Malware Analysis Report

2025-08-05 19:16

Sample ID 240526-d74ryaec57
Target 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
SHA256 7043d7fbb590e5ec27aa96924e458a0dfa8b7c65aac4c99aa4f176efa9164d44
Tags
upx evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7043d7fbb590e5ec27aa96924e458a0dfa8b7c65aac4c99aa4f176efa9164d44

Threat Level: Known bad

The file 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Disables use of System Restore points

UPX packed file

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Drops desktop.ini file(s)

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 03:39

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 03:39

Reported

2024-05-26 03:42

Platform

win7-20240221-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\4k51k4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\4k51k4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\4k51k4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\4k51k4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\desktop.ini C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\desktop.ini C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification F:\desktop.ini C:\Windows\SysWOW64\IExplorer.exe N/A
File created F:\desktop.ini C:\Windows\SysWOW64\IExplorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\K: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\X: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Y: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\T: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\E: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\J: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\L: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\S: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\4k51k4.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\4k51k4.exe N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Windows\4k51k4.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\4k51k4.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\4k51k4.exe C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File created C:\Windows\4k51k4.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File created C:\Windows\4k51k4.exe C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\4k51k4.exe C:\Windows\4k51k4.exe N/A
File opened for modification C:\Windows\4k51k4.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File created C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened for modification C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\4k51k4.exe C:\Windows\4k51k4.exe N/A
File created C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Windows\4k51k4.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\4k51k4.exe
PID 2968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\4k51k4.exe
PID 2968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\4k51k4.exe
PID 2968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\4k51k4.exe
PID 2968 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2968 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2968 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2968 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2968 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2968 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2968 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2968 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2968 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2968 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2968 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2968 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2968 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2968 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2968 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2968 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2968 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2968 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2968 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2968 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2968 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2968 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2968 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2968 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2756 wrote to memory of 2008 N/A C:\Windows\4k51k4.exe C:\Windows\4k51k4.exe
PID 2756 wrote to memory of 2008 N/A C:\Windows\4k51k4.exe C:\Windows\4k51k4.exe
PID 2756 wrote to memory of 2008 N/A C:\Windows\4k51k4.exe C:\Windows\4k51k4.exe
PID 2756 wrote to memory of 2008 N/A C:\Windows\4k51k4.exe C:\Windows\4k51k4.exe
PID 2784 wrote to memory of 3064 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\4k51k4.exe
PID 2784 wrote to memory of 3064 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\4k51k4.exe
PID 2784 wrote to memory of 3064 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\4k51k4.exe
PID 2784 wrote to memory of 3064 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\4k51k4.exe
PID 2756 wrote to memory of 672 N/A C:\Windows\4k51k4.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2756 wrote to memory of 672 N/A C:\Windows\4k51k4.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2756 wrote to memory of 672 N/A C:\Windows\4k51k4.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2756 wrote to memory of 672 N/A C:\Windows\4k51k4.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1800 wrote to memory of 900 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE C:\Windows\4k51k4.exe
PID 1800 wrote to memory of 900 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE C:\Windows\4k51k4.exe
PID 1800 wrote to memory of 900 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE C:\Windows\4k51k4.exe
PID 1800 wrote to memory of 900 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE C:\Windows\4k51k4.exe
PID 1444 wrote to memory of 1884 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE C:\Windows\4k51k4.exe
PID 1444 wrote to memory of 1884 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE C:\Windows\4k51k4.exe
PID 1444 wrote to memory of 1884 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE C:\Windows\4k51k4.exe
PID 1444 wrote to memory of 1884 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE C:\Windows\4k51k4.exe
PID 2784 wrote to memory of 2848 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2784 wrote to memory of 2848 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2784 wrote to memory of 2848 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2784 wrote to memory of 2848 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 612 wrote to memory of 2148 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE C:\Windows\4k51k4.exe
PID 612 wrote to memory of 2148 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE C:\Windows\4k51k4.exe
PID 612 wrote to memory of 2148 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE C:\Windows\4k51k4.exe
PID 612 wrote to memory of 2148 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE C:\Windows\4k51k4.exe
PID 1800 wrote to memory of 1624 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE C:\Windows\SysWOW64\IExplorer.exe
PID 1800 wrote to memory of 1624 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE C:\Windows\SysWOW64\IExplorer.exe
PID 1800 wrote to memory of 1624 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE C:\Windows\SysWOW64\IExplorer.exe
PID 1800 wrote to memory of 1624 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE C:\Windows\SysWOW64\IExplorer.exe
PID 2548 wrote to memory of 2584 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2548 wrote to memory of 2584 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2548 wrote to memory of 2584 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2548 wrote to memory of 2584 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
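The table above lists every writer/target pair four times, so the spawn chain is easier to read once the rows are collapsed to one edge per pair. The Python below is an added example written for this page, not code from the sandbox or from any tool it names. It parses rows in the report's `PID <src> wrote to memory of <dst> N/A <src image> <dst image>` layout (image paths contain spaces, so the split is on the second `C:\`), rebuilds the tree from the sample's PID, and flags children that borrow a core Windows process name (smss, csrss, winlogon, services, lsass) while living outside System32 or SysWOW64. The sample rows are copied from the table. Reading the repeated writes as the parent's set-up of a child it has just spawned, rather than injection into an unrelated process, is an interpretation: every target image here also appears as a child launch in the Processes list that follows.

```python
"""Collapse the sandbox's 'Suspicious use of WriteProcessMemory' rows into a
parent/child spawn tree and flag system-process look-alikes."""
import ntpath
import re
from collections import defaultdict

# Constructed sample: rows copied from the table above, repeats kept on purpose.
SAMPLE_ROWS = r"""
PID 2968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\4k51k4.exe
PID 2968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\4k51k4.exe
PID 2968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\4k51k4.exe
PID 2968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\4k51k4.exe
PID 2968 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2968 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2968 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2756 wrote to memory of 2008 N/A C:\Windows\4k51k4.exe C:\Windows\4k51k4.exe
PID 2784 wrote to memory of 3064 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\4k51k4.exe
PID 1800 wrote to memory of 900 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE C:\Windows\4k51k4.exe
PID 2548 wrote to memory of 2584 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"""

# Image paths contain spaces, so split on the second "C:\" rather than on whitespace.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")

# Names the real Windows core processes use; outside the system directories they are decoys.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_write_events(text):
    """Return (src_pid, dst_pid, src_image, dst_image) for every matching row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def build_graph(events):
    """One edge per (writer, target) pair; the repeat count is kept for reference."""
    children = defaultdict(list)
    image = {}
    writes = defaultdict(int)
    for src, dst, src_img, dst_img in events:
        image.setdefault(src, src_img)
        image[dst] = dst_img
        if dst not in children[src]:
            children[src].append(dst)
        writes[(src, dst)] += 1
    return children, image, writes


def roots(children):
    """PIDs nobody wrote into: the detonated sample itself."""
    targets = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in targets)


def render_tree(children, image, writes, pid, depth=0, parent=None):
    """Indented text tree, one line per process, with the write count on each edge."""
    tag = f"  ({writes[(parent, pid)]} writes)" if parent is not None else ""
    lines = [f"{'  ' * depth}{pid}  {image[pid]}{tag}"]
    for kid in children.get(pid, []):
        lines.extend(render_tree(children, image, writes, kid, depth + 1, pid))
    return lines


def masquerading(image):
    """PIDs whose image borrows a core Windows name but lives outside System32/SysWOW64."""
    hits = []
    for pid, path in image.items():
        folder, name = ntpath.split(path)
        if name.lower() in SYSTEM_PROCESS_NAMES and folder.lower() not in SYSTEM_DIRS:
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    ev = parse_write_events(SAMPLE_ROWS)
    ch, im, wr = build_graph(ev)
    for root in roots(ch):
        print("\n".join(render_tree(ch, im, wr, root)))
    print("look-alike system processes:", masquerading(im))
```

Run against the full table the same way; the point of the basename check is that a tree view alone does not make `WINLOGON.EXE` under `Local Settings\Application Data` stand out from the real `winlogon.exe`, whereas the directory test does.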

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\4k51k4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\4k51k4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
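The screen-saver rows at the top of this section, the "Modifies registry class" table and the "System policy modification" table can be triaged mechanically, and the same parser serves all three. The Python below is an added example written for this page, not code from the sandbox report or from any tool it names. It parses rows in the report's `Set value (type) <key> = "<value>" <process> N/A` layout (values are quoted C-style, `\"` and `\\`), flags the file-association hijack, the "File Folder" disguise of `exefile`, the Task Manager / regedit / Folder Options policies and the `SCRNSAVE.EXE` write, and emits a .reg fragment that restores what a stock install carries. The stock values it assumes (`"%1" %*` as the open command for exefile, batfile, comfile and piffile, `Application` as the exefile type name, and no `shell\open\command` key under lnkfile at all) must be verified against a clean host of the same build before the fragment is imported. The ATT&CK IDs are from the Enterprise matrix; the sample rows are copied from the tables.

```python
"""Triage the sandbox's 'Set value' registry rows: file-association hijacks,
policy tampering and screen-saver persistence, plus a .reg fragment that
restores stock values."""
import re

# Constructed sample: rows copied from the registry tables in this report.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\4k51k4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Windows\4k51k4.exe N/A
"""

# The report quotes values C-style: \" for a quote and \\ for a backslash.
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "((?:[^"\\]|\\.)*)" (.+) N/A$')
CLASSES = "\\registry\\machine\\software\\classes\\"

# Stock values assumed from a default install; verify against a clean host of the same build.
STOCK_OPEN_COMMAND = '"%1" %*'
TYPES_WITH_OPEN_COMMAND = {"exefile", "batfile", "comfile", "piffile"}   # lnkfile has none at all
STOCK_EXEFILE_NAME = "Application"
POLICY_VALUES = {"disabletaskmgr": "System", "disableregistrytools": "System", "nofolderoptions": "Explorer"}

def unescape(raw):
    return re.sub(r"\\(.)", r"\1", raw)

def split_key(key):
    """A trailing backslash names the key's default value; otherwise the last part is the value name."""
    if key.endswith("\\"):
        return key[:-1], "@"
    parent, _, name = key.rpartition("\\")
    return parent, name

def parse_set_values(text):
    rows = []
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            vtype, key, raw, proc = m.groups()
            rows.append({"type": vtype, "key": key, "value": unescape(raw), "process": proc})
    return rows

def triage(rows):
    """Return (category, item, value, writing process) for every suspicious write."""
    findings = []
    for r in rows:
        key, name = split_key(r["key"])
        kl = key.lower()
        if kl.startswith(CLASSES):
            parts = kl[len(CLASSES):].split("\\")
            ftype = parts[0]
            if parts[1:] == ["shell", "open", "command"] and name == "@":
                if ftype in TYPES_WITH_OPEN_COMMAND and r["value"] == STOCK_OPEN_COMMAND:
                    continue                          # stock handler, nothing to report
                findings.append(("T1546.001 file association hijack", ftype, r["value"], r["process"]))
            elif len(parts) == 1 and name == "@" and ftype == "exefile" and r["value"] != STOCK_EXEFILE_NAME:
                findings.append(("exefile type name changed, .exe shown as folder", ftype, r["value"], r["process"]))
        elif "\\policies\\" in kl and name.lower() in POLICY_VALUES and r["value"] == "1":
            findings.append(("T1562.001 admin tool disabled by policy", name, r["value"], r["process"]))
        elif kl.endswith("\\control panel\\desktop") and name.lower() == "scrnsave.exe":
            findings.append(("T1546.002 screensaver persistence", name, r["value"], r["process"]))
    return findings

def restore_reg(findings):
    """A .reg fragment that puts the assumed stock values back; import only once the processes are dead."""
    out = ["Windows Registry Editor Version 5.00", ""]
    seen = set()
    for cat, item, _value, _proc in findings:
        if (cat, item) in seen:
            continue
        seen.add((cat, item))
        if cat.startswith("T1546.001"):
            if item in TYPES_WITH_OPEN_COMMAND:
                out += [f"[HKEY_CLASSES_ROOT\\{item}\\shell\\open\\command]", '@="\\"%1\\" %*"', ""]
            else:                                     # lnkfile: the key should not exist, so delete it
                out += [f"[-HKEY_CLASSES_ROOT\\{item}\\shell\\open\\command]", ""]
        elif cat.startswith("exefile"):
            out += ["[HKEY_CLASSES_ROOT\\exefile]", f'@="{STOCK_EXEFILE_NAME}"', ""]
        elif cat.startswith("T1562.001"):
            subkey = POLICY_VALUES[item.lower()]
            out += [f"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\{subkey}]", f'"{item}"=-', ""]
        elif cat.startswith("T1546.002"):
            out += ["[HKEY_CURRENT_USER\\Control Panel\\Desktop]", '"SCRNSAVE.EXE"=-', ""]
    return "\n".join(out)

if __name__ == "__main__":
    found = triage(parse_set_values(SAMPLE_ROWS))
    for f in found:
        print(f)
    print(restore_reg(found))
```

Two caveats when cleaning a host that shows this pattern. `DisableRegistryTools` blocks regedit.exe, so import the fragment with `reg.exe import` from a console rather than by double-clicking it; and because the `exefile` handler is consulted for ShellExecute-style launches (Explorer, the Run dialog) but not for a `CreateProcess` made directly from an already-open console, that console is also the safer place to kill the dropped processes before touching the registry. Every association the malware redirects to `C:\Windows\system32\shell.exe` must be restored, otherwise the next double-click on any .exe, .bat, .com, .pif or shortcut re-launches the dropped binary.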

Processes

C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe"

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2968-0-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 5d53a28bb3daf2eac3243d9b8bf62c00
SHA1 6141c8ceab00d56d312101232c95e73e438d1612
SHA256 7043d7fbb590e5ec27aa96924e458a0dfa8b7c65aac4c99aa4f176efa9164d44
SHA512 e575a6b4d34757c1d5e058a889d53bf0863d4e76503c73eeb66191d5ec2199f56dd2aca1eed35c948b24b208f8506c91e34311b5e6b8fc982d53c375cda19db2

C:\Windows\4k51k4.exe

MD5 c4a2f3d6ebdaaca9e937457ee2c7db1a
SHA1 73771c42b00c88c4213a426d66263c799326d2f2
SHA256 110567b49e1a6df99092b65f8782f344ee469d408ada986154e9e45c2b0686e8
SHA512 b5df772ccee0bce1578cf7696376bc85cfdcaa7eef6ae333577c633c9dd1fed6188804bf52353a3131a5441d3eaf7ac725cee840526f551a761b22737de8926e

memory/2756-116-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2968-115-0x0000000000390000-0x00000000003B3000-memory.dmp

memory/2968-114-0x0000000000390000-0x00000000003B3000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 739c32514fcfcf0cd3f04862d7dad501
SHA1 da2bc54aaaa87fcd7f147e2a995623f5ae148414
SHA256 33a911ab281e982db1c3723a1d503c06e94122bc03d4672081adc82aed01d243
SHA512 0d1461abbec09ffffc1c0b6700c5df92360bf901409527d7bed58530c6d72976357a69b52f9310af2d60c6a5e37042f05b90cd0cc8e3f767d2557a65d5ca5010

memory/2968-126-0x0000000000390000-0x00000000003B3000-memory.dmp

memory/2784-127-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 adc460ee4bd3b8ba08a9bcc946e77ba1
SHA1 d7c295e2f4eb18ebc12bf5ca493f1a3c80f74752
SHA256 5448ff07306cfeeef986611f822def36f9ffee8bbd62f0145750972bef594055
SHA512 a4e02cff07465d17f610e64132069b11d4deaecd8c921d7c94ff02d9c104dd8ea064103c9e97a01086d8b3398bfa9d54f44c8243f2f3022ff8057735edbedc44

memory/2968-139-0x0000000000390000-0x00000000003B3000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 e6eb4cec7d532a4ea59564835f43d24d
SHA1 b2090fc5c57d49f7fb7bd814943f54ce1ef6b842
SHA256 9f5818d4ccd79427acd078f11bd4011f629d648139b719d7f0628e232f8fabf7
SHA512 94e2968d4c2b1959fc58644dfd02672ae9f1b4a505fcb1d56b2c506bb6b5268bef6ab098295534205734881872b61dee6a329a30e91cbb2ff3be69b2e2bc9d29

memory/1444-150-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2968-149-0x0000000000390000-0x00000000003B3000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 a897e2d973ec48d838c9dd6d718490fd
SHA1 5f76dc8bed004feec45d2a143224ff48951c42fe
SHA256 ac613b1c85571148c8c988c78e2578eb1b09a62b4bfa40de6d68040f971f9320
SHA512 f2e3286ad9325d6782c5edd96e350cf5df04a41b8daa005b462e3af9e383d9a28a4e2451e696f2a2b39cb228e4d3020e3762c112f0db6b730480e5a6a525a25f

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 5fd9aa4a27723da4d04067b86982c52d
SHA1 712b0bb53c6d0c739b4762ea1f3e3b8fc0fa9708
SHA256 23fa3979c17a19adb4986f847d81ca97a19abe11fb981883193cff1992effcc2
SHA512 24c4fc212a94b66bade7dd13db388a3365be6cee2cc4d1acce190bdadcb7a2de8435a35d22820da3c8531def36d3d4f5c8df5bd4e7d44d814bc3076c86122c32

memory/2968-170-0x0000000000390000-0x00000000003B3000-memory.dmp

memory/2968-169-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 ecd4eb23ce4a84065d71557c01daa26f
SHA1 23e54594f49e3c514806ade05f81d0b1bda71ce7
SHA256 f890fda8de7673bfe5337d25516405f44b4b1608db1d2fa9cfd26a85d1033564
SHA512 b1bb56f441baf126c370f46f4dbc5090396311415b6b07fbe84105fa74dc9b19029b3110fc7b5f3d28bebba12eded186c6cdf591033152ab1177d40afad8e806

memory/2756-180-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2968-184-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 5eaee01cc0ca56307d44b256f15bb120
SHA1 4c81f067210a8d6482f57e06335dc55579f29987
SHA256 e121d1c3cf4e775259c22647442ab67b157d57e67fa96ab57f423674f991c9d1
SHA512 428a799de98532f25ec573887b9aa7c5dd27e65b8ec2dea5bfbb454ae6da5a81456a5cfc89baa40dabb7a572e51794c53ccaa34a6c9f6d8b33e792af5ebc6d37

C:\Puisi.txt

MD5 001424d7974b9a3995af292f6fcfe171
SHA1 f8201d49d594d712c8450679c856c2e8307d2337
SHA256 660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d
SHA512 66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

C:\Windows\SysWOW64\MrHelloween.scr

MD5 9223d742854bcb271a91f62846e405f7
SHA1 f33d48f2c71b246992c0c9c7613441f64e857cf8
SHA256 e84673a105a9f8273f565c6564f329285c772d7de75e397a1d05efd62bc58794
SHA512 bd2ec4d1ed25ef47e9f3d6884b34d5a63849f3a7ddc88bb800a5635dfa6f8de255f9bc97267048cd00869a18b68feeb4f593fc0307026d79b9fb0fcc61d54667

C:\Windows\SysWOW64\shell.exe

MD5 1bc894ff4249e36d3968df3277d75e9f
SHA1 f3d282e12ed1405753107962feca99cac940c6d9
SHA256 6f3b671e21e780a24f4d4b6107c5d97781b0cfd0774c242ecb0a40afd5cb1b62
SHA512 691559af43e47868640d4a0698a04f704c5466d68cb935101f86b1a540168d17bd4dd9ba336c7fb707702aa3ff394646cbb9ce9abbd15b9e450e22e9ef320e6c

C:\4k51k4.exe

MD5 33ce30993f4678f0b5898eb7f74daa1c
SHA1 63ec9c2c9725f77544c55317b4c78f2ca366e9bf
SHA256 f4cc8c793f1ee2eb4b3a9b3037c2d2ed00899c9dad80572340bd0f61d6e627da
SHA512 e6c8cff710d15977b0bdf30cd61219bb207813c7c5fc6bcc6a6b8d3cca2d103141d35f693bda435f28407fbc1252473c5d79fb2072976c2d83693ebb47f54d2f

memory/2784-215-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\MSVBVM60.DLL

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

memory/1800-242-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2784-241-0x00000000026D0000-0x00000000026F3000-memory.dmp

memory/2784-240-0x00000000026D0000-0x00000000026F3000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 b7d5f03b478ef31f8d5e2418f5d730f0
SHA1 4d451e9a8422dadb456a76fced0cf0fd9e610f73
SHA256 7b9a279f385bc75e492de6c728b995ce351ca3596cb840b0c26c2ce989f31abc
SHA512 6bca25f5270d63d9699127f6baebd2b7476c9a67e1349e5b1fc3c6b0c8194c42dd3c3fc928320b7a65e180d0a5df68d7c29d05bf3a812f093fe9b5f994578f49

memory/2008-249-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2008-247-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2756-251-0x00000000025A0000-0x00000000025C3000-memory.dmp

memory/3064-332-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3064-331-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/672-313-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 e3f89aa16f8af66b0b9be4783bfdfa53
SHA1 621c00305e97c4abe0d6da7b47c79be3f3a1cdf3
SHA256 1de81a2fb731e98570c3633646c05504ea3afb8da774912a54d3c08b2217683c
SHA512 1c63889984f63bebb55ec9862c46ba45ac16a75c5868bf181ce5a5bd7a8b6e22185f9c0617e6732142c7469206f1185a64ec8487afcc8b82712ba06d024abfd8

C:\Windows\SysWOW64\MrHelloween.scr

MD5 7200851c871f80b34b7de224e6daf3c1
SHA1 bedbc884e966a1fcbc336c0690c10ec662ee0794
SHA256 1d44228401a877210e9a54f8c5e90a8ec498305765b7803c949d03703271266b
SHA512 dc868788f3afc331767ae2f78de0c1125947411e1c6b7ea84f0748ef557a2578b1b205fea88abeeaa6da5e6a0ee993758433393eae495a683383698b559a551f

C:\Windows\SysWOW64\shell.exe

MD5 0b7f0ded62096d58334e252c3b231d14
SHA1 9ae160efa11ae6b0f6d579635a007fac1e29b5fc
SHA256 73d754ece4401262fdc5b5b6703f389f5f80a873a2cb40e34ad281798cdf07f7
SHA512 097d30b9ae6d106e5321f295a6c77e7946ecfa08971384c1e895f77c39337a054557b9539e7400eeeccb02dc98566e2cda50d712ab35fcd5483d4ec742e8e176

C:\4k51k4.exe

MD5 ed3ba3010622d3d9905fd6c03b3aaeb4
SHA1 eaef97649256345efe142844c4710d20c1553692
SHA256 96e5b8f63b035672b81238e16c93a495c6cfacf5c2696f283db5e03e36a3a8e7
SHA512 8a13b677895a0b1d63f78bef233cf9e2d9b1946adaa1b51e4afac7098e7b8285620c90171c45f5741a95fec7f169d035b5a2447a3e55424c669ecaaca8c111cb

memory/612-359-0x00000000003D0000-0x00000000003F3000-memory.dmp

memory/1884-366-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2548-403-0x0000000000400000-0x0000000000423000-memory.dmp

memory/612-410-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1624-409-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2148-408-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2784-407-0x00000000026D0000-0x00000000026F3000-memory.dmp

memory/2784-406-0x00000000026D0000-0x00000000026F3000-memory.dmp

memory/2548-405-0x0000000000670000-0x0000000000693000-memory.dmp

memory/2784-404-0x00000000026D0000-0x00000000026F3000-memory.dmp

memory/2584-372-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1884-365-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2848-363-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2848-362-0x0000000077270000-0x000000007736A000-memory.dmp

memory/2848-361-0x0000000077370000-0x000000007748F000-memory.dmp

memory/1344-411-0x0000000000400000-0x0000000000423000-memory.dmp

memory/900-339-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1800-338-0x00000000023F0000-0x0000000002413000-memory.dmp

memory/2380-376-0x0000000000400000-0x0000000000423000-memory.dmp

memory/672-291-0x0000000000260000-0x0000000000270000-memory.dmp

memory/2684-386-0x0000000000400000-0x0000000000423000-memory.dmp

memory/900-378-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2784-337-0x00000000026D0000-0x00000000026F3000-memory.dmp

memory/1444-336-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2784-414-0x00000000026D0000-0x00000000026F3000-memory.dmp

memory/2784-415-0x00000000026D0000-0x00000000026F3000-memory.dmp

memory/2756-416-0x00000000025A0000-0x00000000025C3000-memory.dmp

memory/2784-417-0x00000000026D0000-0x00000000026F3000-memory.dmp

memory/2400-424-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2148-434-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2708-445-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1844-444-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2472-474-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2492-473-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1344-500-0x0000000002640000-0x0000000002663000-memory.dmp

memory/1924-480-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1800-536-0x00000000023F0000-0x0000000002413000-memory.dmp

memory/1444-534-0x0000000002320000-0x0000000002343000-memory.dmp

memory/1256-533-0x0000000000400000-0x0000000000423000-memory.dmp

memory/428-551-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2008-549-0x0000000000400000-0x0000000000423000-memory.dmp

memory/948-547-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1344-560-0x0000000002640000-0x0000000002663000-memory.dmp

memory/612-567-0x00000000003D0000-0x00000000003F3000-memory.dmp

memory/2548-566-0x0000000000670000-0x0000000000693000-memory.dmp

memory/2548-565-0x0000000000670000-0x0000000000693000-memory.dmp

memory/1800-564-0x00000000023F0000-0x0000000002413000-memory.dmp

memory/612-563-0x00000000003D0000-0x00000000003F3000-memory.dmp

memory/612-562-0x00000000003D0000-0x00000000003F3000-memory.dmp

memory/1444-557-0x0000000002320000-0x0000000002343000-memory.dmp

memory/1220-556-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2756-555-0x00000000025A0000-0x00000000025C3000-memory.dmp

memory/2756-554-0x00000000025A0000-0x00000000025C3000-memory.dmp

memory/1864-532-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2024-531-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1800-535-0x00000000023F0000-0x0000000002413000-memory.dmp

memory/2932-485-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1800-498-0x00000000023F0000-0x0000000002413000-memory.dmp

memory/1648-497-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2012-496-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2784-495-0x00000000026D0000-0x00000000026F3000-memory.dmp

memory/1800-494-0x00000000023F0000-0x0000000002413000-memory.dmp

memory/2784-492-0x00000000026D0000-0x00000000026F3000-memory.dmp

memory/1472-478-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2628-476-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2492-472-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2600-471-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2628-470-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2976-442-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2784-441-0x00000000026D0000-0x00000000026F3000-memory.dmp

memory/2548-440-0x0000000000670000-0x0000000000693000-memory.dmp

memory/2784-438-0x00000000026D0000-0x00000000026F3000-memory.dmp

memory/2548-469-0x0000000000670000-0x0000000000693000-memory.dmp

memory/1440-468-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2548-467-0x0000000000670000-0x0000000000693000-memory.dmp

memory/2756-466-0x00000000025A0000-0x00000000025C3000-memory.dmp

memory/1472-465-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1800-464-0x00000000023F0000-0x0000000002413000-memory.dmp

memory/1800-463-0x00000000023F0000-0x0000000002413000-memory.dmp

memory/2888-461-0x0000000000400000-0x0000000000423000-memory.dmp

memory/612-460-0x00000000003D0000-0x00000000003F3000-memory.dmp

memory/2492-459-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2756-458-0x00000000025A0000-0x00000000025C3000-memory.dmp

memory/2708-450-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2716-437-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2548-446-0x0000000000670000-0x0000000000693000-memory.dmp

memory/2536-614-0x00000000001B0000-0x00000000001C0000-memory.dmp

memory/2756-634-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2784-635-0x0000000000400000-0x0000000000423000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 03:39

Reported

2024-05-26 03:42

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\4k51k4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\4k51k4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\4k51k4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\4k51k4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created F:\desktop.ini C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\desktop.ini C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\desktop.ini C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification F:\desktop.ini C:\Windows\SysWOW64\IExplorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\P: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\U: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\W: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\E: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened (read-only) \??\Y: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened (read-only) \??\I: C:\Windows\4k51k4.exe N/A
File opened (read-only) \??\T: C:\Windows\4k51k4.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File created C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Windows\4k51k4.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\4k51k4.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\4k51k4.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\4k51k4.exe N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File created C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\4k51k4.exe C:\Windows\4k51k4.exe N/A
File opened for modification C:\Windows\4k51k4.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\4k51k4.exe C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File created C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\4k51k4.exe C:\Windows\4k51k4.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
File opened for modification C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File opened for modification C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
File opened for modification C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\4k51k4.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\4k51k4.exe C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\4k51k4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\4k51k4.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Windows\4k51k4.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3228 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\4k51k4.exe
PID 3228 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\4k51k4.exe
PID 3228 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\4k51k4.exe
PID 3228 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3228 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3228 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3228 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3228 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3228 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3228 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3228 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3228 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3228 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3228 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3228 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3228 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3228 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3228 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3228 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3228 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3228 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3624 wrote to memory of 3160 N/A C:\Windows\4k51k4.exe C:\Windows\4k51k4.exe
PID 3624 wrote to memory of 3160 N/A C:\Windows\4k51k4.exe C:\Windows\4k51k4.exe
PID 3624 wrote to memory of 3160 N/A C:\Windows\4k51k4.exe C:\Windows\4k51k4.exe
PID 3624 wrote to memory of 832 N/A C:\Windows\4k51k4.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3624 wrote to memory of 832 N/A C:\Windows\4k51k4.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3624 wrote to memory of 832 N/A C:\Windows\4k51k4.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2280 wrote to memory of 1360 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\4k51k4.exe
PID 2280 wrote to memory of 1360 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\4k51k4.exe
PID 2280 wrote to memory of 1360 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\4k51k4.exe
PID 2280 wrote to memory of 4180 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2280 wrote to memory of 4180 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2280 wrote to memory of 4180 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3624 wrote to memory of 4160 N/A C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2280 wrote to memory of 4164 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3624 wrote to memory of 4628 N/A C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2280 wrote to memory of 876 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2280 wrote to memory of 1316 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3624 wrote to memory of 4468 N/A C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2280 wrote to memory of 3648 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1000 wrote to memory of 4196 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE C:\Windows\4k51k4.exe
PID 3624 wrote to memory of 1948 N/A C:\Windows\4k51k4.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2280 wrote to memory of 4924 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1000 wrote to memory of 4860 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE C:\Windows\SysWOW64\IExplorer.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Windows\4k51k4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\4k51k4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\4k51k4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe"

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Windows\4k51k4.exe

C:\Windows\4k51k4.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network


Files

C:\Users\Admin\AppData\Local\winlogon.exe

C:\Windows\4k51k4.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

C:\Puisi.txt

C:\Windows\MSVBVM60.DLL

C:\Windows\SysWOW64\shell.exe

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

C:\Windows\SysWOW64\shell.exe

C:\4k51k4.exe

C:\Windows\SysWOW64\MrHelloween.scr

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

C:\Windows\SysWOW64\MrHelloween.scr

C:\4k51k4.exe
