071b1e99af09b93b9f174003adf19545eeca982d2cfa94da8f2276fd0a99c889

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
Size

3.0MB
MD5

709277220bb33f317b3fab7202799cb0
SHA1

b8f279be36a365c6ca1f14b84a94d46a7d2e1b02
SHA256

071b1e99af09b93b9f174003adf19545eeca982d2cfa94da8f2276fd0a99c889
SHA512

6e545146971f3423dca871c4b1f32a71c50875689dd9be54fe2fedda07c4bc900bf39f3a7579024865986ba0d90c901dee4dd90039e9d742747d47c510feaccc
SSDEEP

49152:sNKCNMzi/hUtlii+e1W2MczIxkNe8DZ93RQAYPENeG9/cPROKsoMn:yKuMzi/hKliu1Ux0e8DZbzd

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2868	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
2648	icsys.icn.exe
2532	explorer.exe
2600	spoolsv.exe
2512	svchost.exe
2900	spoolsv.exe

Loads dropped DLL 6 IoCs

pid	Process
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
2648	icsys.icn.exe
2532	explorer.exe
2600	spoolsv.exe
2512	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Program Files directory 36 IoCs

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1976	schtasks.exe
2564	schtasks.exe
1800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2532	explorer.exe
2512	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2868	709277220bb33f317b3fab7202799cb0_neikianalytics.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
2648	icsys.icn.exe
2648	icsys.icn.exe
2532	explorer.exe
2532	explorer.exe
2600	spoolsv.exe
2600	spoolsv.exe
2512	svchost.exe
2512	svchost.exe
2900	spoolsv.exe
2900	spoolsv.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2868	1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 2868	1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 2868	1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 2868	1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 2868	1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 2868	1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 2868	1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 2648	1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	29
PID 1192 wrote to memory of 2648	1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	29
PID 1192 wrote to memory of 2648	1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	29
PID 1192 wrote to memory of 2648	1192	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	29
PID 2648 wrote to memory of 2532	2648	icsys.icn.exe	30
PID 2648 wrote to memory of 2532	2648	icsys.icn.exe	30
PID 2648 wrote to memory of 2532	2648	icsys.icn.exe	30
PID 2648 wrote to memory of 2532	2648	icsys.icn.exe	30
PID 2532 wrote to memory of 2600	2532	explorer.exe	31
PID 2532 wrote to memory of 2600	2532	explorer.exe	31
PID 2532 wrote to memory of 2600	2532	explorer.exe	31
PID 2532 wrote to memory of 2600	2532	explorer.exe	31
PID 2600 wrote to memory of 2512	2600	spoolsv.exe	32
PID 2600 wrote to memory of 2512	2600	spoolsv.exe	32
PID 2600 wrote to memory of 2512	2600	spoolsv.exe	32
PID 2600 wrote to memory of 2512	2600	spoolsv.exe	32
PID 2512 wrote to memory of 2900	2512	svchost.exe	33
PID 2512 wrote to memory of 2900	2512	svchost.exe	33
PID 2512 wrote to memory of 2900	2512	svchost.exe	33
PID 2512 wrote to memory of 2900	2512	svchost.exe	33
PID 2532 wrote to memory of 1932	2532	explorer.exe	34
PID 2532 wrote to memory of 1932	2532	explorer.exe	34
PID 2532 wrote to memory of 1932	2532	explorer.exe	34
PID 2532 wrote to memory of 1932	2532	explorer.exe	34
PID 2512 wrote to memory of 1976	2512	svchost.exe	35
PID 2512 wrote to memory of 1976	2512	svchost.exe	35
PID 2512 wrote to memory of 1976	2512	svchost.exe	35
PID 2512 wrote to memory of 1976	2512	svchost.exe	35
PID 2512 wrote to memory of 2564	2512	svchost.exe	40
PID 2512 wrote to memory of 2564	2512	svchost.exe	40
PID 2512 wrote to memory of 2564	2512	svchost.exe	40
PID 2512 wrote to memory of 2564	2512	svchost.exe	40
PID 2512 wrote to memory of 1800	2512	svchost.exe	42
PID 2512 wrote to memory of 1800	2512	svchost.exe	42
PID 2512 wrote to memory of 1800	2512	svchost.exe	42
PID 2512 wrote to memory of 1800	2512	svchost.exe	42

