Malware Analysis Report

2024-09-11 12:59

Sample ID 240612-q7cdxa1cpq
Target 3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe
SHA256 0c8417099a961224b9b23b272b0df04f5dae619ec1430e307c029dd432a04bba
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0c8417099a961224b9b23b272b0df04f5dae619ec1430e307c029dd432a04bba

Threat Level: Known bad

The file 3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

UAC bypass

Modifies firewall policy service

Sality

UPX packed file

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 13:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 13:53

Reported

2024-06-12 13:56

Platform

win10v2004-20240508-en

Max time kernel

122s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (43 matches, no indicator details recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e575592 C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A (24 occurrences)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A (64 occurrences)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
64 write events from PID 4788, recorded by the sandbox as four passes over the same set of processes; collapsed here to one row per target with the number of writes in parentheses.
PID 4788 wrote to memory of 796 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 4788 wrote to memory of 804 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 4788 wrote to memory of 380 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 4788 wrote to memory of 2516 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 4788 wrote to memory of 2556 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 4788 wrote to memory of 2704 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 4788 wrote to memory of 3460 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 4788 wrote to memory of 3608 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 4788 wrote to memory of 3796 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 4788 wrote to memory of 3892 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4788 wrote to memory of 3952 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4788 wrote to memory of 4080 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4788 wrote to memory of 3480 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4788 wrote to memory of 2004 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4788 wrote to memory of 2700 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4788 wrote to memory of 3064 (1 write) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4788 wrote to memory of 2676 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4788 wrote to memory of 2092 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Files

memory/4788-0-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4788-1-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-2-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-5-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-4-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-6-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-19-0x0000000003EA0000-0x0000000003EA2000-memory.dmp

memory/4788-14-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-17-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-20-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-21-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-18-0x0000000003EA0000-0x0000000003EA2000-memory.dmp

memory/4788-13-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-16-0x0000000004870000-0x0000000004871000-memory.dmp

memory/4788-15-0x0000000003EA0000-0x0000000003EA2000-memory.dmp

memory/4788-7-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-22-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-23-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-24-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-25-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-26-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-28-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-29-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-30-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-32-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-33-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-35-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-37-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-40-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-42-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-43-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-44-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-46-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-47-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-54-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-53-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-55-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-57-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-60-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-61-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-63-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-64-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-66-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-67-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-68-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-71-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-73-0x0000000003EA0000-0x0000000003EA2000-memory.dmp

memory/4788-74-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4788-78-0x0000000000780000-0x000000000183A000-memory.dmp

F:\fguntn.exe

MD5 e4dcc19c8cca5813b526b85ddb61eb74
SHA1 02ee660435bf21660ffc92c8f08847af6649a10e
SHA256 02e323063602471e05c255957816421fa464a7ccf67d70be01ef29c14b1c94ac
SHA512 207e26dc45aeb2bc498d57a97619971d426e206a026435df824079c2e632594bb508933d667645e9a959f1a6132ff6f874de1f75b9712da3a8760577dc74c52d

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 13:53

Reported

2024-06-12 13:56

Platform

win7-20240611-en

Max time kernel

123s

Max time network

123s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (33 matches recorded, none with further detail)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
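The firewall-policy, UAC-bypass and Security Center tables above are one pattern seen four ways: the sample writes a defence-related policy value to a known-bad state (EnableFirewall and EnableLUA to 0, the Security Center *Override and *DisableNotify values to 1). The script below is an added example, not part of this report or of the sandbox's own signature logic. It reads rows in the report's flattened table layout, normalises the registry path (Wow6432Node dropped, ControlSet001 mapped to CurrentControlSet) and flags any write that matches a small tamper rule set. The rule set, its ATT&CK annotations, and the two benign rows at the end of the sample (an EnableLUA=1 write and the "Key created" event) are my additions; the other rows are copied from the behavioral1 tables.

```python
"""Registry tamper check over the report's 'Set value (int)' rows (added example)."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe"

# Rows copied from the behavioral1 tables. The last two rows are constructed for this
# example: a benign EnableLUA=1 write and a 'Key created' event, to show what is left alone.
REPORT_ROWS: List[str] = [
    rf'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" {SAMPLE_EXE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" {SAMPLE_EXE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" {SAMPLE_EXE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" {SAMPLE_EXE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" {SAMPLE_EXE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" {SAMPLE_EXE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" {SAMPLE_EXE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" {SAMPLE_EXE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" {SAMPLE_EXE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" {SAMPLE_EXE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" {SAMPLE_EXE} N/A',  # same write, listed under a second signature
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" {SAMPLE_EXE} N/A',  # constructed, benign
    rf'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc {SAMPLE_EXE} N/A',  # not a value write
]

SET_VALUE_RE = re.compile(
    r'^Set value \((?:int|str)\) (?P<key>.+?) = "(?P<value>[^"]*)" (?P<process>\S+) N/A$'
)

# tail of the normalised key path : (value that indicates tampering, meaning)
TAMPER_RULES: Dict[str, Tuple[str, str]] = {
    r"policies\system\enablelua": ("0", "UAC disabled (ATT&CK T1548.002)"),
    r"firewallpolicy\standardprofile\enablefirewall": ("0", "Windows Firewall disabled (T1562.004)"),
    r"firewallpolicy\standardprofile\donotallowexceptions": ("0", "firewall exceptions allowed (default value, but written alongside the others)"),
    r"firewallpolicy\standardprofile\disablenotifications": ("1", "firewall notifications suppressed"),
    r"security center\antivirusoverride": ("1", "Security Center AV status overridden (T1562.001)"),
    r"security center\antivirusdisablenotify": ("1", "AV notifications suppressed"),
    r"security center\firewalloverride": ("1", "Security Center firewall status overridden"),
    r"security center\firewalldisablenotify": ("1", "firewall notifications suppressed in Security Center"),
    r"security center\updatesdisablenotify": ("1", "Windows Update notifications suppressed"),
    r"security center\uacdisablenotify": ("1", "UAC notifications suppressed"),
}


def normalise_key(key: str) -> str:
    """Lower-case, HKLM prefix, drop the WoW64 redirection, pin the control set."""
    k = key.lower().replace("\\registry\\machine\\", "hklm\\")
    k = k.replace("\\wow6432node\\", "\\")
    return re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", k)


def parse_set_value(row: str) -> Optional[Dict[str, str]]:
    """Return key/value/process for a 'Set value' row, None for any other row type."""
    m = SET_VALUE_RE.match(row)
    return m.groupdict() if m else None


def evaluate(rows: List[str]) -> List[Tuple[str, str, str]]:
    """(value name, written value, meaning) for each distinct value left in a tampered state."""
    findings: Dict[str, Tuple[str, str, str]] = {}
    for row in rows:
        ev = parse_set_value(row)
        if ev is None:
            continue
        nk = normalise_key(ev["key"])
        for tail, (bad_value, meaning) in TAMPER_RULES.items():
            if nk.endswith(tail):
                if ev["value"] == bad_value:
                    findings[nk] = (nk.rsplit("\\", 1)[-1], ev["value"], meaning)
                break
    return list(findings.values())


if __name__ == "__main__":
    for name, value, meaning in evaluate(REPORT_ROWS):
        print(f"{name:<24} = {value}  {meaning}")
```

Matching on the tail of the normalised path is deliberate: the same value shows up under ControlSet001 in a sandbox and under CurrentControlSet on a live host, and under Wow6432Node when written by a 32-bit process, so a rule keyed on the exact path would miss two of the three spellings. The same rule table can be run against a live host by reading the values with winreg instead of parsing report rows.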

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
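The autorun.inf written to the root of C: and F:, together with the executable dropped at the F: root (recorded under Files in both detonations), is the removable-media spreading step. The report records only that the files were written, not their contents, so the autorun.inf below is constructed for this added example and is not from the sample; the parser is mine, not the sandbox's. It shows how a tolerant INI parse recovers the launch-capable keys (open, shellexecute, shell\<verb>\command) while ignoring decoy sections, padding lines and non-launch keys such as icon. Note that Windows 7 and later do not honour autorun.inf on USB storage, so on both sandbox platforms here the file is inert; it is still a useful on-disk indicator.

```python
"""autorun.inf launch-target extractor (added example)."""
import re
from typing import Dict, List

# Constructed content: the report records only that C:\autorun.inf and F:\autorun.inf were
# written, not their bytes. Padding lines and a decoy section are included on purpose.
SAMPLE_AUTORUN = """\
;xJk9 random padding line
[AutoRun]
open = fguntn.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=fguntn.exe
shell\\explore\\command=fguntn.exe
shell=open
garbage line without separator
[Other]
open=notepad.exe
"""

# Keys whose value is executed when AutoRun/AutoPlay processes the file.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Tolerant INI parse: sections and keys lower-cased, comment and junk lines skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line or not current:
            continue                      # padding line, or a key before any section header
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text: str) -> Dict[str, str]:
    """Map each launch-capable key in [autorun*] sections to the command it runs."""
    targets: Dict[str, str] = {}
    for name, entries in parse_autorun(text).items():
        if not name.startswith("autorun"):        # also covers [autorun.amd64]-style sections
            continue
        for key, value in entries.items():
            if LAUNCH_KEY_RE.match(key):
                targets[key] = value
    return targets


def first_token(cmd: str) -> str:
    """Program part of a command line, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def launched_binaries(text: str) -> List[str]:
    """Distinct program file names (lower-cased, directory dropped) the file would launch."""
    names = set()
    for cmd in launch_targets(text).values():
        names.add(first_token(cmd).lower().rsplit("\\", 1)[-1])
    return sorted(n for n in names if n)


if __name__ == "__main__":
    for key, cmd in launch_targets(SAMPLE_AUTORUN).items():
        print(f"{key:<22} -> {cmd}")
    print("binaries:", launched_binaries(SAMPLE_AUTORUN))
```

In triage the useful output is the binary list: a name at the drive root that is also referenced by open or shell\...\command is the file to hash and compare against the dropped-file entries in the report.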

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f7654d4 C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A (31 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe (12 writes)
PID 2996 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe (12 writes)
PID 2996 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\Explorer.EXE (12 writes)
PID 2996 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe (1 write)
(37 write events in total; the log interleaves the taskhost.exe, Dwm.exe and Explorer.EXE writes in that order)
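Both WriteProcessMemory tables (PID 4788 in behavioral2, PID 2996 here) show the same Sality behaviour: a single binary running from the user's Temp directory writes into every process it can open in the session, rather than into one chosen host. The fan-out is the detectable shape, independent of which processes happen to exist on a given Windows build. The script below is an added example, not the sandbox's own signature logic; it parses rows of the report's "PID X wrote to memory of Y" layout, aggregates by source PID and flags a source outside the Windows directory that writes into three or more distinct processes that are almost all Windows binaries. The threshold and the path heuristics are my choices; the sample rows are copied from the behavioral2 table, with a final Explorer-to-DllHost row constructed as a benign control.

```python
"""Injection fan-out check over 'wrote to memory of' rows (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe"

# Rows copied from the behavioral2 table (PID 4788); 3480 appears twice there as well.
# The last row is constructed for this example as a benign control.
REPORT_ROWS: List[str] = [
    rf"PID 4788 wrote to memory of 796 N/A {SAMPLE_EXE} C:\Windows\system32\fontdrvhost.exe",
    rf"PID 4788 wrote to memory of 804 N/A {SAMPLE_EXE} C:\Windows\system32\fontdrvhost.exe",
    rf"PID 4788 wrote to memory of 380 N/A {SAMPLE_EXE} C:\Windows\system32\dwm.exe",
    rf"PID 4788 wrote to memory of 2516 N/A {SAMPLE_EXE} C:\Windows\system32\sihost.exe",
    rf"PID 4788 wrote to memory of 2556 N/A {SAMPLE_EXE} C:\Windows\system32\svchost.exe",
    rf"PID 4788 wrote to memory of 2704 N/A {SAMPLE_EXE} C:\Windows\system32\taskhostw.exe",
    rf"PID 4788 wrote to memory of 3460 N/A {SAMPLE_EXE} C:\Windows\Explorer.EXE",
    rf"PID 4788 wrote to memory of 3796 N/A {SAMPLE_EXE} C:\Windows\system32\DllHost.exe",
    rf"PID 4788 wrote to memory of 3480 N/A {SAMPLE_EXE} C:\Windows\System32\RuntimeBroker.exe",
    rf"PID 4788 wrote to memory of 3480 N/A {SAMPLE_EXE} C:\Windows\System32\RuntimeBroker.exe",
    r"PID 1396 wrote to memory of 2436 N/A C:\Windows\Explorer.EXE C:\Windows\system32\DllHost.exe",  # constructed
]

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Path fragments that mark a source image as living in a user-writable location.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class SourceSummary:
    src_pid: int
    src_image: str
    writes: int = 0
    target_pids: Set[int] = field(default_factory=set)
    target_images: Set[str] = field(default_factory=set)   # lower-cased full paths

    @property
    def distinct_targets(self) -> int:
        return len(self.target_pids)

    @property
    def from_user_writable_path(self) -> bool:
        return any(p in self.src_image.lower() for p in USER_WRITABLE)

    @property
    def system_target_ratio(self) -> float:
        sys_targets = [i for i in self.target_images if i.startswith("c:\\windows\\")]
        return len(sys_targets) / len(self.target_images) if self.target_images else 0.0


def summarise(rows: List[str]) -> Dict[int, SourceSummary]:
    """Group write events by source PID; rows that do not parse are skipped."""
    out: Dict[int, SourceSummary] = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        src = int(m["src"])
        s = out.setdefault(src, SourceSummary(src, m["src_image"]))
        s.writes += 1
        s.target_pids.add(int(m["dst"]))
        s.target_images.add(m["dst_image"].lower())
    return out


def flag_mass_injection(summaries: Dict[int, SourceSummary], min_targets: int = 3) -> List[SourceSummary]:
    """Sources in a user-writable path that wrote into >= min_targets distinct processes,
    nearly all of them Windows binaries: the shape of a Sality-style session sweep."""
    return [
        s for s in summaries.values()
        if s.from_user_writable_path
        and s.distinct_targets >= min_targets
        and s.system_target_ratio >= 0.8
    ]


if __name__ == "__main__":
    for s in flag_mass_injection(summarise(REPORT_ROWS)):
        print(f"PID {s.src_pid}: {s.writes} writes into {s.distinct_targets} processes "
              f"({len(s.target_images)} distinct images) from {s.src_image}")
```

The same aggregation applies to Sysmon Event ID 8 (CreateRemoteThread) or EDR cross-process write telemetry on a live host: key on source process, count distinct targets, and weight by where the source image lives. A single write from Explorer into a COM surrogate is routine; nine distinct targets from a binary in Temp is not.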

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3fb99a67a2368aab7cc16cefd4a07990_NeikiAnalytics.exe"

Network

N/A

Files

memory/2996-0-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2996-1-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-2-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-4-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-7-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-10-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-6-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-8-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-9-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-5-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-12-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-11-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-30-0x0000000003730000-0x0000000003732000-memory.dmp

memory/2996-29-0x0000000003730000-0x0000000003732000-memory.dmp

memory/2996-28-0x0000000003740000-0x0000000003741000-memory.dmp

memory/2996-26-0x0000000003740000-0x0000000003741000-memory.dmp

memory/2996-22-0x0000000003730000-0x0000000003732000-memory.dmp

memory/1232-15-0x0000000000210000-0x0000000000212000-memory.dmp

memory/2996-32-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-31-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-33-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-34-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-35-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-37-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-38-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-39-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-41-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-43-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-48-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-50-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-52-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-57-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-60-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-63-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-65-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-71-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-73-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-76-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-80-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-81-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2996-84-0x0000000003730000-0x0000000003732000-memory.dmp

F:\nyig.exe

MD5 abb54e76a0a73638fc47f17fcc0abecb
SHA1 0eee1905a32bfa6b578bb8db1868dc4d9c5c7cb6
SHA256 8f9584f4c1a4d5f8bfe2323ee911e7f01e5297e4997b1e61f395a21494127b45
SHA512 77f7240e116301d6f75da89d2b0f6ddc69dd155c5b4ba9b2017e076184f2599b87045a8c7b8e2f0a21062a5cab629cae23051ab6bec6aacb2369d0615b6d8d27