Malware Analysis Report

2025-08-11 01:03

Sample ID 240611-lcgb6asdrl
Target 2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe
SHA256 4f5de6cb9593a2ddd762da83476ec5d33d3b7641f02e87991e6826deb7faf2d3
Tags persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 4f5de6cb9593a2ddd762da83476ec5d33d3b7641f02e87991e6826deb7faf2d3

Threat Level: Likely malicious

The file 2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence

Sets file execution options in registry

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-11 09:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-11 09:23

Reported 2024-06-11 09:25

Platform win7-20240221-en

Max time kernel 140s

Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe"

Signatures

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\SysWOW64\regedit.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\DVD Maker\DVDMaker.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Media Player\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\jps.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Windows Mail\wabmig.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Windows NT\Accessories\wordpad.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Media Player\wmpenc.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows NT\Accessories\wordpad.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\write.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Windows\bfsvc.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Windows\HelpPane.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Windows\notepad.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Windows\winhlp32.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Windows\Boot\PCAT\memtest.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Windows\fveupdate.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Windows\hh.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Windows\splwow64.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Windows\twunk_16.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Windows\twunk_32.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt \ = " exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.txt C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 712 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 712 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 712 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 712 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 712 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 712 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 712 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 712 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 712 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 712 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 712 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 712 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\123.bat

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c assoc .txt = exefile

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f

Network

N/A

Files

memory/2080-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Program Files\7-Zip\7zG.exe

MD5 22678c524e9663590776186a458a821d
SHA1 7ca5f4e49f31b6248998fd508ceb0b4ce06fa93c
SHA256 b0b6ab1c9bfe550d48139e237380679a390b3450cca4f01908fe9a0b4f85020f
SHA512 2def121e168859bb1bf8c6b62208910da1d209aa862a29bc4d88dbad928d9504dd1f0980f033da2eee7ff77e48de2b040798dd748f2fa1714328797d93dba8a0

C:\123.bat

MD5 70170ba16a737a438223b88279dc6c85
SHA1 cc066efa0fca9bc9f44013660dea6b28ddfd6a24
SHA256 d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a
SHA512 37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

memory/2080-1086-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-11 09:23

Reported 2024-06-11 09:25

Platform win10v2004-20240508-en

Max time kernel 140s

Max time network 52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe"

Signatures

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe C:\Windows\SysWOW64\reg.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\msoasb.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\msotd.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Client\AppVLP.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.txt C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt \ = " exefile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4848 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\123.bat

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c assoc .txt = exefile

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f
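Read together, the "Modifies registry class" table and the process list above describe one chain: the sample writes C:\123.bat and runs it through cmd.exe; the batch file uses reg add to set an Image File Execution Options (IFEO) Debugger value of "ntsd -d" for ZhuDongFangYu.exe and 360tray.exe (components of the Qihoo 360 security suite) and for taskmgr.exe, and uses ftype/assoc to point the comfile, zipfile, jpgfile and txtfile open handlers at the sample's own path under the user's Temp directory. An IFEO Debugger value makes Windows start the named debugger with the target's command line appended, so a debugger that is absent (ntsd.exe is not part of a default Windows install) or exits at once keeps the target from ever running (ATT&CK T1546.012); the handler rewrites mean that opening a .com, .zip, .jpg or .txt file relaunches the sample (T1546.001). Two details in the rows are worth noting: the handler commands carry no "%1", so the file the user opened is not even passed along; and the batch file's "assoc .txt = exefile" kept the spaces around "=", which is why the report shows a key named ".txt " (trailing space) holding " exefile" rather than the real .txt key, although .txt files still reach the hijacked txtfile handler. The Python script below is an added example, not part of the sandbox report or its signature set. It parses "Set value" rows in the layout used on this page and flags IFEO Debugger writes, shell\open\command handlers that point into user-writable directories or drop %1, and extension keys remapped to exefile. The sample rows are copied from this report, except the taskmgr.exe row, which is constructed to match the last reg add command above, and the final notepad row, which is a constructed benign control; the directory list behind the "user-writable" heuristic is an assumption.

```python
"""Flag IFEO 'Debugger' and shell-handler hijacks in sandbox registry rows.

Added example for this report; it is not part of the sandbox or its signatures.
Rows follow the report's own layout:
    Set value (type) <key> = "<value>" <process> <target>
The user-writable directory list is an assumption, not something the report states.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.*?) = "(?P<value>.*)" '
    r'(?P<process>\S+) (?P<target>\S+)$'
)
# ...\Image File Execution Options\<image>\debugger   (ATT&CK T1546.012)
IFEO_RE = re.compile(r'\\Image File Execution Options\\(?P<image>[^\\]+)\\debugger$', re.I)
# ...\Classes\<progid>\shell\open\command\  default value (ATT&CK T1546.001)
OPEN_CMD_RE = re.compile(r'\\Classes\\(?P<progid>[^\\]+)\\shell\\open\\command\\$', re.I)
# ...\Classes\.<ext>\  default value (extension -> ProgID mapping)
EXT_DEFAULT_RE = re.compile(r'\\Classes\\(?P<ext>\.[^\\]*)\\$')
# Assumed set of locations an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(r'\\+(Users|Temp|ProgramData)\\+', re.I)


@dataclass
class Finding:
    technique: str
    subject: str   # image name, ProgID or extension
    key: str
    value: str
    note: str


def parse_set_value(line: str) -> Optional[dict]:
    """Return the fields of a 'Set value' row, or None for any other row type."""
    m = SET_VALUE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(rows: Iterable[str]) -> List[Finding]:
    """Score each 'Set value' row against the three hijack patterns."""
    findings: List[Finding] = []
    for row in rows:
        ev = parse_set_value(row)
        if ev is None:
            continue  # 'Key created' rows carry no value and are not scored
        key, value = ev["key"], ev["value"]
        if m := IFEO_RE.search(key):
            findings.append(Finding(
                "IFEO debugger hijack", m["image"], key, value,
                "image is launched through the Debugger value; an absent or "
                "self-exiting debugger prevents it from running"))
        elif m := OPEN_CMD_RE.search(key):
            notes = []
            if USER_WRITABLE_RE.search(value):
                notes.append("handler lives in a user-writable directory")
            if "%1" not in value:
                notes.append("handler ignores the opened file (no %1)")
            if notes:
                findings.append(Finding("file association hijack", m["progid"],
                                        key, value, "; ".join(notes)))
        elif (m := EXT_DEFAULT_RE.search(key)) and value.strip().lower() == "exefile":
            ext = m["ext"]
            note = "extension remapped to exefile, so matching files run as programs"
            if ext != ext.strip():
                note += (f"; key name {ext!r} carries trailing whitespace, so the "
                         f"real {ext.strip()} key is untouched")
            findings.append(Finding("extension remap", ext.strip(), key, value.strip(), note))
    return findings


# Rows copied from this report; the taskmgr.exe row is constructed from the reg add
# command in the process list, and the final notepad row is a constructed benign control.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command C:\Windows\SysWOW64\cmd.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt \ = " exefile" C:\Windows\SysWOW64\cmd.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\system32\NOTEPAD.EXE %1" C:\Windows\System32\msiexec.exe N/A',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        print(f"[{f.technique}] {f.subject}: {f.note}")
```

Run against the rows above the script reports two IFEO hijacks, two handler hijacks and one extension remap, and stays silent on the notepad control row because that handler sits outside user-writable paths and keeps its %1. The same three regexes apply unchanged to Sysmon Event ID 13 (RegistryEvent value set) TargetObject paths if the row parser is swapped for an event reader.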

Network

Files

memory/4848-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Program Files\7-Zip\7zG.exe

MD5 32cda2390a78f107235fe2dfba13feaa
SHA1 8a8836d4fdc042a2d5613fa2a1b85bd8e099f972
SHA256 0325c385934c9160da3821c87bbd55a4f8dc6c48a93e498b7dc4d09ebf430d3a
SHA512 d9848f83ea1f05ca22ead3f994453ad875cb4e5bb208bf8e091cf37fde9a89dd36dbe5cb92ea1b947ebd6031f8510624a9cf9604c9c46edda705261c8943ed16

C:\123.bat

MD5 70170ba16a737a438223b88279dc6c85
SHA1 cc066efa0fca9bc9f44013660dea6b28ddfd6a24
SHA256 d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a
SHA512 37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

memory/4848-1016-0x0000000000400000-0x000000000042D000-memory.dmp