Malware Analysis Report

2024-11-16 13:17

Sample ID 240519-bb3tnaaa37
Target 3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe
SHA256 7286faa87d9761ae37f4cd3122865b829f2cab42eff87a3ffba01047929e508a
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7286faa87d9761ae37f4cd3122865b829f2cab42eff87a3ffba01047929e508a

Threat Level: Known bad

The file 3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

Modifies visibility of hidden/system files in Explorer

Modifies firewall policy service

UAC bypass

Modifies visibility of file extensions in Explorer

Windows security bypass

Sality

Executes dropped EXE

Loads dropped DLL

Windows security modification

UPX packed file

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 00:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 00:59

Reported

2024-05-19 01:01

Platform

win7-20240221-en

Max time kernel

8s

Max time network

118s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f762bb2 C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
File created C:\Windows\f763498 C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 2168 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 2168 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2168 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 2168 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2984 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhost.exe
PID 2984 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\Dwm.exe
PID 2984 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE
PID 2984 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\0F763534_Rar\rundll32.exe

MD5 2eb5d76180ce7b3241b281fa79ab3483
SHA1 06293dea80e39c7eb7ee2bdb00d60b58d932fa8a
SHA256 e1b9beb4617a720d55afaec364941bb18ea2c456a8b06b30a736f0cbb5c297e8
SHA512 35f553c76fc67afb88a6a090fcbad6af3e2faae154c9c84bd869714194012525a2d42b76dad855805f107a37c351f0de08fd9a03d8ddc1dd400d64640d81b90b

C:\Windows\SYSTEM.INI

MD5 8b6d3d50e32f3ce4a40c520fb4c11e06
SHA1 6a00b3147e1c61f7e2bc80158e73a8d2b2033aca
SHA256 94f42d2b22181d604a0df80cd7bb4df65e9e2dcf1e1e5d6750eae40f98174fa7
SHA512 16c2d90c5bc2eec1341caeadf8fd25e36b536cf8997278ff33ef436c4be42496b914d52b48b5156f2c1f5e9c4998eeba6212f977c907d0989059066ec0a4559d

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

MD5 3b94744c1af3863468425acb2d086870
SHA1 e8e04d433b325e7c6f7375ed90eb6f44bddb4a50
SHA256 7286faa87d9761ae37f4cd3122865b829f2cab42eff87a3ffba01047929e508a
SHA512 bf12103aa593d6a4d5fa8325c22f26487b718865c278dc1a740780490c6ac1438db082bfbfcf1847be18c449076c4cc3db7c1289a2104f84863cac348ca639e7

C:\egmpao.pif

MD5 af3ca52f822347031a36df4f8a91186b
SHA1 f1c48e09eb359805914cfd27ee737be99fd7ace0
SHA256 d84a95636c92ca8a43216902fb224f5c3885e14c8545b62aeddc06ceb112d2f3
SHA512 45ea76645141437e5a221b4aa05bd36350247c83bfc15d8f8cfda3f34edd7d781a620579927d45df696f57256ffaee94fcc864c5208daa8486212ab33c7f707a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 00:59

Reported

2024-05-19 01:01

Platform

win10v2004-20240426-en

Max time kernel

17s

Max time network

138s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5743a0 C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A
File created C:\Windows\e577501 C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 700 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 700 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 700 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 700 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 700 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 700 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 700 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 700 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 700 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 700 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 700 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 700 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 700 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 700 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 700 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 700 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 700 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 700 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 700 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 700 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2364 wrote to memory of 780 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 2364 wrote to memory of 788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 2364 wrote to memory of 316 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\dwm.exe
PID 2364 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\sihost.exe
PID 2364 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 2364 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhostw.exe
PID 2364 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE
PID 2364 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 2364 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\DllHost.exe
PID 2364 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2364 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2364 wrote to memory of 388 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2364 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2364 wrote to memory of 436 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2364 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2364 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2364 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2364 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3b94744c1af3863468425acb2d086870_NeikiAnalytics.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
NL 23.62.61.194:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp

Files

memory/700-0-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/700-3-0x0000000003330000-0x00000000043EA000-memory.dmp

memory/700-1-0x0000000003330000-0x00000000043EA000-memory.dmp

memory/700-6-0x0000000003330000-0x00000000043EA000-memory.dmp

memory/700-21-0x0000000001770000-0x0000000001772000-memory.dmp

memory/700-16-0x0000000003330000-0x00000000043EA000-memory.dmp

memory/700-15-0x0000000003330000-0x00000000043EA000-memory.dmp

memory/700-23-0x0000000003330000-0x00000000043EA000-memory.dmp

memory/700-5-0x0000000003330000-0x00000000043EA000-memory.dmp

memory/700-18-0x0000000003330000-0x00000000043EA000-memory.dmp

memory/700-9-0x0000000004E00000-0x0000000004E01000-memory.dmp

memory/700-8-0x0000000001770000-0x0000000001772000-memory.dmp

memory/700-17-0x0000000001770000-0x0000000001772000-memory.dmp

memory/700-7-0x0000000003330000-0x00000000043EA000-memory.dmp

memory/700-24-0x0000000003330000-0x00000000043EA000-memory.dmp

memory/700-25-0x0000000003330000-0x00000000043EA000-memory.dmp

memory/700-26-0x0000000003330000-0x00000000043EA000-memory.dmp

memory/700-29-0x0000000003330000-0x00000000043EA000-memory.dmp

memory/2364-33-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/700-49-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/700-39-0x0000000001770000-0x0000000001772000-memory.dmp

memory/700-36-0x0000000003330000-0x00000000043EA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

MD5 3b94744c1af3863468425acb2d086870
SHA1 e8e04d433b325e7c6f7375ed90eb6f44bddb4a50
SHA256 7286faa87d9761ae37f4cd3122865b829f2cab42eff87a3ffba01047929e508a
SHA512 bf12103aa593d6a4d5fa8325c22f26487b718865c278dc1a740780490c6ac1438db082bfbfcf1847be18c449076c4cc3db7c1289a2104f84863cac348ca639e7

C:\Users\Admin\AppData\Local\Temp\0E574F1A_Rar\rundll32.exe

MD5 2eb5d76180ce7b3241b281fa79ab3483
SHA1 06293dea80e39c7eb7ee2bdb00d60b58d932fa8a
SHA256 e1b9beb4617a720d55afaec364941bb18ea2c456a8b06b30a736f0cbb5c297e8
SHA512 35f553c76fc67afb88a6a090fcbad6af3e2faae154c9c84bd869714194012525a2d42b76dad855805f107a37c351f0de08fd9a03d8ddc1dd400d64640d81b90b

C:\Windows\SYSTEM.INI

MD5 cf078fe7cba1e80a6d6fce26fe36716a
SHA1 eb457dd1649a7387a92d060ba1d27394d85a305a
SHA256 cfe46b4fb340aa3f1b7b12ceba168cde126fff81e6c2d68048e62ba074a1b5a1
SHA512 cd2c79fc2d0a9ab715bd94863370f3be1f48452139ab4a47c49a5091d938716fe469a9ce348e38969adc9cf5de907009472530054265fc865dd955c974dd046d

memory/2364-63-0x0000000003830000-0x0000000003831000-memory.dmp

memory/2364-71-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

memory/2364-61-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-70-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-73-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

memory/2364-72-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-69-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-60-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-57-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-56-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-55-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-53-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-58-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-59-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-75-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-74-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-76-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-77-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-78-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-80-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-81-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-82-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-84-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-86-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-88-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-87-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-91-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-93-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-113-0x0000000004EE0000-0x0000000005F9A000-memory.dmp

memory/2364-122-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

C:\xxud.exe

MD5 1d7b6137c06486ced9254e0b617177c1
SHA1 6e2731c495e7d4436198efa6304bfb87ec38a8c0
SHA256 b8cc5155d127db73d32b7beb464f2d398a01ed162b5ec78f89a90749d580003f
SHA512 6e5aa40c2cfb358be7d319ceb8306e6542320d7ebb6ad1c4a10975e5a2ecfc01d938f2c24e442edd3c599d181f1505055b99d250553c48c98aeea5d5ef0f4455