Malware Analysis Report

2025-01-06 10:34

Sample ID 240601-en6b4ahh93
Target 8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe
SHA256 b90111a97bfd5e013060cec2d8cf8ef00ece7676836271fb812752844ccf5872
Tags evasion persistence
Score 10/10


Analysis Overview

score
10/10

SHA256

b90111a97bfd5e013060cec2d8cf8ef00ece7676836271fb812752844ccf5872

Threat Level: Known bad

The file 8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Disables use of System Restore points

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Drops desktop.ini file(s)

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 04:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 04:06

Reported

2024-06-01 04:08

Platform

win7-20240221-en

Max time kernel

141s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfh00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File created C:\Windows\system32\perfh00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File created C:\Windows\system32\perfc007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\PerfStringBackup.TMP C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\inf\Outlook\0009\outlperf.ini C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DB-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EF-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F8-0000-0000-C000-000000000046}\ = "_OlkPageControl" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\ = "_Column" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\ = "MAPIFolder" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063102-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\ = "Action" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063049-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063086-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\ = "FormDescription" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300D-0000-0000-C000-000000000046}\ = "ResultsEvents" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\ = "_OlkCategory" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EF-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ = "_Rules" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CB-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2900 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2900 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2900 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2900 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2900 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2900 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2900 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2900 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2900 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2900 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2900 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2900 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2900 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2900 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2900 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2900 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2900 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2900 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2900 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2900 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2900 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2900 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2900 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2900 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2900 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2900 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2900 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2900 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2900 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2900 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2900 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2900 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2900 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2900 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2900 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2900 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2900 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2900 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2900 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2900 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2900 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2900 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2900 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2900 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2900 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2900 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2900 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2900 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2900 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2900 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2900 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding

Network

N/A

Files

memory/2900-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 8cdc492b31061a999cf86eb0f978d880
SHA1 800287dd3af289ddc2cd4ac4a6554c9718c9fc69
SHA256 b90111a97bfd5e013060cec2d8cf8ef00ece7676836271fb812752844ccf5872
SHA512 7415f910bd141b9d9f7a61476e9225c1e03ea99fd049018f814a9037b1b927c3aa47d22430c01dfc64702d2bfa6e088c973823063d4866dd6c6c18be1c8d2301

C:\Windows\xk.exe

MD5 4790f23b3bf355bd4645447055308f81
SHA1 dbef2477078464c3d29abda649e403e70805917c
SHA256 cfdad4df576b09c43aa60c4cd25a027472fad6f0f867b8399d586692c3ba6ca5
SHA512 1d6a055746dc7f929c12d3ced9b0ac9751bd57ca4728b305664d1fdb74427043ba4c5a3748a2a17d24a5f57891c611487c41d958e70c73a0bc3cc52547adc4cd

memory/2900-111-0x0000000000350000-0x000000000037E000-memory.dmp

memory/1484-112-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2900-110-0x0000000000350000-0x000000000037E000-memory.dmp

memory/1484-116-0x0000000000400000-0x000000000042E000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 b377850c7cb3baae16756d66e7c83d70
SHA1 fb148cb8a2495e2fbd68a62cb4dd19dbac950499
SHA256 2afd764ecc103511814331865874150eb8394cb16b1b4534258b8a580b07910e
SHA512 039472370e62afd333ba15cf64dffb350999d16c732b36132c2f446277b9e10f91884691c71fbec7bb0b0723f2a549126d56543bac643cd947d9ba254b5d6a52

memory/2900-118-0x0000000000350000-0x000000000037E000-memory.dmp

memory/2180-128-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 757d9290c888bfd8a47f807957759d8e
SHA1 5b1514e4a888d5db07c6c366e7b0a3807dc89bef
SHA256 b97d1eef685e6e0f05018bf5f98ceddf9c51b3a793e87ceb3550a50e43758762
SHA512 0ed83543cb2274df228a6a36328b4d63546df2810966c8c317f1abc0a519b28d178ef5dc499627d2f2a2969ce593cfb81d249258a3e7c177478e06e8a303db3d

memory/2632-139-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 561bfddb1ebbb8bd132f79e959778bd0
SHA1 412c81f0699a23e559a12bf88d39e7afc83be042
SHA256 6193f9f3e2340d661024c0ea2a2f145aa33a801e29f2e1ab1e7eeb800859a880
SHA512 7ee51a30b1f6b46689af67404bece272de191338dfce8e03e5e1ed2edb161935c7e6dea58235d2f5eb8123e805fa24db884551ab4b66974a07c5ef0d6be10b92

memory/2900-147-0x0000000000350000-0x000000000037E000-memory.dmp

memory/1948-151-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 47cd12d9ca951a0bbf81504f5fd16002
SHA1 b18a239e149a47d15e77122dc64cf10d87a1671f
SHA256 f32662feb85513e7be4b8a4b21fa129a2b2791a5512f41627343f6cc580d51de
SHA512 b9530b1825be830f79d6d6b57214e42202e0749138f1b16481a193dd0601a0eb2dff4cb35d134131713b86a0b8571af1d6672bc38ef21b67ced2df6909250c13

memory/2900-160-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2900-159-0x0000000000350000-0x000000000037E000-memory.dmp

memory/2320-164-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 5571bb1a3a3764d367fcd464eaf09417
SHA1 05c2c7aafa5299f6f5a5dd0dfe2222a2a79d9c4e
SHA256 c3779b4d742b4a40364f449c7b31bd0f3056b8249a31dbbb1392a3d4e6e04b87
SHA512 f71605bad9bb9ac3192b0332f41ac67fab5e6a83f1a78227399257bc63451d29c3fa2ba42704b91a3f786c1de9f1de138ff7fd90bc21f7a16e6e82b2509e46ba

memory/2900-172-0x0000000000350000-0x000000000037E000-memory.dmp

memory/1440-176-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2900-234-0x0000000000350000-0x000000000037E000-memory.dmp

memory/2900-233-0x0000000000350000-0x000000000037E000-memory.dmp

C:\Windows\xk.exe

MD5 f4f3b090c41e1d71f5c5e0ab46c1feb9
SHA1 ffe8d063495439e717d1bba6d2979313094d3bac
SHA256 641512dd6c33ee0e78ccd9d0858628fffc62c472bf0c3fea379cf6a00d1d1ac1
SHA512 2bd9b9ae3833092b0e55d60b7d4fca303aada28c76be8b5f9f084f6865149001f18d0f150f2140241d2c1ae21cbfdbeaeb7655ec27ff908845112a027fc34198

\Windows\SysWOW64\IExplorer.exe

MD5 43f86c0425ede554b11c427f3f85a76a
SHA1 b0f6b76d65404b03cbeea19e0b49da63f79e199a
SHA256 04674e214c8bc02940ee26cfb9ac3aae7c2d1451c8e1617162a95cda9dc5c320
SHA512 add849a1166f4df5a330264cd966ba4e020b138147946e59b713c82ebb1ebf79b63eebae40410c26b72da0ce06ccae80cbaf28c954a662f4fb6657ea01cde9e2

memory/768-237-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2900-245-0x0000000000350000-0x000000000037E000-memory.dmp

memory/2900-248-0x0000000000350000-0x000000000037E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 983737fe1ede713fc198260f3db1b681
SHA1 ed00452750a0f1bec858e7d6cbf57c4403b8c790
SHA256 e5bf5cc4ac2f1e38cec3a2fb0ac21f50307a1d067d6952858794472c25a8d60c
SHA512 5f36bbf9b510f8ee920c682559e246fc183172f5242f61de519271b40281049c2a99bfa8929fe4bebebb90c19e287dbcce84d757eaccb4f15b704d83ad36858c

memory/672-256-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2900-259-0x0000000000350000-0x000000000037E000-memory.dmp

