sality | a3ea847e0b96858a2e18982391eb3db69f7ca6f71485b86b110907f0a5c771fe

Windows Service

T1543.003

Processes:

5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exeGlobal.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exeGlobal.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Global.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

Processes:

5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exeGlobal.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Global.exe

Adds policy Run key to start application 2 TTPs 14 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

system.exesystem.exeGlobal.exesvchost.exesvchost.exesystem.exe5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe

Drops file in Drivers directory 7 IoCs

Processes:

5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exeGlobal.exesvchost.exesvchost.exesystem.exesystem.exesystem.exe

description	ioc	process
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	system.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	system.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	system.exe

Sets file execution options in registry 2 TTPs 64 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exesvchost.exesvchost.exesystem.exeGlobal.exesystem.exesystem.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	system.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

Processes:

Global.exesvchost.exesvchost.exe5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Global.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe

Executes dropped EXE 6 IoCs

Processes:

Global.exesvchost.exesvchost.exesystem.exesystem.exesystem.exe

pid process

4404 Global.exe
4184 svchost.exe
3520 svchost.exe
4160 system.exe
2648 system.exe
984 system.exe

pid	process
4404	Global.exe
4184	svchost.exe
3520	svchost.exe
4160	system.exe
2648	system.exe
984	system.exe

Modifies system executable filetype association 2 TTPs 14 IoCs

Modify Registry

Change Default File Association

T1546.001

Processes:

Global.exesvchost.exesvchost.exesystem.exe5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exesystem.exesystem.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1424-1-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-4-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-5-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-12-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-13-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-9-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-10-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-6-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-8-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-14-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-24-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-23-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-25-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-76-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-78-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-116-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/1424-129-0x0000000002C00000-0x0000000003CBA000-memory.dmp	upx
behavioral2/memory/4404-147-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-164-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-152-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-174-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-173-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-163-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-161-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-160-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-151-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-153-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-162-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-154-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-183-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-191-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-192-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-201-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx
behavioral2/memory/4404-211-0x0000000005FD0000-0x000000000708A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

Disable or Modify Tools

Modify Registry

Processes:

Global.exe5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Global.exe

Adds Run key to start application 2 TTPs 21 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

svchost.exesvchost.exesystem.exesystem.exe5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exeGlobal.exesystem.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	system.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

Processes:

5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exeGlobal.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Global.exe

Enumerates connected drives 3 TTPs 9 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Global.exe5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe

description	ioc	process
File opened (read-only)	\??\H:	Global.exe
File opened (read-only)	\??\J:	Global.exe
File opened (read-only)	\??\K:	Global.exe
File opened (read-only)	\??\L:	Global.exe
File opened (read-only)	\??\M:	Global.exe
File opened (read-only)	\??\E:	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened (read-only)	\??\E:	Global.exe
File opened (read-only)	\??\G:	Global.exe
File opened (read-only)	\??\I:	Global.exe

Drops autorun.inf file 1 TTPs 14 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

system.exeGlobal.exesvchost.exe5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exesystem.exesvchost.exesystem.exe

description	ioc	process
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File created	C:\autorun.inf	Global.exe
File created	D:\autorun.inf	Global.exe
File opened for modification	F:\autorun.inf	Global.exe
File created	F:\autorun.inf	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	Global.exe
File opened for modification	C:\autorun.inf	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	D:\autorun.inf	Global.exe

Drops file in System32 directory 64 IoCs

Processes:

5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exeGlobal.exesystem.exesystem.exesvchost.exesvchost.exesystem.exe

description	ioc	process
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Default.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\Global.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\svchost.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Global.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.exesystem.exesystem.exesystem.exe5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exesvchost.exeGlobal.exe

