Malware Analysis Report

2024-10-10 13:00

Sample ID 240617-r1rexsvalg
Target a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe
SHA256 7ba97c08c68b3fb7bf3137a32ded5cfd2dc235e8e89403711459dfc2b2cd0d67
Tags rat dcrat evasion execution infostealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 7ba97c08c68b3fb7bf3137a32ded5cfd2dc235e8e89403711459dfc2b2cd0d67

Threat Level: Known bad

The file a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

DcRat

Dcrat family

Process spawned unexpected child process

DCRat payload

UAC bypass

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

System policy modification

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 14:39

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 14:39

Reported

2024-06-17 14:42

Platform

win7-20240611-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (30 identical entries)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows NT\System.exe N/A (6 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows NT\System.exe N/A (6 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows NT\System.exe N/A (6 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A (2 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A (2 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A (2 identical entries)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (7 identical entries)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows NT\System.exe N/A (6 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows NT\System.exe N/A (6 identical entries)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A (2 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A (2 identical entries)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\en-US\services.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Internet Explorer\en-US\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\RCX1E01.tmp C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows NT\System.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\services.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows NT\System.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows NT\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SchCache\lsass.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File created C:\Windows\SchCache\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SchCache\lsass.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A (4 identical entries)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (12 identical entries)
N/A N/A C:\Program Files\Windows NT\System.exe N/A (6 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A (2 identical entries)
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (12 identical entries)
Token: SeDebugPrivilege N/A C:\Program Files\Windows NT\System.exe N/A (6 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical entries)
PID 2160 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical entries)
PID 2160 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical entries)
PID 2160 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical entries)
PID 2160 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical entries)
PID 2160 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical entries)
PID 2160 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\cmd.exe (3 identical entries)
PID 2308 wrote to memory of 1780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (3 identical entries)
PID 2308 wrote to memory of 1952 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe (3 identical entries)
PID 1952 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical entries)
PID 1952 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical entries)
PID 1952 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical entries)
PID 1952 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical entries)
PID 1952 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical entries)
PID 1952 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical entries)
PID 1952 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\cmd.exe (3 identical entries)
PID 1984 wrote to memory of 2448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (3 identical entries)
PID 1984 wrote to memory of 908 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows NT\System.exe (3 identical entries)
PID 908 wrote to memory of 2304 N/A C:\Program Files\Windows NT\System.exe C:\Windows\System32\WScript.exe (3 identical entries)
PID 908 wrote to memory of 536 N/A C:\Program Files\Windows NT\System.exe C:\Windows\System32\WScript.exe (3 identical entries)
PID 2304 wrote to memory of 484 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows NT\System.exe (3 identical entries)
PID 484 wrote to memory of 2120 N/A C:\Program Files\Windows NT\System.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A (2 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A (2 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A (2 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows NT\System.exe N/A (6 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows NT\System.exe N/A (6 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows NT\System.exe N/A (6 identical entries)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalyticsa" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalyticsa" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\services.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wfNKgTND0E.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Cookies\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SchCache\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\lsass.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bjknkRRiu6.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows NT\System.exe

"C:\Program Files\Windows NT\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e4d434c-e5ce-4bd3-a256-e23aaaa3104b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4897cadc-593a-45bf-a06a-7a309ebde9b8.vbs"

C:\Program Files\Windows NT\System.exe

"C:\Program Files\Windows NT\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ce91797-cbd6-4044-be2f-8b74e561ef07.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d87e6c46-fe11-4425-b490-bfc29b0c400a.vbs"

C:\Program Files\Windows NT\System.exe

"C:\Program Files\Windows NT\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7804f16-0589-4f5c-8be7-eb00699e42d7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed8d5afb-9ba2-44f9-9be2-e56bb9ecd345.vbs"

C:\Program Files\Windows NT\System.exe

"C:\Program Files\Windows NT\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76305965-8e44-4862-b063-ac30d0a58a6a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7490d4b2-d459-4681-9c8c-f524aca40a45.vbs"

C:\Program Files\Windows NT\System.exe

"C:\Program Files\Windows NT\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07e64a84-8598-4c33-8507-1eddfebffd2c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a390bb0e-a9d2-4b17-a0bb-839f3c9a35d7.vbs"

C:\Program Files\Windows NT\System.exe

"C:\Program Files\Windows NT\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\051a1a72-c400-4457-84b6-4b34f42a7071.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3973592-6abc-4e60-a1e8-f4aa081a47e9.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0854644.xsph.ru udp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp

Files

memory/2160-0-0x000007FEF5413000-0x000007FEF5414000-memory.dmp

memory/2160-1-0x0000000000850000-0x0000000000A1E000-memory.dmp

memory/2160-2-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

memory/2160-3-0x0000000000250000-0x000000000026C000-memory.dmp

memory/2160-4-0x0000000000270000-0x0000000000278000-memory.dmp

memory/2160-5-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2160-6-0x00000000004A0000-0x00000000004B6000-memory.dmp

memory/2160-7-0x0000000000410000-0x0000000000422000-memory.dmp

memory/2160-8-0x00000000004C0000-0x00000000004D0000-memory.dmp

memory/2160-9-0x00000000004D0000-0x00000000004DA000-memory.dmp

memory/2160-10-0x0000000000560000-0x0000000000572000-memory.dmp

memory/2160-11-0x0000000000570000-0x000000000057A000-memory.dmp

memory/2160-12-0x0000000000840000-0x000000000084E000-memory.dmp

memory/2160-13-0x00000000020B0000-0x00000000020BE000-memory.dmp

memory/2160-14-0x0000000002140000-0x000000000214C000-memory.dmp

memory/2160-15-0x0000000002150000-0x000000000215C000-memory.dmp

C:\Program Files (x86)\Internet Explorer\en-US\services.exe

MD5 a0b73b5cc9f1b7ce5bf11c87b5f96710
SHA1 f3f81ce272d71f5ec9b890a400908d06910db863
SHA256 7ba97c08c68b3fb7bf3137a32ded5cfd2dc235e8e89403711459dfc2b2cd0d67
SHA512 2c4ac1d388813431867595d0dfb49aeea923e425ca1eeb8fd252754d3d8de3a750c0ce7126401a609229ba4ea94a99cb4251932c46171fceae7c5f3f2462c6f8

C:\Users\Default\System.exe

MD5 f4e78ee6ffd6f46f6d3fbd6865fd368e
SHA1 1ee9bb89627a0b3b1cc4ffb6a5e2eb29272a2d59
SHA256 1bd68b96e85d03bbcaf3ca9951f0b1c265624fd00b628d7a0586ec0b117defcb
SHA512 101aa9cf88bd48da5656df47847de5a88e15691e0339997d32312a5062bdaa926a4df39441a1689a91383a3163148af71d1f22044591ec0383f6912a2926fe21

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CLEJFKESGIH0ZLNIYIV0.temp

MD5 76696e542e10ce186649db32fb82a704
SHA1 15effab9593269a60a2d9725a96d9d258acb3178
SHA256 666015a551a501a2e40200ca4b2da1264f852eb1d461c06e9364c1ce87a4fed1
SHA512 01d8fe20490cb65f716b3e2209e02a8c59319b7392fd0f68db5bb1da545329fe85622c50615df021ae09db1f999b77b2194ca0f3a5c70e6ade98e1eae863f25e

memory/1516-80-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wfNKgTND0E.bat

MD5 dbd42b97c3c1644027c336ad579e9fbe
SHA1 a394848a1f6315561229d88fbd90a77961928697
SHA256 1acf246c61f6760961615c67977c5cd0a1efd09f5eeb3a85b8b5e1541bde20b3
SHA512 ab8629f8afd1ae3086b8566500b62f80a88a6e47e1b185bd41931787188c2ab8da868181770472b273c1ad3abf1e34094b40a9f1ab1e29745d8d32ea9957cfcb

memory/2160-92-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

memory/1516-90-0x00000000021D0000-0x00000000021D8000-memory.dmp

memory/1952-99-0x00000000008D0000-0x0000000000A9E000-memory.dmp

memory/1952-100-0x00000000020A0000-0x00000000020B2000-memory.dmp

memory/2724-131-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

memory/2724-141-0x00000000002C0000-0x00000000002C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bjknkRRiu6.bat

MD5 bde35400600c90336722aba2b67d197a
SHA1 39fba619a8520feea795810dff09bb88a8ede771
SHA256 320ce6e4e02834935c3ee534891bf4ae7fd0781cf512b87642674137df35dccd
SHA512 2e84330e9c85f17822d699055c9c6fc501f08a61b1e03b66a1ad006092edea4ed73e7732c9796a1ba63b4d51695d8b32e53635f78501484fa5419ec7058db75c

memory/908-160-0x00000000013A0000-0x000000000156E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8e4d434c-e5ce-4bd3-a256-e23aaaa3104b.vbs

