Malware Analysis Report

2025-01-06 11:18

Sample ID 240603-e8zp2sbf5w
Target 9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe
SHA256 cd0e51ba7193321712a8052927061bc54d88be46e0fb94b10c29f4d4f61f214e
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd0e51ba7193321712a8052927061bc54d88be46e0fb94b10c29f4d4f61f214e

Threat Level: Known bad

The file 9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables use of System Restore points

Disables RegEdit via registry modification

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Drops desktop.ini file(s)

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

System policy modification

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies Control Panel

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:37

Reported

2024-06-03 04:39

Platform

win7-20240221-en

Max time kernel

140s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\PerfStringBackup.TMP C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File created C:\Windows\system32\perfc00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File created C:\Windows\system32\perfc007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\inf\Outlook\0009\outlperf.ini C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File created C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\ = "AddressLists" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E3-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F6-0000-0000-C000-000000000046}\ = "_OlkInfoBar" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}\ = "OutlookBarGroup" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300D-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F8-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}\ = "_NavigationGroup" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063049-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063102-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046}\ = "_UserDefinedProperties" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063085-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EB-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063034-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ = "_Rules" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}\ = "_OlkDateControl" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}\ = "NavigationPaneEvents_12" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063008-0000-0000-C000-000000000046}\ = "_Inspectors" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\ = "_Conversation" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EC-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}\ = "_OlkTimeControl" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DA-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CB-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3000 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3000 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3000 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3000 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3000 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3000 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3000 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3000 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3000 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3000 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3000 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3000 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3000 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3000 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3000 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3000 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3000 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3000 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3000 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3000 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3000 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3000 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3000 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3000 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3000 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3000 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3000 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3000 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3000 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3000 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3000 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3000 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3000 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3000 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3000 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3000 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3000 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3000 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3000 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3000 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3000 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3000 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3000 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3000 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3000 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3000 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3000 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3000 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3000 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3000 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3000 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3000 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3000 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3000 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3000 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding

Network

N/A

Files

memory/3000-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/3000-0-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3000-4-0x0000000000401000-0x0000000000427000-memory.dmp

memory/3000-3-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3000-2-0x0000000072940000-0x0000000072A93000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 9bccf2661d8cba99d3b07dfdbce1bcd0
SHA1 1bde34be4e86ba91e32a44ab9598950895a081d1
SHA256 cd0e51ba7193321712a8052927061bc54d88be46e0fb94b10c29f4d4f61f214e
SHA512 48e42bc8c8689c605115eb65187fd321ef842a077555257115ec24df75d1f1b2631ef0850c123f2d61f6307a83879327d5ac51f3c6596ed011e5300bca04e16d

C:\Windows\xk.exe

MD5 3940c0e0609916c8a09a813863ff2ccd
SHA1 2853c494c5d9745931a8eafc35d79ecf9085e877
SHA256 ec268a629f37b010c7bee36ac8b102cee9efbcfa3c6e827501c4dd22462a01ba
SHA512 879b401dd927fac32ce8cfa61fb7355d0a85b92637dae99d8b9dfd93b8b4233c2856c44c583ee436da83f0ae1b882d5456382bcc2701ecd7324353fa17676990

memory/3000-113-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/1644-115-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1644-116-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/3000-114-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/1644-118-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1644-121-0x0000000000400000-0x000000000042C000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 bda82da331852715a8aa0be0592ee233
SHA1 c5d61f60af531e8f0a155039da943a7410fac256
SHA256 b90c1a4de91050dbd8d48e429bb13e5e2ced0d113e8994a0769fa6c2fb6c1acc
SHA512 bc265ee71e64f848ca978f1deb059d6e3f703a2d8a2dc01710bd2d667959f3be5babb310b6072e2c486f21ff448f695747fe8ba67985d37f836df722b02a481d