memory/2900-258-0x0000000000350000-0x000000000037E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 de9df8a2124c7d3eb2ff7f964350cefc
SHA1 5a63e0e54ca1c145b16cc7b7d5eee29bb39e313f
SHA256 aad5c3c6725061d9ea5b8dfd6d8ff17ac9e6362fa58203bc3becce40c0472c7c
SHA512 6cd4121bb0e420ba6f21aa1b9007e486a72de892fba3e189eea9d8ec9be04fc0e90786c3e8c96a2e87d350b0012071e29daa0337b964a6bfe72a3099f2b89227

memory/2900-271-0x0000000000350000-0x000000000037E000-memory.dmp

memory/2112-265-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 8995abe399f6c929429604f2785fbbfa
SHA1 787a878a78b1a36236ede1d86c1d0aa7af089847
SHA256 07552b46fe500e5919da5caa6a93c2b77da0914e78f06dd0e156f0831aa85d82
SHA512 4c7e3e45ec95465268a8e9e76f35a0de9876c4338cd8a55933a26041640a03578c4bae29ed6792b04cdaf1288720fbdc0f976719360e910deb8a01180feec6a9

memory/1672-276-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 4136c90ae2e9d8b3bea0640692cd971f
SHA1 055419fa7441a399f957ae39ae96d4a1a4c23d67
SHA256 439ce4b105f23af17eff0fffaa0d69cf84eabd5edbf91304cc3ffe51f5716183
SHA512 c4e7bf863a124e3979c037bf729d0a0c0c711670c0620fb411a42a984fbbee70861f111b3d1720fb61dae8b3aea1f419f07d9de7a9ffbf569682c438ca162f4c

memory/1072-298-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1072-296-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1288-293-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 479a03c3dce62cf4f928a888f23a6f65
SHA1 769b3abe614b16428cdc4e52411a419a40d285ae
SHA256 b064512d7543ab5a905d51fd7a9c7884873451e3e40cc667f1e82337b485e813
SHA512 c151c56792e06b7ed675a4cdf107f412e0232322e97f5ab8ede185fad671997fd62da11a2cfc1fe7917632857bf8c501dc8867bff6ceb7dced4f7a8f13e97f74

memory/1156-311-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2452-334-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 ba7f80a31c4685b5dda1d5c3ff819c57
SHA1 afbdea9f5d12078650ff078f9533f08eb4be4ca2
SHA256 b3d61aa9befcdb7f170cf827db5f1ce02258ae730174ec734e3f350deaaa4d83
SHA512 785b0c95a8f33d8bf7cab6e913700d117859398b19aab55a547915302d3dd053bec0b9dfb98814f319818d1928ec1351e625861877f82b7436a46d755c4e20e2

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 6612ca171f37fee05e4985c874abde44
SHA1 b7c172752c3e19893b8fea11b38f19953435c105
SHA256 d26a44b43f9d38f3856ab28dc374ae1fe5fff1668fde686b6ed70b3dfc3ce9bd
SHA512 326aec9f1f838b75b69078bcdd8fd97336275896afbd0226f1e698d7f6eb6fd71a2611384318677e88e7c211c86ea93ec96fff7142dfdbdf32bec37febd5c7de

C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

MD5 48dd6cae43ce26b992c35799fcd76898
SHA1 8e600544df0250da7d634599ce6ee50da11c0355
SHA256 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512 c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

memory/2900-459-0x0000000000400000-0x000000000042E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:06

Reported

2024-06-01 04:08

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4764 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\xk.exe
PID 4764 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\xk.exe
PID 4764 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\xk.exe
PID 4764 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4764 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4764 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4764 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4764 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4764 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4764 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4764 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4764 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4764 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4764 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4764 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4764 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4764 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4764 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4764 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4764 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4764 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe N/A

Processes

Image Command line
C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\8cdc492b31061a999cf86eb0f978d880_NeikiAnalytics.exe"
C:\Windows\xk.exe C:\Windows\xk.exe
C:\Windows\SysWOW64\IExplorer.exe C:\Windows\system32\IExplorer.exe
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

memory/4764-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 8cdc492b31061a999cf86eb0f978d880
SHA1 800287dd3af289ddc2cd4ac4a6554c9718c9fc69
SHA256 b90111a97bfd5e013060cec2d8cf8ef00ece7676836271fb812752844ccf5872
SHA512 7415f910bd141b9d9f7a61476e9225c1e03ea99fd049018f814a9037b1b927c3aa47d22430c01dfc64702d2bfa6e088c973823063d4866dd6c6c18be1c8d2301

C:\Windows\xk.exe

MD5 84bcd79bb1e89711918acb3ff52a7967
SHA1 b7f98e5f755bcdf9391eca0463045cc72ae9f6fa
SHA256 268592f95b1f1339b0608dfec171868c295725ab1fedaf65e73039ddeef59229
SHA512 3a0a0302e04f36d93805ed58f2c772845ad0752a2634667673c030fc5d0e5279fed643c6b35840144fd6ad0250865c812882d28203502188465609b281f22332

memory/2388-113-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 e18fd3e924e569db21dcad53320979d1
SHA1 4d7ce025436b3b675ab494c2fcdbb59c8109720d
SHA256 c1046939bcaeebbd37d30c88344ba89b60ef6a9f3eb358a1cb003448d8c623d5
SHA512 d858a9f49936a755613c177d2d69bb9ae5ca24efa88f8197895e847753d07121a028cb1f21d03bed35245b11eb65e78e08c082e0bbaa225fed03b968e768f3fe

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 3a5b336564e7587756957851e325c826
SHA1 23de1efd83414b1f88fa099d1b1d2283fc45d6a3
SHA256 cbd094f1efdf4885eb07f2f7150f7f28655264fd29b47550a9545f05ce563cbf
SHA512 c1e85061bbb3f25c3cbc4d9083e995770045c1d9da367ef3eb0b8b5c0020e9de38180bf76be8b006d8e53e9f4d20fb381430e1bbe219e39e20d05dbcd028b866

memory/5112-118-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3084-125-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 5a240803e89a8c8b88fe67c5cd6cc316
SHA1 a3ab0baa3e1c7ba545788d666e5da132acaa1a6c
SHA256 ed3ef617be1e80e29fe424e96f4197bee13b9ed9a33df1f519d10e5fdce14e60
SHA512 1233008d6b88c6f22f69bbf8b696aefa430c4f2edb8f251f894665db324805d33844037d21efccf4baa38601b75d885bf01b6384513a95365193e1d35daad71f

memory/3156-132-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 cd34836a0f69f0952ba8b7d60e48823a
SHA1 31d35b6b85a6b908150c5d97d6af0440f8c818f3
SHA256 371084ce7b733d6fb73642c1ceb51a1f3b518a71a821d32725e4baa718952318
SHA512 72df367f62c21d370b268cfef20c51ccd94cc0d594d94f87bee178ae6da94bd1035fc7ecf6ac286a0530c2ff44ea26877d6b4877199b6ed5e0e0e87e776532b6

memory/2980-138-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 1613855035be767142251a8ebda582b7
SHA1 febf56eee8fc6b116a6d216cdc503a26e360e0f2
SHA256 0569e7fd35d9160a1eb4c8199c166d129aec0620ffeb842c474a8c4ad4b9d762
SHA512 ec866c79510a818e14cab208f13cbe127e1ee6b105b1b1491bc46cc4d6440b04be682b4f6edfcd67f694b51cbe341c7b4b4c8f189d46d656d84e06ae37b0be95

memory/3848-144-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 8f853d3c9f61317118bde4199375e57c
SHA1 f6aa08fb1c8fccae31f28a78e6330da2c944be44
SHA256 5d099cfbd09d8a58a4d1a83199e72fa96a099c13713d0be01f50e08558523c22
SHA512 19c8ebd9507001873074cc58b0a546113c2bbec1b757db660aab83f9fbeac73655f90a1d08200fd0ac8d53fe45ea02c1d4c31d32744bbfe845eadda986daf396

memory/4776-151-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4764-153-0x0000000000400000-0x000000000042E000-memory.dmp