Malware Analysis Report

2024-11-16 13:17

Sample ID 240518-z6khkagb5s
Target 046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe
SHA256 a5a7ad5872db1dc1b3cd3decdfa17fc307f2fe1c1a853fa7d5fb111ce994f460
Tags
sality backdoor evasion trojan upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

a5a7ad5872db1dc1b3cd3decdfa17fc307f2fe1c1a853fa7d5fb111ce994f460

Threat Level: Known bad

The file 046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

UAC bypass

Windows security bypass

Modifies firewall policy service

UPX packed file

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 21:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 21:19

Reported

2024-05-18 21:22

Platform

win7-20240221-en

Max time kernel

125s

Max time network

124s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f767aea C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 1184 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 1184 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 1184 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe"

Network

N/A

Files

C:\pkcl.pif

MD5 60487487e09d1009f4eb50d3ccd360f0
SHA1 86505ef0759adc2798930d1b735918dc95384067
SHA256 6e3246325ac5224e7051b10e7498296d709ae010e48ddf1b1fda36f235f47985
SHA512 784f3ded355094c90387b6b5960da732d050e857f34bdb1d6081cea94f66f9f02186e9bb5bb541d8719049e578e01d56728a5018d291d5f1d23ebd6d93f1eb86

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 21:19

Reported

2024-05-18 21:22

Platform

win10v2004-20240426-en

Max time kernel

122s

Max time network

104s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
File created C:\Windows\e575505 C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3292 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3292 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3292 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3292 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3292 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3292 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3292 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3292 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3292 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3292 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3292 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3292 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3292 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3292 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3292 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3292 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3292 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3292 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3292 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3292 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3292 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3292 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3292 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3292 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3292 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3292 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3292 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3292 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3292 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3292 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3292 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3292 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3292 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3292 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3292 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3292 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3292 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3292 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3292 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3292 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3292 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3292 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3292 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3292 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3292 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3292 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3292 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3292 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3292 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3292 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3292 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3292 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3292 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3292 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3292 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3292 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3292 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3292 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3292 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3292 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3292 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3292 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3292 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3292 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\046e62226efbb2810694adf45a34fdd0_NeikiAnalytics.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3292-0-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3292-1-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-3-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-6-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-4-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-20-0x0000000003E40000-0x0000000003E42000-memory.dmp

memory/3292-17-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-16-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-21-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-7-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-5-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-18-0x0000000003E40000-0x0000000003E42000-memory.dmp

memory/3292-8-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-10-0x0000000003F90000-0x0000000003F91000-memory.dmp

memory/3292-9-0x0000000003E40000-0x0000000003E42000-memory.dmp

memory/3292-19-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-22-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-23-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-24-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-26-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-25-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-28-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-29-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-30-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-32-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-33-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-35-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-37-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-40-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-43-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-44-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-47-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-46-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-49-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-50-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-51-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-54-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-61-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-63-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-64-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-65-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-66-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-67-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-69-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-73-0x0000000003E40000-0x0000000003E42000-memory.dmp

memory/3292-72-0x0000000000880000-0x000000000193A000-memory.dmp

memory/3292-77-0x0000000000880000-0x000000000193A000-memory.dmp

F:\rsfb.exe

MD5 d1526602854e5c3ff1b6bb5e4bb99d15
SHA1 2fe80789a98c97d9e785667b386e7fb5d3d1ef56
SHA256 68390c9c322abec94578e863f6577275e73301978c952e88a4d7d1830782d3f2
SHA512 d65c31e8c77257f8cb39d02f521a660b507a4c5d9a0c681e4f0db62366e8aff4191be88d62a3ff3b7bfdc52bf4d1dfc7e60aa4e222be9fc39f556dddaa5955b4