Analysis Overview
SHA256
ee117623d309bea050333edaa1b873c84ff1b91eb6b15894c89303f0ff90382c
Threat Level: Known bad
The file 9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 04:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 04:37
Reported
2024-06-03 04:40
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
161s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\kiaxaaz.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\kiaxaaz.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /h" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /N" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /v" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /d" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /B" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /y" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /e" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /c" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /X" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /t" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /A" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /x" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /l" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /z" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /Z" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /o" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /F" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /V" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /T" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /Q" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /i" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /r" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /O" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /f" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /W" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /s" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /G" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /H" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /J" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /b" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /I" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /D" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /Y" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /q" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /j" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /k" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /S" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /U" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /a" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /u" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /m" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /w" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /L" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /n" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /p" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /C" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /E" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /P" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /K" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /M" | C:\Users\Admin\kiaxaaz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kiaxaaz = "C:\\Users\\Admin\\kiaxaaz.exe /g" | C:\Users\Admin\kiaxaaz.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\kiaxaaz.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2104 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe | C:\Users\Admin\kiaxaaz.exe |
| PID 2104 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe | C:\Users\Admin\kiaxaaz.exe |
| PID 2104 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe | C:\Users\Admin\kiaxaaz.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe"
C:\Users\Admin\kiaxaaz.exe
"C:\Users\Admin\kiaxaaz.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4324 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.player1253.com | udp |
| US | 8.8.8.8:53 | ns1.videoall.net | udp |
| US | 8.8.8.8:53 | ns1.mediashares.org | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
Files
C:\Users\Admin\kiaxaaz.exe
| MD5 | 1407c7873ade818d7e3bfb5412dd1fda |
| SHA1 | c10bb4790d260eb2cf063df5acfc0ffc40644cb5 |
| SHA256 | 950e028763d648ca217c64b77c5a6f05399597f6ae08dba683cf37fe3982977e |
| SHA512 | 03261b4b6880c5db25bc4d38eca9ed13ad25064f89db04b8c3774365a59e476edd4c95f3eabc5fe6b399ca6dc662c14d6c93df691f0ca93c3549e2e8594a4443 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 04:37
Reported
2024-06-03 04:40
Platform
win7-20240221-en
Max time kernel
150s
Max time network
128s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\woiig.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\woiig.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /k" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /g" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /q" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /R" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /J" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /W" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /S" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /p" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /V" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /U" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /X" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /E" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /F" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /t" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /l" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /m" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /P" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /Z" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /r" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /M" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /c" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /e" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /z" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /T" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /D" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /Q" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /h" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /Y" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /O" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /u" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /j" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /y" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /b" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /C" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /B" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /d" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /s" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /A" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /N" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /o" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /a" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /H" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /I" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /G" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /w" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /f" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /i" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /v" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /K" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /n" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /L" | C:\Users\Admin\woiig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\woiig = "C:\\Users\\Admin\\woiig.exe /x" | C:\Users\Admin\woiig.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\woiig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1676 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe | C:\Users\Admin\woiig.exe |
| PID 1676 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe | C:\Users\Admin\woiig.exe |
| PID 1676 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe | C:\Users\Admin\woiig.exe |
| PID 1676 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe | C:\Users\Admin\woiig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9bcd3fb70736b5a773c62791860ce490_NeikiAnalytics.exe"
C:\Users\Admin\woiig.exe
"C:\Users\Admin\woiig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.player1253.com | udp |
| US | 8.8.8.8:53 | ns1.videoall.net | udp |
| US | 8.8.8.8:53 | ns1.mediashares.org | udp |
| US | 104.155.138.21:8000 | ns1.mediashares.org | tcp |
Files
\Users\Admin\woiig.exe
| MD5 | 5c88f2bc0b5f1dc142f2f76c74577974 |
| SHA1 | cba93f191ef25ab003ac0bfe0012e13b4974d5fd |
| SHA256 | db9a8079c7bc685f09173e28666ea3d91200b28c69c5f786b746d9d05f8b92b6 |
| SHA512 | 6e1c9b06f5c1d94cc3ac282e089f02d7480f495c254d0f86aae27deee7f39dce2d28efb76d8f8accb9caa5fc99b080f974c27a84d0429d83c17562876e373699 |