Malware Analysis Report

2024-09-11 12:19

Sample ID 240617-s193psvfpd
Target aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe
SHA256 71913f4406474f1c89fd6dc25aa56c747bed809bd347e84ed205313e616136cb
Tags
sality backdoor evasion trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256

71913f4406474f1c89fd6dc25aa56c747bed809bd347e84ed205313e616136cb

Threat Level: Known bad

The file aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

UAC bypass

Sality

Windows security bypass

Disables Task Manager via registry modification

Disables RegEdit via registry modification

UPX packed file

Windows security modification

Checks computer location settings

Checks whether UAC is enabled

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

System policy modification

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 15:36

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 15:36

Reported

2024-06-17 15:39

Platform

win7-20240611-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 204

Network

N/A

Files

memory/2356-0-0x0000000000400000-0x00000000004AE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 15:36

Reported

2024-06-17 15:39

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES (X86)\COMMON FILES\JAVA\JAVA UPDATE\JUSCHED.EXE C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1372 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1372 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1372 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 1372 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 1372 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1372 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 1372 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 1372 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1372 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 1372 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1372 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1372 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1372 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1372 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1372 wrote to memory of 5360 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1372 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1372 wrote to memory of 5460 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1372 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1372 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1372 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 3624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1372 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\System32\Conhost.exe
PID 1372 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe C:\Windows\SysWOW64\NOTEPAD.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.ini"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.ini

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
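
Added example, not part of the sandbox output: every row in the table above is a reverse (PTR) query sent to Google's resolver, and the table has no process column, so on its own it does not attribute any of these lookups to the sample. What a practitioner wants is the address each in-addr.arpa name asks about, to check against their own intelligence. The script below parses the rows and converts in-addr.arpa names back to IPv4 addresses; it also handles ip6.arpa names, which go beyond what this report shows. The sample rows are constructed from this report.

```python
import ipaddress

# Constructed sample: the Network rows from this report.
SAMPLE_NETWORK = """\
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
"""


def ptr_name_to_ip(name):
    """Map a PTR query name to the address it asks about, or None if it is not one.

    in-addr.arpa carries the four octets reversed; ip6.arpa carries all 32
    nibbles reversed, one per label.
    """
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            return None  # a zone/partial name, not a host lookup
        try:
            return ipaddress.IPv4Address(".".join(reversed(octets)))
        except ValueError:
            return None
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32:
            return None
        hexstr = "".join(reversed(nibbles))
        try:
            return ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
        except ValueError:
            return None
    return None


def reverse_lookups(text):
    """Parse 'Country Destination Domain Proto' rows; keep only PTR queries."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _country, dest, domain, proto = parts
        ip = ptr_name_to_ip(domain)
        if ip is None:
            continue  # forward lookups would be triaged separately
        out.append({"resolver": dest, "proto": proto,
                    "ptr_name": domain, "address": str(ip)})
    return out


def ptr_round_trip(addr):
    """Sanity check: the stdlib's reverse_pointer must parse back to addr."""
    ip = ipaddress.ip_address(addr)
    return ptr_name_to_ip(ip.reverse_pointer) == ip


if __name__ == "__main__":
    for row in reverse_lookups(SAMPLE_NETWORK):
        print(row["address"], "<-", row["ptr_name"], "via", row["resolver"])
```

The addresses recovered here are what to pivot on; the sandbox's country column only describes the resolver (8.8.8.8), not the hosts being looked up.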

Files

memory/1372-0-0x0000000000400000-0x00000000004AE000-memory.dmp

memory/1372-1-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-4-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-5-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-9-0x0000000000A20000-0x0000000000A21000-memory.dmp

memory/1372-14-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1372-13-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-12-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1372-6-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-7-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-8-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1372-10-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-11-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-18-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-19-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-20-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-21-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-22-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-23-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-26-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-27-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-28-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-30-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-32-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-35-0x0000000003220000-0x00000000042AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0E5772A0_Rar\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe

MD5 ef89f650aa5f28cd5d9a4c98444bf799
SHA1 62c5b30ca858b667e6a85ef40d0840aea62e8ddd
SHA256 ceda224c28ecbdf23a5ea2180e62701fcf73a6d31dd1eccd37f6fbdd9fa99d20
SHA512 87b73666bd042154a544ec9e1d1fa690ca3fdbe5e00d2b6c92210df8a9f7fe5375a5545b14ef3c3b09b59ba5a197235253955a2ed7d6d8f41fd5f7aa56657c88

memory/1372-36-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-45-0x0000000003220000-0x00000000042AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.ini

MD5 0141a67c35dbf34ac8a146bb08a1a101
SHA1 6243844912ee2005ca05d7aa3f1a8ba0c263aac5
SHA256 ed618f7a78c089b0234a4c538dd2c260d66705e1ed071ca05dd2fad2f0680fc4
SHA512 3189d7278fa78d3265fb2e514cdcf6a058c855b13ee187eedab666536faf454dfac57c008a54786454de6bba57004e47bd041663325c848f3d3f82ee9112afee

memory/1372-49-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-50-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-53-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-55-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-56-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/3764-60-0x0000000000920000-0x0000000000921000-memory.dmp

memory/3764-61-0x0000000000910000-0x0000000000912000-memory.dmp

memory/3624-63-0x0000000005700000-0x0000000005701000-memory.dmp

memory/3624-64-0x0000000002DE0000-0x0000000002DE2000-memory.dmp

memory/1372-65-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-66-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-68-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-69-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-72-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-73-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-74-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-76-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-83-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-84-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/1372-92-0x00000000001F0000-0x00000000001F2000-memory.dmp