C:\Users\Admin\AppData\Local\Temp\709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192
- \??\c:\users\admin\appdata\local\temp\709277220bb33f317b3fab7202799cb0_neikianalytics.exe
  c:\users\admin\appdata\local\temp\709277220bb33f317b3fab7202799cb0_neikianalytics.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:2868
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2648
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2600
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2900
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:10 /f
        6⤵
        Creates scheduled task(s)
        
        PID:1976
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:11 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2564
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:12 /f
        6⤵
        Creates scheduled task(s)
        
        PID:1800
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Korean\install_tips.png

Filesize
2KB

MD5
28fbf016e49eed024ebc37a11e1f883a

SHA1
032ee9a583d9482cea6cb617925a8ad0be9b175f

SHA256
78afdaf35fa6173b08621270842b5d8d899b966ffdfa986a9e98f372afd4f419

SHA512
fe250df9f481f5b5e9993834059f707bc51af1f4334fae3e1f0034b802dd25aac4aec1a27478c65e72b4fc353ff49e555bb92d9a51ccd14605c02293baa40cb0

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
134347a595ee88d9787e45537289327d

SHA1
02a6339c6a4ddebfdf4b60d686baba7010bf72d3

SHA256
5007b7a40b99880807cda00274fa8ab84b0047f3d7e7d8df63f6590caa28368e

SHA512
162b44a05cdcecdc7a212e414e482642d079848ea609d215e77bf13a85a85e146dcc02c87b89e8ddb4e128bb956ac1bcaad105ddf3b37659ffcd5e31b55b9ac0

Download Submit
\Users\Admin\AppData\Local\Temp\709277220bb33f317b3fab7202799cb0_neikianalytics.exe

Filesize
2.9MB

MD5
ad3758c00bb6c07b62606343be38c76d

SHA1
6566d1b73f98f3b54880fa75cf0b426ce2f7a31e

SHA256
e7203832d9446b7ce61522da387f59da0880302d6c72616256ef2eb75cd4cbad

SHA512
7eb8633d6b3bb5628d8c9c3d49bcdc549643479f163f679a99da167906cc36e39581da7d3599555a71bf6c8a39d6b77e01d0591beb292c0dd367e528f7698050

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
6d56d4d34e638bd2b3b7b6524207a67c

SHA1
fe89f129836bedcea1dc85a0c755122c6790b48f

SHA256
704b6624cf77359f9b5844f7586177623c580167cb57543f4c27e2319bb84375

SHA512
e26753564b3d7d779b247878dfc90eb49f804b21b2e890952fdc5964168caf1a790c2ae848bc59b202eca8a666ae375fd592597eeefa4d5b83e936087a51742e

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
6b3490faff241e2b6ee0c2bbd83c85b9

SHA1
4d095fd7a869bd70afe4fc451e96eafecb49d14a

SHA256
faad1533438b892152a931c545db8a063edf7709b916965d9a816c396ec20666

SHA512
abd328f8529d1f3d684afb4877dbc527e6b1a46c603890b2992cfcedbd7b4de08257674792709fc8fa547b8f981d64fca67486b79f7cb3cdf6652d14cca02768

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
0a557eb1a8fb79ad096380bd4e7fa8b5

SHA1
d3babb916e468689b65c932d4386544aa0a4a842

SHA256
dd4580a077128c7e445269580aa66d7930644bf3286815f0f8a32dbdec742ac3

SHA512
fee1d23fdcf16e9f6b5be5dd87d23f63707c947b1bd2b58632b34d58aaed018a72ae28113b7a327e8328ca00e583e6767fc7371f0dcd62517051d189ac29807f

Download Submit
memory/1192-57-0x0000000000380000-0x000000000039F000-memory.dmp

Filesize
124KB

Download
memory/1192-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1192-100-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2600-88-0x00000000002C0000-0x00000000002DF000-memory.dmp

Filesize
124KB

Download
memory/2648-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2648-65-0x0000000001B60000-0x0000000001B7F000-memory.dmp

Filesize
124KB

Download
memory/2648-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2900-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2900-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

description	ioc	Process
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\ChineseTW\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\English\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File opened for modification	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\Log\imyfone_down.log	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\German\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Indonesian\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\language.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Spanish\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Swedish\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\German\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Japanese\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Spanish\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Arabic\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\French\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Korean\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Portuguese\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Portuguese\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Spanish\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Arabic\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\English\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Indonesian\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Japanese\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Korean\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\productInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Arabic\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\ChineseTW\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\French\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\German\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Japanese\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Portuguese\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Swedish\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\ChineseTW\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\English\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Korean\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Swedish\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\French\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Indonesian\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe