Malware Analysis Report

2024-10-10 13:08

Sample ID 240617-rzxkjsvakf
Target a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe
SHA256 495cf4303436a0d08e39dd898189e734510121d5b07c8a533491e2d5a58dda63
Tags
rat dcrat evasion execution infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

495cf4303436a0d08e39dd898189e734510121d5b07c8a533491e2d5a58dda63

Threat Level: Known bad

The file a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

DCRat payload

DcRat

Process spawned unexpected child process

UAC bypass

Dcrat family

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 14:38

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 14:38

Reported

2024-06-17 14:40

Platform

win7-20240508-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\en-US\taskhost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\taskhost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\RCX458F.tmp C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\dwm.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\System.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\dwm.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Uninstall Information\RCX3F17.tmp C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Uninstall Information\System.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\en-US\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Windows\Prefetch\dwm.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Windows\Prefetch\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\en-US\RCX389E.tmp C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Prefetch\RCX3D13.tmp C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Prefetch\dwm.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Windows\en-US\taskhost.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\en-US\taskhost.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A
N/A N/A C:\Windows\en-US\taskhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2376 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2376 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2220 wrote to memory of 1624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2220 wrote to memory of 1624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2220 wrote to memory of 1624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2220 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Windows\en-US\taskhost.exe
PID 2220 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Windows\en-US\taskhost.exe
PID 2220 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Windows\en-US\taskhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\en-US\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Templates\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Templates\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Templates\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Prefetch\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Videos\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\dwm.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ogWDuB3cEe.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\en-US\taskhost.exe

"C:\Windows\en-US\taskhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0981341.xsph.ru udp
RU 141.8.192.6:80 a0981341.xsph.ru tcp

Files

memory/2376-0-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

memory/2376-1-0x0000000001360000-0x0000000001472000-memory.dmp

memory/2376-2-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

memory/2376-3-0x00000000003C0000-0x00000000003C8000-memory.dmp

memory/2376-4-0x00000000003D0000-0x00000000003E0000-memory.dmp

memory/2376-5-0x00000000003E0000-0x00000000003EA000-memory.dmp

memory/2376-6-0x00000000003F0000-0x00000000003FC000-memory.dmp

memory/2376-7-0x0000000000580000-0x000000000058C000-memory.dmp

memory/2376-10-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

C:\ProgramData\Microsoft\Windows\Templates\smss.exe

MD5 a0337fe468064f51ac3caf5879209af0
SHA1 cd23c6010648382a9265dc4d751ef703db6cca26
SHA256 495cf4303436a0d08e39dd898189e734510121d5b07c8a533491e2d5a58dda63
SHA512 159fcd10c4b62f9295b3baa2d8853620b0ea37ea17c3a4d60db66f64cefcdf0ce738ab650ae8724d4b7a264866116e6058cc68253f371fc8fb2ac6def629254c

memory/2376-77-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 5cd8b6fbc6c5c33e92e95cead34aa7fd
SHA1 a6c76751d4d1a345b574e8b6c3b9f0f5a86ec1ab
SHA256 c2e87190e73d0232b25897d12dce313fd27cf1431a9657e0e6d346322c6b27b3
SHA512 85ca1b4f110556d065420fd91b9d934dab2851503ef4b0cd5b62bd715d11743f4b9a3612425e647182d812d91fe3a96ca2895b1c74c65a6a30a3bcacad59c09b

memory/3028-103-0x0000000001F70000-0x0000000001F78000-memory.dmp

memory/1892-98-0x000000001B750000-0x000000001BA32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ogWDuB3cEe.bat

MD5 0fe8210fbb1815f984fdcce08658197f
SHA1 3d6b1021127b7d3b0b5be7643ce088f7795d3521
SHA256 9d7c6dab7d70fc0b7f1118401a61780a6857d96525dd918277ecbd632f8dd702
SHA512 bac744a339f715063cb8b0c0d748003fedd811130066fcd7257cc6be5fa2465b05177e3277da84916e01b312771b26e599a5c4469cb9998d881900244dff1f1e

C:\Windows\en-US\taskhost.exe

MD5 a8602217a9446d3e8af09e7ef0f81ccd
SHA1 0f5b296886e617c78c9dfefe79394fb3f57a689e
SHA256 5aae3d14e869a9011a555f872fb17681d81d573f34be89551783df0b444c4f9e
SHA512 a23b263e3bb951676906b1a2a31f3dbb44181d0f6942a45b522d3144a9ccaafe90174932628fe24986216ad8510d22c85aba3b0a5e7974b5d80f3e01173e9be9

memory/2880-122-0x00000000012F0000-0x0000000001402000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 14:38

