Malware Analysis Report

2024-09-11 12:18

Sample ID 240619-cen1cawelr
Target 77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe
SHA256 63aabe74b886ff7819f632fe8e901f54635925210d5cb097fed975d61eccef12
Tags
sality backdoor evasion trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

63aabe74b886ff7819f632fe8e901f54635925210d5cb097fed975d61eccef12

Threat Level: Known bad

The file 77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

Sality

UAC bypass

Modifies firewall policy service

Windows security modification

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 01:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 01:59

Reported

2024-06-19 02:02

Platform

win7-20240611-en

Max time kernel

126s

Max time network

121s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 1916 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 1916 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 1916 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe"

Network

N/A

Files

F:\fkun.exe

MD5 07165868a4772702169f5e2abf78d479
SHA1 b32fac4710ab0d60c869096f9032a53049bb9ddd
SHA256 a632695d908b12d03bd9af6730de4a69dd05db333e3419fbdbef34f0ed3326ca
SHA512 52e89c5b174b81e6d0b6062c362d19340740026bcd599c0a3c3243dfcd05f9c1efc746384f9e9239b07e2ffb03f4b540467729bd7aad98d2ded0e36033d95e2b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 01:59

Reported

2024-06-19 02:02

Platform

win10v2004-20240508-en

Max time kernel

123s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3408 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3408 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3408 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3408 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3408 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3408 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3408 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3408 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3408 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3408 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3408 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3408 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3408 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3408 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3408 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3408 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3408 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3408 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3408 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3408 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3408 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3408 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3408 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3408 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3408 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3408 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3408 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3408 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3408 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3408 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3408 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3408 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3408 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3408 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3408 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3408 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3408 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3408 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3408 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3408 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3408 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3408 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3408 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3408 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3408 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3408 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3408 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3408 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3408 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3408 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\77da93699a35376456421b2ed5e6ce90_NeikiAnalytics.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/3408-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3408-7-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-8-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-5-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-9-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-14-0x00000000006A0000-0x00000000006A2000-memory.dmp

memory/3408-13-0x00000000006A0000-0x00000000006A2000-memory.dmp

memory/3408-11-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/3408-10-0x00000000006A0000-0x00000000006A2000-memory.dmp

memory/3408-6-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-4-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-3-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-1-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-12-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-15-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-16-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-17-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-18-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-19-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-21-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-22-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3408-23-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-25-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-26-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-27-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-29-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-31-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-33-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-37-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-39-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-42-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-43-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-45-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-46-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-48-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-55-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-56-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-58-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-60-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-61-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-63-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-66-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-68-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-69-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3408-70-0x00000000006A0000-0x00000000006A2000-memory.dmp

memory/3408-71-0x00000000028E0000-0x000000000396E000-memory.dmp

F:\btjx.exe

MD5 3e71034aa856117859cc886de622af17
SHA1 9137e160a856936b09a3aa44a65677b2376b8d9f
SHA256 61280df2ee3a8665be7c954c7ab4239aeccab2062bb38a1677d35d8a325e92eb
SHA512 cc0ec08e45e9ef9a9e807daf9d9fc6aae154dfecfa04b1178edac4e747c8833de5fbb98971682728872f7c94f8e09e3e717db2b4bd85a90265e8a93f86007ea6