Malware Analysis Report

2024-11-16 13:19

Sample ID 240519-n4n77agc6y
Target b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe
SHA256 6b4f87b48c72cb08688413039bed57be6882933ead00949e7d85f582a504f1e8
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

6b4f87b48c72cb08688413039bed57be6882933ead00949e7d85f582a504f1e8

Threat Level: Known bad

The file b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

Modifies firewall policy service

Windows security bypass

UAC bypass

Modifies WinLogon for persistence

Sality

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Windows security modification

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-05-19 11:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 11:57

Reported

2024-05-19 11:59

Platform

win7-20240508-en

Max time kernel

26s

Max time network

101s

Command Line

"taskhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe" C:\Windows\system\Fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe" C:\Windows\SVIQ.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe" C:\Windows\dc.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\system\Fun.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system\Fun.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system\Fun.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\dc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\system\Fun.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe" C:\Windows\system\Fun.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe" C:\Windows\SVIQ.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe" C:\Windows\dc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE" C:\Windows\system\Fun.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE" C:\Windows\SVIQ.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE" C:\Windows\dc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system\Fun.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system\Fun.exe N/A
File opened (read-only) \??\J: C:\Windows\system\Fun.exe N/A
File opened (read-only) \??\L: C:\Windows\system\Fun.exe N/A
File opened (read-only) \??\M: C:\Windows\system\Fun.exe N/A
File opened (read-only) \??\O: C:\Windows\system\Fun.exe N/A
File opened (read-only) \??\P: C:\Windows\system\Fun.exe N/A
File opened (read-only) \??\E: C:\Windows\system\Fun.exe N/A
File opened (read-only) \??\G: C:\Windows\system\Fun.exe N/A
File opened (read-only) \??\K: C:\Windows\system\Fun.exe N/A
File opened (read-only) \??\N: C:\Windows\system\Fun.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Windows\system\Fun.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinSit.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\config\Win.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\WinSit.exe C:\Windows\system\Fun.exe N/A
File opened for modification C:\Windows\SysWOW64\config\Win.exe C:\Windows\system\Fun.exe N/A
File opened for modification C:\Windows\SysWOW64\config\Win.exe C:\Windows\dc.exe N/A
File opened for modification C:\Windows\SysWOW64\WinSit.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\config\Win.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\WinSit.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\Win.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\SysWOW64\WinSit.exe C:\Windows\dc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\dc.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\wininit.ini C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\Fun.exe C:\Windows\dc.exe N/A
File created C:\Windows\system\Fun.exe C:\Windows\dc.exe N/A
File opened for modification C:\Windows\Help\Other.exe C:\Windows\dc.exe N/A
File opened for modification C:\Windows\Help\Other.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\wininit.ini C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\system\Fun.exe C:\Windows\system\Fun.exe N/A
File opened for modification C:\Windows\SVIQ.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File created C:\Windows\dc.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File created C:\Windows\inf\Other.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\dc.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\wininit.ini C:\Windows\system\Fun.exe N/A
File created C:\Windows\system\Fun.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\inf\Other.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\dc.exe C:\Windows\dc.exe N/A
File created C:\Windows\system\Fun.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\inf\Other.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File created C:\Windows\system\Fun.exe C:\Windows\system\Fun.exe N/A
File opened for modification C:\Windows\SVIQ.EXE C:\Windows\system\Fun.exe N/A
File opened for modification C:\Windows\system\Fun.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Help\Other.exe C:\Windows\system\Fun.exe N/A
File opened for modification C:\Windows\inf\Other.exe C:\Windows\system\Fun.exe N/A
File opened for modification C:\Windows\wininit.ini C:\Windows\dc.exe N/A
File opened for modification C:\Windows\system\Fun.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\inf\Other.exe C:\Windows\dc.exe N/A
File opened for modification C:\Windows\SVIQ.EXE C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File created C:\Windows\Help\Other.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\dc.exe C:\Windows\system\Fun.exe N/A
File created C:\Windows\SVIQ.EXE C:\Windows\SVIQ.EXE N/A
File created C:\Windows\SVIQ.EXE C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Help\Other.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File created C:\Windows\dc.exe C:\Windows\dc.exe N/A
File created C:\Windows\SVIQ.EXE C:\Windows\dc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\dc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\Fun.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 836 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 836 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 836 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 836 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 836 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system\Fun.exe
PID 2740 wrote to memory of 2680 N/A C:\Windows\system\Fun.exe C:\Windows\SVIQ.EXE
PID 836 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\dc.exe
PID 2740 wrote to memory of 1116 N/A C:\Windows\system\Fun.exe C:\Windows\system32\taskhost.exe
PID 2740 wrote to memory of 1164 N/A C:\Windows\system\Fun.exe C:\Windows\system32\Dwm.exe
PID 2740 wrote to memory of 1212 N/A C:\Windows\system\Fun.exe C:\Windows\Explorer.EXE
PID 2740 wrote to memory of 1036 N/A C:\Windows\system\Fun.exe C:\Windows\system32\DllHost.exe
PID 2740 wrote to memory of 2820 N/A C:\Windows\system\Fun.exe C:\Windows\dc.exe
PID 2740 wrote to memory of 1280 N/A C:\Windows\system\Fun.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system\Fun.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe"

C:\Windows\system\Fun.exe

C:\Windows\system\Fun.exe

C:\Windows\SVIQ.EXE

C:\Windows\SVIQ.EXE

C:\Windows\dc.exe

C:\Windows\dc.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system\Fun.exe

C:\Windows\system\Fun.exe

C:\Windows\system\Fun.exe

C:\Windows\system\Fun.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 dungcoivb.googlepages.com udp
GB 142.250.178.19:80 dungcoivb.googlepages.com tcp

Files

C:\Windows\SVIQ.EXE

MD5 b6d204cf96e004b32efbeaae6852962b
SHA1 549abe4a13e5aa2c6f78b2e5dce3408641568c96
SHA256 6b4f87b48c72cb08688413039bed57be6882933ead00949e7d85f582a504f1e8
SHA512 ed7293f46e23297876d176cfe97a9db4715f2328b5a505b129a39ff991ad9e6e9923453531c698cedc19db0aaf765c3510df2e074db0a42ea7191c22887b46f8

C:\Windows\wininit.ini

MD5 e839977c0d22c9aa497b0b1d90d8a372
SHA1 b5048e501399138796b38f3d3666e1a88c397e83
SHA256 478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2
SHA512 4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

C:\Windows\SYSTEM.INI

MD5 eb16cc3010bdbabeee4d6517e72f6416
SHA1 598d6ef3966a163c64cd0f061c3115a5d3a673e3
SHA256 4ff89e3861f195b0afb777e488c5a57715f60ea34f6000195b07fb0b7fe7d876
SHA512 886f6c8227ad25aeaf891e87319dce09bdc12692b3e452c4db0c68d01c5987cf937baff7fd4d6730eeb4ca19ceaf744ea24ea28c15996d6e9afaae0ce67980b2

C:\gqoepd.exe

MD5 a186c23b0f5e815d41519a3904ed2df6
SHA1 9d07aede414d6e8a2316fdd62d6925f72a63c3c0
SHA256 9cfc820d4eb33d9b00f32b67f78429056059aa0751f5b20c093ad8ec40311610
SHA512 c4e3a9efcb3597c15c57824eff124651553340c792af09743e7ec60556c3c846125f0390ce010cc3becf605b5d597d8575a9b7ebaff91fe80b706111a12fd232

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 11:57

Reported

2024-05-19 11:59

Platform

win10v2004-20240426-en

Max time kernel

21s

Max time network

101s

Command Line

"fontdrvhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe" C:\Windows\system\Fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe" C:\Windows\SVIQ.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe" C:\Windows\dc.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\system\Fun.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system\Fun.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\system\Fun.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system\Fun.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\dc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\system\Fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\system\Fun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE" C:\Windows\SVIQ.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE" C:\Windows\dc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe" C:\Windows\system\Fun.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe" C:\Windows\SVIQ.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe" C:\Windows\dc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE" C:\Windows\system\Fun.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system\Fun.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system\Fun.exe N/A
File opened (read-only) \??\G: C:\Windows\system\Fun.exe N/A
File opened (read-only) \??\H: C:\Windows\system\Fun.exe N/A
File opened (read-only) \??\I: C:\Windows\system\Fun.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WinSit.exe C:\Windows\system\Fun.exe N/A
File opened for modification C:\Windows\SysWOW64\config\Win.exe C:\Windows\system\Fun.exe N/A
File opened for modification C:\Windows\SysWOW64\config\Win.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\SysWOW64\WinSit.exe C:\Windows\dc.exe N/A
File created C:\Windows\SysWOW64\WinSit.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\WinSit.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\config\Win.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\config\Win.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\WinSit.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\Win.exe C:\Windows\dc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Help\Other.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\inf\Other.exe C:\Windows\system\Fun.exe N/A
File created C:\Windows\system\Fun.exe C:\Windows\dc.exe N/A
File opened for modification C:\Windows\SVIQ.EXE C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\inf\Other.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\wininit.ini C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File created C:\Windows\SVIQ.EXE C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\Help\Other.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\system\Fun.exe C:\Windows\system\Fun.exe N/A
File opened for modification C:\Windows\wininit.ini C:\Windows\system\Fun.exe N/A
File opened for modification C:\Windows\dc.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\inf\Other.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\wininit.ini C:\Windows\SVIQ.EXE N/A
File created C:\Windows\dc.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File created C:\Windows\SVIQ.EXE C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File created C:\Windows\inf\Other.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Help\Other.exe C:\Windows\dc.exe N/A
File opened for modification C:\Windows\SVIQ.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\wininit.ini C:\Windows\dc.exe N/A
File opened for modification C:\Windows\system\Fun.exe C:\Windows\SVIQ.EXE N/A
File opened for modification C:\Windows\system\Fun.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\dc.exe C:\Windows\system\Fun.exe N/A
File opened for modification C:\Windows\SVIQ.EXE C:\Windows\system\Fun.exe N/A
File created C:\Windows\system\Fun.exe C:\Windows\SVIQ.EXE N/A
File created C:\Windows\dc.exe C:\Windows\dc.exe N/A
File opened for modification C:\Windows\inf\Other.exe C:\Windows\dc.exe N/A
File opened for modification C:\Windows\dc.exe C:\Windows\dc.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File created C:\Windows\system\Fun.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\dc.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Help\Other.exe C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
File created C:\Windows\system\Fun.exe C:\Windows\system\Fun.exe N/A
File opened for modification C:\Windows\Help\Other.exe C:\Windows\system\Fun.exe N/A
File created C:\Windows\SVIQ.EXE C:\Windows\dc.exe N/A
File opened for modification C:\Windows\system\Fun.exe C:\Windows\dc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\system\Fun.exe N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\SVIQ.EXE N/A
N/A N/A C:\Windows\dc.exe N/A
N/A N/A C:\Windows\dc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1824 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1824 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1824 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 1824 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 1824 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1824 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 1824 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 1824 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1824 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 1824 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1824 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1824 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1824 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1824 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1824 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1824 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1824 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1824 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system\Fun.exe
PID 1824 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system\Fun.exe
PID 1824 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\system\Fun.exe
PID 3404 wrote to memory of 1092 N/A C:\Windows\system\Fun.exe C:\Windows\SVIQ.EXE
PID 3404 wrote to memory of 1092 N/A C:\Windows\system\Fun.exe C:\Windows\SVIQ.EXE
PID 3404 wrote to memory of 1092 N/A C:\Windows\system\Fun.exe C:\Windows\SVIQ.EXE
PID 1824 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\dc.exe
PID 1824 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\dc.exe
PID 1824 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe C:\Windows\dc.exe
PID 3404 wrote to memory of 748 N/A C:\Windows\system\Fun.exe C:\Windows\system32\fontdrvhost.exe
PID 3404 wrote to memory of 752 N/A C:\Windows\system\Fun.exe C:\Windows\system32\fontdrvhost.exe
PID 3404 wrote to memory of 1016 N/A C:\Windows\system\Fun.exe C:\Windows\system32\dwm.exe
PID 3404 wrote to memory of 3060 N/A C:\Windows\system\Fun.exe C:\Windows\system32\sihost.exe
PID 3404 wrote to memory of 2816 N/A C:\Windows\system\Fun.exe C:\Windows\system32\svchost.exe
PID 3404 wrote to memory of 3108 N/A C:\Windows\system\Fun.exe C:\Windows\system32\taskhostw.exe
PID 3404 wrote to memory of 3444 N/A C:\Windows\system\Fun.exe C:\Windows\Explorer.EXE
PID 3404 wrote to memory of 3548 N/A C:\Windows\system\Fun.exe C:\Windows\system32\svchost.exe
PID 3404 wrote to memory of 3740 N/A C:\Windows\system\Fun.exe C:\Windows\system32\DllHost.exe
PID 3404 wrote to memory of 3836 N/A C:\Windows\system\Fun.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3404 wrote to memory of 3900 N/A C:\Windows\system\Fun.exe C:\Windows\System32\RuntimeBroker.exe
PID 3404 wrote to memory of 3980 N/A C:\Windows\system\Fun.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3404 wrote to memory of 2040 N/A C:\Windows\system\Fun.exe C:\Windows\System32\RuntimeBroker.exe
PID 3404 wrote to memory of 4384 N/A C:\Windows\system\Fun.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3404 wrote to memory of 3268 N/A C:\Windows\system\Fun.exe C:\Windows\System32\RuntimeBroker.exe
PID 3404 wrote to memory of 3092 N/A C:\Windows\system\Fun.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3404 wrote to memory of 1092 N/A C:\Windows\system\Fun.exe C:\Windows\SVIQ.EXE
PID 3404 wrote to memory of 1092 N/A C:\Windows\system\Fun.exe C:\Windows\SVIQ.EXE
PID 3404 wrote to memory of 3916 N/A C:\Windows\system\Fun.exe C:\Windows\dc.exe
PID 3404 wrote to memory of 3916 N/A C:\Windows\system\Fun.exe C:\Windows\dc.exe
PID 3404 wrote to memory of 496 N/A C:\Windows\system\Fun.exe C:\Windows\System32\RuntimeBroker.exe
PID 3404 wrote to memory of 4232 N/A C:\Windows\system\Fun.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system\Fun.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe"

C:\Windows\system\Fun.exe

C:\Windows\system\Fun.exe

C:\Windows\SVIQ.EXE

C:\Windows\SVIQ.EXE

C:\Windows\dc.exe

C:\Windows\dc.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 dungcoivb.googlepages.com udp
GB 142.250.178.19:80 dungcoivb.googlepages.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 19.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
GB 142.250.178.19:80 dungcoivb.googlepages.com tcp
GB 142.250.178.19:80 dungcoivb.googlepages.com tcp
GB 142.250.178.19:80 dungcoivb.googlepages.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 142.250.178.19:80 dungcoivb.googlepages.com tcp
GB 142.250.178.19:80 dungcoivb.googlepages.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
GB 142.250.178.19:80 dungcoivb.googlepages.com tcp
GB 142.250.178.19:80 dungcoivb.googlepages.com tcp
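The WriteProcessMemory rows in the Signatures table (Fun.exe writing into RuntimeBroker, TextInputHost, backgroundTaskHost, SVIQ.EXE and dc.exe) and the Network table above are easier to act on once reduced: distinct injection targets per injector, and outbound traffic with the reverse-DNS (in-addr.arpa) lookups, the resolver itself and assumed OS background domains removed. The Python below is an added example, not part of this report or of the sandbox; the embedded excerpt copies rows from the two tables above, and the noise rules (8.8.8.8 treated as the sandbox resolver, *.bing.com treated as background traffic rather than the sample's) are this example's assumptions.

```python
"""Reduce the WriteProcessMemory rows and the Network table to hunt-ready facts.

Added example, not part of the sandbox report. REPORT_EXCERPT copies rows from
the tables above; RESOLVERS and BACKGROUND_SUFFIXES are this example's assumptions.
"""
import re
from collections import defaultdict

REPORT_EXCERPT = r"""
PID 3404 wrote to memory of 4384 N/A C:\Windows\system\Fun.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3404 wrote to memory of 3268 N/A C:\Windows\system\Fun.exe C:\Windows\System32\RuntimeBroker.exe
PID 3404 wrote to memory of 3092 N/A C:\Windows\system\Fun.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3404 wrote to memory of 1092 N/A C:\Windows\system\Fun.exe C:\Windows\SVIQ.EXE
PID 3404 wrote to memory of 1092 N/A C:\Windows\system\Fun.exe C:\Windows\SVIQ.EXE
PID 3404 wrote to memory of 3916 N/A C:\Windows\system\Fun.exe C:\Windows\dc.exe
PID 3404 wrote to memory of 3916 N/A C:\Windows\system\Fun.exe C:\Windows\dc.exe
PID 3404 wrote to memory of 496 N/A C:\Windows\system\Fun.exe C:\Windows\System32\RuntimeBroker.exe
PID 3404 wrote to memory of 4232 N/A C:\Windows\system\Fun.exe C:\Windows\System32\RuntimeBroker.exe
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 dungcoivb.googlepages.com udp
GB 142.250.178.19:80 dungcoivb.googlepages.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
GB 142.250.178.19:80 dungcoivb.googlepages.com tcp
GB 142.250.178.19:80 dungcoivb.googlepages.com tcp
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
NET_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+) (\S+) (tcp|udp)$")

# Assumptions: 8.8.8.8 is the sandbox's resolver, and *.bing.com is OS background
# traffic rather than the sample's. Neither identifies this malware.
RESOLVERS = {"8.8.8.8"}
BACKGROUND_SUFFIXES = (".bing.com",)


def parse_report(text):
    """Split report rows into (src_pid, dst_pid, src_image, dst_image) and
    (country, ip, port, domain, proto) tuples; rows in other formats are ignored."""
    injections, flows = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := WPM_RE.match(line):
            src_pid, dst_pid, src, dst = m.groups()
            injections.append((int(src_pid), int(dst_pid), src, dst))
        elif m := NET_RE.match(line):
            cc, ip, port, domain, proto = m.groups()
            flows.append((cc, ip, int(port), domain, proto))
    return injections, flows


def injection_map(injections):
    """{injector image: {target image (lowercased): sorted distinct target PIDs}}.
    Distinct PIDs are the useful number: three RuntimeBroker PIDs means three
    separate hosts were written to, while two rows for PID 1092 are two writes
    into the same process."""
    out = defaultdict(lambda: defaultdict(set))
    for _, dst_pid, src, dst in injections:
        out[src][dst.lower()].add(dst_pid)
    return {src: {dst: sorted(pids) for dst, pids in targets.items()}
            for src, targets in out.items()}


def network_iocs(flows):
    """Drop PTR (in-addr.arpa) lookups and background domains, then separate
    DNS queries (domains worth blocking) from direct connections (counted)."""
    dns, conns = set(), defaultdict(int)
    for _, ip, port, domain, proto in flows:
        if domain.endswith(".in-addr.arpa") or domain.endswith(BACKGROUND_SUFFIXES):
            continue
        if ip in RESOLVERS and port == 53:
            dns.add(domain)
        else:
            conns[(domain, ip, port, proto)] += 1
    return {"dns": sorted(dns), "connections": dict(conns)}


if __name__ == "__main__":
    inj, flows = parse_report(REPORT_EXCERPT)
    for src, targets in injection_map(inj).items():
        for dst, pids in targets.items():
            print(f"{src} -> {dst} (PIDs {pids})")
    print(network_iocs(flows))
```

Run over the excerpt, the network side collapses to one domain queried and one host contacted (dungcoivb.googlepages.com at 142.250.178.19:80 over plain HTTP, three times); the in-addr.arpa entries are the sandbox resolving the addresses it saw, not the sample doing anything. The injection side shows one injector, Fun.exe (PID 3404), writing into five distinct images, three of which are separate RuntimeBroker processes.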

Files

memory/1824-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1824-5-0x0000000002B00000-0x0000000003B8E000-memory.dmp

memory/1824-6-0x0000000002B00000-0x0000000003B8E000-memory.dmp

memory/1824-4-0x0000000002B00000-0x0000000003B8E000-memory.dmp

memory/1824-3-0x0000000002B00000-0x0000000003B8E000-memory.dmp

memory/1824-8-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/1824-7-0x00000000006C0000-0x00000000006C2000-memory.dmp

memory/1824-1-0x0000000002B00000-0x0000000003B8E000-memory.dmp

memory/1824-9-0x0000000002B00000-0x0000000003B8E000-memory.dmp

C:\Windows\INF\Other.exe

MD5 b6d204cf96e004b32efbeaae6852962b
SHA1 549abe4a13e5aa2c6f78b2e5dce3408641568c96
SHA256 6b4f87b48c72cb08688413039bed57be6882933ead00949e7d85f582a504f1e8
SHA512 ed7293f46e23297876d176cfe97a9db4715f2328b5a505b129a39ff991ad9e6e9923453531c698cedc19db0aaf765c3510df2e074db0a42ea7191c22887b46f8

memory/1824-15-0x0000000002B00000-0x0000000003B8E000-memory.dmp

memory/1824-10-0x0000000002B00000-0x0000000003B8E000-memory.dmp

memory/1824-13-0x00000000006C0000-0x00000000006C2000-memory.dmp

memory/1824-12-0x0000000002B00000-0x0000000003B8E000-memory.dmp

memory/1824-11-0x00000000006C0000-0x00000000006C2000-memory.dmp

memory/1824-14-0x0000000002B00000-0x0000000003B8E000-memory.dmp

memory/3404-41-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1824-37-0x0000000002B00000-0x0000000003B8E000-memory.dmp

memory/1824-36-0x0000000002B00000-0x0000000003B8E000-memory.dmp

C:\Windows\wininit.ini

MD5 e839977c0d22c9aa497b0b1d90d8a372
SHA1 b5048e501399138796b38f3d3666e1a88c397e83
SHA256 478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2
SHA512 4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

memory/1092-68-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3916-92-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1824-110-0x0000000002B00000-0x0000000003B8E000-memory.dmp

memory/1824-111-0x0000000002B00000-0x0000000003B8E000-memory.dmp

memory/1824-112-0x0000000002B00000-0x0000000003B8E000-memory.dmp

memory/1824-118-0x00000000006C0000-0x00000000006C2000-memory.dmp

memory/1824-127-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3404-133-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-134-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-135-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-144-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3916-147-0x00000000005D0000-0x00000000005D2000-memory.dmp

memory/1092-146-0x0000000001FD0000-0x0000000001FD2000-memory.dmp

memory/3404-145-0x0000000005780000-0x0000000005782000-memory.dmp

memory/3916-143-0x00000000021A0000-0x00000000021A1000-memory.dmp

memory/1092-141-0x0000000002C30000-0x0000000002C31000-memory.dmp

memory/3404-139-0x00000000058D0000-0x00000000058D1000-memory.dmp

memory/3404-131-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-128-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-132-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-130-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-137-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 d45f374ad2864e147cda9746ecec7411
SHA1 bc52d781d3d75a24a408e2241e5fefccd67b833f
SHA256 5f3c4553782153771f5ab4da20b392ba8a5877c27a01283f3cff2e34e34b4870
SHA512 542ffea3a21405f26dee18d48ce2e9feab61823eb6482b2169e8d3c0c4711bdc40352701716490855a3d74e40c52f6ee67559def8112a82090eb637d535654b0

memory/3404-136-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-148-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-149-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-150-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-152-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-151-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-154-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-155-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-156-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-157-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-159-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-161-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

memory/3404-197-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

C:\bkif.exe

MD5 b5620c37c74c5169ff50b6f8e3be6414
SHA1 215f44a10af373a581220521175661b4e13d79c8
SHA256 e37776934bb6e126694877f13c311f3d7c1ad2720acdf4a5a9c902d51855b2c9
SHA512 d003c01d12747dbc2b03de504a8586b6190eab292e7bbac1959374fde5a4f0731c7adb165981ba2aeb909f303278bc64f13a64dc853ac0bf3ffbcf49fefc4d2d