MD5 806759d1d4e6624c7004668c4bb8e6b6
SHA1 b795cafe08bdfe6a812e825c0b9c4ff1f05d5162
SHA256 2531e55a8ba9a1e8d4c8c3fc26b0e5e9a80e6ab80ada1f62b8f3e1cd710e2b4e
SHA512 9e2bddfbacfe1ea27be4ee8b1f6bbb6d6e665892ecac2e100c48eb658d83cdf8f6b19a8ab1980d5a0444a2f15564782bb643de52f897f86f010644b171586eba

C:\Users\Admin\AppData\Local\Temp\4897cadc-593a-45bf-a06a-7a309ebde9b8.vbs

MD5 c38b91ae06967595763bb74c41f5d3c3
SHA1 9e3c0224eee560a63ac0082537c896672eced0ac
SHA256 969f300cec48192b5cd9f7654f9f08bcfc78d31250edf8f3694f388535d9b84f
SHA512 8bc3445360fa2d8e694d581e92d3c96458c434cc00e9347fdce7696c26800b010edf32abb92ef679942eb5286203dcd7afe7e3a6069c8c45c6fd56c1a4239f95

memory/484-171-0x0000000000650000-0x0000000000662000-memory.dmp

memory/484-172-0x0000000000B40000-0x0000000000B52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4ce91797-cbd6-4044-be2f-8b74e561ef07.vbs

MD5 47abdd1cefe2743330d71fdb983e33e2
SHA1 49770569acc9e2eb0bcc4cb7c42eb102c3a9f9e9
SHA256 faf404a390ef95baac70b7f05e7c70f4848f4a83801da1644d0f34069ebc1a62
SHA512 987b4bffe1bcf6a2d8a2b0796d4d37037f881a17c106f5d2f9014d03f16fd40df843f77d7598792ddadd1b8f10ffbd8aea75bf339b812be32a788de1afd4e85e

memory/3016-184-0x00000000000B0000-0x000000000027E000-memory.dmp

memory/3016-185-0x0000000000710000-0x0000000000722000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d7804f16-0589-4f5c-8be7-eb00699e42d7.vbs

MD5 77f7fecdf415b42853d7bac75a7eaccd
SHA1 436143784801e689138f45d056ebdd20ac997c2d
SHA256 997b1ea290bf20498cc0b82d97b39752f340e2e01a10424252e90d639d952e6c
SHA512 df59895db198c808b37bea0070052fc9a195e150b1d5a8c4841791d6b4712388f522ec4f02f63ecc8f593e76a282c779f158df28bf11f2f977cfecac8ee5292d

C:\Users\Admin\AppData\Local\Temp\76305965-8e44-4862-b063-ac30d0a58a6a.vbs

MD5 c1e11392e32250669957ea1a484d96e1
SHA1 b93b0210d0e225e34e2b002da2e6df55dfb01db6
SHA256 9019d6bd6e45191c6adf899b5edfc705b9a65a54f3777f264665a2883db195b8
SHA512 5329d0711cf3cd5e3644528dbb4d7c7fc93ac657611801728154be89fa381c3f7f02c7111da691c4c77e053890795a39ba02200dbe25c782f37eeb7e6e270e6b

memory/2668-208-0x00000000011D0000-0x000000000139E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\07e64a84-8598-4c33-8507-1eddfebffd2c.vbs

MD5 01eb7270a63433af475498b3e30ccbc3
SHA1 da67559455f02dbfc633afe9f44b269eb8875884
SHA256 b43a5b65dd804ab8ed1c2275c529d86fe32801dee73a818902a9170bd1ac8659
SHA512 c49d46960a7d5bc06587d7951cda380a4b6067cec986196ece4cf0c8ac5d0664a957d9434f612a902b797338acf0b024a3daac69477e20e8b1f564c834b17fab

C:\Users\Admin\AppData\Local\Temp\051a1a72-c400-4457-84b6-4b34f42a7071.vbs

MD5 c3e7d8b139089bc3173635c378488788
SHA1 7005983e6f5973c3842c4264bbea55e59c34bce1
SHA256 2797a9ba7ce2ec301222702a93f5100323fc5454f9f8373634271f881fddf785
SHA512 be02456597260adf40755183418bf7515ddb4eef57df8cd7da0969dca7a91f8e4853454bc75026db8e1f0512797ea8dbc4ca743925465ecbbde030c91f2388ba