Reported

2024-06-17 14:40

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files\Windows NT\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\24dbde2999530e C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\powershell.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows NT\RCX624A.tmp C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows NT\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\sysmon.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Mozilla Firefox\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX5DC4.tmp C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Mozilla Firefox\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\e978f868350d50 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows NT\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\24dbde2999530e C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\powershell.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\en-US\sysmon.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows NT\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\InputMethod\CHT\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Windows\InputMethod\CHT\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Windows\Setup\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File created C:\Windows\Setup\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\InputMethod\CHT\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Setup\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe
PID 1168 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe
PID 2644 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2644 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 3772 wrote to memory of 3176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3772 wrote to memory of 3176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3772 wrote to memory of 5560 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe
PID 3772 wrote to memory of 5560 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Templates\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Templates\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'

C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\InputMethod\CHT\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\InputMethod\CHT\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Setup\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\Default\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\powershell.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\sysmon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\CHT\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\sysmon.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9TFxmxilSc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0981341.xsph.ru udp

Files

memory/1168-0-0x00007FF8AF063000-0x00007FF8AF065000-memory.dmp

memory/1168-1-0x0000000000E40000-0x0000000000F52000-memory.dmp

memory/1168-2-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp

memory/1168-4-0x0000000003100000-0x0000000003110000-memory.dmp

memory/1168-5-0x0000000003110000-0x000000000311A000-memory.dmp

memory/1168-3-0x0000000001740000-0x0000000001748000-memory.dmp

memory/1168-6-0x0000000003120000-0x000000000312C000-memory.dmp

memory/1168-7-0x000000001C430000-0x000000001C43C000-memory.dmp

memory/1168-10-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp

memory/1168-11-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp

C:\Recovery\WindowsRE\sysmon.exe

MD5 a0337fe468064f51ac3caf5879209af0
SHA1 cd23c6010648382a9265dc4d751ef703db6cca26
SHA256 495cf4303436a0d08e39dd898189e734510121d5b07c8a533491e2d5a58dda63
SHA512 159fcd10c4b62f9295b3baa2d8853620b0ea37ea17c3a4d60db66f64cefcdf0ce738ab650ae8724d4b7a264866116e6058cc68253f371fc8fb2ac6def629254c

memory/1012-82-0x00000155A2EF0000-0x00000155A2F12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwlhb1fn.ccw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a0337fe468064f51ac3caf5879209af0_NeikiAnalytics.exe.log

MD5 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1 d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

memory/1168-149-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Recovery\WindowsRE\121e5b5079f7c0

MD5 778b341da6389e83f9f1e7a40e2c3531
SHA1 d64a00bfe7619d00ef26ae23892afc6ea54437f9
SHA256 45e7dbd9a745b0071dfef42aaa27a728c30e86cc57e8e8b20a90c2ea994a778f
SHA512 bd013cfd0a44f33cee4ee931ee19dbf4eb236e9a86828da1383a4fc3459578c0129c68b8ee0fc84092634cd5c07a243db71ac0088b4faedbfda625e6abd6f57a

C:\Users\Admin\AppData\Local\Temp\9TFxmxilSc.bat

MD5 cea0a474a722dbdf1892268974fd8aee
SHA1 10c85dadbea408130d3f3b69f2b535ff22a67a9a
SHA256 e614237e8d76720f4276660be640611ea3263db23c836c324ecb47a7ad8d0325
SHA512 789a01d790bc0073a38e46c41ea4b1e30c709e99358886792adbb3cb3c8d566ebd98996f80bc871adcf8387585a5ef8ea3b8c5235313235169e533dd9d89c2fe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 624e41a75a6dfd62039973dbbfdbe622
SHA1 f791e4cc85d6ae7039acef57a9025b173d7e963b
SHA256 ced1b5ac330145fa608627ad4de1dfb3533375f19b6da3d02ad202d0b7732bc1
SHA512 a13a128a5ea8aad3bcd5f3dbffa5fbfe7763370d8e43b546a1df1da3b0ec0d520cf5fcc8c25c22fd1e73ea1d00da1bee99305e028e71e193339e4fa8ce8f0b2d

memory/1576-408-0x000002AB98A50000-0x000002AB98BBA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8a1d5945d69caaa5ad4650aa92416db8
SHA1 fce5ff33231a7b99c4e54afac0b356aa72c86aef
SHA256 536f6c89e5a645ed4b13768d4e63be2900f010b341e04729e79c04af7af1d567
SHA512 04a94cfc967dccb836f2a51b86f861f77421f57bfc6826b00a63a86df995e0e873b38a5c930a15a173b3ea4e768776a13860206468d1bb7ec614ce93f8143cc2