description	ioc	process
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	svchost.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	system.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	system.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	svchost.exe
File created	C:\WINDOWS\Media\rndll32.pif	system.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	system.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\pchealth\Global.exe	system.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	svchost.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	svchost.exe
File created	C:\WINDOWS\pchealth\Global.exe	system.exe
File created	C:\WINDOWS\Media\rndll32.pif	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\Fonts\Fonts.exe	Global.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	Global.exe
File opened for modification	C:\WINDOWS\Fonts\tskmgr.exe	Global.exe
File created	C:\WINDOWS\Help\microsoft.hlp	system.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	svchost.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	svchost.exe
File created	C:\WINDOWS\Help\microsoft.hlp	system.exe
File created	C:\WINDOWS\Fonts\wav.wav	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\pchealth\Global.exe	Global.exe
File created	C:\Windows\e5836ab	Global.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	svchost.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	system.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File opened for modification	C:\Windows\SYSTEM.INI	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	svchost.exe
File created	C:\WINDOWS\Media\rndll32.pif	svchost.exe
File created	C:\WINDOWS\Media\rndll32.pif	system.exe
File created	C:\WINDOWS\Help\microsoft.hlp	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	Global.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	svchost.exe
File created	C:\WINDOWS\Help\microsoft.hlp	system.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	system.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File opened for modification	C:\WINDOWS\Fonts\wav.wav	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\system\KEYBOARD.exe	Global.exe
File created	C:\WINDOWS\pchealth\Global.exe	svchost.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	system.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	system.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	system.exe
File created	C:\WINDOWS\pchealth\Global.exe	svchost.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File created	C:\WINDOWS\pchealth\Global.exe	system.exe
File created	C:\WINDOWS\Media\rndll32.pif	system.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\Media\rndll32.pif	svchost.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File created	C:\Windows\e57f05b	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	Global.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	svchost.exe
File created	C:\WINDOWS\Help\microsoft.hlp	svchost.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	svchost.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	system.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	system.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	system.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	system.exe
File created	C:\WINDOWS\pchealth\Global.exe	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 28 IoCs

evasion

Processes:

Global.exesvchost.exesystem.exesystem.exe5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exesvchost.exesystem.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	Global.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	system.exe

Modifies registry class 64 IoCs

Processes:

5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exeGlobal.exesvchost.exesystem.exesystem.exesystem.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exeGlobal.exe

pid	process
1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
4404	Global.exe
4404	Global.exe
4404	Global.exe
4404	Global.exe
4404	Global.exe
4404	Global.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Token: SeDebugPrivilege	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exeGlobal.exesvchost.exesvchost.exesystem.exesystem.exesystem.exe

pid	process
1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
4404	Global.exe
4184	svchost.exe
3520	svchost.exe
4160	system.exe
2648	system.exe
984	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exeGlobal.exe

