Malware Analysis Report

2024-09-11 11:46

Sample ID 240614-btawlazcla
Target 96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe
SHA256 06d503197e777bff6302a1f329f0a5dc81cf24c3991f68ef6bfc86ab2a95d86e
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06d503197e777bff6302a1f329f0a5dc81cf24c3991f68ef6bfc86ab2a95d86e

Threat Level: Known bad

The file 96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

UAC bypass

Windows security bypass

Modifies firewall policy service

UPX packed file

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System policy modification

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:25

Reported

2024-06-14 01:28

Platform

win7-20240508-en

Max time kernel

125s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761c38 C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 1676 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 1676 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 1676 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe"

Network

N/A

Files

F:\adsq.exe

MD5 562fe6e22f2ec3ae641b20f2ba82d215
SHA1 0c3dfb11a0b746f27aff7add4caa7c362375b9ce
SHA256 01c90848bb423db0a02a6f79bd66835c20c670fb0a64bcd4786c1d049a95a65a
SHA512 bb57bf8874d9afa4905cef8c0a2a764b589f93afab13bd7b0fa0ad1cc3bd0ea0c7e7bab01d8da91d4db869d06b3288329719c04957d9283bf7d2e6825230b976

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:25

Reported

2024-06-14 01:28

Platform

win10v2004-20240611-en

Max time kernel

122s

Max time network

94s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e572bf2 C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
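The drive enumeration, autorun.inf, Program Files and Windows directory indicators in the tables above can be re-checked on a suspect host. The PowerShell below is an added triage script, not part of the sandbox report and not code from the sample: the paths come from the tables above, the expected hash of C:\wffij.exe from the Files section of this report, and everything else (the severity labels, the decision to rate an unsigned binary as "Review" rather than "High", the SYSTEM.INI section listing) is the editor's own choice. Run it from an elevated prompt.

```powershell
# Added triage script (not part of the sandbox report or the sample).
# Re-checks the file-system indicators listed in the report on a live host:
# autorun.inf at drive roots, the Program Files executables the sample opened
# for modification, the drops under C:\Windows, and C:\wffij.exe by hash.

# Executables the sample opened for modification (paths from the report).
$ModifiedExes = @(
    'C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe',
    'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe',
    'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe',
    'C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe',
    'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe',
    'C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe',
    'C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe',
    'C:\Program Files\7-Zip\7zFM.exe',
    'C:\Program Files\7-Zip\Uninstall.exe',
    'C:\Program Files\7-Zip\7z.exe',
    'C:\Program Files\7-Zip\7zG.exe',
    'C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe'
)

# Dropped executable and its SHA256 as listed under "Files" in this report.
$DroppedExe    = 'C:\wffij.exe'
$DroppedSha256 = '57BC65B23E87DF29A7D2C8B7EA352AFFFAACFA9E480F1D4B8656F48E78761C34'

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Severity, [string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Severity = $Severity; Indicator = $Indicator; Detail = $Detail })
}

# 1. autorun.inf at the root of every file-system drive. The report shows writes
#    to C:\ and F:\, but the sample probed the other letters too, so check all.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $autorun = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        # -Force so a hidden/system autorun.inf is still returned.
        $item = Get-Item -LiteralPath $autorun -Force
        Add-Finding 'High' $autorun ('exists, last written ' + $item.LastWriteTime)
    }
}

# 2. Authenticode status of the executables the sample opened for modification.
#    A file infector that appends code to a signed binary breaks its signature.
#    Caveat: a binary that was never signed (some 7-Zip builds) shows NotSigned
#    whether or not it was touched, so that case is rated Review, not High.
foreach ($exe in $ModifiedExes) {
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    switch ($sig.Status) {
        'Valid'     { }
        'NotSigned' { Add-Finding 'Review' $exe 'unsigned; compare hash with a known-good copy' }
        default     { Add-Finding 'High'   $exe ('signature status ' + $sig.Status) }
    }
}

# 3. Drops under C:\Windows.
if (Test-Path -LiteralPath 'C:\Windows\e572bf2') {
    Add-Finding 'High' 'C:\Windows\e572bf2' 'dropped file present'
}
$sysIni = 'C:\Windows\SYSTEM.INI'
if (Test-Path -LiteralPath $sysIni) {
    # Report the section headers and timestamp for analyst review; the report
    # records a modification but not its content.
    $sections = (Get-Content -LiteralPath $sysIni) -match '^\s*\[.+\]\s*$'
    $stamp = (Get-Item -LiteralPath $sysIni).LastWriteTime
    Add-Finding 'Review' $sysIni ('last written ' + $stamp + '; sections: ' + ($sections -join ' '))
}

# 4. Dropped executable, matched against the reported SHA256.
if (Test-Path -LiteralPath $DroppedExe) {
    $hash = (Get-FileHash -LiteralPath $DroppedExe -Algorithm SHA256).Hash
    $sev  = if ($hash -eq $DroppedSha256) { 'High' } else { 'Review' }
    Add-Finding $sev $DroppedExe ('present, SHA256 ' + $hash)
}

$findings | Sort-Object Severity | Format-Table -AutoSize
```

An empty result means none of the listed indicators were found, not that the host is clean: the report shows the sample injecting into every user-session process, so a host that matches any "High" finding should be treated as compromised and rebuilt rather than cleaned file by file.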

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3984 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3984 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3984 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3984 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3984 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3984 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3984 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3984 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3984 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3984 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3984 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3984 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3984 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3984 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3984 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3984 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3984 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3984 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3984 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3984 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3984 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3984 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3984 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3984 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3984 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3984 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3984 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3984 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3984 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3984 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3984 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3984 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3984 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3984 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3984 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3984 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3984 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3984 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3984 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3984 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3984 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3984 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3984 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3984 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3984 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3984 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3984 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3984 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3984 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3984 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3984 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3984 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3984 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3984 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3984 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3984 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3984 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3984 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3984 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3984 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3984 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3984 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3984 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3984 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe N/A
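The EnableLUA = 0 write above disables UAC system-wide, which also accounts for the "Checks whether UAC is enabled" and "UAC bypass" tags on this sample. The PowerShell below is an added audit and remediation helper, not part of the sandbox report or the sample. It reads the value shown in the table and compares it with the secure setting; the second entry, the standard-profile Windows Firewall policy value, is an assumed additional indicator for this malware family that this section's table does not list.

```powershell
# Added check (not part of the sandbox report or the sample).
# Audits the security-policy values and, with -Remediate, restores them.
function Test-SecurityPolicy {
    [CmdletBinding()]
    param([switch]$Remediate)

    $checks = @(
        [pscustomobject]@{
            # Value the sample set to 0 (from the report).
            Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            Name     = 'EnableLUA'
            Expected = 1
            Note     = 'UAC; a change to this value takes effect only after a reboot'
        },
        [pscustomobject]@{
            # Assumed additional indicator; not listed in this section's table.
            Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
            Name     = 'EnableFirewall'
            Expected = 1
            Note     = 'Windows Firewall, standard profile (assumed indicator)'
        }
    )

    foreach ($c in $checks) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $state = if ($null -eq $current)            { 'absent (OS default applies)' }
                 elseif ($current -eq $c.Expected)  { 'ok' }
                 else                               { "WEAK (value $current)" }

        # Emit one row per value so the result can be piped or exported.
        [pscustomobject]@{ Value = "$($c.Path)\$($c.Name)"; State = $state; Note = $c.Note }

        if ($Remediate -and $null -ne $current -and $current -ne $c.Expected) {
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
        }
    }
}

Test-SecurityPolicy                 # audit only
# Test-SecurityPolicy -Remediate    # restore expected values (run elevated)
```

Restoring the values on a still-infected host is a stopgap only: while the sample's injected code is running it can write the same values again, so the policy check belongs after cleaning or rebuilding the host, as confirmation that the weakened settings did not survive.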

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\96e04fb0fe44fd7d2639be979d43ae00_NeikiAnalytics.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 89.43.201.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/3984-0-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3984-1-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-8-0x0000000001A90000-0x0000000001A91000-memory.dmp

memory/3984-18-0x0000000000680000-0x0000000000682000-memory.dmp

memory/3984-15-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-4-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-7-0x0000000000680000-0x0000000000682000-memory.dmp

memory/3984-17-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-5-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-3-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-10-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-6-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-16-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-21-0x0000000000680000-0x0000000000682000-memory.dmp

memory/3984-20-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-19-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-22-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-23-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-24-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-26-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-25-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-28-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-29-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-30-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-32-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-33-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-35-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-36-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-39-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-41-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-44-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-46-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-48-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-49-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-55-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-56-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-58-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-61-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-62-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-64-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-65-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-68-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-69-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-72-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3984-73-0x0000000000680000-0x0000000000682000-memory.dmp

memory/3984-77-0x0000000000790000-0x000000000184A000-memory.dmp

C:\wffij.exe

MD5 4077f9c6262d4928b7deadf2e68c2a8b
SHA1 566d17c0547a16d40508116e8844d0f84af1db7c
SHA256 57bc65b23e87df29a7d2c8b7ea352afffaacfa9e480f1d4b8656f48e78761c34
SHA512 97f7c87b7105922c309440e9f9ceb745e07dfc4b85e8c63e7a5ebd966aabe1ae5207570e388ea29cad784c74c33c9c174a1ddbde08ad7c8b4a3387a5fbcf5e09