memory/2668-412-0x000001F0D6B00000-0x000001F0D6C6A000-memory.dmp

memory/4672-411-0x0000013D7EB90000-0x0000013D7ECFA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 32b16440fab3a1055d9c22b90935bdfb
SHA1 ee350c4a65b81468487a3660dfe4f373660b9070
SHA256 ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35
SHA512 5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

memory/1572-423-0x000002D6F2340000-0x000002D6F24AA000-memory.dmp

memory/3712-424-0x000001B6DCF80000-0x000001B6DD0EA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 17ea263ce8c38396c330fd30047d0522
SHA1 65304731eecbe75dd17c1bafbcc48dbf25e17eb7
SHA256 e82e800314f4323137889614c5094bd5005946be034263b84ca957a992b099e8
SHA512 0799a50c0c6fe5eeca124395e57b38da73ae57554fa0063beb720bba8116e256f91f86c9138e452541e1672b349a4eb4154b3787dda67d481a6f67c97c336eba

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34477c71724989cda19ddd7a5a4d7b29
SHA1 debaa011b19ba910190607cc62ed2ec2212dfa0c
SHA256 59a4123ada3faee2ab3d8be31e8b523c574acc9ade3761a4564db03f83190c98
SHA512 c61d2254e664ce601c58eae8ed3d0346ca399a780587ed884db66db5e345725597b8076fd6d0ada823df034d227f004a1c545d9f9fb6c7349adcfeb8215beee9

memory/5020-454-0x000001CB4F550000-0x000001CB4F6BA000-memory.dmp

memory/3192-457-0x000002A1508B0000-0x000002A150A1A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9f0650e5656121e0c63333fcd49fc133
SHA1 f6efd0b4d35c6adf7df451a7f80b0f7a4da5adff
SHA256 36457b2b5dc32923c8f1e3b3223eb6a7ab588dc56b15ecb4aa24fdebf0294e99
SHA512 78de45da645e9e2c0f1d2134d01fbc6bd2c5510b68ba00d3ee24784c76a7f46c0aade01a65f35feecbd8c2c423509828ba6809b4fc7966e9a344e44e32606af5

memory/2824-451-0x00000227A1E40000-0x00000227A1FAA000-memory.dmp

memory/4140-450-0x000001EDF45A0000-0x000001EDF470A000-memory.dmp

memory/1924-449-0x0000024BF4B20000-0x0000024BF4C8A000-memory.dmp

memory/4692-446-0x0000020FEFB30000-0x0000020FEFC9A000-memory.dmp

memory/852-441-0x0000019B5A600000-0x0000019B5A76A000-memory.dmp

memory/4352-438-0x000001A53E750000-0x000001A53E8BA000-memory.dmp

memory/764-437-0x000001A15A310000-0x000001A15A47A000-memory.dmp

memory/5004-436-0x0000021B70040000-0x0000021B701AA000-memory.dmp

memory/1812-433-0x000001AD706D0000-0x000001AD7083A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4f473e15a0686d0c819ad40b5f232368
SHA1 a769892ae2e8203e7d4a992a317189b56723da33
SHA256 53d6c0d9a801d45fefdcec9b3ecf217fef683efc4e40ba9c72f0116ee4d20237
SHA512 d9b43132432078d5496688717253e58e7caab0dcbd20fc41fa8a718d11d699e93ee198f18be4243ed34bcf8912e1377888fe72ae5b26d920e765ab523f0bdf55

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cfecb4e0f846589c2742fd84d6bbd1db
SHA1 730c66c99e80f1c7d0fdd1ef7483c9dfb0a770ec
SHA256 12190c96e9eef24f7ee9a4e19d806f29d4aedab1f2c696478dea5684941824aa
SHA512 669241f726837dcd3b6c6664e002c4938cf1ccf9be3f3b4a953efb35a2977c6ea9536e1b61b92b1b716991f9801f4516d8e1d53c65ac605174ece553f19da475

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 481c1608c2bec426ca209e8800611abd
SHA1 5df5a08760b0e5c56cb9daf768894435354d2651
SHA256 44e538c7570e175634f9929d350a79203730fcb753638f611a1dd4780ec430ed
SHA512 5a87762225beffbd34048fd0d617a75eff25ca6dfe47c258cdfad8c841f8b0b4144ae8c7ef04ee5de36987cb6ae0953499d5fa27b2100483a8042ee5e27d190c

memory/3384-420-0x0000025DC1270000-0x0000025DC13DA000-memory.dmp

memory/2556-415-0x000001E23BF80000-0x000001E23C0EA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6019bc03fe1dc3367a67c76d08b55399
SHA1 3d0b6d4d99b6b8e49829a3992072c3d9df7ad672
SHA256 7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0
SHA512 6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb