Malware Analysis Report

2025-08-05 20:07

Sample ID: 240611-qfkafaycrj
Target: 35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe
SHA256: f97337ff70564a40969055924fba0f582d7a49c61eaccadae3d8a1731386fa4d
Tags: persistence
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: f97337ff70564a40969055924fba0f582d7a49c61eaccadae3d8a1731386fa4d

Threat Level: Likely malicious

The file 35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence

Sets file execution options in registry

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 13:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 13:12

Reported: 2024-06-11 13:14

Platform: win7-20231129-en

Max time kernel: 140s

Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe"

Signatures

Sets file execution options in registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "ntsd -d" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "ntsd -d" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\debugger = "ntsd -d" | C:\Windows\SysWOW64\reg.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe " | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\Windows\SysWOW64\regedit.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Windows Media Player\WMPDMC.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Windows Media Player\wmpenc.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Windows Media Player\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Windows Media Player\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Windows Mail\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jre7\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Internet Explorer\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jre7\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jre7\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jre7\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Windows Photo Viewer\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Mozilla Firefox\pingsender.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\Windows\write.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Windows\bfsvc.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Windows\explorer.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Windows\hh.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Windows\winhlp32.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Windows\twunk_16.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Windows\twunk_32.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Windows\Boot\PCAT\memtest.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Windows\fveupdate.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Windows\HelpPane.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Windows\notepad.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Windows\splwow64.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "exefile" | C:\Windows\SysWOW64\cmd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe " | C:\Windows\SysWOW64\cmd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile | C:\Windows\SysWOW64\cmd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile | C:\Windows\SysWOW64\cmd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe " | C:\Windows\SysWOW64\cmd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open | C:\Windows\SysWOW64\cmd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command | C:\Windows\SysWOW64\cmd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command | C:\Windows\SysWOW64\cmd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe " | C:\Windows\SysWOW64\cmd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open | C:\Windows\SysWOW64\cmd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt | C:\Windows\SysWOW64\cmd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell | C:\Windows\SysWOW64\cmd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe " | C:\Windows\SysWOW64\cmd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1364 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 3056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 3056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 3056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 3056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 1452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 1452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 1452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 1452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 3044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 3044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 3044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 3044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\123.bat

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c assoc .txt = exefile

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f

Network

N/A

Files

memory/1364-0-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/1364-1-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/1364-2-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/1364-3-0x0000000000400000-0x00000000004C3000-memory.dmp

C:\Program Files\7-Zip\7zG.exe

MD5 58c8464a6b77e2040baddbd5bd911c69
SHA1 8ddaa778c2c9b7f4faa273fa2eed4352f101f70b
SHA256 5b6feaa2616e194f648a6e622fb14fc2df032e738d5b01334e3f2faba6d9e9c9
SHA512 20617d7925ebb2a6adcdddcc051926efb5a8130ea817a581a4e097e4b3bc8e3e191004db01c0af283f2750ba13332c78de1db5563866cf7df233db4364e9a064

C:\123.bat

MD5 70170ba16a737a438223b88279dc6c85
SHA1 cc066efa0fca9bc9f44013660dea6b28ddfd6a24
SHA256 d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a
SHA512 37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

memory/1364-1074-0x0000000000400000-0x00000000004C3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 13:12

Reported: 2024-06-11 13:14

Platform: win10v2004-20240508-en

Max time kernel: 147s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe"

Signatures

Sets file execution options in registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\debugger = "ntsd -d" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "ntsd -d" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "ntsd -d" | C:\Windows\SysWOW64\reg.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe " | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\wsgen.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jre-1.8\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jre-1.8\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe | N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\excelcnv.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.txt C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt \ = " exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe " C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2808 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4372 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4372 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4372 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4372 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4372 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4372 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4372 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4372 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\123.bat

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c assoc .txt = exefile

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\35ee6f0dc7c7fd2e6da25e68d6410f90_NeikiAnalytics.exe

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f

Network

Files

memory/2808-0-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/2808-1-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/2808-2-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/2808-3-0x0000000000400000-0x00000000004C3000-memory.dmp

C:\Program Files\7-Zip\7zG.exe

MD5 1b7efa2031a6863383f1d258ee331020
SHA1 37621b1e8a87a0cf381698101a21fb3dda34e289
SHA256 00771158e1e618f16c2f19fabb49040d922a3b4d71d4b7fd0b20bc6f87ef2192
SHA512 74948f2b0d59e269a4653644bab58fbad2f459098da4ce4f3693afb07816d37c0603d26a3c3a011c242db316c20c42a30eae0db0d9bf147872e14180156b9e14

C:\123.bat

MD5 70170ba16a737a438223b88279dc6c85
SHA1 cc066efa0fca9bc9f44013660dea6b28ddfd6a24
SHA256 d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a
SHA512 37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

memory/2808-1019-0x0000000000400000-0x00000000004C3000-memory.dmp