071b1e99af09b93b9f174003adf19545eeca982d2cfa94da8f2276fd0a99c889

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 09:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
Size

3.0MB
MD5

709277220bb33f317b3fab7202799cb0
SHA1

b8f279be36a365c6ca1f14b84a94d46a7d2e1b02
SHA256

071b1e99af09b93b9f174003adf19545eeca982d2cfa94da8f2276fd0a99c889
SHA512

6e545146971f3423dca871c4b1f32a71c50875689dd9be54fe2fedda07c4bc900bf39f3a7579024865986ba0d90c901dee4dd90039e9d742747d47c510feaccc
SSDEEP

49152:sNKCNMzi/hUtlii+e1W2MczIxkNe8DZ93RQAYPENeG9/cPROKsoMn:yKuMzi/hKliu1Ux0e8DZbzd

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
4396	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
2452	icsys.icn.exe
780	explorer.exe
3916	spoolsv.exe
3000	svchost.exe
2552	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Program Files directory 36 IoCs

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
2452	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
780	explorer.exe
3000	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4396	709277220bb33f317b3fab7202799cb0_neikianalytics.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
2452	icsys.icn.exe
2452	icsys.icn.exe
780	explorer.exe
780	explorer.exe
3916	spoolsv.exe
3916	spoolsv.exe
3000	svchost.exe
3000	svchost.exe
2552	spoolsv.exe
2552	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 4396	1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	89
PID 1960 wrote to memory of 4396	1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	89
PID 1960 wrote to memory of 4396	1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	89
PID 1960 wrote to memory of 2452	1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	91
PID 1960 wrote to memory of 2452	1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	91
PID 1960 wrote to memory of 2452	1960	709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe	91
PID 2452 wrote to memory of 780	2452	icsys.icn.exe	93
PID 2452 wrote to memory of 780	2452	icsys.icn.exe	93
PID 2452 wrote to memory of 780	2452	icsys.icn.exe	93
PID 780 wrote to memory of 3916	780	explorer.exe	94
PID 780 wrote to memory of 3916	780	explorer.exe	94
PID 780 wrote to memory of 3916	780	explorer.exe	94
PID 3916 wrote to memory of 3000	3916	spoolsv.exe	96
PID 3916 wrote to memory of 3000	3916	spoolsv.exe	96
PID 3916 wrote to memory of 3000	3916	spoolsv.exe	96
PID 3000 wrote to memory of 2552	3000	svchost.exe	97
PID 3000 wrote to memory of 2552	3000	svchost.exe	97
PID 3000 wrote to memory of 2552	3000	svchost.exe	97

C:\Users\Admin\AppData\Local\Temp\709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\709277220bb33f317b3fab7202799cb0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- \??\c:\users\admin\appdata\local\temp\709277220bb33f317b3fab7202799cb0_neikianalytics.exe
  c:\users\admin\appdata\local\temp\709277220bb33f317b3fab7202799cb0_neikianalytics.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:4396
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2452
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:780
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3916
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8
1⤵
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Korean\install_tips.png

Filesize
2KB

MD5
28fbf016e49eed024ebc37a11e1f883a

SHA1
032ee9a583d9482cea6cb617925a8ad0be9b175f

SHA256
78afdaf35fa6173b08621270842b5d8d899b966ffdfa986a9e98f372afd4f419

SHA512
fe250df9f481f5b5e9993834059f707bc51af1f4334fae3e1f0034b802dd25aac4aec1a27478c65e72b4fc353ff49e555bb92d9a51ccd14605c02293baa40cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\709277220bb33f317b3fab7202799cb0_neikianalytics.exe

Filesize
2.9MB

MD5
ad3758c00bb6c07b62606343be38c76d

SHA1
6566d1b73f98f3b54880fa75cf0b426ce2f7a31e

SHA256
e7203832d9446b7ce61522da387f59da0880302d6c72616256ef2eb75cd4cbad

SHA512
7eb8633d6b3bb5628d8c9c3d49bcdc549643479f163f679a99da167906cc36e39581da7d3599555a71bf6c8a39d6b77e01d0591beb292c0dd367e528f7698050

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
44317020abbb097a2156cc1d2c6619f3

SHA1
5fbe96ca45ae3f007e547a891f6a04585ed04cbe

SHA256
35e624cbffd69959a441bd863c0534bc2af182ad205f6d294c3dd7e09d763fb2

SHA512
04e79d3a112cfef44011cbb2725960df4d074250d4cac20df7936b0c23a07128d2ed557569a682c4f148abf7290153491e9d2ab0fd9a60c512a048c6f099b2e8

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
6d56d4d34e638bd2b3b7b6524207a67c

SHA1
fe89f129836bedcea1dc85a0c755122c6790b48f

SHA256
704b6624cf77359f9b5844f7586177623c580167cb57543f4c27e2319bb84375

SHA512
e26753564b3d7d779b247878dfc90eb49f804b21b2e890952fdc5964168caf1a790c2ae848bc59b202eca8a666ae375fd592597eeefa4d5b83e936087a51742e

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
dc3845b16bf710dd624a34cc8fea63de

SHA1
76481cc43f3147576588049d296ba57d10f8f99e

SHA256
78590b04ffab5a276d4980a951881399a20a460a0f9788764094aaf00952db03

SHA512
00246223f48fc77e106c76f54108ba1a9e8d67caea685cc1943149b044254c3e94eb109ba54c71fcca5245e142b790ac12ad9c81a112ce43552ed3b5faf9726e

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
26df7e4276d7fd0f62f0de46116caef8

SHA1
5e061a7f464151abea339e0f9d72b07d58a3422b

SHA256
133cf8a19226cbcc8c43427a840453377342379106a3d318299f50ffe1e9bbd9

SHA512
24a293d06b1757f058f0303cb51ca3fb7287e3299a02d1d88e08d5f8b86d0b5dea224b07f0ebe19b5c672c861d6bf9e18fa8b299aeed35ed6da2ef786e58bd89

Download Submit
memory/1960-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2552-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3916-86-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

description	ioc	Process
File opened for modification	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\Log\imyfone_down.log	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\German\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\English\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\English\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Indonesian\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Indonesian\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Arabic\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\ChineseTW\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\ChineseTW\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\English\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Japanese\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Spanish\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Swedish\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\ChineseTW\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\German\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Korean\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Swedish\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Arabic\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\French\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Japanese\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Korean\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Japanese\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Portuguese\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Swedish\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\language.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Portuguese\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Spanish\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Spanish\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\French\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Korean\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Portuguese\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\productInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Arabic\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\French\text.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\German\UrlInfo.ini	709277220bb33f317b3fab7202799cb0_neikianalytics.exe
File created	C:\Program Files (x86)\imyfone_down\709277220bb33f317b3fab7202799cb0_neikianalytics\language\Indonesian\install_tips.png	709277220bb33f317b3fab7202799cb0_neikianalytics.exe