Malware Analysis Report

2024-09-11 12:58

Sample ID 240612-k8xtcaxckc
Target 2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe
SHA256 1619a971f88e30f67b350e80943e937e6e1f4f40c32ffd50e36daf60ff9228b1
Tags
sality backdoor bootkit evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1619a971f88e30f67b350e80943e937e6e1f4f40c32ffd50e36daf60ff9228b1

Threat Level: Known bad

The file 2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor bootkit evasion persistence trojan upx

Modifies firewall policy service

Windows security bypass

UAC bypass

Sality

Executes dropped EXE

UPX packed file

Windows security modification

Loads dropped DLL

Enumerates connected drives

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 09:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 09:16

Reported

2024-06-12 09:19

Platform

win7-20240611-en

Max time kernel

122s

Max time network

125s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
30 matches, every row exported as N/A N/A N/A N/A (no description, indicator, process or target recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
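The row above only records that the sample opened \??\PhysicalDrive0 for writing; it does not say what it wrote. The usual follow-up is to read the first sector of the disk and diff it against a copy saved from a clean image. The script below is an added example written for this page, not part of the sandbox's tooling or the malware: it parses the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature) and reports boot-code or partition-table changes. Both sectors are constructed in memory; the boot-code bytes are a stand-in, not real loader code.

```python
"""Compare an MBR sector with a known-good baseline (added example, not sandbox tooling).

Reads nothing from disk by itself: the baseline and the two tampered copies
are built in memory so the check runs offline.  On a live Windows host the
current sector comes from open(r"\\.\PhysicalDrive0", "rb").read(512)
(administrator rights required); on Linux from the whole-disk device node.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code
ENTRY_FMT = "<B3xB3xII"        # status, (CHS start), type, (CHS end), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four (status, type, lba, count) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(struct.pack(ENTRY_FMT, *p) for p in partitions)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into a boot-code hash, the four partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, BOOT_CODE_LEN + 16 * i)
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Describe how `current` departs from `baseline`; an empty list means no change detected."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code (bytes 0-445) differs from baseline")
    for i, (pb, pc) in enumerate(zip(base["partitions"], cur["partitions"])):
        if pb != pc:
            findings.append(f"partition entry {i} changed: {pb} -> {pc}")
    for i, p in enumerate(cur["partitions"]):
        if p["status"] not in (0x00, 0x80):       # only "inactive" and "bootable" are valid
            findings.append(f"partition entry {i} has invalid status byte 0x{p['status']:02x}")
    return findings


# Constructed test data: a stand-in boot stub (not real loader code) and one bootable NTFS partition.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4") + b"\x90" * 8
CLEAN_PARTITIONS = [(0x80, 0x07, 2048, 204800)]
BASELINE = build_mbr(CLEAN_BOOT_CODE, CLEAN_PARTITIONS)
# Copy whose first bytes were replaced by a far jump; partition table untouched.
PATCHED_BOOT = build_mbr(b"\xea\x00\x7c\x00\x00" + CLEAN_BOOT_CODE[5:], CLEAN_PARTITIONS)
# Copy with an extra hidden partition entry (type 0x27); boot code untouched.
EXTRA_PART = build_mbr(CLEAN_BOOT_CODE, CLEAN_PARTITIONS + [(0x00, 0x27, 206848, 4096)])

if __name__ == "__main__":
    for label, sector in (("baseline", BASELINE), ("patched", PATCHED_BOOT), ("extra", EXTRA_PART)):
        print(label, diff_mbr(BASELINE, sector) or "no change")
```

A boot-code hash mismatch is the finding to act on for this signature; a partition-table change with intact boot code is more often a legitimate disk-management event, so the two are reported separately.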

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
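The report shows autorun.inf being written to the root of C: and F: alongside the dropped C:\hfvdgt.exe, but not the file's contents. The following is an added example for this page, not the sandbox's or the malware's code: a small parser for the [autorun] section that flags entries which would launch an executable sitting at a drive root. Both INF texts are constructed for the example; the malicious one reuses the dropped file's name as its target. Note that Windows 7 and later (and earlier versions with KB971029) ignore these entries on non-optical removable media, so the file is mainly an infection and spreading indicator rather than a working launch vector on a patched host.

```python
"""Flag autorun.inf entries that launch an executable from a drive root (added example).

Handles the launch keys AutoRun honours: open=, shellexecute= and
shell\<verb>\command=, plus a redirected default verb (shell=).
The two INF texts are constructed for this example.
"""
import os

LAUNCH_KEYS = ("open", "shellexecute")
EXEC_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")


def parse_autorun(text: str) -> dict:
    """Return lower-cased key -> value pairs from the [autorun] section only."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_entries(entries: dict) -> list:
    """Keys that make AutoRun execute something: open, shellexecute, shell\\<verb>\\command."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def findings(entries: dict) -> list:
    """Describe launch entries pointing at an executable, and a redirected default verb."""
    out = []
    for key, value in launch_entries(entries):
        target = value.split()[0].strip('"') if value else ""
        normalised = target.replace("/", "\\")
        name = normalised.split("\\")[-1].lower()
        if name.endswith(EXEC_SUFFIXES):
            where = "drive root" if "\\" not in normalised else "subdirectory"
            out.append(f"{key} launches {target} ({where})")
    defined_verbs = {k.split("\\")[1] for k, _ in launch_entries(entries) if k.startswith("shell\\")}
    if entries.get("shell", "").lower() in defined_verbs:
        out.append(f"default shell verb redirected to '{entries['shell']}'")
    return out


def scan_drive_roots(letters: str = "CDEFGHIJKLMNOPQRSTUVWXYZ") -> dict:
    """Read <X>:\\autorun.inf from every present drive root (Windows); letter -> findings."""
    results = {}
    for d in letters:
        path = f"{d}:\\autorun.inf"
        if os.path.exists(path):
            with open(path, "r", errors="replace") as fh:
                results[d] = findings(parse_autorun(fh.read()))
    return results


# Constructed: the kind of file a drive-root infector leaves; the target name is the EXE dropped in this run.
MALICIOUS_INF = """
[autorun]
open=hfvdgt.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell=open
shell\\open\\command=hfvdgt.exe
shell\\explore\\command=hfvdgt.exe
useautoplay=1
"""

# Constructed: a benign label/icon-only file, which should produce no findings.
BENIGN_INF = """
[autorun]
label=Backup Drive
icon=drive.ico
"""

if __name__ == "__main__":
    print(findings(parse_autorun(MALICIOUS_INF)))
    print(findings(parse_autorun(BENIGN_INF)))
```

The "action=Open folder to view files" line in the constructed sample is the lure that makes the AutoPlay prompt look like Explorer's own option; it is not flagged here because it is text, but it is worth eyeballing when you review a real file.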

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
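Sality is a file infector, and opening the 7-Zip and Office executables above for modification is consistent with host programs being infected rather than merely overwritten. The report does not show how the files were changed, so the check below is a general header-level heuristic for appending infectors, added for this page and not the sandbox's or the malware's code: it reports sections that are both writable and executable and an entry point that sits outside the first code section. The two PE images are constructed minimal PE32 headers with no section data. Confirm any hit against a clean install by hash or Authenticode comparison; the heuristic is not a verified description of this sample's infection routine.

```python
"""Header-level heuristic for appending file infectors (added example).

An appending infector typically enlarges the last section, marks it
executable (often writable too) and moves AddressOfEntryPoint into it.
Both symptoms are visible from the PE headers alone.  The two images
below are constructed minimal PE32 headers (DOS stub, COFF, optional
header, section table) with no section bodies.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
OPT_HEADER_SIZE = 224          # PE32 optional header including 16 data directories


def build_pe(sections, entry_point: int) -> bytes:
    """Emit DOS stub + PE signature + COFF + optional header + section table (headers only).

    sections: list of (name, virtual address, virtual size, characteristics)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER_SIZE, 0x0102)
    # Magic 0x10B (PE32), linker 14.0, three size fields, then AddressOfEntryPoint at offset 16
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_point).ljust(OPT_HEADER_SIZE, b"\x00")
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\x00"), vsize, vaddr, vsize, 0, 0, 0, 0, 0, flags)
        for name, vaddr, vsize, flags in sections)
    return dos + b"PE\x00\x00" + coff + opt + table


def parse_headers(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]); raise ValueError for a non-PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # same offset for PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, _raw, _ptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "flags": flags})
    return entry, sections


def infection_indicators(data: bytes) -> list:
    """Findings suggesting an appended infection; empty list means the headers look normal."""
    entry, sections = parse_headers(data)
    out = []
    for s in sections:
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            out.append(f"section {s['name']} is writable and executable")
    exec_sections = [s for s in sections if s["flags"] & IMAGE_SCN_MEM_EXECUTE]
    holder = next((s for s in sections if s["vaddr"] <= entry < s["vaddr"] + s["vsize"]), None)
    if holder is None:
        out.append(f"entry point 0x{entry:x} lies outside every section")
    elif exec_sections and holder is not exec_sections[0]:
        out.append(f"entry point 0x{entry:x} is in {holder['name']}, "
                   f"not in first code section {exec_sections[0]['name']}")
    return out


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RDATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed: ordinary layout, entry point inside .text.
CLEAN_PE = build_pe([(".text", 0x1000, 0x2000, TEXT), (".rdata", 0x3000, 0x1000, RDATA),
                     (".data", 0x4000, 0x1000, DATA)], entry_point=0x1100)
# Constructed: last section grown and made executable, entry point moved into it.
INFECTED_PE = build_pe([(".text", 0x1000, 0x2000, TEXT), (".rdata", 0x3000, 0x1000, RDATA),
                        (".data", 0x4000, 0x9000, DATA | IMAGE_SCN_MEM_EXECUTE)], entry_point=0x4C00)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, infection_indicators(image) or "no header anomalies")
```

To run it over a real directory, read each file with open(path, "rb").read() and pass the bytes to infection_indicators; packed or self-modifying programs can legitimately carry a writable code section, so treat a hit as a lead for hash comparison rather than a verdict.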

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A (20 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A (31 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe (12 rows)
PID 2752 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe (12 rows)
PID 2752 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\Explorer.EXE (12 rows)
PID 2752 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe (1 row)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
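The registry rows in this run (behavioral2 records the same writes) and the cross-process writes into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe are the parts of the report a responder turns into host checks. The script below is an added example written for this page, not part of the sandbox's tooling: it parses rows in exactly the layout used above, maps each registry write to the Windows control it weakens, de-duplicates values the report lists under more than one signature, and counts injection targets per image. The sample rows are copied from the tables above with <EXE> standing in for the sample path; the WEAKENING_VALUES table is the editor's reading of what each value means, not text from the report. The Wow6432Node paths are the 32-bit registry view seen by a 32-bit process.

```python
"""Triage helper for sandbox signature rows (added example, not sandbox tooling).

Parses two row layouts used in the report:
  Set value (int) <key> = "<data>" <process> <target>
  PID <src> wrote to memory of <dst> N/A <src image> <dst image>
Row text is copied from the behavioral1 tables; <EXE> is replaced with the
sample's path so the lines stay readable.  Rows in any other layout are
kept under "unparsed" rather than silently dropped.
"""
import re
from collections import Counter

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe"

SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" <EXE> N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" <EXE> N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" <EXE> N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" <EXE> N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" <EXE> N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" <EXE> N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" <EXE> N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" <EXE> N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc <EXE> N/A
PID 2752 wrote to memory of 1188 N/A <EXE> C:\Windows\system32\taskhost.exe
PID 2752 wrote to memory of 1276 N/A <EXE> C:\Windows\system32\Dwm.exe
PID 2752 wrote to memory of 1336 N/A <EXE> C:\Windows\Explorer.EXE
PID 2752 wrote to memory of 1872 N/A <EXE> C:\Windows\system32\DllHost.exe
PID 2752 wrote to memory of 1188 N/A <EXE> C:\Windows\system32\taskhost.exe
""".replace("<EXE>", SAMPLE_EXE)

# Key names may contain spaces ("Security Center"), so the key is matched lazily up to ' = "'.
# The target column is assumed space-free (it is N/A for every Set value row in this report).
SET_VALUE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<data>[^"]*)" (?P<process>.+?) (?P<target>\S+)$')
# Image paths start with a drive letter, which is what separates source from target.
WROTE_MEM = re.compile(r'^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) N/A '
                       r'(?P<src>[A-Za-z]:\\.+?) (?P<dst>[A-Za-z]:\\.+)$')

# (value name, written data) -> control weakened.  Editor's interpretation, not report text.
WEAKENING_VALUES = {
    ("EnableFirewall", "0"): "Windows Firewall turned off for the standard profile",
    ("DoNotAllowExceptions", "0"): "firewall block-all-exceptions mode turned off",
    ("DisableNotifications", "1"): "firewall block notifications suppressed",
    ("EnableLUA", "0"): "UAC disabled (takes effect at next logon or reboot)",
    ("AntiVirusDisableNotify", "1"): "Security Center antivirus alerts suppressed",
    ("FirewallDisableNotify", "1"): "Security Center firewall alerts suppressed",
    ("UpdatesDisableNotify", "1"): "Security Center update alerts suppressed",
    ("UacDisableNotify", "1"): "Security Center UAC alerts suppressed",
    ("AntiVirusOverride", "1"): "Security Center told antivirus is monitored elsewhere",
    ("FirewallOverride", "1"): "Security Center told firewall is monitored elsewhere",
}


def parse_rows(text: str) -> list:
    """Turn report rows into dicts with a 'kind' of registry, inject or other."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SET_VALUE.match(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = "registry"
            rec["name"] = rec["key"].rsplit("\\", 1)[-1]   # last path component is the value name
        else:
            m = WROTE_MEM.match(line)
            if m:
                rec = m.groupdict()
                rec["kind"] = "inject"
            else:
                rec = {"kind": "other", "raw": line}
        records.append(rec)
    return records


def weakened_controls(records: list) -> list:
    """(value name, meaning) for each distinct registry write that degrades a control."""
    hits, seen = [], set()
    for r in records:
        if r["kind"] != "registry":
            continue
        key = (r["name"], r["data"])
        if key in WEAKENING_VALUES and key not in seen:
            seen.add(key)
            hits.append((r["name"], WEAKENING_VALUES[key]))
    return hits


def injection_targets(records: list) -> dict:
    """Count cross-process writes per target image basename (lower-cased)."""
    counts = Counter(r["dst"].rsplit("\\", 1)[-1].lower() for r in records if r["kind"] == "inject")
    return dict(counts)


def summarize(text: str) -> dict:
    recs = parse_rows(text)
    return {"weakened_controls": weakened_controls(recs),
            "injection_targets": injection_targets(recs),
            "unparsed": [r["raw"] for r in recs if r["kind"] == "other"]}


if __name__ == "__main__":
    for section, value in summarize(SAMPLE_ROWS).items():
        print(section, value)
```

The same WEAKENING_VALUES table doubles as a live-host check: read each value with winreg.QueryValueEx under HKEY_LOCAL_MACHINE and compare against the listed data. Be aware that EnableLUA=0 written to the registry does not disable UAC for the current session, which is why the sandbox also tags the write as "Checks whether UAC is enabled" rather than as an elevation.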

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 master.etl.desktop.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 c.gj.qq.com udp
HK 43.135.106.184:80 c.gj.qq.com tcp
HK 43.135.106.184:80 c.gj.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp

Files

memory/2752-0-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2752-6-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-3-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-8-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-9-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-5-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-22-0x0000000000630000-0x0000000000631000-memory.dmp

memory/2752-11-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-24-0x0000000000620000-0x0000000000622000-memory.dmp

memory/2752-23-0x0000000000620000-0x0000000000622000-memory.dmp

memory/2752-10-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-4-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-7-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-20-0x0000000000630000-0x0000000000631000-memory.dmp

memory/2752-19-0x0000000000620000-0x0000000000622000-memory.dmp

memory/1188-12-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/2752-29-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-30-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-31-0x0000000001E60000-0x0000000002EEE000-memory.dmp

\Users\Admin\AppData\Local\Temp\TencentDownload\~f767aea\QQPCDownload.dll

MD5 45203b800253aed1a31a18257da24618
SHA1 4debc4740d0c53f61ed3f18ecabb3dd0c9f3c3e1
SHA256 af60814b99ebf49e0f9b6f8d2e0e26b593b40302b20714eb74e0c2489c0aaa77
SHA512 c8dbae680a607f26e78cef7a1d047bef4f016212daf5009bd90f2ff3573a447b426d39fbafa2c980bdeed13801c60138e1a0785c65bcfc463d5dc509b751cfdb

memory/2752-38-0x00000000045A0000-0x00000000045A1000-memory.dmp

memory/2752-36-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-39-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-41-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-47-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-48-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-50-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-56-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-58-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-60-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-62-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-64-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-67-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-69-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-70-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-72-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-73-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-81-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-80-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2752-89-0x0000000000620000-0x0000000000622000-memory.dmp

C:\hfvdgt.exe

MD5 0f1095dafdc59d3bf9b5c66330cebf18
SHA1 512f4f31c23db8d888d2ebf6bdce189c35f868ab
SHA256 f41753a0967a31cf9f3bd7211d4466e0fdc0bb2567f5b2581c389c32d2668636
SHA512 23794dfb34221308f190e8de2859f89bf7c5f3d7fc09d25464e0900978b7e8fc81601527f940937ed11a0c834dff271ea83c44d6fff5198c06244d48fa1b7f0f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 09:16

Reported

2024-06-12 09:19

Platform

win10v2004-20240226-en

Max time kernel

131s

Max time network

160s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
37 matches, every row exported as N/A N/A N/A N/A (no description, indicator, process or target recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 4048 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 4048 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 4048 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 4048 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 4048 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 4048 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 4048 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 4048 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 4048 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4048 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4048 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4048 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4048 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4048 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4048 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 4048 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 4048 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 4048 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 4048 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 4048 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 4048 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 4048 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 4048 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 4048 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4048 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4048 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4048 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4048 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4048 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4048 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 4048 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 4048 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 4048 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 4048 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 4048 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 4048 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 4048 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 4048 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 4048 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4048 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4048 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4048 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4048 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4048 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4048 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ff9d0222e98,0x7ff9d0222ea4,0x7ff9d0222eb0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2244 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2292 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2468 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5204 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5416 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2e604a69e6295f3337f31431dd23f040_NeikiAnalytics.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 master.etl.desktop.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
HK 43.135.106.117:80 c.gj.qq.com tcp
HK 43.135.106.117:80 c.gj.qq.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 117.106.135.43.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e5804ed\QQPCDownload.dll

MD5 45203b800253aed1a31a18257da24618
SHA1 4debc4740d0c53f61ed3f18ecabb3dd0c9f3c3e1
SHA256 af60814b99ebf49e0f9b6f8d2e0e26b593b40302b20714eb74e0c2489c0aaa77
SHA512 c8dbae680a607f26e78cef7a1d047bef4f016212daf5009bd90f2ff3573a447b426d39fbafa2c980bdeed13801c60138e1a0785c65bcfc463d5dc509b751cfdb

F:\tjuj.pif

MD5 da7ce0e93c9a02be72ea1d66330a7041
SHA1 cfcffc14529471cde2af29493ab187be30b5a110
SHA256 036e78dc3b64bed2b2201eb456c75e40320b437af14ca6a8d626025edd81fe21
SHA512 ed55be03312fe4bf5cd7bf4a33fb88d7076ef1ec501d007161c666344c3c1bea3fdad048ccc3728b6c9cbd50d365d137faf84aab8afa1f04c2e40fa75908a0b7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 faf79a48399d502194e87a5ad1ba7b8e
SHA1 09cd9d783ac126d33ec37de781beedce9ce6aa51
SHA256 3d1266025af95bdb7b92d17debbf88a1386b19b7f7c2eeb9ced77debb9748e14
SHA512 d84f8e25179e2cee6f95dc95c94a4a70dc56814aaf7f95e38f24f9828e64629cab0c184f5fddd67d834f419703f65d9d0e3a93e54d2730ed63d3d89644babb84