Malware Analysis Report

2024-09-11 12:19

Sample ID 240618-rla5dsxckh
Target 4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe
SHA256 e726dcb3945fdf2f8b114fcba5e83cf319556c68f79f8fc629a55d6c8df19991
Tags sality backdoor evasion trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 e726dcb3945fdf2f8b114fcba5e83cf319556c68f79f8fc629a55d6c8df19991

Threat Level: Known bad

The file 4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

Sality

Modifies firewall policy service

UAC bypass

UPX packed file

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 14:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 14:16

Reported

2024-06-18 14:18

Platform

win7-20240419-en

Max time kernel

126s

Max time network

118s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (30 identical rows)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A (33 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe (13 identical rows)
PID 1752 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe (13 identical rows)
PID 1752 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\Explorer.EXE (13 identical rows)
PID 1752 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe (1 row)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe"

Network

N/A

Files

memory/1752-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1752-3-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-5-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-9-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-4-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-6-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-26-0x0000000002E40000-0x0000000002E42000-memory.dmp

memory/1752-7-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-10-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-11-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-8-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-25-0x0000000002E40000-0x0000000002E42000-memory.dmp

memory/1752-24-0x0000000004C00000-0x0000000004C01000-memory.dmp

memory/1752-22-0x0000000004C00000-0x0000000004C01000-memory.dmp

memory/1752-21-0x0000000002E40000-0x0000000002E42000-memory.dmp

memory/1112-12-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/1752-27-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-28-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-29-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-30-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-31-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-33-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-34-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-35-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-37-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-39-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-47-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-49-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-50-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-54-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-55-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-57-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-58-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-61-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-62-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-70-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-71-0x0000000001CE0000-0x0000000002D6E000-memory.dmp

memory/1752-81-0x0000000002E40000-0x0000000002E42000-memory.dmp

F:\sidvs.pif

MD5 65511925e64c8ed51fcc7c3d069b6950
SHA1 c7c6e157d795ac736796299aa318ab6691fcbbd0
SHA256 a5c4bfc44fbd1a262ffe71d50338665f8300707b930ba7749946bfef3a42a653
SHA512 f7f168183af5f5659e86f34bc3c383f0e6594aa143ed420ea77cb30cc7640c7c29fddb65c92af43231b33c823c9db8ac71eaa309d76e6fc1577aa57adac31ac8

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 14:16

Reported

2024-06-18 14:18

Platform

win10v2004-20240508-en

Max time kernel

122s

Max time network

60s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (40 identical rows)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1696 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1696 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1696 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 1696 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 1696 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1696 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 1696 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 1696 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1696 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 1696 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1696 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1696 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1696 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1696 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1696 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1696 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 1696 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 1696 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1696 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 1696 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 1696 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1696 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 1696 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1696 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1696 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1696 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1696 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1696 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1696 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 1696 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 1696 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1696 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 1696 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 1696 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1696 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 1696 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1696 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1696 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1696 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1696 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1696 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 1696 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 1696 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1696 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 1696 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 1696 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1696 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 1696 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1696 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1696 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1696 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4fa5128c463f6062a8e73260808344e0_NeikiAnalytics.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1696-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1696-7-0x0000000000800000-0x0000000000801000-memory.dmp

memory/1696-3-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-12-0x00000000007F0000-0x00000000007F2000-memory.dmp

memory/1696-8-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-5-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-11-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-10-0x00000000007F0000-0x00000000007F2000-memory.dmp

memory/1696-1-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-6-0x00000000007F0000-0x00000000007F2000-memory.dmp

memory/1696-9-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-14-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-15-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-13-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-17-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-16-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-18-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-19-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-20-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-22-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-23-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-24-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-26-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-27-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-28-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-30-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-33-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-37-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-38-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-39-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-45-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-46-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-47-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-48-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-52-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-54-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-55-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-56-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-58-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-59-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-60-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-63-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-65-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-67-0x00000000021B0000-0x000000000323E000-memory.dmp

memory/1696-68-0x00000000007F0000-0x00000000007F2000-memory.dmp

memory/1696-69-0x00000000021B0000-0x000000000323E000-memory.dmp

F:\bgyyxk.exe

MD5 3a22167cb70006e6b39538927bf466cc
SHA1 12236f53dcaf016d4627b79a5baf50e96ea7db28
SHA256 08c8f6471b05c2d0922484e18fc602ca4ccd378940ad8320d82be7af33af17bb
SHA512 69b3e30c8e5192997aa749d2cc94224633d28557742b796ecf88c6a7b7db47dde1ca1dbb162cbc926b9501c107a36e9a90727c89acb9f0c0b8dd44e8fb9aa876