Malware Analysis Report

2024-11-16 13:16

Sample ID: 240519-sl8lbscf8y
Target: dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe
SHA256: 3493ee438d9443ec8e17b3dcbcbf401a31b166646abbdecaab322417e5c873f9
Tags: sality backdoor evasion trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 3493ee438d9443ec8e17b3dcbcbf401a31b166646abbdecaab322417e5c873f9

Threat Level: Known bad

The file dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Tags: sality backdoor evasion trojan upx

UAC bypass
Sality
Windows security bypass
Modifies firewall policy service
Loads dropped DLL
Windows security modification
Executes dropped EXE
UPX packed file
Enumerates connected drives
Checks whether UAC is enabled
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-19 15:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-19 15:13
Reported: 2024-05-19 15:16
Platform: win7-20240221-en
Max time kernel: 51s
Max time network: 124s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f76c468 \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
File created C:\Windows\f762378 C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Wininit C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\245c45946461cdfe96491f1b5e\Setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\245c45946461cdfe96491f1b5e\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 2104 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 2104 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2104 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 2104 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe 
PID 2576 wrote to memory of 1844 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  \??\c:\245c45946461cdfe96491f1b5e\Setup.exe
PID 2104 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe \??\c:\245c45946461cdfe96491f1b5e\Setup.exe
PID 2576 wrote to memory of 1104 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\taskhost.exe
PID 2576 wrote to memory of 1172 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\Dwm.exe
PID 2576 wrote to memory of 1196 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe"

\??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe 

c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe 

\??\c:\245c45946461cdfe96491f1b5e\Setup.exe

c:\245c45946461cdfe96491f1b5e\Setup.exe

Network

N/A

Files

memory/2104-0-0x0000000000400000-0x0000000000778000-memory.dmp

memory/2104-1-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-5-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-7-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-10-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-4-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-20-0x0000000000390000-0x0000000000392000-memory.dmp

memory/2104-26-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2104-25-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2104-21-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/1104-13-0x0000000002050000-0x0000000002052000-memory.dmp

memory/2104-12-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-11-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-9-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-8-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-6-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-3-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-31-0x0000000000390000-0x0000000000392000-memory.dmp

memory/2104-32-0x0000000000390000-0x0000000000392000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0F762674_Rar\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe

MD5 b6d4a469dfc5247caf19b783b5c4262b
SHA1 6c920d73ec22213ddcab617ea9339f93ff1b6787
SHA256 05fc4c2e2a80a0d06601cd587c69a3ae22dcc07a8bab8e8f5f70c320a60c8542
SHA512 10153d47f732cd87bd3a026db76f8430980a2775018ba1e73a0e313bf7fa70898bfdb8a08da72c33900c16b441ce80f8d46e74ee27a0f08a8c5b523768aaea8e

memory/2104-46-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-45-0x0000000002230000-0x00000000032EA000-memory.dmp

\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe 

MD5 2ebe7b204aa13f112e5f914a31ab015f
SHA1 49a6efe315ff0853f5eb864ef2be3c56eef0c7f6
SHA256 97fb96a9f51143d49c666a4704690c4ea167613bf4bb8c7bbff8f2b66d608492
SHA512 3ee72a41e82f1caf00c3013152cd69e933aa112e1f7ea6d155918b874386eb24f3489d9b2c866e546fb010c927c2aa76192f3cc8d029756c3ceae97fdb13a7ee

memory/2576-55-0x0000000001000000-0x00000000014E8000-memory.dmp

memory/2104-56-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-54-0x0000000005C50000-0x0000000006138000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0F7630F0_Rar\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe 

MD5 cede02d7af62449a2c38c49abecc0cd3
SHA1 b84b83a8a6741a17bfb5f3578b983c1de512589d
SHA256 66b797b3b4f99488f53c2b676610dfe9868984c779536891a8d8f73ee214bc4b
SHA512 d2d99e06d49a5990b449cf31d82a33104a6b45164e76fbeb34c43d10bcd25c3622af52e59a2d4b7f5f45f83c3ba4d23cf1a5fc0c03b3606f42426988e63a9770

\245c45946461cdfe96491f1b5e\Setup.exe

MD5 9a1141fbceeb2e196ae1ba115fd4bee6
SHA1 922eacb654f091bc609f1b7f484292468d046bd1
SHA256 28563d908450eb7b7e9ed07a934e0d68135b5bb48e866e0a1c913bd776a44fef
SHA512 b044600acb16fc3be991d8a6dbc75c2ca45d392e66a4d19eacac4aee282d2ada0d411d832b76d25ef505cc542c7fa1fdb7098da01f84034f798b08baa4796168

\245c45946461cdfe96491f1b5e\SetupEngine.dll

MD5 a030c6b93740cbaa232ffaa08ccd3396
SHA1 6f7236a30308fbf02d88e228f0b5b5ec7f61d3eb
SHA256 0507720d52ae856bbf5ff3f01172a390b6c19517cb95514cd53f4a59859e8d63
SHA512 6787195b7e693744ce3b70c3b3ef04eaf81c39621e33d9f40b9c52f1a2c1d6094eceaebbc9b2906649351f5fc106eed085cef71bb606a9dc7890eafd200cfd42

\245c45946461cdfe96491f1b5e\sqmapi.dll

MD5 3f0363b40376047eff6a9b97d633b750
SHA1 4eaf6650eca5ce931ee771181b04263c536a948b
SHA256 bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
SHA512 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

C:\Users\Admin\AppData\Local\Temp\HFI3525.tmp.html

MD5 f0dbeb751dc7b704e73f6d2389cb6bab
SHA1 5f09fef2b5f1ad763c5164dfe5cc6b189d6a49e8
SHA256 69ec74a07d5fa2dbaed0092fe0c470abeee3523be5d634b2406ec7d4f594a5f2
SHA512 d61a6ba9daa4b7cc4a689aedadc0c58cbe0c3226afcf18a8ed5cf44a36be4f6d4f819ec74f0bb04a21d08fbae7215f1977eee81a64013e7d0cf239fa8a3c38e3

\??\c:\245c45946461cdfe96491f1b5e\UiInfo.xml

MD5 4f90fcef3836f5fc49426ad9938a1c60
SHA1 89eba3b81982d5d5c457ffa7a7096284a10de64a
SHA256 66a0299ce7ee12dd9fc2cfead3c3211e59bfb54d6c0627d044d44cef6e70367b
SHA512 4ce2731c1d32d7ca3a4f644f4b3111f06223de96c1e241fcc86f5fe665f4db18c8a241dae4e8a7e278d6afbf91b235a2c3517a40d4d22d9866880e19a7221160

\??\c:\245c45946461cdfe96491f1b5e\DHTMLHeader.html

MD5 cd131d41791a543cc6f6ed1ea5bd257c
SHA1 f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256 e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512 a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

\??\c:\245c45946461cdfe96491f1b5e\ParameterInfo.xml

MD5 46db5d342d306778cab61e413a84fece
SHA1 d0885ae1f706e014015cacb0cd67ca786d0962c2
SHA256 227bd903261486663665ba232b753781bafd7afba68b5614ad93d6d1f5a1e16b
SHA512 5de734ce86888ae41db113be13b8b6652f67de8e7ff0dc062a3e217e078ccafacf44117bbfff6e26d6c7e4fa369855e87b4926e9bdfa96f466a89a9d9c67a5bc

\??\c:\245c45946461cdfe96491f1b5e\3082\LocalizedData.xml

MD5 5397a12d466d55d566b4209e0e4f92d3
SHA1 fcffd8961fb487995543fc173521fdf5df6e243b
SHA256 f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89
SHA512 7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b

\??\c:\245c45946461cdfe96491f1b5e\2052\LocalizedData.xml

MD5 52b1dc12ce4153aa759fb3bbe04d01fc
SHA1 bf21f8591c473d1fce68a9faf1e5942f486f6eba
SHA256 d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3
SHA512 418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623

\??\c:\245c45946461cdfe96491f1b5e\1049\LocalizedData.xml

MD5 0eeb554d0b9f9fcdb22401e2532e9cd0
SHA1 08799520b72a1ef92ac5b94a33509d1eddf6caf8
SHA256 beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c
SHA512 2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d

\??\c:\245c45946461cdfe96491f1b5e\1042\LocalizedData.xml

MD5 71dfd70ae141f1d5c1366cb661b354b2
SHA1 c4b22590e6f6dd5d39e5158b831ae217ce17a776
SHA256 cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331
SHA512 5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a

\245c45946461cdfe96491f1b5e\SetupUi.dll

MD5 c744ec120e54027c57318c4720b4d6be
SHA1 ab65fc4e68ad553520af049129fae4f88c7eff74
SHA256 d1610b0a94a4dadc85ee32a7e5ffd6533ea42347d6f2d6871beb03157b89a857
SHA512 6dcd0ab7b8671e17d1c15db030ee5349ab3a123595c546019cf9391ce05f9f63806149c3ec2f2c71635cb811ab65ad47bcd7031e2eff7a59059577e47dd600a7

\??\c:\245c45946461cdfe96491f1b5e\SetupUi.xsd

MD5 2fadd9e618eff8175f2a6e8b95c0cacc
SHA1 9ab1710a217d15b192188b19467932d947b0a4f8
SHA256 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093
SHA512 a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

\??\c:\245c45946461cdfe96491f1b5e\Strings.xml

MD5 332adf643747297b9bfa9527eaefe084
SHA1 670f933d778eca39938a515a39106551185205e9
SHA256 e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca
SHA512 bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

\245c45946461cdfe96491f1b5e\1033\SetupResources.dll

MD5 718ab3eb3f43c9bcf16276c1eb17f2c1
SHA1 a3091fd7784a9469309b3edb370e24a0323e30ac
SHA256 e1a13f5b763d73271a1a205a88e64c6611c25d5f434cfa5da14feb8e4272ffaa
SHA512 9fa8a8d9645a9b490257c2dce3d31f1585f6d6069f9471f9e00dfaa9e457ff1db4c9176a91e02d7f0b61bae0c1fc76b56061eff04888a58aeb5ad2e8692fcf8a

\??\c:\245c45946461cdfe96491f1b5e\watermark.bmp

MD5 1a5caafacfc8c7766e404d019249cf67
SHA1 35d4878db63059a0f25899f4be00b41f430389bf
SHA256 2e87d5742413254db10f7bd0762b6cdb98ff9c46ca9acddfd9b1c2e5418638f2
SHA512 202c13ded002d234117f08b18ca80d603246e6a166e18ba422e30d394ada7e47153dd3cce9728affe97128fdd797fe6302c74dc6882317e2ba254c8a6db80f46

\??\c:\245c45946461cdfe96491f1b5e\header.bmp

MD5 3ad1a8c3b96993bcdf45244be2c00eef
SHA1 308f98e199f74a43d325115a8e7072d5f2c6202d
SHA256 133b86a4f1c67a159167489fdaeab765bfa1050c23a7ae6d5c517188fb45f94a
SHA512 133442c4a65269f817675adf01adcf622e509aa7ec7583bca8cd9a7eb6018d2aab56066054f75657038efb947cd3b3e5dc4fe7f0863c8b3b1770a8fa4fe2e658

\??\c:\245c45946461cdfe96491f1b5e\graphics\setup.ico

MD5 3d25d679e0ff0b8c94273dcd8b07049d
SHA1 a517fc5e96bc68a02a44093673ee7e076ad57308
SHA256 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f
SHA512 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

\??\c:\245c45946461cdfe96491f1b5e\graphics\save.ico

MD5 7d62e82d960a938c98da02b1d5201bd5
SHA1 194e96b0440bf8631887e5e9d3cc485f8e90fbf5
SHA256 ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5
SHA512 ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

\??\c:\245c45946461cdfe96491f1b5e\graphics\print.ico

MD5 7e55ddc6d611176e697d01c90a1212cf
SHA1 e2620da05b8e4e2360da579a7be32c1b225deb1b
SHA256 ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed
SHA512 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

\??\c:\245c45946461cdfe96491f1b5e\1041\LocalizedData.xml

MD5 7fcfbc308b0c42dcbd8365ba62bada05
SHA1 18a0f0e89b36818c94de0ad795cc593d0e3e29a9
SHA256 01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2
SHA512 cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649

\??\c:\245c45946461cdfe96491f1b5e\1040\LocalizedData.xml

MD5 0af948fe4142e34092f9dd47a4b8c275
SHA1 b3d6dd5c126280398d9055f90e2c2c26dbae4eaa
SHA256 c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248
SHA512 d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9

\??\c:\245c45946461cdfe96491f1b5e\1036\LocalizedData.xml

MD5 e382abc19294f779d2833287242e7bc6
SHA1 1ceae32d6b24a3832f9244f5791382865b668a72
SHA256 43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf
SHA512 06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e

\??\c:\245c45946461cdfe96491f1b5e\1031\LocalizedData.xml

MD5 b83c3803712e61811c438f6e98790369
SHA1 61a0bc59388786ced045acd82621bee8578cae5a
SHA256 2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6
SHA512 e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38

\??\c:\245c45946461cdfe96491f1b5e\1028\LocalizedData.xml

MD5 7fc06a77d9aafca9fb19fafa0f919100
SHA1 e565740e7d582cd73f8d3b12de2f4579ff18bb41
SHA256 a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a
SHA512 466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf

\??\c:\245c45946461cdfe96491f1b5e\1033\LocalizedData.xml

MD5 d642e322d1e8b739510ca540f8e779f9
SHA1 36279c76d9f34c09ebddc84fd33fcc7d4b9a896c
SHA256 5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9
SHA512 e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d

memory/2104-176-0x0000000000400000-0x0000000000778000-memory.dmp

memory/2576-192-0x0000000000480000-0x0000000000481000-memory.dmp

memory/2104-188-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/1844-200-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/1844-199-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2576-193-0x0000000000470000-0x0000000000472000-memory.dmp

memory/2104-189-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-202-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-203-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-204-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-205-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-209-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-211-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-212-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-213-0x0000000002230000-0x00000000032EA000-memory.dmp

memory/2104-225-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2104-230-0x0000000000390000-0x0000000000392000-memory.dmp

memory/2104-280-0x0000000000400000-0x0000000000778000-memory.dmp

memory/2104-281-0x0000000002230000-0x00000000032EA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 000d478b15c9e6b5e9bfc955e7df2487
SHA1 03707fdf2457ad3bb586b7a3cd16e159e97ac6b4
SHA256 8c7183be6734c4e92eca11bf2adc23ec23a1b4a299a3f9820116e969c5523729
SHA512 3fd94fee2f72be52df2bbb900d884634116a7e40cf887deccef1daffb609a979c7656427722e605937b5c52d73d1d88f8b60d1f4a75f3820b529361d9a5a66c0

C:\bcrdub.pif

MD5 3ba2ded692e13030da80714b70b4a8ba
SHA1 8213a4eb036e58a5e7e4850fee4c7f20ddb7ccdd
SHA256 9ff58298866a770da5a5a66032bd0e9711944835e7f49866199d084b26eea1ab
SHA512 bed663cae075dbe845130d703c8168fe6daa48481246f436ae55fcfd4d7069a7546e2946d1ee75ba552890284b61c57e45b38027696b749a7e684c71167d383a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 15:13

Reported

2024-05-19 15:16

Platform

win10v2004-20240426-en

Max time kernel

23s

Max time network

135s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e573ff7 C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Wininit C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
File created C:\Windows\e576b9b \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\ab26d1c462a0351508f66542\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\ab26d1c462a0351508f66542\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 2280 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 2280 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 2280 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 2280 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 2280 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 2280 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2280 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 2280 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 2280 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2280 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 2280 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2280 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 2280 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2280 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 2280 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2280 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2280 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe 
PID 2280 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe 
PID 2280 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe 
PID 4512 wrote to memory of 5012 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  \??\c:\ab26d1c462a0351508f66542\Setup.exe
PID 4512 wrote to memory of 5012 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  \??\c:\ab26d1c462a0351508f66542\Setup.exe
PID 4512 wrote to memory of 5012 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  \??\c:\ab26d1c462a0351508f66542\Setup.exe
PID 4512 wrote to memory of 788 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\fontdrvhost.exe
PID 4512 wrote to memory of 784 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\fontdrvhost.exe
PID 4512 wrote to memory of 380 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\dwm.exe
PID 4512 wrote to memory of 2984 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\sihost.exe
PID 4512 wrote to memory of 2072 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\svchost.exe
PID 4512 wrote to memory of 660 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\taskhostw.exe
PID 4512 wrote to memory of 3480 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\Explorer.EXE
PID 4512 wrote to memory of 3612 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\svchost.exe
PID 4512 wrote to memory of 3796 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\DllHost.exe
PID 4512 wrote to memory of 3892 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4512 wrote to memory of 3952 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
PID 4512 wrote to memory of 4048 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4512 wrote to memory of 4188 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
PID 4512 wrote to memory of 1812 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4512 wrote to memory of 4436 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
PID 4512 wrote to memory of 2016 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\backgroundTaskHost.exe
PID 4512 wrote to memory of 1340 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\backgroundTaskHost.exe
PID 4512 wrote to memory of 2612 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\BackgroundTransferHost.exe
PID 4512 wrote to memory of 2800 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
PID 4512 wrote to memory of 1788 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
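The rows above show one process (PID 4512, the re-executed copy of the sample) writing into the memory of more than a dozen unrelated Windows processes. When reading a sandbox report like this one, the useful number is not the raw row count but the fan-out per source PID: how many distinct processes it wrote into, and how many of those are Windows system binaries. The following added triage helper (not part of the sandbox report or its tooling) parses rows in exactly the layout printed above and computes that fan-out; the sample rows are a constructed subset copied from this section, including duplicated rows to show they are collapsed.

```python
"""Fan-out triage for 'PID <src> wrote to memory of <dst>' rows from a sandbox report.

Added example, not the sandbox's own code. It assumes the row layout used above:
  PID <src> wrote to memory of <dst> N/A <source image path> <target image path>
"""
import re
from collections import defaultdict

# Constructed subset of the rows printed in this section (paths as in the report).
SAMPLE_ROWS = r"""
PID 2280 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe
PID 2280 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe
PID 4512 wrote to memory of 5012 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  \??\c:\ab26d1c462a0351508f66542\Setup.exe
PID 4512 wrote to memory of 788 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\fontdrvhost.exe
PID 4512 wrote to memory of 784 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\fontdrvhost.exe
PID 4512 wrote to memory of 380 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\dwm.exe
PID 4512 wrote to memory of 2984 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\system32\sihost.exe
PID 4512 wrote to memory of 3480 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\Explorer.EXE
PID 4512 wrote to memory of 3952 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
PID 4512 wrote to memory of 4188 N/A \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  C:\Windows\System32\RuntimeBroker.exe
"""

# Lazy source-image group plus a final non-space token tolerates the trailing
# space in the source path (double space before the target) seen in the report.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>.*?)\s+(?P<dst_img>\S+)$"
)


def parse_rows(text):
    """Yield (src_pid, dst_pid, src_image, dst_image) for each well-formed row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["src_img"].strip(), m["dst_img"]


def is_system_image(path):
    """True for binaries living under the Windows directory."""
    return path.lower().startswith("c:\\windows\\")


def fanout(text):
    """Per source PID: its image, distinct targets written, and how many are Windows binaries."""
    targets = defaultdict(set)
    images = {}
    for src, dst, src_img, dst_img in parse_rows(text):
        targets[src].add((dst, dst_img))      # set: repeated rows collapse
        images.setdefault(src, src_img)
    return {
        src: {
            "image": images[src],
            "targets": len(tgts),
            "system_targets": sum(1 for _, img in tgts if is_system_image(img)),
        }
        for src, tgts in targets.items()
    }


def flag_injectors(text, min_system_targets=3):
    """PIDs that wrote into at least min_system_targets distinct Windows processes."""
    return sorted(
        pid for pid, s in fanout(text).items() if s["system_targets"] >= min_system_targets
    )


if __name__ == "__main__":
    for pid, s in sorted(fanout(SAMPLE_ROWS).items()):
        print(pid, s["targets"], s["system_targets"], s["image"])
    print("injectors:", flag_injectors(SAMPLE_ROWS))
```

The threshold of three distinct system-process targets is a triage heuristic, not a rule from the report: a legitimate installer rarely writes into even one foreign process, while the sample here hits dwm, explorer, sihost and several RuntimeBroker instances from a single PID.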

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
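The three values written above are the whole of the interactive UAC policy: EnableLUA switches UAC off (effective after the next reboot), ConsentPromptBehaviorAdmin=0 makes administrators elevate silently, and PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop. The following added audit helper (not part of the sandbox report) parses "Set value" rows in the layout printed above, compares each UAC policy value against its stock Windows default, and reports which protections were weakened and by which process. The sample rows are a constructed copy of the four rows in this table; the stated defaults (1, 5, 1) are the standard Windows 10/11 values.

```python
"""UAC policy audit over 'Set value (...) <key>\<name> = "<value>" <process> N/A' rows.

Added example, not the sandbox's own code. It assumes the row layout used above
and the stock Windows defaults listed in UAC_POLICIES.
"""
import re
from collections import defaultdict

# Hardened (default) value for each UAC policy and what a weakened value means.
UAC_POLICIES = {
    "EnableLUA": (1, "UAC disabled: admin-token processes run fully elevated after reboot"),
    "ConsentPromptBehaviorAdmin": (5, "administrators elevate without any consent prompt"),
    "PromptOnSecureDesktop": (1, "elevation prompts drawn on the normal, spoofable desktop"),
}

# Constructed copy of the four rows in this table (one has a trailing space in its path).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe  N/A
"""

ROW_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+)'
    r' = "(?P<val>[^"]*)" (?P<proc>.*?)\s+N/A$'
)


def parse_set_rows(text):
    """Yield dicts with kind, key, name, val, proc for each well-formed row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["proc"] = row["proc"].strip()
            yield row


def audit_uac(text):
    """Return one finding per weakened UAC policy value, with the processes that set it."""
    seen = defaultdict(lambda: {"value": None, "processes": set()})
    for row in parse_set_rows(text):
        if row["kind"] != "int" or not row["key"].lower().endswith(r"\policies\system"):
            continue
        if row["name"] not in UAC_POLICIES:
            continue
        expected, impact = UAC_POLICIES[row["name"]]
        value = int(row["val"])
        if value == expected:
            continue
        f = seen[row["name"]]
        f.update(value=value, expected=expected, impact=impact)
        f["processes"].add(row["proc"])
    return [
        {"name": name, **{k: (sorted(v) if k == "processes" else v) for k, v in f.items()}}
        for name, f in sorted(seen.items())
    ]


if __name__ == "__main__":
    for f in audit_uac(SAMPLE_ROWS):
        print(f"{f['name']}={f['value']} (default {f['expected']}): {f['impact']}")
        for p in f["processes"]:
            print("   set by", p)
```

Because EnableLUA only takes effect at the next boot, the two writes of that value by different process instances are expected: the sample re-applies the setting rather than relying on a single write.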

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

\??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe 

c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe 

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

\??\c:\ab26d1c462a0351508f66542\Setup.exe

c:\ab26d1c462a0351508f66542\Setup.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\explorer.exe

explorer.exe /LOADSAVEDWINDOWS

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 201.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
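Every row in the table above is either a UDP/53 query to 8.8.8.8 or a TCP/443 connection to a bing.com or bing.net host, and most of the DNS rows are reverse (in-addr.arpa) lookups that the table shows only as names. Decoding those names back to the IPv4 address they ask about, and checking which of them match a TCP destination in the same capture, separates reverse lookups that merely annotate connections already listed from ones that point at an address the sandbox never connected to. The following added helper (not part of the sandbox report) does that over a constructed subset of the rows above.

```python
"""Network-table triage: decode in-addr.arpa names and correlate them with TCP endpoints.

Added example, not the sandbox's own code. It assumes the row layout used above:
  <country> <dst ip>:<port> <domain> <tcp|udp>
"""
import re

# Constructed subset of the rows in this table.
SAMPLE_ROWS = """
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<name>\S+) (?P<proto>tcp|udp)$"
)


def ptr_to_ip(name):
    """Reverse-DNS query name -> the IPv4 it asks about (octets reversed), else None."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_rows(text):
    """Yield one dict per well-formed row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(text):
    """Group TCP endpoints by destination IP and split DNS into forward and reverse lookups,
    then report which reverse lookups name an IP that also appears as a TCP destination."""
    tcp = {}           # destination ip -> set of domains the sandbox associated with it
    forward = set()    # ordinary name lookups
    reverse = set()    # decoded targets of in-addr.arpa queries
    for r in parse_rows(text):
        if r["proto"] == "tcp":
            tcp.setdefault(r["ip"], set()).add(r["name"])
        elif r["port"] == "53":
            ip = ptr_to_ip(r["name"])
            if ip:
                reverse.add(ip)
            else:
                forward.add(r["name"])
    matched = {ip for ip in reverse if ip in tcp}
    return {
        "tcp_endpoints": tcp,
        "forward_lookups": forward,
        "reverse_lookups": reverse,
        "reverse_matching_tcp": matched,
        "reverse_unmatched": reverse - matched,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for ip, names in sorted(s["tcp_endpoints"].items()):
        print("tcp", ip, sorted(names))
    print("reverse lookups for connected hosts:", sorted(s["reverse_matching_tcp"]))
    print("reverse lookups with no connection:", sorted(s["reverse_unmatched"]))
```

In the subset used here, 237.197.79.204.in-addr.arpa and 194.61.62.23.in-addr.arpa decode to the g.bing.com and www.bing.com endpoints listed in the same table, while 196.249.167.52.in-addr.arpa (52.167.249.196) has no matching connection; the unmatched set is the one worth a second look, since nothing in this capture explains why the sandbox resolved those addresses.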

Files

memory/2280-0-0x0000000000400000-0x0000000000778000-memory.dmp

memory/2280-7-0x0000000004070000-0x0000000004071000-memory.dmp

memory/2280-4-0x00000000025B0000-0x000000000366A000-memory.dmp

memory/2280-9-0x0000000002490000-0x0000000002492000-memory.dmp

memory/2280-5-0x00000000025B0000-0x000000000366A000-memory.dmp

memory/2280-21-0x00000000044F0000-0x00000000044F1000-memory.dmp

memory/2280-16-0x00000000025B0000-0x000000000366A000-memory.dmp

memory/2280-18-0x00000000025B0000-0x000000000366A000-memory.dmp

memory/2280-24-0x00000000025B0000-0x000000000366A000-memory.dmp

memory/2280-20-0x00000000025B0000-0x000000000366A000-memory.dmp

memory/2280-25-0x00000000025B0000-0x000000000366A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0E5741EB_Rar\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe

MD5 b6d4a469dfc5247caf19b783b5c4262b
SHA1 6c920d73ec22213ddcab617ea9339f93ff1b6787
SHA256 05fc4c2e2a80a0d06601cd587c69a3ae22dcc07a8bab8e8f5f70c320a60c8542
SHA512 10153d47f732cd87bd3a026db76f8430980a2775018ba1e73a0e313bf7fa70898bfdb8a08da72c33900c16b441ce80f8d46e74ee27a0f08a8c5b523768aaea8e

memory/2280-8-0x00000000025B0000-0x000000000366A000-memory.dmp

memory/2280-17-0x0000000002490000-0x0000000002492000-memory.dmp

memory/2280-10-0x00000000025B0000-0x000000000366A000-memory.dmp

memory/2280-3-0x00000000025B0000-0x000000000366A000-memory.dmp

memory/2280-6-0x0000000002490000-0x0000000002492000-memory.dmp

memory/2280-1-0x00000000025B0000-0x000000000366A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe 

MD5 2ebe7b204aa13f112e5f914a31ab015f
SHA1 49a6efe315ff0853f5eb864ef2be3c56eef0c7f6
SHA256 97fb96a9f51143d49c666a4704690c4ea167613bf4bb8c7bbff8f2b66d608492
SHA512 3ee72a41e82f1caf00c3013152cd69e933aa112e1f7ea6d155918b874386eb24f3489d9b2c866e546fb010c927c2aa76192f3cc8d029756c3ceae97fdb13a7ee

memory/4512-41-0x0000000001000000-0x00000000014E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0E574556_Rar\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe 

MD5 cede02d7af62449a2c38c49abecc0cd3
SHA1 b84b83a8a6741a17bfb5f3578b983c1de512589d
SHA256 66b797b3b4f99488f53c2b676610dfe9868984c779536891a8d8f73ee214bc4b
SHA512 d2d99e06d49a5990b449cf31d82a33104a6b45164e76fbeb34c43d10bcd25c3622af52e59a2d4b7f5f45f83c3ba4d23cf1a5fc0c03b3606f42426988e63a9770

memory/2280-46-0x00000000025B0000-0x000000000366A000-memory.dmp

memory/2280-45-0x00000000025B0000-0x000000000366A000-memory.dmp

memory/2280-51-0x00000000025B0000-0x000000000366A000-memory.dmp

memory/2280-64-0x0000000000400000-0x0000000000778000-memory.dmp

C:\ab26d1c462a0351508f66542\Setup.exe

MD5 9a1141fbceeb2e196ae1ba115fd4bee6
SHA1 922eacb654f091bc609f1b7f484292468d046bd1
SHA256 28563d908450eb7b7e9ed07a934e0d68135b5bb48e866e0a1c913bd776a44fef
SHA512 b044600acb16fc3be991d8a6dbc75c2ca45d392e66a4d19eacac4aee282d2ada0d411d832b76d25ef505cc542c7fa1fdb7098da01f84034f798b08baa4796168

C:\ab26d1c462a0351508f66542\sqmapi.dll

MD5 3f0363b40376047eff6a9b97d633b750
SHA1 4eaf6650eca5ce931ee771181b04263c536a948b
SHA256 bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
SHA512 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

C:\Users\Admin\AppData\Local\Temp\HFI4A0A.tmp.html

MD5 7078f81b6bcdea228ffd28a702888884
SHA1 aa0a413431f5959d6bb6656f508a70867855e366
SHA256 8ffe803d37f0967ddbec5d5c6e52c6a658754241e40f101ed07faa18f7f160e2
SHA512 9712d50ec278e045111ead3117f586362c6d9fe8cab6313ed6ccabc4ca7fd180fbdcdf72430cc21be825d78249893f48159e0903cc3bc48850a18d5046129f07

\??\c:\ab26d1c462a0351508f66542\DHTMLHeader.html

MD5 cd131d41791a543cc6f6ed1ea5bd257c
SHA1 f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256 e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512 a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

C:\ab26d1c462a0351508f66542\SetupEngine.dll

MD5 a030c6b93740cbaa232ffaa08ccd3396
SHA1 6f7236a30308fbf02d88e228f0b5b5ec7f61d3eb
SHA256 0507720d52ae856bbf5ff3f01172a390b6c19517cb95514cd53f4a59859e8d63
SHA512 6787195b7e693744ce3b70c3b3ef04eaf81c39621e33d9f40b9c52f1a2c1d6094eceaebbc9b2906649351f5fc106eed085cef71bb606a9dc7890eafd200cfd42

\??\c:\ab26d1c462a0351508f66542\UiInfo.xml

MD5 4f90fcef3836f5fc49426ad9938a1c60
SHA1 89eba3b81982d5d5c457ffa7a7096284a10de64a
SHA256 66a0299ce7ee12dd9fc2cfead3c3211e59bfb54d6c0627d044d44cef6e70367b
SHA512 4ce2731c1d32d7ca3a4f644f4b3111f06223de96c1e241fcc86f5fe665f4db18c8a241dae4e8a7e278d6afbf91b235a2c3517a40d4d22d9866880e19a7221160

\??\c:\ab26d1c462a0351508f66542\ParameterInfo.xml

MD5 46db5d342d306778cab61e413a84fece
SHA1 d0885ae1f706e014015cacb0cd67ca786d0962c2
SHA256 227bd903261486663665ba232b753781bafd7afba68b5614ad93d6d1f5a1e16b
SHA512 5de734ce86888ae41db113be13b8b6652f67de8e7ff0dc062a3e217e078ccafacf44117bbfff6e26d6c7e4fa369855e87b4926e9bdfa96f466a89a9d9c67a5bc

\??\c:\ab26d1c462a0351508f66542\1033\LocalizedData.xml

MD5 d642e322d1e8b739510ca540f8e779f9
SHA1 36279c76d9f34c09ebddc84fd33fcc7d4b9a896c
SHA256 5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9
SHA512 e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d

\??\c:\ab26d1c462a0351508f66542\1031\LocalizedData.xml

MD5 b83c3803712e61811c438f6e98790369
SHA1 61a0bc59388786ced045acd82621bee8578cae5a
SHA256 2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6
SHA512 e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38

\??\c:\ab26d1c462a0351508f66542\2052\LocalizedData.xml

MD5 52b1dc12ce4153aa759fb3bbe04d01fc
SHA1 bf21f8591c473d1fce68a9faf1e5942f486f6eba
SHA256 d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3
SHA512 418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623

\??\c:\ab26d1c462a0351508f66542\3082\LocalizedData.xml

MD5 5397a12d466d55d566b4209e0e4f92d3
SHA1 fcffd8961fb487995543fc173521fdf5df6e243b
SHA256 f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89
SHA512 7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b

\??\c:\ab26d1c462a0351508f66542\1049\LocalizedData.xml

MD5 0eeb554d0b9f9fcdb22401e2532e9cd0
SHA1 08799520b72a1ef92ac5b94a33509d1eddf6caf8
SHA256 beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c
SHA512 2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d

\??\c:\ab26d1c462a0351508f66542\1042\LocalizedData.xml

MD5 71dfd70ae141f1d5c1366cb661b354b2
SHA1 c4b22590e6f6dd5d39e5158b831ae217ce17a776
SHA256 cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331
SHA512 5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a

\??\c:\ab26d1c462a0351508f66542\1041\LocalizedData.xml

MD5 7fcfbc308b0c42dcbd8365ba62bada05
SHA1 18a0f0e89b36818c94de0ad795cc593d0e3e29a9
SHA256 01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2
SHA512 cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649

\??\c:\ab26d1c462a0351508f66542\1040\LocalizedData.xml

MD5 0af948fe4142e34092f9dd47a4b8c275
SHA1 b3d6dd5c126280398d9055f90e2c2c26dbae4eaa
SHA256 c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248
SHA512 d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9

\??\c:\ab26d1c462a0351508f66542\1036\LocalizedData.xml

MD5 e382abc19294f779d2833287242e7bc6
SHA1 1ceae32d6b24a3832f9244f5791382865b668a72
SHA256 43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf
SHA512 06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e

\??\c:\ab26d1c462a0351508f66542\1028\LocalizedData.xml

MD5 7fc06a77d9aafca9fb19fafa0f919100
SHA1 e565740e7d582cd73f8d3b12de2f4579ff18bb41
SHA256 a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a
SHA512 466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf

C:\ab26d1c462a0351508f66542\SetupUi.dll

MD5 c744ec120e54027c57318c4720b4d6be
SHA1 ab65fc4e68ad553520af049129fae4f88c7eff74
SHA256 d1610b0a94a4dadc85ee32a7e5ffd6533ea42347d6f2d6871beb03157b89a857
SHA512 6dcd0ab7b8671e17d1c15db030ee5349ab3a123595c546019cf9391ce05f9f63806149c3ec2f2c71635cb811ab65ad47bcd7031e2eff7a59059577e47dd600a7

\??\c:\ab26d1c462a0351508f66542\SetupUi.xsd

MD5 2fadd9e618eff8175f2a6e8b95c0cacc
SHA1 9ab1710a217d15b192188b19467932d947b0a4f8
SHA256 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093
SHA512 a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

\??\c:\ab26d1c462a0351508f66542\Strings.xml

MD5 332adf643747297b9bfa9527eaefe084
SHA1 670f933d778eca39938a515a39106551185205e9
SHA256 e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca
SHA512 bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

C:\ab26d1c462a0351508f66542\1033\SetupResources.dll

MD5 718ab3eb3f43c9bcf16276c1eb17f2c1
SHA1 a3091fd7784a9469309b3edb370e24a0323e30ac
SHA256 e1a13f5b763d73271a1a205a88e64c6611c25d5f434cfa5da14feb8e4272ffaa
SHA512 9fa8a8d9645a9b490257c2dce3d31f1585f6d6069f9471f9e00dfaa9e457ff1db4c9176a91e02d7f0b61bae0c1fc76b56061eff04888a58aeb5ad2e8692fcf8a

\??\c:\ab26d1c462a0351508f66542\watermark.bmp

MD5 1a5caafacfc8c7766e404d019249cf67
SHA1 35d4878db63059a0f25899f4be00b41f430389bf
SHA256 2e87d5742413254db10f7bd0762b6cdb98ff9c46ca9acddfd9b1c2e5418638f2
SHA512 202c13ded002d234117f08b18ca80d603246e6a166e18ba422e30d394ada7e47153dd3cce9728affe97128fdd797fe6302c74dc6882317e2ba254c8a6db80f46

\??\c:\ab26d1c462a0351508f66542\header.bmp

MD5 3ad1a8c3b96993bcdf45244be2c00eef
SHA1 308f98e199f74a43d325115a8e7072d5f2c6202d
SHA256 133b86a4f1c67a159167489fdaeab765bfa1050c23a7ae6d5c517188fb45f94a
SHA512 133442c4a65269f817675adf01adcf622e509aa7ec7583bca8cd9a7eb6018d2aab56066054f75657038efb947cd3b3e5dc4fe7f0863c8b3b1770a8fa4fe2e658

\??\c:\ab26d1c462a0351508f66542\graphics\setup.ico

MD5 3d25d679e0ff0b8c94273dcd8b07049d
SHA1 a517fc5e96bc68a02a44093673ee7e076ad57308
SHA256 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f
SHA512 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

\??\c:\ab26d1c462a0351508f66542\graphics\save.ico

MD5 7d62e82d960a938c98da02b1d5201bd5
SHA1 194e96b0440bf8631887e5e9d3cc485f8e90fbf5
SHA256 ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5
SHA512 ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

\??\c:\ab26d1c462a0351508f66542\graphics\print.ico

MD5 7e55ddc6d611176e697d01c90a1212cf
SHA1 e2620da05b8e4e2360da579a7be32c1b225deb1b
SHA256 ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed
SHA512 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

C:\Windows\SYSTEM.INI

MD5 fe83376bc18c598013283dfd7bbb2963
SHA1 3ef18b65a98aa5c29ee0d9a6e3c646c135f10f21
SHA256 8f8f94b1a86aea739b6cf3bf5ee562b4f479ac16af99ef123096fe8a8c5601f8
SHA512 6990bf4b07dbd4c97910977a0400c6d63f99e7312a3f4f5c7144950ac18c2c62b401f596a9c906556889c969f9913136134d0f5b7971944f68faa0559f62cc95

memory/4512-181-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/5012-190-0x00000000024B0000-0x00000000024B2000-memory.dmp

memory/5012-189-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/4512-187-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/4512-184-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-185-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-194-0x0000000000720000-0x0000000000722000-memory.dmp

memory/4512-192-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-183-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-182-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-180-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-179-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-177-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-191-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-200-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-199-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-201-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-202-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-203-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-205-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-206-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-207-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-208-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-211-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-212-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-213-0x0000000004C40000-0x0000000005CFA000-memory.dmp

memory/4512-216-0x0000000004C40000-0x0000000005CFA000-memory.dmp

C:\kjwslg.pif

MD5 30a6d505de54cae367f4c99d2a280ea1
SHA1 d7fc63bba56f00204ac071bbdf8090100ee357b9
SHA256 5d96332cc1cb79a0ed50e9e31ba10ad4880860f4c9fdd699e90edc2c1a064148
SHA512 e25fe985d0911be1199ca8a6c815d62be1df79e1f3185fbee14eff48061f69ec7b770a5da8970111d317537fe12323adac8e750e6ce95d2765ddd6442ce16b72