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 14:39

Reported

2024-06-17 14:42

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\lsass.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\lsass.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\lsass.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\lsass.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\lsass.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\lsass.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\lsass.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\lsass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\lsass.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX6236.tmp C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX643B.tmp C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Cursors\sihost.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File created C:\Windows\Cursors\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Cursors\RCX6032.tmp C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
File created C:\Windows\Cursors\sihost.exe C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Recovery\WindowsRE\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Recovery\WindowsRE\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Recovery\WindowsRE\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Recovery\WindowsRE\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Recovery\WindowsRE\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Recovery\WindowsRE\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\WindowsRE\lsass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe C:\Recovery\WindowsRE\lsass.exe
PID 872 wrote to memory of 4612 N/A C:\Recovery\WindowsRE\lsass.exe C:\Windows\System32\WScript.exe
PID 872 wrote to memory of 1008 N/A C:\Recovery\WindowsRE\lsass.exe C:\Windows\System32\WScript.exe
PID 4612 wrote to memory of 3000 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\lsass.exe
PID 3000 wrote to memory of 1692 N/A C:\Recovery\WindowsRE\lsass.exe C:\Windows\System32\WScript.exe
PID 3000 wrote to memory of 4804 N/A C:\Recovery\WindowsRE\lsass.exe C:\Windows\System32\WScript.exe
PID 1692 wrote to memory of 4216 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\lsass.exe
PID 4216 wrote to memory of 3792 N/A C:\Recovery\WindowsRE\lsass.exe C:\Windows\System32\WScript.exe
PID 4216 wrote to memory of 2572 N/A C:\Recovery\WindowsRE\lsass.exe C:\Windows\System32\WScript.exe
PID 3792 wrote to memory of 5056 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\lsass.exe
PID 5056 wrote to memory of 216 N/A C:\Recovery\WindowsRE\lsass.exe C:\Windows\System32\WScript.exe
PID 5056 wrote to memory of 2380 N/A C:\Recovery\WindowsRE\lsass.exe C:\Windows\System32\WScript.exe
PID 216 wrote to memory of 4716 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\lsass.exe
PID 4716 wrote to memory of 1792 N/A C:\Recovery\WindowsRE\lsass.exe C:\Windows\System32\WScript.exe
PID 4716 wrote to memory of 1960 N/A C:\Recovery\WindowsRE\lsass.exe C:\Windows\System32\WScript.exe
PID 1792 wrote to memory of 4360 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\lsass.exe
PID 4360 wrote to memory of 3156 N/A C:\Recovery\WindowsRE\lsass.exe C:\Windows\System32\WScript.exe
PID 4360 wrote to memory of 400 N/A C:\Recovery\WindowsRE\lsass.exe C:\Windows\System32\WScript.exe

System policy modification

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Cursors\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a0b73b5cc9f1b7ce5bf11c87b5f96710_NeikiAnalytics.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backgroundTaskHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\backgroundTaskHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'

C:\Recovery\WindowsRE\lsass.exe

"C:\Recovery\WindowsRE\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6e1018e-86c7-481e-940f-4427352f8dec.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75bd9242-7aae-4361-bcf9-536e2c86cea3.vbs"

C:\Recovery\WindowsRE\lsass.exe

C:\Recovery\WindowsRE\lsass.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7f1d572-f121-43c1-8907-dd17d3e2607a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fa1c3f1-461b-4786-85f1-88323c4da8b4.vbs"

C:\Recovery\WindowsRE\lsass.exe

C:\Recovery\WindowsRE\lsass.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cacaae1c-890c-4b68-9174-d53f7503ae45.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb07c64e-e4b7-486a-8ff9-c583820a9495.vbs"

C:\Recovery\WindowsRE\lsass.exe

C:\Recovery\WindowsRE\lsass.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c273f0f6-d4fb-4e1c-86d9-44b87880c005.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\123d5fea-5cae-4dd8-b7e2-4a549d9c7e7c.vbs"

C:\Recovery\WindowsRE\lsass.exe

C:\Recovery\WindowsRE\lsass.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\693dc70a-ff42-46ff-8035-5408bcd4d52a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f28d9400-8a00-40e2-998f-51c0ffc75ba6.vbs"

C:\Recovery\WindowsRE\lsass.exe

C:\Recovery\WindowsRE\lsass.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\feef5e7d-e489-4080-820c-99a12e36d28f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f707d43-74e9-4a3b-bf25-bd3a132edace.vbs"

Network


Files