memory/3000-123-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/2804-131-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2804-130-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2804-132-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2804-136-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 a9bc824326d8c1a3411ca13ca0e417e8
SHA1 37559bf0f2a6a3f4275697316e9bf472049b357f
SHA256 17333fc691e24fffa4aecee86071d1d16909801d9d03c57ba0466074d323ce05
SHA512 a37b105c52a2e15a333d30e395f6791af3d24f77aade12d8622d08d23793f225c9a21ce8ae4b088a67b84d944258fd253c536e2a7b666f9383057f4543c2b307

memory/3000-145-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/3000-144-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/3000-146-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2944-147-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/3000-151-0x0000000000401000-0x0000000000427000-memory.dmp

memory/2944-152-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 02946e26f2824552fabc244c4d97e994
SHA1 8d266f747f3b3f042cba256d9a69561ca755c0d5
SHA256 88b69a32d0f4cff7bff3dba0bba3a559f212b4090317123c13d17aea0568780a
SHA512 0fbb1515c25e886a3e768be9d1e6b33654900983bf3b263b759d9ec8b205f2132d69b2d7e3cb7ea5bd3ea3b414636fb20b8c5f5808dae2f5ed33da2df1156c99

memory/2944-156-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1620-162-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1620-163-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1620-169-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 9de3dc01eb0aae4d87a6abc5eadb3a77
SHA1 720641ca14bca00057d223686fa1aa9dbf870135
SHA256 9320140556fe93fb6401b0f16c3e02126feef611f14c05825a01592b3ff36f22
SHA512 55552d23bc4b9034812850825bf834e6469bc993babab91a608e6ec0e15466abb2da43077be2834b9bb37f564d4235d49b53cb1a2f3d5777e6aa6b200c10c747

memory/3000-175-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/2492-176-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2492-180-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2492-182-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 30f40d932b262faac69722c2a915f6de
SHA1 e7572c6153d0f93950835b2ea788e4f283b212d4
SHA256 4e5e007e902da6a5746e98671bb0954dbba2ee1d3bc6bca74e70934fdd3d1997
SHA512 c2fd6c0d2aad137cc75212a6a8c9fad7c05694c049b31c5adf2182a8b032b00ccf0dfd9d846d6ea9f0f4df69b6b9f62b65f73fd14d15a132c7cef85624277dc5

memory/3000-189-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/1252-191-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1252-196-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 ccbd404a33dcbd200dc88c1b4f08d730
SHA1 16268d96254398b48053d19ab5ef578f72043e56
SHA256 da2904b15eb159f0a1b9940ad3e73b876c72b613cfa2fc40d9f94fc336c5c124
SHA512 5e0df89f8f3b4dd440f5a8789f8468892031a8bfecc0a221b59cac8b3c2a6f5c8fef8002406a2d971e380f527f1430b81c2e32b9f564346a7767637c151fecdb

memory/3000-204-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/3000-205-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/2060-206-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2060-213-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3000-267-0x00000000030E0000-0x000000000310C000-memory.dmp

C:\Windows\xk.exe

MD5 eee04581130dc3388560c3fdda7ae482
SHA1 9dabf287c330f07b23284ef914499fd0a92a9975
SHA256 14ddc41bd50fc47acd773dccfaf34426c785ab2092f537988fd2a45ad358de05
SHA512 721cc165ef4c5a166674949c438100d8bdea508ab471cb959b832e4f12b859c267ce7c605fdefa127d659e5bc8d2a3e16de635de4908e55f9dca6eb92c174fad

memory/3000-268-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/1068-270-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1068-277-0x0000000000400000-0x000000000042C000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 7641f61bf8e7a1d6022f6e114ce1a813
SHA1 93fb737f618f17576f8ac30e76aab26e8d913c7a
SHA256 3c8d14823bf79d27b74c27e636eb387b8d40f9ed0287d30a9bca7b579d83d597
SHA512 abf196bf89e7c0d367fe548c4d3b35800c9cd618d49434635bf6a20cf268e43d35fdb2780c923a5b00b0b7532a1f525d14439c419cda2921d1cb5fcef48ffa1e

