Malware Analysis Report

2024-09-11 12:54

Sample ID 240611-eg214atbrh
Target 26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe
SHA256 36a8937f5f80b8cb4b74693085b754fe38aea21a42102e4193e85bc0f8d28b0d
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

36a8937f5f80b8cb4b74693085b754fe38aea21a42102e4193e85bc0f8d28b0d

Threat Level: Known bad

The file 26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

Modifies firewall policy service

UAC bypass

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Windows security bypass

Sality

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Deletes itself

UPX packed file

Windows security modification

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 03:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 03:55

Reported

2024-06-11 03:58

Platform

win7-20240508-en

Max time kernel

18s

Max time network

16s

Command Line

"taskhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\windows\system\explorer.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\windows\system\explorer.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\windows\system\explorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\G: \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 2416 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 2416 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2416 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 2416 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2416 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2416 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2416 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2516 wrote to memory of 2460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2516 wrote to memory of 2460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2516 wrote to memory of 2460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2516 wrote to memory of 2460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2460 wrote to memory of 2580 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2460 wrote to memory of 2580 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2460 wrote to memory of 2580 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2460 wrote to memory of 2580 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2580 wrote to memory of 860 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2580 wrote to memory of 860 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2580 wrote to memory of 860 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2580 wrote to memory of 860 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2580 wrote to memory of 1920 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2580 wrote to memory of 1920 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2580 wrote to memory of 1920 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2580 wrote to memory of 1920 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2516 wrote to memory of 1108 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\taskhost.exe
PID 2516 wrote to memory of 1172 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\Dwm.exe
PID 2516 wrote to memory of 1200 N/A \??\c:\windows\system\explorer.exe C:\Windows\Explorer.EXE
PID 2516 wrote to memory of 2580 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\svchost.exe
PID 2516 wrote to memory of 2580 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\svchost.exe
PID 2416 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 2416 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 2416 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2416 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 2416 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2416 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2416 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2416 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2516 wrote to memory of 2460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2516 wrote to memory of 2460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2516 wrote to memory of 2460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2516 wrote to memory of 2460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2460 wrote to memory of 2580 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2460 wrote to memory of 2580 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2460 wrote to memory of 2580 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2460 wrote to memory of 2580 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2580 wrote to memory of 860 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2580 wrote to memory of 860 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2580 wrote to memory of 860 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2580 wrote to memory of 860 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2580 wrote to memory of 1920 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2580 wrote to memory of 1920 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2580 wrote to memory of 1920 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2580 wrote to memory of 1920 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2516 wrote to memory of 1108 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\taskhost.exe
PID 2516 wrote to memory of 1172 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\Dwm.exe
PID 2516 wrote to memory of 1200 N/A \??\c:\windows\system\explorer.exe C:\Windows\Explorer.EXE
PID 2516 wrote to memory of 2580 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\svchost.exe
PID 2516 wrote to memory of 2580 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\svchost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\windows\system\explorer.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 03:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2416-0-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2416-9-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2416-13-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/1108-15-0x00000000020F0000-0x00000000020F2000-memory.dmp

memory/2416-11-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2416-6-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2416-5-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2416-26-0x0000000002480000-0x0000000002481000-memory.dmp

memory/2416-23-0x0000000002480000-0x0000000002481000-memory.dmp

memory/2416-22-0x0000000002460000-0x0000000002462000-memory.dmp

memory/2416-12-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2416-10-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2416-8-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2416-7-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2416-30-0x0000000002460000-0x0000000002462000-memory.dmp

C:\Windows\system\explorer.exe

MD5 65712ae7ecd4036be2969166bac6bcd1
SHA1 69335d499ddc4f98bd8ff8b57556c4dc82d5ae25
SHA256 bab652dd4b70d68f17bd47df32594d601ebb2f4b185a716ecd04985b7341598c
SHA512 38bad365d2879d4f7a0b9f9d800225e0e2d0995354890076978306353c4addae1e8b3c04e53ccdd1396251d4db9a65e3be16bcae6afa4aed2ead6910fcb4e79b

memory/2416-40-0x0000000004FD0000-0x0000000005012000-memory.dmp

memory/2416-29-0x0000000002460000-0x0000000002462000-memory.dmp

memory/2416-28-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2416-27-0x00000000026C0000-0x000000000374E000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 c432d1eb9c216dbaf4abe55e07747ec3
SHA1 6d2513e109b08a1c002d496127e3630d209297ef
SHA256 5b9ca2851b2018175bd1c075824dd58f8fe88becd2d7c5f9d4ee2a7c3b487a47
SHA512 99c10397f42acbe7a0ec1b2c58eb5e566f8d0f9f65cd7bac9544b16a78f3753593892d8a7f8278c14a49afb17a2797379e91fa243bb49408a713a0fdb763cb28

memory/2460-54-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\system\svchost.exe

MD5 0d415fb3ed22c1b42891f752276d87f9
SHA1 176b7e59d3759bec40f4df9e48e3201da5c7eaa5
SHA256 69c2a6ce6c30a6241d74b5237f73645b25caef7d0e7fb272356f10641fcb8778
SHA512 bec816770a4e4ab96252e22c3274a6dc0176d0c86c5071a01d8aa1490fbb63fd6d38824c6f4b0b09517d8b42d77b222bd85be0617c8f64e5ac72b8dfa8b0de56

memory/2460-67-0x0000000003220000-0x0000000003262000-memory.dmp

memory/2580-70-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2416-69-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/860-83-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2416-95-0x0000000002460000-0x0000000002462000-memory.dmp

memory/2460-84-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2416-85-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2416-99-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 c130a46acd6d8b75afb3174288cb2348
SHA1 e1cae6ff4724fab2eaf1f2d263923a630722c479
SHA256 14edf4b9971e363cb2117fe382bd7f0664eed7939c9950750726b392f44483fe
SHA512 abcb87c0066c892c7ad8589d1480a27a2178c597fa77c249430ae0d8432f5e58def27ba171c9b5b17dbc2439497694b8571940eebc4294a378730ff16adb4b3d

C:\Windows\SYSTEM.INI

MD5 c37360b0f80963e47f89662e697222de
SHA1 ae6d5bb076bd6b2f0aba419774de45647ddbbd0c
SHA256 16447e9e324820d4c218a554d971b088b2fe2e812ffb19c6b470590a2a73ed6b
SHA512 0522d1f2a74d98117ebd0accd6fe139f6defd376ede8882748469359ef367ebd718376884f358e5b714a6c03fa9d3ba592cef70b8ee86ec73fbb6e750cde704c

memory/2516-105-0x00000000034B0000-0x000000000453E000-memory.dmp

memory/2516-107-0x00000000034B0000-0x000000000453E000-memory.dmp

memory/2516-101-0x00000000034B0000-0x000000000453E000-memory.dmp

memory/2516-109-0x00000000034B0000-0x000000000453E000-memory.dmp

memory/2516-108-0x00000000034B0000-0x000000000453E000-memory.dmp

memory/2516-106-0x00000000034B0000-0x000000000453E000-memory.dmp

memory/2516-104-0x00000000034B0000-0x000000000453E000-memory.dmp

memory/2516-103-0x00000000034B0000-0x000000000453E000-memory.dmp

memory/2580-127-0x0000000000720000-0x0000000000721000-memory.dmp

memory/2516-121-0x0000000002880000-0x0000000002881000-memory.dmp

C:\yavtd.exe

MD5 85be3ec71903c0bbc139c90d4813832e
SHA1 5eda14ecf51d26e845703220ab9d05aa626810f7
SHA256 81b1fd2124cf9aa3f64159ac738159b935094b0dc010fad9d011d95f3a8e7b6c
SHA512 5090ac1afab78693db29549b037222edf055eea091a9ca47351b0fc3326917d091cafec90644937ff421adadc919e13f44e2e23f043e08b42ea5131d1f434b71

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 03:55

Reported

2024-06-11 03:58

Platform

win10v2004-20240426-en

Max time kernel

28s

Max time network

95s

Command Line

"fontdrvhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\windows\system\explorer.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\windows\system\explorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\G: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\H: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\I: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\J: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\K: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\L: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3992 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3992 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3992 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3992 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3992 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3992 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3992 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3992 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3992 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3992 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3992 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3992 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3992 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3992 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3992 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3992 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3992 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3992 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3008 wrote to memory of 2260 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3008 wrote to memory of 2260 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3008 wrote to memory of 2260 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2260 wrote to memory of 3616 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2260 wrote to memory of 3616 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2260 wrote to memory of 3616 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3616 wrote to memory of 2604 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3616 wrote to memory of 2604 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3616 wrote to memory of 2604 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3616 wrote to memory of 6088 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3616 wrote to memory of 6088 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3616 wrote to memory of 6088 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3008 wrote to memory of 776 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\fontdrvhost.exe
PID 3008 wrote to memory of 780 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\fontdrvhost.exe
PID 3008 wrote to memory of 316 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\dwm.exe
PID 3008 wrote to memory of 2684 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\sihost.exe
PID 3008 wrote to memory of 2704 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\svchost.exe
PID 3008 wrote to memory of 2976 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\taskhostw.exe
PID 3008 wrote to memory of 3432 N/A \??\c:\windows\system\explorer.exe C:\Windows\Explorer.EXE
PID 3008 wrote to memory of 3548 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\svchost.exe
PID 3008 wrote to memory of 3740 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\DllHost.exe
PID 3008 wrote to memory of 3828 N/A \??\c:\windows\system\explorer.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3008 wrote to memory of 3896 N/A \??\c:\windows\system\explorer.exe C:\Windows\System32\RuntimeBroker.exe
PID 3008 wrote to memory of 3996 N/A \??\c:\windows\system\explorer.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3008 wrote to memory of 2304 N/A \??\c:\windows\system\explorer.exe C:\Windows\System32\RuntimeBroker.exe
PID 3008 wrote to memory of 64 N/A \??\c:\windows\system\explorer.exe C:\Windows\System32\RuntimeBroker.exe
PID 3008 wrote to memory of 4108 N/A \??\c:\windows\system\explorer.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3008 wrote to memory of 3616 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\svchost.exe
PID 3008 wrote to memory of 3616 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\svchost.exe
PID 3008 wrote to memory of 776 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\fontdrvhost.exe
PID 3008 wrote to memory of 780 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\fontdrvhost.exe
PID 3008 wrote to memory of 316 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\dwm.exe
PID 3008 wrote to memory of 2684 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\sihost.exe
PID 3008 wrote to memory of 2704 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\svchost.exe
PID 3008 wrote to memory of 2976 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\taskhostw.exe
PID 3008 wrote to memory of 3432 N/A \??\c:\windows\system\explorer.exe C:\Windows\Explorer.EXE
PID 3008 wrote to memory of 3548 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\svchost.exe
PID 3008 wrote to memory of 3740 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\DllHost.exe
PID 3008 wrote to memory of 3828 N/A \??\c:\windows\system\explorer.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3008 wrote to memory of 3896 N/A \??\c:\windows\system\explorer.exe C:\Windows\System32\RuntimeBroker.exe
PID 3008 wrote to memory of 3996 N/A \??\c:\windows\system\explorer.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3008 wrote to memory of 2304 N/A \??\c:\windows\system\explorer.exe C:\Windows\System32\RuntimeBroker.exe
PID 3008 wrote to memory of 64 N/A \??\c:\windows\system\explorer.exe C:\Windows\System32\RuntimeBroker.exe
PID 3008 wrote to memory of 4108 N/A \??\c:\windows\system\explorer.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\windows\system\explorer.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\26c29641f7e9368c68a6913dc848d8b0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 03:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

\??\c:\windows\system\explorer.exe

MD5 a428e89948396c3a75c2766a1a49007f
SHA1 6c4bb7745f0851b2cbb22c63b82d5c86761dd996
SHA256 a1d774309d14f51e937566eb73f548c5c0c248d293a1fd1551b90f8af13b3d55
SHA512 1ad0af0499d5b9e0caa2289f54749bfa743a7e83caca60b85700b252816633517e1039c3e2971a6c80f7741ec8d91355e3d6bb319fa8d5d98c969e8189b11e7a

C:\Windows\System\spoolsv.exe

MD5 22c9e020f3f3009b3cc665cf99f24eba
SHA1 23ad08089e4b860c579205492ffb7a593f9ca722
SHA256 a2c2c1b90b68dd5935cdc6c226192f0007d544548024e51f31c070ac67e839c4
SHA512 589ae9a3500f73807f220821df9e703e9dbd909cf57eaa488605a45c7b795f41a7fe2ee3cc550da17df39e91295831cd2d5d4fc77069632b631869994f3cf098

\??\c:\windows\system\svchost.exe

MD5 9dc37f679f1ecef41ccee069049d827a
SHA1 e520e1d71a012d0450fa3ae09650eea742bce873
SHA256 a06afb625944318a9af543ba3dcda1b9238a49cc00af6e74e5dcb2ceba40bcce
SHA512 3fc16bd44f03dee9f2541324c39f7f1819dd077528234677bacf13ed5479c3a2e4e262daa9f8aa03d45e669f510105d4b4e4390759228ed13a25541e78d2b736

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 7dcfe400400745855a0f942baff56c3f
SHA1 62aafed0a27fc7745e2244d8ef852d9efed9aa96
SHA256 4a5fb1ef7025449b78779366a716aff35e0cea3f1ae3a20284634e19ca1c9d29
SHA512 7412b9e1e7af65b46ddd6c0860fafe4ec5c3f8ee960ca32d1b5850035414eb6936e0a9b42584b4c0c742c82fe8bc40cbdbaa2645a491126e33f46e8fd871690d

C:\Windows\SYSTEM.INI

MD5 946ff5631a30b23c2e71b1ab80316526
SHA1 0617ab09d30e85ba47456f05f72212a18cb6c522
SHA256 da0dac266a674b396ded7ce9d7afe40595c66571449fd79eb836e5c01fcb3b4b
SHA512 006fb17346521590da4acf06d37045b361f92b36efb6800339616abe4c4e79dad568c405fe88c6892f5c293e3138bdbd6c62c64a29e780c1819c91a2cfc7056d

C:\ltakdp.pif

MD5 f7eff2e03c4f2b57f72f1bc167903507
SHA1 952c27b878981d4441f197f432800a2c80489174
SHA256 a14417fd62ebb49cc56dd591c3170b826c47fb4258f4786ba975a6e607888603
SHA512 0793ddfe97bb063709f5efd9ba65686c80fff465d7daafc786d92faaf8d070c449b201089efa7e08074398a889c20e0043bdb71244b8d8bd5bba700498351b0b