description	pid	process	target process
PID 1424 wrote to memory of 800	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	fontdrvhost.exe
PID 1424 wrote to memory of 804	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	fontdrvhost.exe
PID 1424 wrote to memory of 336	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	dwm.exe
PID 1424 wrote to memory of 2820	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	sihost.exe
PID 1424 wrote to memory of 2852	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	svchost.exe
PID 1424 wrote to memory of 3036	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	taskhostw.exe
PID 1424 wrote to memory of 3336	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	Explorer.EXE
PID 1424 wrote to memory of 3508	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	svchost.exe
PID 1424 wrote to memory of 3708	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	DllHost.exe
PID 1424 wrote to memory of 3844	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	StartMenuExperienceHost.exe
PID 1424 wrote to memory of 3928	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	RuntimeBroker.exe
PID 1424 wrote to memory of 4012	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	SearchApp.exe
PID 1424 wrote to memory of 4112	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	RuntimeBroker.exe
PID 1424 wrote to memory of 492	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	RuntimeBroker.exe
PID 1424 wrote to memory of 4660	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	TextInputHost.exe
PID 1424 wrote to memory of 3120	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 2336	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 4800	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 416	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 3208	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 4304	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 4328	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 4404	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	Global.exe
PID 1424 wrote to memory of 4404	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	Global.exe
PID 1424 wrote to memory of 4404	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	Global.exe
PID 1424 wrote to memory of 800	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	fontdrvhost.exe
PID 1424 wrote to memory of 804	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	fontdrvhost.exe
PID 1424 wrote to memory of 336	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	dwm.exe
PID 1424 wrote to memory of 2820	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	sihost.exe
PID 1424 wrote to memory of 2852	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	svchost.exe
PID 1424 wrote to memory of 3036	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	taskhostw.exe
PID 1424 wrote to memory of 3336	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	Explorer.EXE
PID 1424 wrote to memory of 3508	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	svchost.exe
PID 1424 wrote to memory of 3708	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	DllHost.exe
PID 1424 wrote to memory of 3844	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	StartMenuExperienceHost.exe
PID 1424 wrote to memory of 3928	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	RuntimeBroker.exe
PID 1424 wrote to memory of 4012	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	SearchApp.exe
PID 1424 wrote to memory of 4112	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	RuntimeBroker.exe
PID 1424 wrote to memory of 492	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	RuntimeBroker.exe
PID 1424 wrote to memory of 4660	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	TextInputHost.exe
PID 1424 wrote to memory of 3120	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 2336	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 4800	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 416	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 3208	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 4304	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 4328	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	msedge.exe
PID 1424 wrote to memory of 4404	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	Global.exe
PID 1424 wrote to memory of 4404	1424	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe	Global.exe
PID 4404 wrote to memory of 4184	4404	Global.exe	svchost.exe
PID 4404 wrote to memory of 4184	4404	Global.exe	svchost.exe
PID 4404 wrote to memory of 4184	4404	Global.exe	svchost.exe
PID 4404 wrote to memory of 800	4404	Global.exe	fontdrvhost.exe
PID 4404 wrote to memory of 804	4404	Global.exe	fontdrvhost.exe
PID 4404 wrote to memory of 336	4404	Global.exe	dwm.exe
PID 4404 wrote to memory of 2820	4404	Global.exe	sihost.exe
PID 4404 wrote to memory of 2852	4404	Global.exe	svchost.exe
PID 4404 wrote to memory of 3036	4404	Global.exe	taskhostw.exe
PID 4404 wrote to memory of 3336	4404	Global.exe	Explorer.EXE
PID 4404 wrote to memory of 3508	4404	Global.exe	svchost.exe
PID 4404 wrote to memory of 3708	4404	Global.exe	DllHost.exe
PID 4404 wrote to memory of 3844	4404	Global.exe	StartMenuExperienceHost.exe
PID 4404 wrote to memory of 3928	4404	Global.exe	RuntimeBroker.exe
PID 4404 wrote to memory of 4012	4404	Global.exe	SearchApp.exe

System policy modification 1 TTPs 16 IoCs

evasion

Modify Registry

Processes:

svchost.exe5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exesvchost.exesystem.exesystem.exeGlobal.exesystem.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	system.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:336

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2852

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3036

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3336
- C:\Users\Admin\AppData\Local\Temp\5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\5b489dd68c0fe003dbf340a428b12140_NeikiAnalytics.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Adds policy Run key to start application
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Checks computer location settings
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1424
- - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
    "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe"
    3⤵
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Adds policy Run key to start application
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4404
  - - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
      "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"
      4⤵
      Adds policy Run key to start application
      Drops file in Drivers directory
      Sets file execution options in registry
      Checks computer location settings
      Executes dropped EXE
      Modifies system executable filetype association
      Adds Run key to start application
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Control Panel
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4184
    - - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
        
        "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
        5⤵
        Adds policy Run key to start application
        Drops file in Drivers directory
        Sets file execution options in registry
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Control Panel
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4160
    - - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
        
        "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
        5⤵
        Adds policy Run key to start application
        Drops file in Drivers directory
        Sets file execution options in registry
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Control Panel
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2648
  - - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
      "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"
      4⤵
      Adds policy Run key to start application
      Drops file in Drivers directory
      Sets file execution options in registry
      Checks computer location settings
      Executes dropped EXE
      Modifies system executable filetype association
      Adds Run key to start application
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Control Panel
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3520
    - - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
        
        "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
        5⤵
        Adds policy Run key to start application
        Drops file in Drivers directory
        Sets file execution options in registry
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Control Panel
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4112

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:492

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b0,0x7ffa2d402e98,0x7ffa2d402ea4,0x7ffa2d402eb0
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3056 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3264 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5484 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5620 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1332 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery