807801"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "11209417361604777902-450862287-20075849291743872845790194381-17735117362137648909"

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20917407845773156941564379906-1279468884-1922771095-220453479728864230-690369594"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1464725856-1308397648737213840-76665521662076353-1945580443-19058095721176615697"

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

dialer.exe

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding
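The command lines above form a recognisable coin-miner loader playbook: Add-MpPreference excludes the user profile, ProgramData and every .exe from Defender; wusa /uninstall /kb:890830 removes the Malicious Software Removal Tool; sc stop halts Windows Update (wuauserv, UsoSvc, WaaSMedicSvc), BITS, Delivery Optimization (dosvc) and finally the event log; powercfg zeroes the standby and hibernate timeouts so the host never sleeps; and a service named GoogleUpdateTaskMachineQC is deleted, recreated with binpath= C:\ProgramData\Google\Chrome\updater.exe (a byte-identical copy of the sample, per the Files section) and started. Together with the repeated DNS lookups for pool.hashvault.pro in the Network section (a public Monero mining pool) this is the behaviour of a miner loader. The conhost.exe lines with long numeric arguments are ordinary console hosts for the sc, powercfg and wusa children, and wmiadap.exe /F /T /R is Windows rebuilding performance counters. The Python below is an added example, not from the report, that runs these rules over command lines in the format shown above; the embedded lines are copied from this section and the rule names and the user-writable path prefixes are my own choices.

```python
"""Rule-based triage of process command lines from the behavioral2 run.

Added example, not part of the sandbox report. Rule names and the
user-writable prefix list are assumptions for this example.
"""
import re

# Services stopped by the loader, all Windows Update / delivery components.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Assumption: a service whose binary lives here was not installed by an admin.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\local\\temp\\")

SC_STOP_RE = re.compile(r'\bsc(?:\.exe)?\s+stop\s+"?([\w.-]+)"?', re.I)
SC_CREATE_RE = re.compile(r'\bsc(?:\.exe)?\s+create\s+"?([^"\s]+)"?', re.I)
BINPATH_RE = re.compile(r'binpath=\s*"?([^"]+?)"?(?=\s+\w+=|\s*$)', re.I)
POWERCFG_RE = re.compile(
    r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b", re.I)

# Constructed subset of the process list above; image-only lines are
# included on purpose to show they produce no hits.
SAMPLE_PROCESS_LINES = r"""
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
\??\C:\Windows\system32\conhost.exe "79866885-650106711248145053-1685440705-1110807770-427073630-280654701-233703784"
C:\Windows\system32\dialer.exe
wmiadap.exe /F /T /R
"""


def classify(cmdline):
    """Return a list of (rule, detail) pairs for one command line."""
    lc = cmdline.lower()
    hits = []
    if "add-mppreference" in lc and ("-exclusionpath" in lc or "-exclusionextension" in lc):
        hits.append(("defender_exclusion", "Add-MpPreference adds Defender exclusions"))
    if "wusa" in lc and "/uninstall" in lc and "kb:890830" in lc:
        hits.append(("msrt_removal", "uninstalls KB890830 (Malicious Software Removal Tool)"))
    m = SC_STOP_RE.search(cmdline)
    if m:
        svc = m.group(1).lower()
        if svc in UPDATE_SERVICES:
            hits.append(("update_service_stop", f"stops {svc}"))
        elif svc == "eventlog":
            hits.append(("eventlog_stop", "stops the Windows Event Log service"))
    if POWERCFG_RE.search(cmdline):
        hits.append(("sleep_prevention", "sets a standby/hibernate timeout to 0"))
    m = SC_CREATE_RE.search(cmdline)
    if m:
        b = BINPATH_RE.search(cmdline)
        binpath = b.group(1) if b else ""
        if any(p in binpath.lower() for p in USER_WRITABLE):
            hits.append(("service_persistence", f"service {m.group(1)} -> {binpath}"))
    return hits


def scan(text):
    """Map rule name -> [(command line, detail)], skipping duplicate lines."""
    findings, seen = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in seen:
            continue
        seen.add(line)
        for rule, detail in classify(line):
            findings.setdefault(rule, []).append((line, detail))
    return findings


if __name__ == "__main__":
    for rule, matches in scan(SAMPLE_PROCESS_LINES).items():
        print(rule)
        for line, detail in matches:
            print("   ", detail, "|", line)
```

Run against the lines above it produces six rule groups; the conhost, bare dialer.exe and wmiadap lines produce nothing, which is the point of carrying them in the sample.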

Network

Country Destination Domain Proto
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp

Files

memory/956-1-0x0000000076D00000-0x0000000076D02000-memory.dmp

memory/956-0-0x000000013FF20000-0x0000000140A21000-memory.dmp

memory/956-2-0x000000013FF20000-0x0000000140A21000-memory.dmp

memory/956-4-0x000000013FF20000-0x0000000140A21000-memory.dmp

memory/956-3-0x000000013FF20000-0x0000000140A21000-memory.dmp

memory/956-5-0x000000013FF20000-0x0000000140A21000-memory.dmp

memory/1708-13-0x00000000026A0000-0x00000000026A8000-memory.dmp

memory/1708-12-0x0000000076CB0000-0x0000000076E59000-memory.dmp

memory/1708-11-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

memory/1708-14-0x0000000076CB0000-0x0000000076E59000-memory.dmp

memory/1708-10-0x0000000076CB0000-0x0000000076E59000-memory.dmp

memory/1708-16-0x0000000076CB0000-0x0000000076E59000-memory.dmp

memory/956-15-0x000000013FF20000-0x0000000140A21000-memory.dmp

memory/1708-17-0x0000000076CB0000-0x0000000076E59000-memory.dmp

memory/1708-18-0x0000000076CB0000-0x0000000076E59000-memory.dmp

memory/2224-19-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2224-20-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2224-22-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2224-24-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2224-21-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2224-25-0x0000000076CB0000-0x0000000076E59000-memory.dmp

memory/428-51-0x0000000036CF0000-0x0000000036D00000-memory.dmp

memory/488-79-0x0000000036CF0000-0x0000000036D00000-memory.dmp

memory/488-77-0x000007FEBDD60000-0x000007FEBDD70000-memory.dmp

memory/488-76-0x0000000000240000-0x000000000026B000-memory.dmp

memory/472-63-0x0000000036CF0000-0x0000000036D00000-memory.dmp

memory/472-62-0x000007FEBDD60000-0x000007FEBDD70000-memory.dmp

memory/472-60-0x0000000000100000-0x000000000012B000-memory.dmp

memory/428-50-0x000007FEBDD60000-0x000007FEBDD70000-memory.dmp

memory/428-33-0x0000000000D30000-0x0000000000D5B000-memory.dmp

memory/428-32-0x0000000000D00000-0x0000000000D24000-memory.dmp

memory/428-30-0x0000000000D00000-0x0000000000D24000-memory.dmp

memory/2224-27-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2224-26-0x0000000076B90000-0x0000000076CAF000-memory.dmp

memory/956-283-0x000000013FF20000-0x0000000140A21000-memory.dmp

\ProgramData\Google\Chrome\updater.exe

MD5 0674084bffb7c116473c759b4ae05860
SHA1 5eb62d918c9a6a6c57012d11a89f909fc44a39fc
SHA256 f1f1a7292bfa1fa9564d19ab403ff4ad7ee13a8c6c9a12183e98f1f76ac826b0
SHA512 67c1111399e5a8b24b4bacf3709782d7610d1e2d60efbf57b67b44d24b5721431a0de7616dfa1e9d84e0bbc943539bd5d7295b8818ffaf3ce0a31a80d503e232

memory/472-307-0x000000013F200000-0x000000013FD01000-memory.dmp

memory/472-309-0x000000013F200000-0x000000013FD01000-memory.dmp

memory/2552-310-0x000000013F200000-0x000000013FD01000-memory.dmp

memory/236-329-0x0000000000450000-0x0000000000458000-memory.dmp

memory/236-328-0x000000001A150000-0x000000001A432000-memory.dmp

memory/2552-563-0x000000013F200000-0x000000013FD01000-memory.dmp

memory/472-594-0x000000013F200000-0x000000013FD01000-memory.dmp

memory/472-595-0x000000013F200000-0x000000013FD01000-memory.dmp

C:\Windows\System32\perfc011.dat

MD5 1f998386566e5f9b7f11cc79254d1820
SHA1 e1da5fe1f305099b94de565d06bc6f36c6794481
SHA256 1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea
SHA512 a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

C:\Windows\System32\wbem\Performance\WmiApRpl.h

MD5 b133a676d139032a27de3d9619e70091
SHA1 1248aa89938a13640252a79113930ede2f26f1fa
SHA256 ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512 c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

MD5 46d08e3a55f007c523ac64dce6dcf478
SHA1 62edf88697e98d43f32090a2197bead7e7244245
SHA256 5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614
SHA512 b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42

C:\Windows\System32\perfh009.dat

MD5 aecab86cc5c705d7a036cba758c1d7b0
SHA1 e88cf81fd282d91c7fc0efae13c13c55f4857b5e
SHA256 9bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066
SHA512 e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8

C:\Windows\System32\perfh007.dat

MD5 b69ab3aeddb720d6ef8c05ff88c23b38
SHA1 d830c2155159656ed1806c7c66cae2a54a2441fa
SHA256 24c81302014118e07ed97eaac0819ecf191e0cc3d69c02b16ecda60ac4718625
SHA512 4c7a99d45fb6e90c206439dcdd7cd198870ea5397a6584bb666eed53a8dc36faaac0b9cfc786a3ab4ecbbecc3a4ddd91560246d83b3319f2e37c1ed4bdbec32d

C:\Windows\System32\perfc007.dat

MD5 0f3d76321f0a7986b42b25a3aa554f82
SHA1 7036bba62109cc25da5d6a84d22b6edb954987c0
SHA256 dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460
SHA512 bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0

C:\Windows\System32\perfc00A.dat

MD5 f0ecfbfa3e3e59fd02197018f7e9cb84
SHA1 961e9367a4ef3a189466c0a0a186faf8958bdbc4
SHA256 cfa293532a1b865b95093437d82bf8b682132aa335957f0c6d95edfbcc372324
SHA512 116e648cb3b591a6a94da5ef11234778924a2ff9e0b3d7f6f00310d8a58914d12f5ee1b63c2f88701bb00538ad0e42ae2561575333c5a1d63bb8c86863ac6294

C:\Windows\System32\perfh011.dat

MD5 54c674d19c0ff72816402f66f6c3d37c
SHA1 2dcc0269545a213648d59dc84916d9ec2d62a138
SHA256 646d4ea2f0670691aa5b998c26626ede7623886ed3ac9bc9679018f85e584bb5
SHA512 4d451e9bef2c451cb9e86c7f4d705be65787c88df5281da94012bfbe5af496718ec3e48099ec3dff1d06fee7133293f10d649866fe59daa7951aebe2e5e67c1f

C:\Windows\System32\perfh010.dat

MD5 4623482c106cf6cc1bac198f31787b65
SHA1 5abb0decf7b42ef5daf7db012a742311932f6dad
SHA256 eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349
SHA512 afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f

C:\Windows\System32\perfc010.dat

MD5 d73172c6cb697755f87cd047c474cf91
SHA1 abc5c7194abe32885a170ca666b7cce8251ac1d6
SHA256 9de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57
SHA512 7c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6

C:\Windows\System32\perfh00C.dat

MD5 5f684ce126de17a7d4433ed2494c5ca9
SHA1 ce1a30a477daa1bac2ec358ce58731429eafe911
SHA256 2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c
SHA512 4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b

C:\Windows\System32\perfc00C.dat

MD5 ce233fa5dc5adcb87a5185617a0ff6ac
SHA1 2e2747284b1204d3ab08733a29fdbabdf8dc55b9
SHA256 68d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31
SHA512 1e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2

C:\Windows\System32\perfh00A.dat

MD5 7d0bac4e796872daa3f6dc82c57f4ca8
SHA1 b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a
SHA256 ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879
SHA512 145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e
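Two things in the Files section deserve separating from the noise. First, \ProgramData\Google\Chrome\updater.exe carries exactly the MD5, SHA1, SHA256 and SHA512 of the submitted sample, so the "dropped" service binary is a self-copy rather than a second-stage download; the perfc*.dat, perfh*.dat and WmiApRpl.* entries are what wmiadap.exe /F /T /R writes when it rebuilds performance counters and are not payload. Second, the memory dumps show a 0x2B000-byte region at 0x140000000 in dialer.exe (PID 2224), the default image base of a 64-bit EXE, and a 64 KiB region at 0x36CF0000 dumped from winlogon (428), services (472) and lsass (488), the first three processes dialer.exe wrote into. The Python below is an added example, not part of the report, that parses entries in this section's format, classifies the dropped files, and lists memory regions dumped at the same address from more than one PID; a region that is really a system DLL mapped at a common address (the 0x76CB0000 range in PIDs 1708 and 2224 is most likely one) will show up too, so the output is a cross-check against the WriteProcessMemory table, not a verdict. The embedded lines are a constructed subset copied from this section.

```python
"""Triage of the 'Files' section: self-copies, perf-counter noise, shared regions.

Added example, not part of the sandbox report. The artifact pattern and
the sample hash are taken from the report; the classification is mine.
"""
import re

SAMPLE_SHA256 = "f1f1a7292bfa1fa9564d19ab403ff4ad7ee13a8c6c9a12183e98f1f76ac826b0"

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-F]+)-0x([0-9A-F]+)-memory\.dmp$", re.I)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Files rewritten by wmiadap.exe /F /T /R (performance counter rebuild).
PERF_ARTIFACT_RE = re.compile(r"^(perf[ch][0-9a-f]{3}\.dat|WmiApRpl\.(h|ini))$", re.I)

# Constructed subset of the Files section above (same line format).
SAMPLE_FILES = r"""
memory/956-0-0x000000013FF20000-0x0000000140A21000-memory.dmp
memory/956-2-0x000000013FF20000-0x0000000140A21000-memory.dmp
memory/1708-12-0x0000000076CB0000-0x0000000076E59000-memory.dmp
memory/2224-19-0x0000000140000000-0x000000014002B000-memory.dmp
memory/2224-20-0x0000000140000000-0x000000014002B000-memory.dmp
memory/2224-25-0x0000000076CB0000-0x0000000076E59000-memory.dmp
memory/428-51-0x0000000036CF0000-0x0000000036D00000-memory.dmp
memory/488-79-0x0000000036CF0000-0x0000000036D00000-memory.dmp
memory/472-63-0x0000000036CF0000-0x0000000036D00000-memory.dmp
memory/428-33-0x0000000000D30000-0x0000000000D5B000-memory.dmp
memory/472-307-0x000000013F200000-0x000000013FD01000-memory.dmp
memory/2552-310-0x000000013F200000-0x000000013FD01000-memory.dmp

\ProgramData\Google\Chrome\updater.exe

MD5 0674084bffb7c116473c759b4ae05860
SHA1 5eb62d918c9a6a6c57012d11a89f909fc44a39fc
SHA256 f1f1a7292bfa1fa9564d19ab403ff4ad7ee13a8c6c9a12183e98f1f76ac826b0

C:\Windows\System32\perfc011.dat

MD5 1f998386566e5f9b7f11cc79254d1820
SHA256 1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea

C:\Windows\System32\wbem\Performance\WmiApRpl.h

MD5 b133a676d139032a27de3d9619e70091
SHA256 ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
"""


def parse_files_section(text):
    """Split the section into memory-dump records and file records with hashes."""
    dumps, files, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
            continue
        if "\\" in line:  # a dropped-file path starts a new record
            current = {"path": line}
            files.append(current)
    return dumps, files


def classify_files(files, sample_sha256=SAMPLE_SHA256):
    """Bucket dropped files: copies of the sample, perf-counter noise, the rest."""
    out = {"self_copy": [], "perf_counter_rebuild": [], "other": []}
    for f in files:
        name = f["path"].rsplit("\\", 1)[-1]
        if f.get("sha256") == sample_sha256.lower():
            out["self_copy"].append(f["path"])
        elif PERF_ARTIFACT_RE.match(name):
            out["perf_counter_rebuild"].append(f["path"])
        else:
            out["other"].append(f["path"])
    return out


def shared_regions(dumps, min_pids=2):
    """Regions dumped at the same (start, end) from at least min_pids PIDs."""
    by_region = {}
    for d in dumps:
        by_region.setdefault((d["start"], d["end"]), set()).add(d["pid"])
    return {
        region: {"size": region[1] - region[0], "pids": sorted(pids)}
        for region, pids in by_region.items() if len(pids) >= min_pids
    }


if __name__ == "__main__":
    dumps, files = parse_files_section(SAMPLE_FILES)
    print(classify_files(files))
    for (start, end), info in sorted(shared_regions(dumps).items()):
        print(f"0x{start:X}-0x{end:X} size=0x{info['size']:X} pids={info['pids']}")
```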