memory/2068-283-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2068-288-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 190853043af655d1dcc34179d9fdafac
SHA1 42fec23d8334804059ae78748997e9484d9ec100
SHA256 7e20258986399164156c81d4cab0ba30f118ec0cf02efd10b88411f3806258a3
SHA512 d25496190672866227f612d759f62b199b94570019c7a515a2825594aa12bce580e2e4ddaafdfbb5be66d933c2867903489baeee6524a38d327daad65227fbb5

memory/3000-296-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/2116-297-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2116-304-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 394f0adb472e49955acd6774dabf61a9
SHA1 086e4e608f4a6989201222c1acc99f388ce01846
SHA256 218334c5ba4bfe14c0c51d11a9c1dbf252ebb5a79bd3b55d98f3af3587767635
SHA512 b3267913da4c85658b36180bf87009c3b7d2086b178bd7325f648ac2fb8ddad41bc129847cf13055752734f71575cfa552244e3393480e2d9376ccb775197566

memory/908-310-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/908-315-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 486d570bafa4282e1a3cd7241f860824
SHA1 774b56496538156316527d61672ec2652b7c1cac
SHA256 aee003ba7224fa4dfa674a99a4345f7f07748226089fe4be6ebdb4268f227ce2
SHA512 ac2b3f95a9591ad3bd61cf7ae35c51c188d5a8c1d1d4bb24ae381774c33e35461c1c64886194b8b9f988b2049566e0ad4c5bff97a44704ecb410f52b149fb580

memory/3000-323-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/2336-324-0x0000000072940000-0x0000000072A93000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 3c78540672713afc61ebc674c43c3d62
SHA1 d08e8f99770b5cf06da0e6e9a3c73def70f4512f
SHA256 bd66ccce00dc9cda57481970f73779ddf04b7e902074866347da9a035f0231ed
SHA512 2e45ca76a54580da4316beecf5be9bdfb78993f1ad76a13e4073e29d0ba3bd123d77753504891303960929fa88fa1ba57cea0f88eae3f0f2a584f565b855c5b5

memory/2336-329-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3000-338-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/3000-337-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/1188-339-0x0000000072940000-0x0000000072A93000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 cb039316625856002b843f033529c7b6
SHA1 de4461dd77c44fda0f91a0cc550277b1420c9b93
SHA256 7e8a44df821aee51462ac83fe2e509877985c8629b7f5bcc0ce593d113c5d717
SHA512 1a64f4badf1e9a0ce23088d11d4c366fd37c76ed1e3cce46c642b43fd6927292e38f4c07ac1a34d7b2c165d1b4f899ec0392b7b9edaba1e4c30fb668ccdc7f75

memory/3000-351-0x00000000030E0000-0x000000000310C000-memory.dmp

memory/1188-346-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2188-353-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2188-357-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2628-382-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 2273d2273e28d3c7c0c744a0a5f758b7
SHA1 1316ee5edc68ccbc33fa4a5aef53758bcf3b1ca6
SHA256 fd0520f5ec299afdf0b55a027155207a58d09579ac2568b7f02412a5ffc5d5a1
SHA512 96131ce61f1cac937ab0dcf93c7f862bb841f1be2eacc41c6b2dd253bfcbddc7b5ed41e53e20c58627c0d5f0916f0e61647ae7aa325a0d1477d0d06b35bd53b4

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 9134f736c3208fc03c3f3d04eca609d1
SHA1 fd38e9b40e1ff93cad299cb3b0650093c5ddfa44
SHA256 ba46e96ede42b3630c0e8f0abe748b3fe3259038a2290de4e464f547fccdada1
SHA512 12a784f55ea5af5f12a03b9d61b47a290094efb2520a65ca8db575f04bbd034f9a6b929382ab47ef173e7245c11831c10f6761af7a0480c81a589600f499bf44

C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

MD5 48dd6cae43ce26b992c35799fcd76898
SHA1 8e600544df0250da7d634599ce6ee50da11c0355
SHA256 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512 c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

memory/3000-507-0x0000000000400000-0x000000000042C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:37

Reported

2024-06-03 04:39

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4172 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 4172 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 4172 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 4172 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4172 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4172 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4172 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4172 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4172 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4172 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4172 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4172 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4172 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4172 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4172 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4172 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4172 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4172 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4172 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4172 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4172 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4172 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 4172 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 4172 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 4172 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4172 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4172 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4172 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4172 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4172 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4172 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4172 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4172 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4172 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4172 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4172 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4172 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4172 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4172 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4172 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4172 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4172 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9bccf2661d8cba99d3b07dfdbce1bcd0_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 9bccf2661d8cba99d3b07dfdbce1bcd0
SHA1 1bde34be4e86ba91e32a44ab9598950895a081d1
SHA256 cd0e51ba7193321712a8052927061bc54d88be46e0fb94b10c29f4d4f61f214e
SHA512 48e42bc8c8689c605115eb65187fd321ef842a077555257115ec24df75d1f1b2631ef0850c123f2d61f6307a83879327d5ac51f3c6596ed011e5300bca04e16d

C:\Windows\xk.exe

MD5 16fa9dfffe6de49d7ad6a165abf5c5b4
SHA1 30387796448b5084c24f7ca0752786b2c18525a9
SHA256 ce10a0c3887bc4e22dcbda12c099a16e3767c81665eee211bbe0f2caced5df3a
SHA512 1fa5b8aee2f67e6c52488fc17c7264a339e840151c18b237240f040b74b0456349be258b9fa17eacec3449e7c99572e13d9ade41a3d9aea56e9a4061b88c0e7c

C:\Windows\SysWOW64\IExplorer.exe

MD5 29a7905eac27db8aee5da44be71c55d1
SHA1 e82fa14f5c84048bc635a6ac0067b96b11e247f6
SHA256 0464b8bbeadd5f523f3d0d7d5538f5e4b7c325f10729855b1566ff147e4adaec
SHA512 af49a454ddaebbbc459d8c57e8dcfa99057cfe7d7d5d3ae286e851c4eaaaf910c12fc4cadbde59161d7623ffd54cc3fad9b158c1dc136bf2df0776822af82d07

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

MD5 f56fa58b9b8cc7bd128ebb0e4b163136
SHA1 cb45f6c2f2e62636f78ed58a9778e4b353b27779
SHA256 9126a7c0d7b2eb3f186b598d816b6be07278b4b45b01eba0bb218f2084861d99
SHA512 8539add3021da1708ae6a9de988bd9b676b903b685c08277a18643b1772f43191bc4d2fb39cf62cb4feffdff311b46527345d654c717e70022894c69c1956439

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 acd56b470af982852b88844224facf1a
SHA1 7a8a8ab43abf1c1cea8f2cd08f0a05d7637f6e6d
SHA256 fbf3d88624fe3153681bd85582f8161282afcf7754297e49b18bdcda3ddedf0e
SHA512 d938964b6606bb2a922f67302a9251d7383c03c072b12cd5a0960ed81c7acff7aa29024f58e529ce64dc569b285c882b99e0a3d852306b2ca3c45904bf8193ab

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

MD5 4f7a6598eebaf520e78e1f414f104eff
SHA1 82d1c0b79405adcfe2ffee199effdbe2f8bf0347
SHA256 c3c611150f23f4e0a0f770c7ae67dbd7ffd58e55c7a5998f8a210c257f3f42b1
SHA512 3996bd2b6ce087755afba6df20aeaedde691ec870c827489baf28f59e7865b7e455b60b79d43dd29107c6397122568d8af862ae5bb10fa7bd5c350fc86bd11d0

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 b37063046333efd1ccf6bc68b72a9ac6
SHA1 52dcba2a61ffe9785d24c9f4124569c9d645ee44
SHA256 7c8fcae8d9671d4d62aa350725cc0de86df7bb83629a8da25dfe34b7a0887780
SHA512 7ccee29c5e58b50c18692954c7dbac1b9fa5d73f5b18e18bf16df4f5256b8ce121133054749fefc5e37b6566917af3dfe94d8b5d3782f15fb87c966d99daa637

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

MD5 99178e7fb8a885add85464482681325c
SHA1 5b21ecb7cb01c19181940ecbbb4800d5253e2c0c
SHA256 7ee8f1eb87f8c08724fbd6a727dec38037e38ef4d8efd70e7665211a936d3b0a
SHA512 024ce4377d244ff80057b4235a3837be9ef7345f03cd3ae4876c7a8f9c19b13907f8e755cdffc056f0365c4e94879fae0df6e440a8bfa558231d25391d9b805f

C:\Windows\xk.exe

MD5 49e3f019ded27303fbd78e93e4b3f249
SHA1 45bc1c0ca04e18b414e7f6758e46ac968585dc41
SHA256 df62b9f4fd198b94a7a788904a857477f00b72797b85af148249f36973cd5208
SHA512 7b3dd5061b28d3b25af157d44f916b6b41240175a3831032140ea1f57c5a0cf76855fedc197886c7531da153a9075b6f5d09c7ec293f5930ff4493bb078f5395

C:\Windows\SysWOW64\IExplorer.exe

MD5 6594e37d95dd22daccc8e5a7bcca7b6a
SHA1 43c5b821b43f09fecad93c1da58c92b2d5cf4e99
SHA256 9c13f977a5d55444b5ac9210952ef5676c5c6ec497abeb693f389c1b23476f41
SHA512 0eba1dee6b5e6f8d9ad3e512e46da47888c2011c25c86e8a2b6bc4cc8ee7517f8e8886d7b5717e3638fb5a7f4ceed25dcea34fad604a3d4b6a94782d68b92f85

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 8d12596d008b382b24481975263289c4
SHA1 40da685787d6f87b8998904ceebf68a9f89ef1e3
SHA256 aaef240600b0f5191a2f36315b5e352c06e413fb838a8024cb69dec5643e69c9
SHA512 2b4cd6d8ebc628950a871291e879945507d8f21651ae474182e95e3df13244f7005af13e8ff95116a6749605db6dff9a44c01bd959f388ab6d81a6c490dd3638

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 14f63fecad41863531ff94710d259c7f
SHA1 de866f3eb2b20b40b2aef6d70101650c13477a73
SHA256 b246eb0013df737c5a71cfea0dff9873fa4c5bac1f8bc86a0b3351bc3e19e856
SHA512 3e264df5542591e5a7b66331410a9cbb0a956698952e400aba2eec37334019628b0a6dba0a990c1096b924cf2ea5b4e875f3460f122812559c4a0acf1185d107

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 07a498ee688d33434c942161d4c3dc77
SHA1 5f92df15dbe94aa6aa4ae1ca2e8abd0e2edf9557
SHA256 11779cdf706137e1beeb4c440b6eb3bf029776474c04f7f9b844a94f7f0ef05d
SHA512 9d353b47cffaa82742b54fbcdcfcfbae22cad6df757bd51264d62b883edd47933b72450dc2a56fa9faebbca5262b288f6f961b835ef6c6e8fe57247426c73769

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 a7bdd8eef31f136604e7dcc8dfa28532
SHA1 c3fc509fd5c538cd2faca084868cb9edbd019766
SHA256 9a9e4f26bf94028ea730e87bd1b20b2bc013f516ccbe90691485e7dd7c82bc11
SHA512 93d2a87e94fa6cf71c2cb9268735e2960f3b1e03a4958f1a27eb61088a5887c48ff626e0431519290198560c585e45b151b732f33a351e9353198355014f34d2

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 06cf82ff91a724dffaccf5d871f6337c
SHA1 ea0f31513bb657d5b553841243cd973cb128a4d5
SHA256 ccb073add20c4ecfb97cb21aca90ccdb9b4e7df1eabaa50f8c66678acced81ee
SHA512 f5f6e880be7fae8c078fbf83bcdc0b63a4f119dde4667907bb4f18beb31654cec0a97e615ae060683520b28a47367a5a718a8d0782d01089d790de9b2e205811
