Malware Analysis Report

2024-11-16 13:19

Sample ID 240519-qnth3sac69
Target c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe
SHA256 910a6350a191dc05080476edd8865f07a99eda54f33e58dad0e3ef8109414942
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

Modifies firewall policy service

Modifies visibility of hidden/system files in Explorer

UAC bypass

Sality

Modifies WinLogon for persistence

Windows security bypass

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Windows security modification

UPX packed file

Deletes itself

Checks whether UAC is enabled

Adds Run key to start application

Enumerates connected drives

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-19 13:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 13:24

Reported

2024-05-19 13:27

Platform

win7-20240508-en

Max time kernel

125s

Max time network

119s

Command Line

"taskhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\V: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\Y: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\H: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\N: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\S: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\R: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\U: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\W: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\Z: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\L: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\M: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\P: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\X: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\E: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\J: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\Q: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\O: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\G: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\I: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\K: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification F:\autorun.inf \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe
PID 1636 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 2284 wrote to memory of 1104 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe C:\Windows\system32\taskhost.exe
PID 2284 wrote to memory of 1180 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe C:\Windows\system32\Dwm.exe
PID 2284 wrote to memory of 1208 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe C:\Windows\Explorer.EXE
PID 2284 wrote to memory of 2252 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe C:\Windows\system32\DllHost.exe
PID 2284 wrote to memory of 1636 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe
PID 2284 wrote to memory of 2720 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 2720 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 2924 wrote to memory of 1436 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1436 wrote to memory of 2788 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2788 wrote to memory of 1804 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2788 wrote to memory of 532 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2284 wrote to memory of 2924 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe \??\c:\windows\system\explorer.exe
PID 2284 wrote to memory of 2788 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe \??\c:\windows\system\svchost.exe
PID 2788 wrote to memory of 2664 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe"

\??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe 

c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 13:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 13:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 13:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1636-0-0x0000000000400000-0x0000000000441000-memory.dmp

\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe 

MD5 8c1cfd45c4ea90d8b274145c5340aac4
SHA1 4e8d7e7948475372db67266c4caa4516c55841bf
SHA256 5646c13f0599eb99334de2475d19bdbb78f2629b7701112a54671487d49b124a
SHA512 ebe5ca88aff4e8d12583001215a4d784c173f928fd8eee0132226d5b31fedfc02622e92bd8faf78a95157fad7f482cf32d6824633ba0114d41f576a3bcfaad8f

memory/1636-8-0x00000000003E0000-0x00000000003F5000-memory.dmp

memory/2284-14-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2284-16-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5 82befad1f17f6c34bc6d738d3fc5ae71
SHA1 51e247fb6d2d83de18273f9e82aedcc793f73e07
SHA256 d5ecdc7221adefda9a3beaf93b116b9d78c626d7b124a7fc16cb7f509f7a1564
SHA512 9840b5f2d30a10d132d1ebfae415a9a7d05c8390034396a8864b04a396d996c3f2e52e92eb6b9396407e00b8f3ab6e1b5265ef7e7f2972c304e8b107788e3195

memory/2284-18-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/2284-19-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/2284-27-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/1636-32-0x0000000002620000-0x0000000002661000-memory.dmp

memory/2284-30-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/2284-59-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/1636-66-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/1636-63-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2720-62-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2284-61-0x0000000003F50000-0x0000000003F52000-memory.dmp

memory/1636-60-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2284-29-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/2720-58-0x0000000000220000-0x0000000000222000-memory.dmp

\Windows\system\explorer.exe

MD5 ac340104413028b75e9d55a3ad0b9284
SHA1 5510f7522896bbd075ebc92e27d1a1b1e9edcdcb
SHA256 c075f86b8786bdbe0a00d088f17e40a31434866f7d57f90b64ed0a34348e9d60
SHA512 3c7ae904d758618f0cd3779927062dbdc0a9731262860360f2e96d0164957b169cd7f5b18051b78ce2c7ea31dd8792e3cb3942905701ddff45cfb2cd4093eb1f

memory/2720-79-0x00000000034B0000-0x00000000034F1000-memory.dmp

\Windows\system\spoolsv.exe

MD5 8fa8c8ad2888d553814200cd13f9ce68
SHA1 8fa351251318062fd1b671cf85b18f4c227d3b8b
SHA256 d0d5a815cbe931945310ee109288f1673a3b6972a3a6f223fbaa25e40f10af75
SHA512 e9c9d6a612fef1f4c43e0a3916bd597e92803511919311ca3df77603827f9ad4a17548780a7b767e02f1bfd7e48e315570055d088e0ad9ae05f45760bde38371

