Malware Analysis Report

2024-09-11 12:21

Sample ID 240614-jk11esvarl
Target adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe
SHA256 a00af6e093523e54d079c468dd68b5f5dde341190b4e3ebae177ed4f45bae50e
Tags
sality backdoor evasion persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a00af6e093523e54d079c468dd68b5f5dde341190b4e3ebae177ed4f45bae50e

Threat Level: Known bad

The file adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence spyware stealer trojan upx

Sality

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies WinLogon for persistence

UAC bypass

Modifies firewall policy service

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Sets file execution options in registry

Deletes itself

UPX packed file

Checks computer location settings

Windows security modification

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 07:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 07:44

Reported

2024-06-14 07:46

Platform

win7-20240611-en

Max time kernel

20s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O75857Z\\TuxO75857Z.exe\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M46040\\Ja167042bLay.com\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O75857Z\\TuxO75857Z.exe\"" C:\Windows\M46040\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M46040\\Ja167042bLay.com\"" C:\Windows\M46040\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O75857Z\\TuxO75857Z.exe\"" C:\Windows\M46040\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M46040\\Ja167042bLay.com\"" C:\Windows\M46040\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O75857Z\\TuxO75857Z.exe\"" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M46040\\Ja167042bLay.com\"" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M46040\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M46040\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M46040\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M46040\smss.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M46040\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M46040\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M46040\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M46040\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M46040\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M46040\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M46040\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M46040\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M46040\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M46040\smss.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M46040\smss.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M46040\EmangEloh.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T57Z384 = "C:\\Windows\\sa-76400.exe" C:\Windows\M46040\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1460400TT4 = "C:\\Windows\\system32\\238408756174l.exe" C:\Windows\M46040\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T57Z384 = "C:\\Windows\\sa-76400.exe" C:\Windows\M46040\EmangEloh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1460400TT4 = "C:\\Windows\\system32\\238408756174l.exe" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T57Z384 = "C:\\Windows\\sa-076400.exe" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1460400TT4 = "C:\\Windows\\system32\\238408756174l.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T57Z384 = "C:\\Windows\\sa-76400.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1460400TT4 = "C:\\Windows\\system32\\238408756174l.exe" C:\Windows\M46040\smss.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\q: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\i: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\j: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\v: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\z: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\t: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\w: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\x: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\y: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\o: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\p: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\s: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\t: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\o: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\z: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\e: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\m: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\q: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\l: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\u: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\h: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\l: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\u: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened (read-only) \??\h: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\e: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\x: C:\Windows\M46040\EmangEloh.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened (read-only) \??\i: C:\Windows\M46040\smss.exe N/A
File opened (read-only) \??\m: C:\Windows\M46040\EmangEloh.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\238408756174l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\X72456go\Z238408cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\238408756174l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\238408756174l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\X72456go\Z238408cie.cmd C:\Windows\M46040\EmangEloh.exe N/A
File created C:\Windows\SysWOW64\238408756174l.exe C:\Windows\M46040\EmangEloh.exe N/A
File created \??\c:\Windows\SysWOW64\IME\shared\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\shared\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created C:\Windows\SysWOW64\238408756174l.exe C:\Windows\M46040\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\238408756174l.exe C:\Windows\M46040\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M46040\EmangEloh.exe N/A
File created \??\c:\Windows\SysWOW64\IME\shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\238408756174l.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\238408756174l.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\X72456go\Z238408cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M46040\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\X72456go\Z238408cie.cmd C:\Windows\M46040\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\238408756174l.exe C:\Windows\M46040\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File created C:\Windows\SysWOW64\238408756174l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File created C:\Windows\SysWOW64\X72456go\Z238408cie.cmd C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created \??\c:\Program Files\DVD Maker\Shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\Download\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification \??\c:\Program Files\DVD Maker\Shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created \??\c:\Program Files (x86)\Common Files\microsoft shared\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created \??\c:\Program Files\Common Files\Microsoft Shared\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\M46040 C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File created C:\Windows\M46040\Ja167042bLay.com C:\Windows\M46040\EmangEloh.exe N/A
File opened for modification C:\Windows\Ti756174ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\ServiceProfiles\LocalService\Downloads\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created C:\Windows\M46040\EmangEloh.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File created C:\Windows\M46040\Ja167042bLay.com C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\sa-076400.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File created C:\Windows\M46040\smss.exe C:\Windows\M46040\EmangEloh.exe N/A
File created C:\Windows\M46040\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification C:\Windows\Ti756174ta.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File created C:\Windows\Ti756174ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification C:\Windows\M46040\Ja167042bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created C:\Windows\sa-76400.exe C:\Windows\M46040\smss.exe N/A
File opened for modification C:\Windows\M46040\EmangEloh.exe C:\Windows\M46040\smss.exe N/A
File opened for modification C:\Windows\M46040\EmangEloh.exe C:\Windows\M46040\EmangEloh.exe N/A
File opened for modification C:\Windows\[TheMoonlight].txt C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened for modification C:\Windows\M46040 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created C:\Windows\M46040\Ja167042bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created C:\Windows\M46040\Ja167042bLay.com C:\Windows\M46040\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created C:\Windows\M46040\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created C:\Windows\M46040\EmangEloh.exe C:\Windows\M46040\EmangEloh.exe N/A
File created C:\Windows\sa-76400.exe C:\Windows\M46040\EmangEloh.exe N/A
File opened for modification C:\Windows\[TheMoonlight].txt C:\Windows\M46040\EmangEloh.exe N/A
File created C:\Windows\M46040\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened for modification C:\Windows\Ti756174ta.exe C:\Windows\M46040\smss.exe N/A
File opened for modification C:\Windows\M46040\Ja167042bLay.com C:\Windows\M46040\smss.exe N/A
File created C:\Windows\sa-76400.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened for modification C:\Windows\M46040\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File created \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created \??\c:\Windows\ServiceProfiles\LocalService\Downloads\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification \??\c:\Windows\SoftwareDistribution\Download\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification \??\c:\Windows\ServiceProfiles\NetworkService\Downloads\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created C:\Windows\M46040\smss.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File created C:\Windows\sa-076400.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\M46040\EmangEloh.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Ti756174ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created C:\Windows\[TheMoonlight].txt C:\Windows\M46040\smss.exe N/A
File opened for modification C:\Windows\M46040 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened for modification C:\Windows\M46040\Ja167042bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created C:\Windows\Ti756174ta.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\M46040\Ja167042bLay.com C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created \??\c:\Windows\Downloaded Program Files\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created C:\Windows\sa-76400.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification C:\Windows\sa-76400.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification C:\Windows\Ti756174ta.exe C:\Windows\M46040\EmangEloh.exe N/A
File created C:\Windows\Ti756174ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\Downloaded Program Files\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File opened for modification \??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created C:\Windows\M46040\Ja167042bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
File created \??\c:\Windows\ServiceProfiles\NetworkService\Downloads\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\M46040 C:\Windows\M46040\smss.exe N/A
File opened for modification C:\Windows\M46040 C:\Windows\M46040\EmangEloh.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M46040\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M46040\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M46040\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M46040\smss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2644 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 2644 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 2644 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2644 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 2644 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe
PID 2644 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe
PID 2644 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe
PID 2644 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe
PID 2644 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M46040\smss.exe
PID 2644 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M46040\smss.exe
PID 2644 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M46040\smss.exe
PID 2644 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M46040\smss.exe
PID 2644 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M46040\EmangEloh.exe
PID 2644 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M46040\EmangEloh.exe
PID 2644 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M46040\EmangEloh.exe
PID 2644 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M46040\EmangEloh.exe
PID 2644 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe
PID 2644 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe
PID 2644 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe
PID 2644 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe
PID 2840 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe C:\Windows\system32\taskhost.exe
PID 2840 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe C:\Windows\system32\Dwm.exe
PID 2840 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe C:\Windows\Explorer.EXE
PID 2840 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe C:\Windows\M46040\smss.exe
PID 2840 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe C:\Windows\M46040\smss.exe
PID 2840 wrote to memory of 948 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe C:\Windows\M46040\EmangEloh.exe
PID 2840 wrote to memory of 948 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe C:\Windows\M46040\EmangEloh.exe
PID 2840 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe
PID 2840 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\service.exe"

C:\Windows\M46040\smss.exe

"C:\Windows\M46040\smss.exe"

C:\Windows\M46040\EmangEloh.exe

"C:\Windows\M46040\EmangEloh.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O75857Z\winlogon.exe"

Network

N/A

Files

memory/2644-0-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2644-1-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2644-12-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/2644-6-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/2644-7-0x00000000005C0000-0x000000000164E000-memory.dmp

C:\Windows\M46040\EmangEloh.exe

MD5 adf9b89250646ad68a494f6b5bbff340
SHA1 7bc5beddbe247519437a751921e4d55255a75523
SHA256 a00af6e093523e54d079c468dd68b5f5dde341190b4e3ebae177ed4f45bae50e
SHA512 f9b106bc2899c7e66faaf8972fcfb4467032f6b751d9c941f6d39d8206b0d2b4294ee6c5165992bbd623d6278ecb919202cb7f833907e6e045bc2ff56493084c

memory/2644-4-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/2644-5-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/2644-9-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/2644-48-0x0000000003980000-0x0000000003981000-memory.dmp

memory/2644-10-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/2644-45-0x0000000003980000-0x0000000003981000-memory.dmp

memory/2644-55-0x0000000003920000-0x0000000003922000-memory.dmp

memory/2644-56-0x0000000003920000-0x0000000003922000-memory.dmp

memory/2644-44-0x0000000003920000-0x0000000003922000-memory.dmp

memory/1192-37-0x0000000002090000-0x0000000002092000-memory.dmp

memory/2644-8-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/2644-11-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/2644-58-0x0000000005A30000-0x0000000005A40000-memory.dmp

memory/2644-59-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/2840-69-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2644-62-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/2840-70-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2948-79-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2948-82-0x00000000001B0000-0x00000000001B2000-memory.dmp

C:\Windows\system\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

memory/2644-67-0x0000000005B70000-0x0000000005BA2000-memory.dmp

memory/2644-116-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2644-121-0x0000000006810000-0x0000000006842000-memory.dmp

memory/2644-117-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/948-122-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Windows\[TheMoonlight].txt

MD5 68c7836c8ff19e87ca33a7959a2bdff5
SHA1 cc5d0205bb71c10bbed22fe47e59b1f6817daab7
SHA256 883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec
SHA512 3656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8

memory/2644-135-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/2644-136-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/1236-142-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2644-140-0x0000000006810000-0x0000000006842000-memory.dmp

memory/2644-139-0x0000000006810000-0x0000000006842000-memory.dmp

memory/2644-170-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 b45893df06098cf54d5d3d5bec75e150
SHA1 3ffd66d2d75b791b9d8eacf744f2e8f14e396626
SHA256 3298898b8e9b4d9172322c0988e14c6917784c2ad34fbbbcd9d733b0a27bc377
SHA512 6b746f055138e14f46e9bc9ad1836cdb6fc85ee5ec1934756442a4b61d1c63130078eeccca00e6b71c13183c55bd8229b378e8b753bd86b9080fcbaad8cce177

memory/2840-213-0x0000000003C00000-0x0000000004C8E000-memory.dmp

memory/2840-216-0x0000000003C00000-0x0000000004C8E000-memory.dmp

memory/2948-234-0x0000000002800000-0x0000000002801000-memory.dmp

memory/2840-228-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

memory/2840-268-0x0000000000220000-0x0000000000222000-memory.dmp

memory/948-429-0x0000000000400000-0x0000000000432000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 07:44

Reported

2024-06-14 07:47

Platform

win10v2004-20240508-en

Max time kernel

28s

Max time network

66s

Command Line

"fontdrvhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O86068Z\\TuxO86068Z.exe\"" C:\Windows\M68162\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M68162\\Ja178153bLay.com\"" C:\Windows\M68162\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O86068Z\\TuxO86068Z.exe\"" C:\Windows\M68162\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M68162\\Ja178153bLay.com\"" C:\Windows\M68162\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O86068Z\\TuxO86068Z.exe\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M68162\\Ja178153bLay.com\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M68162\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M68162\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M68162\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M68162\smss.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M68162\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M68162\EmangEloh.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M68162\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M68162\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M68162\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M68162\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M68162\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M68162\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M68162\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M68162\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M68162\EmangEloh.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M68162\smss.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T68Z405 = "C:\\Windows\\sa-187410.exe" C:\Windows\M68162\EmangEloh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1681410TT4 = "C:\\Windows\\system32\\340510867285l.exe" C:\Windows\M68162\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T68Z405 = "C:\\Windows\\sa-187410.exe" C:\Windows\M68162\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1681410TT4 = "C:\\Windows\\system32\\340510867285l.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T68Z405 = "C:\\Windows\\sa-187410.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1681410TT4 = "C:\\Windows\\system32\\340510867285l.exe" C:\Windows\M68162\EmangEloh.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened (read-only) \??\g: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\j: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\x: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\l: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\u: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\y: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\h: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\w: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened (read-only) \??\z: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\k: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\p: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\q: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\w: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened (read-only) \??\u: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\y: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\i: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened (read-only) \??\i: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\N: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\h: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\e: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\z: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\j: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\k: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\g: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\t: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened (read-only) \??\r: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\s: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\N: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\t: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\v: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\x: C:\Windows\M68162\smss.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\q: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\r: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened (read-only) \??\p: C:\Windows\M68162\EmangEloh.exe N/A
File opened (read-only) \??\v: C:\Windows\M68162\EmangEloh.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\SysWOW64\IME\SHARED\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created C:\Windows\SysWOW64\340510867285l.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\340510867285l.exe C:\Windows\M68162\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\340510867285l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\SHARED\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\340510867285l.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\X73557go\Z340510cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\X73557go\Z340510cie.cmd C:\Windows\M68162\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\X73557go\Z340510cie.cmd C:\Windows\M68162\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\340510867285l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File created C:\Windows\SysWOW64\340510867285l.exe C:\Windows\M68162\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\SHARED\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\IME\SHARED\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\X73557go\Z340510cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M68162\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created C:\Windows\SysWOW64\X73557go\Z340510cie.cmd C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\340510867285l.exe C:\Windows\M68162\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\340510867285l.exe C:\Windows\M68162\smss.exe N/A
File created C:\Windows\SysWOW64\340510867285l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M68162\EmangEloh.exe N/A
File created C:\Windows\SysWOW64\340510867285l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files\dotnet\shared\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files\Windows Sidebar\Shared Gadgets\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files (x86)\Common Files\Microsoft Shared\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Microsoft Shared\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\Updates\Download\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\Updates\Download\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files\Common Files\microsoft shared\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Program Files\dotnet\shared\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Shared Gadgets\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\Download\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Windows\SoftwareDistribution\Download\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created C:\Windows\Ti867285ta.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created C:\Windows\M68162\Ja178153bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\ServiceProfiles\LocalService\Downloads\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification \??\c:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created C:\Windows\sa-187410.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\SystemResources\Windows.ShellCommon.SharedResources\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\Windows\sa-187410.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\Windows\M68162\EmangEloh.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File created C:\Windows\Ti867285ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\Downloaded Program Files\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created C:\Windows\M68162\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File created C:\Windows\sa-187410.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\Windows\M68162\Ja178153bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\SoftwareDistribution\Download\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\Windows\Ti867285ta.exe C:\Windows\M68162\smss.exe N/A
File created \??\c:\Windows\ServiceProfiles\NetworkService\Downloads\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created C:\Windows\Ti867285ta.exe C:\Windows\M68162\EmangEloh.exe N/A
File created C:\Windows\M68162\smss.exe C:\Windows\M68162\smss.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\Windows\Ti867285ta.exe C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\Windows\M68162\Ja178153bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File opened for modification C:\Windows\M68162\EmangEloh.exe C:\Windows\M68162\EmangEloh.exe N/A
File opened for modification C:\Windows\sa-187410.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M68162\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M68162\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M68162\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M68162\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3444 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3444 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3444 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3444 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3444 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3444 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3444 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3444 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3444 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3444 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3444 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3444 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3444 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3444 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3444 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3444 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3444 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe
PID 3444 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe
PID 3444 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe
PID 3444 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M68162\smss.exe
PID 3444 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M68162\smss.exe
PID 3444 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M68162\smss.exe
PID 3444 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M68162\EmangEloh.exe
PID 3444 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M68162\EmangEloh.exe
PID 3444 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Windows\M68162\EmangEloh.exe
PID 3444 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe
PID 3444 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe
PID 3444 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe
PID 2416 wrote to memory of 788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\fontdrvhost.exe
PID 2416 wrote to memory of 796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\fontdrvhost.exe
PID 2416 wrote to memory of 316 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\dwm.exe
PID 2416 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\svchost.exe
PID 2416 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\sihost.exe
PID 2416 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\taskhostw.exe
PID 2416 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\Explorer.EXE
PID 2416 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\svchost.exe
PID 2416 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\DllHost.exe
PID 2416 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2416 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\System32\RuntimeBroker.exe
PID 2416 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2416 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\System32\RuntimeBroker.exe
PID 2416 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2416 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\System32\RuntimeBroker.exe
PID 2416 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\M68162\smss.exe
PID 2416 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\M68162\smss.exe
PID 2416 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\M68162\EmangEloh.exe
PID 2416 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\M68162\EmangEloh.exe
PID 2416 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe
PID 2416 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe
PID 2416 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\System32\RuntimeBroker.exe
PID 2416 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\System32\RuntimeBroker.exe
PID 2416 wrote to memory of 788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\fontdrvhost.exe
PID 2416 wrote to memory of 796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\fontdrvhost.exe
PID 2416 wrote to memory of 316 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\dwm.exe
PID 2416 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\svchost.exe
PID 2416 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\sihost.exe
PID 2416 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\taskhostw.exe
PID 2416 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\Explorer.EXE
PID 2416 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\svchost.exe
PID 2416 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\system32\DllHost.exe
PID 2416 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2416 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\System32\RuntimeBroker.exe
PID 2416 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2416 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\adf9b89250646ad68a494f6b5bbff340_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe"

C:\Windows\M68162\smss.exe

"C:\Windows\M68162\smss.exe"

C:\Windows\M68162\EmangEloh.exe

"C:\Windows\M68162\EmangEloh.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3444-0-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3444-1-0x00000000007B0000-0x000000000183E000-memory.dmp

memory/3444-5-0x00000000007B0000-0x000000000183E000-memory.dmp

memory/3444-47-0x0000000003A90000-0x0000000003A92000-memory.dmp

memory/3444-13-0x00000000007B0000-0x000000000183E000-memory.dmp

memory/3444-46-0x00000000007B0000-0x000000000183E000-memory.dmp

memory/3444-48-0x00000000007B0000-0x000000000183E000-memory.dmp

memory/3444-56-0x00000000007B0000-0x000000000183E000-memory.dmp

memory/3444-45-0x00000000007B0000-0x000000000183E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe

MD5 adf9b89250646ad68a494f6b5bbff340
SHA1 7bc5beddbe247519437a751921e4d55255a75523
SHA256 a00af6e093523e54d079c468dd68b5f5dde341190b4e3ebae177ed4f45bae50e
SHA512 f9b106bc2899c7e66faaf8972fcfb4467032f6b751d9c941f6d39d8206b0d2b4294ee6c5165992bbd623d6278ecb919202cb7f833907e6e045bc2ff56493084c

memory/3444-55-0x0000000003A90000-0x0000000003A92000-memory.dmp

memory/3444-14-0x00000000007B0000-0x000000000183E000-memory.dmp

memory/3444-4-0x00000000007B0000-0x000000000183E000-memory.dmp

memory/4584-128-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4584-131-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2608-130-0x0000000000550000-0x0000000000552000-memory.dmp

C:\Windows\system\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/2288-155-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2416-129-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2608-127-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2416-126-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3444-3-0x00000000007B0000-0x000000000183E000-memory.dmp

memory/3444-17-0x0000000001950000-0x0000000001952000-memory.dmp

memory/3444-16-0x0000000003B50000-0x0000000003B51000-memory.dmp

memory/3444-15-0x0000000003A90000-0x0000000003A92000-memory.dmp

memory/3444-166-0x00000000007B0000-0x000000000183E000-memory.dmp

C:\Windows\[TheMoonlight].txt

MD5 68c7836c8ff19e87ca33a7959a2bdff5
SHA1 cc5d0205bb71c10bbed22fe47e59b1f6817daab7
SHA256 883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec
SHA512 3656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8

memory/3444-205-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3444-190-0x00000000007B0000-0x000000000183E000-memory.dmp

memory/3444-189-0x0000000003A90000-0x0000000003A92000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 2414840037464b899eac4f4cc8064e63
SHA1 a65a4bb41f30491db1b85b65e311d4cb83b3d32e
SHA256 19dbd05e358068eba41b4881e6dd05d8feff5c580b572ce47c081e2fb2c27dd6
SHA512 1e872e6daab839e2161e5fd9fee99915310dee35571c5fadf84ceed40bf20d0aef56e91e745350afad37b24150d6eb9bf364537c5e9d9b5353d8651ce381e901

memory/2416-274-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2416-290-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2416-289-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2416-291-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2416-277-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2288-295-0x00000000020A0000-0x00000000020A2000-memory.dmp

memory/4584-294-0x0000000000620000-0x0000000000622000-memory.dmp

memory/2608-293-0x0000000002590000-0x0000000002592000-memory.dmp

memory/2416-292-0x00000000020E0000-0x00000000020E2000-memory.dmp

memory/2416-288-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2416-284-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2416-287-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/4584-283-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/2416-276-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2608-281-0x00000000033F0000-0x00000000033F1000-memory.dmp

memory/2288-286-0x00000000021D0000-0x00000000021D1000-memory.dmp

memory/2416-279-0x0000000002280000-0x0000000002281000-memory.dmp

memory/2416-296-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2288-301-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4584-299-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2416-297-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2416-300-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2608-298-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2416-302-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2416-310-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2416-309-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2416-322-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2416-323-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2416-324-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2416-325-0x0000000002FA0000-0x000000000402E000-memory.dmp

memory/2608-373-0x0000000000550000-0x0000000000552000-memory.dmp

C:\xrwiik.exe

MD5 2ada34e193574e95d10f9185c3e8868f
SHA1 539eab027338712ca04bf34a16d0eb47bfb720a0
SHA256 db006e8652a5aceeeea5b9b3f13ddb79f4cb7a51bd524f356d7f9508426275d9
SHA512 809cbb50df64d0eaae9088d7ed469a5b1fc3c0b98204cc629f55e30fb36cc7afde9bede3f062425befefe9264d817aad02fc8b28f254289334cb121de3ebdac5
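The Files list above names each memory dump as memory/<pid>-<seq>-<start>-<end>-memory.dmp and follows each dropped file with its hashes, so the same region (for example 0x7B0000-0x183E000 in PID 3444) appears many times as it was dumped repeatedly. Two facts worth pulling out of it: the dropped service.exe under Templates\O86068Z carries the MD5 that also appears in the submitted sample's file name and the sample's SHA256, so it is a copy of the sample itself rather than a second payload, and msvbvm60.dll is the Visual Basic 6 runtime, dropped into C:\Windows\system rather than System32. As an added example (not part of the sandbox's report or tooling), the following Python script parses that layout, collapses repeated dumps into one distinct region per PID with its size, and flags dropped files whose hash equals the submitted sample; the embedded input is a subset of the entries above, copied verbatim.

```python
import re
from collections import defaultdict

# Subset of the report's Files list, copied verbatim (constructed input for the example).
FILES_SECTION = """
memory/3444-0-0x0000000000400000-0x0000000000432000-memory.dmp
memory/3444-1-0x00000000007B0000-0x000000000183E000-memory.dmp
memory/3444-5-0x00000000007B0000-0x000000000183E000-memory.dmp
memory/3444-47-0x0000000003A90000-0x0000000003A92000-memory.dmp
C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O86068Z\\service.exe
MD5 adf9b89250646ad68a494f6b5bbff340
SHA1 7bc5beddbe247519437a751921e4d55255a75523
SHA256 a00af6e093523e54d079c468dd68b5f5dde341190b4e3ebae177ed4f45bae50e
memory/4584-128-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2608-130-0x0000000000550000-0x0000000000552000-memory.dmp
C:\\Windows\\system\\msvbvm60.dll
MD5 25f62c02619174b35851b0e0455b3d94
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
memory/2416-274-0x0000000002FA0000-0x000000000402E000-memory.dmp
memory/2416-296-0x0000000000400000-0x0000000000432000-memory.dmp
C:\\xrwiik.exe
MD5 2ada34e193574e95d10f9185c3e8868f
SHA256 db006e8652a5aceeeea5b9b3f13ddb79f4cb7a51bd524f356d7f9508426275d9
"""

# Hashes of the submitted sample: the MD5 is in the sample's file name,
# the SHA256 is the one the report header lists.
SAMPLE_MD5 = "adf9b89250646ad68a494f6b5bbff340"
SAMPLE_SHA256 = "a00af6e093523e54d079c468dd68b5f5dde341190b4e3ebae177ed4f45bae50e"

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")


def parse_files_section(text):
    """Return (dumps, dropped).

    dumps:   {pid: [(seq, start, end), ...]} sorted by dump sequence number
    dropped: {path: {"MD5": ..., "SHA1": ..., ...}} with lower-case hex digests
    """
    dumps = defaultdict(list)
    dropped = {}
    current = None  # path of the dropped file whose hash block we are inside
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps[int(pid)].append((int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                dropped[current][m.group(1)] = m.group(2).lower()
            continue  # a hash with no preceding path is ignored
        # Anything else is a dropped-file path that opens a new hash block.
        current = line
        dropped.setdefault(current, {})
    for pid in dumps:
        dumps[pid].sort()
    return dict(dumps), dropped


def region_summary(dumps):
    """One entry per distinct (start, end) range per PID: (start, end, size_in_bytes)."""
    out = {}
    for pid, regions in dumps.items():
        distinct = sorted({(s, e) for _, s, e in regions})
        out[pid] = [(s, e, e - s) for s, e in distinct]
    return out


def self_copies(dropped, md5=SAMPLE_MD5, sha256=SAMPLE_SHA256):
    """Dropped files whose digest equals the submitted sample, i.e. the sample copied itself."""
    return sorted(p for p, h in dropped.items()
                  if h.get("MD5") == md5 or h.get("SHA256") == sha256)


if __name__ == "__main__":
    dumps, dropped = parse_files_section(FILES_SECTION)
    for pid, regions in sorted(region_summary(dumps).items()):
        for s, e, size in regions:
            print(f"PID {pid}: 0x{s:08X}-0x{e:08X} ({size // 1024} KiB)")
    print("self-copies of the sample:", self_copies(dropped))
```

The size column is the useful part for triage: every PID has the 0x32000-byte image mapping at 0x400000 (the UPX-packed sample's own image), while PIDs 3444 and 2416 each also carry a roughly 16.5 MiB private region (0x7B0000-0x183E000 and 0x2FA0000-0x402E000), which is where an unpacked payload would be looked for before the small 8 KiB regions.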