C:\Windows\system\svchost.exe

MD5 9246acc0df2d7432a674af9e1c45d091
SHA1 5af67686b781ef446b4ab43bc7e10b94f25f633c
SHA256 cc3fe2dcb5de9a737f1479959d453eeba79447b5ea222e30322549f6c1ad160c
SHA512 3911d072ea741311040d7a7eac01fd755924c4d9e9ad39e45605bfc6fcaf23490df105518020bcd9f6b26761614a339c83754d2811c32990ed3760c10f9eeebc

memory/1804-116-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 464d2b0dca7ef24ffc8fa000c0c97482
SHA1 b8ecd94a17a98555a6b9314489cafdb056469173
SHA256 bbd8e1651ade0b5b137c0be4f4c4565262d5829b2be958391c92f8a3356b0d35
SHA512 82334094aafc4d8279520376ea4850b0da30f3caac5ec60e40b42ace3a6399c38ad45aff63d362d69f08ae5c437dce528471a68545a2b5d75328162693caa056

memory/1636-129-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1636-127-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2720-125-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1436-121-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1804-118-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2924-93-0x0000000002D30000-0x0000000002D71000-memory.dmp

memory/2720-78-0x00000000034B0000-0x00000000034F1000-memory.dmp

memory/2284-57-0x0000000003F50000-0x0000000003F52000-memory.dmp

memory/2284-28-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/2720-56-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2284-52-0x00000000040A0000-0x00000000040A1000-memory.dmp

memory/1636-44-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1636-43-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/1104-35-0x00000000003A0000-0x00000000003A2000-memory.dmp

memory/2284-22-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/2720-34-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1636-33-0x0000000002620000-0x0000000002661000-memory.dmp

memory/2284-131-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/2284-132-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/2284-133-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/2284-134-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/2284-135-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/2284-137-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/2284-138-0x0000000001CB0000-0x0000000002D3E000-memory.dmp

memory/2924-151-0x0000000002570000-0x0000000002572000-memory.dmp

memory/2924-150-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/2284-163-0x0000000003F50000-0x0000000003F52000-memory.dmp

F:\pviqx.exe

MD5 e8bb932dc35d6cde8e5b6cc3619181b8
SHA1 5e253ad173635af5e83e4b86f25de9807c8021dc
SHA256 12398deb13421f5bc58ab00e4b184eae27856465ec0d432e6d1d1e6cbf3fc42c
SHA512 f6091417b64c5575d5baff19b08ee6d709f87b908272df94a8939cf3dbb5dfb502473697f96abfecd17d10d7f58d922e7cc7c7f7415a6b4c4002331611540549

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 13:24

Reported

2024-05-19 13:27

Platform

win10v2004-20240508-en

Max time kernel

122s

Max time network

95s

Command Line

"fontdrvhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\R: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\T: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\V: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\N: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\P: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\S: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\Z: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\E: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\H: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\J: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\L: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\Y: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\K: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\Q: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\U: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\W: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\G: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\I: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\M: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened (read-only) \??\X: \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\autorun.inf \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\SYSTEM.INI \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1160 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe 
PID 1160 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe 
PID 1160 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe 
PID 1160 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1160 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1160 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4232 wrote to memory of 784 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\fontdrvhost.exe
PID 4232 wrote to memory of 792 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\fontdrvhost.exe
PID 4232 wrote to memory of 1020 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\dwm.exe
PID 4232 wrote to memory of 2504 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\sihost.exe
PID 4232 wrote to memory of 2564 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\svchost.exe
PID 4232 wrote to memory of 2692 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\taskhostw.exe
PID 4232 wrote to memory of 3460 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\Explorer.EXE
PID 4232 wrote to memory of 3604 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\svchost.exe
PID 4232 wrote to memory of 3792 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\DllHost.exe
PID 4232 wrote to memory of 3896 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4232 wrote to memory of 3960 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
PID 4232 wrote to memory of 4084 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4232 wrote to memory of 4140 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
PID 4232 wrote to memory of 4464 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
PID 4232 wrote to memory of 336 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4232 wrote to memory of 4272 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\backgroundTaskHost.exe
PID 4232 wrote to memory of 388 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\backgroundTaskHost.exe
PID 4232 wrote to memory of 1160 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe
PID 4232 wrote to memory of 1160 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe
PID 1516 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 1516 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 1516 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 1348 wrote to memory of 532 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1348 wrote to memory of 532 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1348 wrote to memory of 532 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 532 wrote to memory of 4700 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 532 wrote to memory of 4700 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 532 wrote to memory of 4700 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4700 wrote to memory of 64 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4700 wrote to memory of 64 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4700 wrote to memory of 64 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4700 wrote to memory of 2416 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4700 wrote to memory of 2416 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4700 wrote to memory of 2416 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4232 wrote to memory of 784 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\fontdrvhost.exe
PID 4232 wrote to memory of 792 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\fontdrvhost.exe
PID 4232 wrote to memory of 1020 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\dwm.exe
PID 4232 wrote to memory of 2504 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\sihost.exe
PID 4232 wrote to memory of 2564 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\svchost.exe
PID 4232 wrote to memory of 2692 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\taskhostw.exe
PID 4232 wrote to memory of 3460 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\Explorer.EXE
PID 4232 wrote to memory of 3604 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\svchost.exe
PID 4232 wrote to memory of 3792 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\DllHost.exe
PID 4232 wrote to memory of 3896 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4232 wrote to memory of 3960 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
PID 4232 wrote to memory of 4084 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4232 wrote to memory of 4140 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
PID 4232 wrote to memory of 4464 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
PID 4232 wrote to memory of 336 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4232 wrote to memory of 4272 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\backgroundTaskHost.exe
PID 4232 wrote to memory of 388 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\backgroundTaskHost.exe
PID 4232 wrote to memory of 1348 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  \??\c:\windows\system\explorer.exe
PID 4232 wrote to memory of 1348 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  \??\c:\windows\system\explorer.exe
PID 4232 wrote to memory of 4700 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  \??\c:\windows\system\svchost.exe
PID 4232 wrote to memory of 4700 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  \??\c:\windows\system\svchost.exe
PID 4232 wrote to memory of 3720 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
PID 4232 wrote to memory of 5108 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
PID 4232 wrote to memory of 784 N/A \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  C:\Windows\system32\fontdrvhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe  N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe"

\??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe 

c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\at.exe

at 13:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\at.exe

at 13:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 13:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1160-0-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe 

MD5 8c1cfd45c4ea90d8b274145c5340aac4
SHA1 4e8d7e7948475372db67266c4caa4516c55841bf
SHA256 5646c13f0599eb99334de2475d19bdbb78f2629b7701112a54671487d49b124a
SHA512 ebe5ca88aff4e8d12583001215a4d784c173f928fd8eee0132226d5b31fedfc02622e92bd8faf78a95157fad7f482cf32d6824633ba0114d41f576a3bcfaad8f

memory/4232-8-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4232-12-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-14-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/1516-19-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4232-17-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-28-0x0000000003DF0000-0x0000000003DF2000-memory.dmp

memory/4232-26-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-29-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-33-0x0000000003DF0000-0x0000000003DF2000-memory.dmp

C:\Windows\System\explorer.exe

MD5 5f07d74c4ff6da8ed8d02c084482df18
SHA1 21d04f6b4272cf964366d01af13e62b4c3bd3e2f
SHA256 fd69590930135ead282a515f5bb3f581737bed1844ff722fb1382449d29d32c4
SHA512 5e9291034754838d5442fe6c98df8c22c3da786047697be5d88c8c56984cfd84b559ff95286377b9debf1219dbf9037639814c6de9fdb6a7f1c2e0e819f3c5ca

memory/1160-32-0x00000000029C0000-0x00000000029C2000-memory.dmp

memory/1160-27-0x00000000029C0000-0x00000000029C2000-memory.dmp

memory/4232-25-0x0000000002230000-0x00000000032BE000-memory.dmp

C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5 82befad1f17f6c34bc6d738d3fc5ae71
SHA1 51e247fb6d2d83de18273f9e82aedcc793f73e07
SHA256 d5ecdc7221adefda9a3beaf93b116b9d78c626d7b124a7fc16cb7f509f7a1564
SHA512 9840b5f2d30a10d132d1ebfae415a9a7d05c8390034396a8864b04a396d996c3f2e52e92eb6b9396407e00b8f3ab6e1b5265ef7e7f2972c304e8b107788e3195

memory/4232-24-0x0000000003E00000-0x0000000003E01000-memory.dmp

memory/1160-22-0x0000000002B90000-0x0000000002B91000-memory.dmp

memory/1160-21-0x00000000029C0000-0x00000000029C2000-memory.dmp

memory/4232-15-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-13-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-10-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-42-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-44-0x0000000002230000-0x00000000032BE000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 bfe997abb31f2f1ce1e3b09fc40a9f90
SHA1 ee6050c4a8cd2b37e0bf3998a442fc7074db66a4
SHA256 40664af62820e34d47569a91a96080292ce42139e01a6d8fa9bfd6f8d9c2cb58
SHA512 12956dbb7a61c8ece06f1b53b67071de1b0e09ebf2e27715ddbadb2fecbc3a9c4a51abaadcef9b6111ac4c93e1d152a156bcff26938d58f40b03a8affc53d913

memory/532-55-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\System\svchost.exe

MD5 c469cbfbf54358a9c98d0434c33f1de3
SHA1 afbedb53737f0033b998b9dc28f7e5654f1fe0a7
SHA256 51de08afdfdd95ae967a6df67d26d68f4b7dedcf8f6aa4257023436c9281801d
SHA512 1103c11f6842df3a12a67cbc537c7f8b3445115a2d22877d1b516185118a4769b55a7b95b1f5c31f5d9a509c22485344e4e24a575c8872e8973118d8f5a000b7

memory/4232-65-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/64-67-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4232-70-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/532-71-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1516-73-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1160-77-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4232-72-0x0000000002230000-0x00000000032BE000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 60d13eaa08ea5d3ae85c3e3074ac635d
SHA1 a3d0a5850c0c56ebaa7754dbeb8481fe2aaa9c5d
SHA256 491ac2cd119646bc2abd5cc676723ef8bae0d838fd8d484b940640feb3d66e18
SHA512 93d68a31461f68e768d211980455d2188f0a58cdf56072b1643fd85de322e61cc001121829c19058a7c48784620977f836d0755fb1974005b0c5d7ced5643eae

memory/4232-80-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4700-86-0x0000000002DD0000-0x0000000002DD2000-memory.dmp

memory/1348-85-0x00000000021A0000-0x00000000021A2000-memory.dmp

memory/4700-84-0x00000000035F0000-0x00000000035F1000-memory.dmp

memory/1348-82-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

memory/4232-87-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-88-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-89-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-91-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-92-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-94-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-99-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-100-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-102-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-103-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-109-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-110-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-113-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-116-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-117-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-118-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-122-0x0000000002230000-0x00000000032BE000-memory.dmp

memory/4232-123-0x0000000003DF0000-0x0000000003DF2000-memory.dmp

memory/4232-124-0x0000000002230000-0x00000000032BE000-memory.dmp

C:\qymst.pif

MD5 9914d1f67fc4bd5e676ae09ee2185567
SHA1 735260f0a7bf16d7fd25d0aa103f1ed5312208d9
SHA256 186b5d504d821e62c013c423993fad6d120e41a23b9a6dad18872127ab8f731f
SHA512 a2856cdafc5f47fdabdb4d9b96ed337eb1558fc525884211e60a5c8118adff2ddfb44792139117789c65b7b20744d54656c2c854c1a7becf3f7af351fc59031c