Malware Analysis Report

2025-03-15 00:52

Sample ID 240626-3an3naseml
Target 22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe
SHA256 22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215
Tags
defense_evasion evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215

Threat Level: Known bad

The file 22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

Modifies WinLogon for persistence

UAC bypass

Disables RegEdit via registry modification

Adds policy Run key to start application

Impair Defenses: Safe Mode Boot

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 23:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 23:18

Reported

2024-06-26 23:21

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "apjbupfcutttfiktjla.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "ndyrlhywppqreilvmpfa.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "zlcrhzmgvroluutz.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "ctpjebtsmnprfkozrvmic.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "apjbupfcutttfiktjla.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "gtlbslzukhfdnoovj.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "gtlbslzukhfdnoovj.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "ndyrlhywppqreilvmpfa.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "ctpjebtsmnprfkozrvmic.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwnfzokbzyxikltij.exe ." C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "ndyrlhywppqreilvmpfa.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "ndyrlhywppqreilvmpfa.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\adlryhl = "apjbupfcutttfiktjla.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "apjbupfcutttfiktjla.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glvdmxdqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\adlryhl = "ndyrlhywppqreilvmpfa.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "pdwnfzokbzyxikltij.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\adlryhl = "ctpjebtsmnprfkozrvmic.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "ctpjebtsmnprfkozrvmic.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwnfzokbzyxikltij.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "pdwnfzokbzyxikltij.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "ndyrlhywppqreilvmpfa.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "pdwnfzokbzyxikltij.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\adlryhl = "apjbupfcutttfiktjla.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "zlcrhzmgvroluutz.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "gtlbslzukhfdnoovj.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndyrlhywppqreilvmpfa.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwnfzokbzyxikltij.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "gtlbslzukhfdnoovj.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glvdmxdqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwnfzokbzyxikltij.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndyrlhywppqreilvmpfa.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "ndyrlhywppqreilvmpfa.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "gtlbslzukhfdnoovj.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "ndyrlhywppqreilvmpfa.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "zlcrhzmgvroluutz.exe ." C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "zlcrhzmgvroluutz.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "ndyrlhywppqreilvmpfa.exe ." C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glvdmxdqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "apjbupfcutttfiktjla.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "apjbupfcutttfiktjla.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "zlcrhzmgvroluutz.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glvdmxdqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndyrlhywppqreilvmpfa.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "ndyrlhywppqreilvmpfa.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "ctpjebtsmnprfkozrvmic.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "zlcrhzmgvroluutz.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "pdwnfzokbzyxikltij.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "ctpjebtsmnprfkozrvmic.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "zlcrhzmgvroluutz.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\adlryhl = "zlcrhzmgvroluutz.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "ndyrlhywppqreilvmpfa.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\adlryhl = "zlcrhzmgvroluutz.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "ctpjebtsmnprfkozrvmic.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glvdmxdqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe ." C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
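The registry signatures above (the Winlogon Shell value, the UAC policy values under Policies\System, the Policies\Explorer\Run key, DisableRegistryTools, the SafeBoot\Minimal key deletions and the Run/RunOnce entries) are all keyed on paths a responder can hunt for, but the report spells them in NT object-namespace form (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>, Wow6432Node, ControlSet001) with a sandbox-specific SID, so they do not match Sysmon or EDR telemetry verbatim. The Python below is an example added by the editor, not code from the sandbox or from this report: it parses the flattened signature rows into a normalised watchlist and runs it over constructed Sysmon-style registry events (IDs 12 and 13). The five rows in SAMPLE_ROWS are copied from the tables above; the Sysmon events, the hypothetical host user "bob" and its SID, and the ATT&CK technique IDs in RULES are the editor's assumptions and are not stated anywhere on the page.

```python
"""Registry watchlist from this report's flattened signature rows, run over Sysmon-style registry
events.  Added example by the editor, not from the sandbox report or its tooling.  SAMPLE_ROWS are
copied from the tables above; the Sysmon events, host user "bob" and ATT&CK IDs are assumptions."""
import re
from collections import namedtuple
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
"""
ROW_RE = re.compile(
    r"^(?P<op>Set value \((?:str|int)\)|Key created|Key deleted|Key value queried)\s+(?P<path>\\REGISTRY\\.+?)"
    r'(?:\s+=\s+"(?P<value>.*)")?'                  # data, present only on "Set value" rows
    r"\s+(?P<process>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$")   # key path above may contain spaces
SID_RE = re.compile(r"^hku\\s-1-5-21-[0-9-]+")        # per-host user SID -> wildcard
CONTROLSET_RE = re.compile(r"\\controlset\d{3}\\")     # ControlSet001 -> CurrentControlSet
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")  # Sysmon's rendering of REG_DWORD data
RegIndicator = namedtuple("RegIndicator", "op path value process")
# Editor's mapping of watched locations to this report's signature names; ATT&CK IDs are assumed.
RULES = [
    (r"\currentversion\winlogon\shell", "Modifies WinLogon for persistence", "T1547.004"),
    (r"\policies\system\enablelua", "UAC bypass", "T1548.002"),
    (r"\policies\system\consentpromptbehavior", "UAC bypass", "T1548.002"),
    (r"\policies\system\promptonsecuredesktop", "UAC bypass", "T1548.002"),
    (r"\policies\system\disableregistrytools", "Disables RegEdit via registry modification", "T1562.001"),
    (r"\policies\explorer\run", "Adds policy Run key to start application", "T1547.001"),
    (r"\currentversion\run", "Adds Run key to start application", "T1547.001"),  # Run and RunOnce
    (r"\control\safeboot\minimal", "Impair Defenses: Safe Mode Boot", "T1562.009"),
]

def canon(path):
    """Normalise a registry path so sandbox and Sysmon spellings compare equal."""
    p = path.strip()
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if p.upper().startswith(prefix):
            p = hive + p[len(prefix):]
    p = CONTROLSET_RE.sub(lambda _: "\\currentcontrolset\\", p.lower().replace("\\wow6432node\\", "\\"))
    return SID_RE.sub(lambda _: "hku\\<sid>", p)

def parse_rows(text):
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:                                                # non-registry rows are skipped
            op = "set" if m["op"].startswith("Set") else m["op"].lower().replace(" ", "_")
            value = m["value"] and m["value"].replace("\\\\", "\\")  # report escapes backslashes
            out.append(RegIndicator(op, canon(m["path"]), value, m["process"]))
    return out

def classify(path):
    return next(((label, tid) for needle, label, tid in RULES if needle in path), None)

def build_watchlist(indicators):
    wl = {}                                                  # canonical path -> {(op, value)}
    for ind in indicators:
        wl.setdefault(ind.path, set()).add((ind.op, ind.value))
    return wl

def match_event(wl, ev):
    """('exact', label, tid) when the event reproduces a sandbox indicator; ('generic', ...) when it
    only writes under a watched location (this sample randomises Run value names); else None."""
    op = {"CreateKey": "key_created", "DeleteKey": "key_deleted"}.get(ev.get("EventType"))
    op = "set" if ev["EventID"] == 13 else op if ev["EventID"] == 12 else None
    if op is None:
        return None
    path = canon(ev["TargetObject"])
    mapped = classify(path)
    dword = DWORD_RE.fullmatch(ev.get("Details") or "")
    data = str(int(dword.group(1), 16)) if dword else ev.get("Details")
    for wop, wval in wl.get(path, ()):
        if wop == op and (op != "set" or wval is None or wval == data):
            return ("exact",) + (mapped or ("unmapped location", None))
    return ("generic",) + mapped if mapped else None

def scan(events, wl):
    hits = []                                                # (index, image, tier, label, technique)
    for i, ev in enumerate(events):
        hit = match_event(wl, ev)
        if hit:
            hits.append((i, ev["Image"]) + hit)
    return hits

MALWARE = r"C:\Users\bob\AppData\Local\Temp\adlryhl.exe"   # assumed image on a hypothetical host
def sysmon(event_id, target, details=None, event_type=None, image=MALWARE):
    return {"EventID": event_id, "Image": image, "TargetObject": target,
            "Details": details, "EventType": event_type}
# Constructed Sysmon-style registry events (IDs 12/13) for the hypothetical host; not real telemetry.
SAMPLE_EVENTS = [
    sysmon(13, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000000)"),
    sysmon(13, r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "DWORD (0x00000001)"),
    sysmon(12, r"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend", event_type="DeleteKey"),
    sysmon(13, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxv", r"C:\Users\bob\AppData\Local\Temp\ndyrlhywppqreilvmpfa.exe"),
    sysmon(13, r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "DWORD (0x00000001)", image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS, build_watchlist(parse_rows(SAMPLE_ROWS))), sep="\n")
```

Two points for anyone reusing this. First, the exact tier is only as good as the paths the sandbox recorded: the value names under the Run keys (mlp, npwbhp, ttyb, cdjns, ptcjrbgs, glvdmxdqy, zfqzjvcqzp) and the dropped executable names differ between the two processes in this very report, so a reinfection will not reproduce them, and the generic tier (any write under Policies\Explorer\Run, Run, RunOnce, Winlogon\Shell, the UAC policy values or a deletion under SafeBoot\Minimal) is the one that catches it; it will also fire on legitimate installers and group-policy refreshes, so treat those hits as hunt leads to pivot on the writing image rather than as verdicts. Second, remediation has to cover all three hives the sample touches (HKLM, the Wow6432Node view and the user hive), and a change to EnableLUA only takes effect after a reboot, so a host where this fired may still show UAC prompts while already being configured with UAC off.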

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ebddehfkkrzhbmwnlvsuuvy.bbi C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
File created C:\Windows\SysWOW64\ebddehfkkrzhbmwnlvsuuvy.bbi C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
File opened for modification C:\Windows\SysWOW64\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
File created C:\Windows\SysWOW64\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
File opened for modification C:\Program Files (x86)\ebddehfkkrzhbmwnlvsuuvy.bbi C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
File created C:\Program Files (x86)\ebddehfkkrzhbmwnlvsuuvy.bbi C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
File opened for modification C:\Program Files (x86)\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ebddehfkkrzhbmwnlvsuuvy.bbi C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
File created C:\Windows\ebddehfkkrzhbmwnlvsuuvy.bbi C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
File opened for modification C:\Windows\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
File created C:\Windows\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\adlryhl.exe
PID 1244 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\adlryhl.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\adlryhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\adlryhl.exe

"C:\Users\Admin\AppData\Local\Temp\adlryhl.exe" "-"

C:\Users\Admin\AppData\Local\Temp\adlryhl.exe

"C:\Users\Admin\AppData\Local\Temp\adlryhl.exe" "-"

Network

Files

C:\Users\Admin\AppData\Local\Temp\adlryhl.exe

C:\Users\Admin\AppData\Local\ebddehfkkrzhbmwnlvsuuvy.bbi

C:\Users\Admin\AppData\Local\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep

C:\Program Files (x86)\ebddehfkkrzhbmwnlvsuuvy.bbi

C:\Users\Admin\AppData\Local\ebddehfkkrzhbmwnlvsuuvy.bbi

C:\Program Files (x86)\ebddehfkkrzhbmwnlvsuuvy.bbi

C:\Program Files (x86)\ebddehfkkrzhbmwnlvsuuvy.bbi

C:\Users\Admin\AppData\Local\ebddehfkkrzhbmwnlvsuuvy.bbi

C:\Users\Admin\AppData\Local\ebddehfkkrzhbmwnlvsuuvy.bbi

C:\Users\Admin\AppData\Local\ebddehfkkrzhbmwnlvsuuvy.bbi


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 23:18

Reported

2024-06-26 23:21

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "wqtggdwtmlhymjlklpjmz.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "jaakhbrlbxqepjiecd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "tigojbphvpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "haconjbxpniylhiggjce.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "umnywridurlamhhedfx.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umnywridurlamhhedfx.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "aqpyuncvkfxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpyuncvkfxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haconjbxpniylhiggjce.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "haconjbxpniylhiggjce.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "wqtggdwtmlhymjlklpjmz.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "wqtggdwtmlhymjlklpjmz.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "jaakhbrlbxqepjiecd.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "tigojbphvpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umnywridurlamhhedfx.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haconjbxpniylhiggjce.exe ." C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "umnywridurlamhhedfx.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umnywridurlamhhedfx.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyuatjvlxpeovl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "wqtggdwtmlhymjlklpjmz.exe ." C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "umnywridurlamhhedfx.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "jaakhbrlbxqepjiecd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "jaakhbrlbxqepjiecd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "aqpyuncvkfxkunlgd.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haconjbxpniylhiggjce.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "umnywridurlamhhedfx.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyuatjvlxpeovl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umnywridurlamhhedfx.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "jaakhbrlbxqepjiecd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpyuncvkfxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "wqtggdwtmlhymjlklpjmz.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpyuncvkfxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "aqpyuncvkfxkunlgd.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "jaakhbrlbxqepjiecd.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "wqtggdwtmlhymjlklpjmz.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyuatjvlxpeovl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe ." C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "tigojbphvpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "tigojbphvpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpyuncvkfxkunlgd.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "wqtggdwtmlhymjlklpjmz.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "haconjbxpniylhiggjce.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyuatjvlxpeovl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "haconjbxpniylhiggjce.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "jaakhbrlbxqepjiecd.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "tigojbphvpgsbtqk.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyuatjvlxpeovl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umnywridurlamhhedfx.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "jaakhbrlbxqepjiecd.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "wqtggdwtmlhymjlklpjmz.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haconjbxpniylhiggjce.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "tigojbphvpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "aqpyuncvkfxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "umnywridurlamhhedfx.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umnywridurlamhhedfx.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "haconjbxpniylhiggjce.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haconjbxpniylhiggjce.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "tigojbphvpgsbtqk.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haconjbxpniylhiggjce.exe ." C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "wqtggdwtmlhymjlklpjmz.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "jaakhbrlbxqepjiecd.exe" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "aqpyuncvkfxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "jaakhbrlbxqepjiecd.exe ." C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
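
Two things stand out in the Run/RunOnce rows above. First, the HKLM writes land under WOW6432Node, which is the 32-bit registry view: the sample and its dropped uapoajo.exe are 32-bit processes on a 64-bit Windows 7 guest, and Windows redirects their HKLM\Software writes there (the SysWOW64 file drops later in this analysis are the same redirection on the file side). Second, every value either names a bare executable with no directory or points into the user's AppData\Local\Temp, and every RunOnce value ends with a lone "." argument. The script below is an added triage example, not part of the sandbox output: it enumerates the six autostart keys this detonation touched and flags values with those shapes, plus the exact value names recorded here. The user-writable path pattern is an assumption to tune per environment.

```powershell
# Added triage example, not part of the sandbox report: list Run/RunOnce values
# in the hives this sample wrote to and flag the shapes seen in the report.
$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Value names used in this detonation (exact-match indicators for this run only).
$KnownValueNames = @('lwqulzjxhxks', 'aizaozgry', 'oczgarevibrckbx',
                     'tcuwlxfrzn', 'kwrwododoftci', 'lyuatjvlxpeovl')

# Directories a legitimate autostart rarely lives in. Assumption: tune per estate.
$UserWritablePattern = '\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\Users\\Public\\|\\ProgramData\\'

function Get-SuspiciousAutostart {
    foreach ($Key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $Key)) { continue }
        $RegKey = Get-Item -LiteralPath $Key
        foreach ($Name in $RegKey.GetValueNames()) {
            $Command = [string]$RegKey.GetValue($Name)
            $Reasons = @()

            if ($KnownValueNames -contains $Name) {
                $Reasons += 'value name from this report'
            }
            if ($Command -match $UserWritablePattern) {
                $Reasons += 'command in user-writable directory'
            }
            # Bare "name.exe" with no directory is resolved through the search path at logon.
            if ($Command -notmatch '[\\/]') {
                $Reasons += 'no directory in command'
            }
            # Every RunOnce value in this report ends in a lone "." argument.
            if ($Command -match '\s\.$') {
                $Reasons += 'trailing " ." argument'
            }

            if ($Reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $Key
                    Name    = $Name
                    Command = $Command
                    Reasons = ($Reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousAutostart | Format-Table -Wrap -AutoSize
```

HKCU: resolves to the account running the script; the report's writes went to the S-1-5-21-...-1000 hive, so on a shared host repeat the check under HKU:\<SID> for each logged-on profile, or load the other profiles' NTUSER.DAT hives first.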

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ywduyzwxuxxsklruzhfmd.ifg C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
File opened for modification C:\Windows\SysWOW64\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
File created C:\Windows\SysWOW64\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
File opened for modification C:\Windows\SysWOW64\ywduyzwxuxxsklruzhfmd.ifg C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\ywduyzwxuxxsklruzhfmd.ifg C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
File created C:\Program Files (x86)\ywduyzwxuxxsklruzhfmd.ifg C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
File opened for modification C:\Program Files (x86)\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
File created C:\Program Files (x86)\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
File created C:\Windows\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
File opened for modification C:\Windows\ywduyzwxuxxsklruzhfmd.ifg C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
File created C:\Windows\ywduyzwxuxxsklruzhfmd.ifg C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\uapoajo.exe N/A
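
Read together with the EnableLUA rows under "Checks whether UAC is enabled", the policy writes above switch UAC off (EnableLUA=0, which takes effect at the next reboot), make any elevation that still happens silent and off the secure desktop (ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0), auto-deny elevation for standard users (ConsentPromptBehaviorUser=0), block regedit (DisableRegistryTools=1) and lower NoDriveTypeAutoRun to 1, below the 0x91 Windows default, re-enabling AutoRun on drive types the default excludes. FilterAdministratorToken and ValidateAdminCodeSignatures already default to 0, so those writes are not a weakening on a stock host, and EnableInstallerDetection's default depends on edition. The script below is an added example, not from the report: it compares each value the sample wrote against the Windows client default and, with -Restore, sets it back. The defaults table is the assumption to verify against your own build baseline.

```powershell
# Added example, not part of the sandbox report: compare the UAC and Explorer
# policy values this sample rewrote against Windows client defaults and,
# with -Restore, put them back. Run from an elevated PowerShell.
param([switch]$Restore)

$SystemPolicy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Expected = out-of-the-box value on Windows 7 and later client editions (assumption:
# check against your build baseline). Notes give the meaning of the sample's value.
$Baseline = @(
    @{ Key = $SystemPolicy;   Name = 'EnableLUA';                   Expected = 1 }     # 0: UAC off after reboot
    @{ Key = $SystemPolicy;   Name = 'ConsentPromptBehaviorAdmin';  Expected = 5 }     # 0: elevate without prompting
    @{ Key = $SystemPolicy;   Name = 'ConsentPromptBehaviorUser';   Expected = 3 }     # 0: auto-deny standard users
    @{ Key = $SystemPolicy;   Name = 'PromptOnSecureDesktop';       Expected = 1 }     # 0: prompts on the normal desktop
    @{ Key = $SystemPolicy;   Name = 'EnableInstallerDetection';    Expected = 1 }     # edition-dependent default
    @{ Key = $SystemPolicy;   Name = 'EnableSecureUIAPaths';        Expected = 1 }     # 0: UIAccess apps from any path
    @{ Key = $SystemPolicy;   Name = 'EnableVirtualization';        Expected = 1 }     # 0: no file/registry virtualization
    @{ Key = $SystemPolicy;   Name = 'FilterAdministratorToken';    Expected = 0 }     # 0 is default; 1 is the hardened value
    @{ Key = $SystemPolicy;   Name = 'ValidateAdminCodeSignatures'; Expected = 0 }     # 0 is default; 1 is the hardened value
    @{ Key = $SystemPolicy;   Name = 'DisableRegistryTools';        Expected = 0; AbsentOk = $true }  # 1: regedit blocked
    @{ Key = $ExplorerPolicy; Name = 'NoDriveTypeAutoRun';          Expected = 0x91; AbsentOk = $true }  # 0xFF disables AutoRun everywhere
)

function Test-UacPolicyBaseline {
    foreach ($Entry in $Baseline) {
        $Item    = Get-ItemProperty -Path $Entry.Key -Name $Entry.Name -ErrorAction SilentlyContinue
        $Current = if ($null -ne $Item) { $Item.($Entry.Name) } else { $null }

        $Status = if ($null -eq $Current) {
            if ($Entry.AbsentOk) { 'OK (absent)' } else { 'ABSENT' }
        } elseif ([int]$Current -eq $Entry.Expected) {
            'OK'
        } else {
            'TAMPERED'
        }

        if ($Restore -and $Status -eq 'TAMPERED') {
            if (-not (Test-Path -LiteralPath $Entry.Key)) { New-Item -Path $Entry.Key -Force | Out-Null }
            Set-ItemProperty -Path $Entry.Key -Name $Entry.Name -Value $Entry.Expected -Type DWord
            if ($Entry.Name -eq 'EnableLUA') { Write-Warning 'EnableLUA change takes effect after a reboot.' }
            $Status = 'RESTORED'
        }

        [pscustomobject]@{
            Key      = $Entry.Key
            Value    = $Entry.Name
            Current  = $Current
            Expected = $Entry.Expected
            Status   = $Status
        }
    }
}

Test-UacPolicyBaseline | Format-Table -AutoSize
```

Run without -Restore first and keep the output as evidence; restoring the policy keys does not remove the Run/RunOnce entries or the dropped files, which the persistence and file sections of this report cover separately.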

Processes

C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\uapoajo.exe

"C:\Users\Admin\AppData\Local\Temp\uapoajo.exe" "-"

C:\Users\Admin\AppData\Local\Temp\uapoajo.exe

"C:\Users\Admin\AppData\Local\Temp\uapoajo.exe" "-"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.com udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.com udp
US 8.8.8.8:53 www.whatismyip.com udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 8.8.8.8:53 www.whatismyip.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.blogger.com udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 www.yahoo.com udp
US 8.8.8.8:53 www.yahoo.com udp
US 8.8.8.8:53 www.blogger.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 www.ebay.com udp

Files

C:\Users\Admin\AppData\Local\Temp\uapoajo.exe

MD5 f14ec017fac3402fed9fc60b9e2559d9
SHA1 71ddfa7118d0511256181248d21f1a71887c6867
SHA256 c5a50168ed1c7108bf16e484a5077da1d6dc23cdcbcb094689a5084e62aa27ff
SHA512 88379745c41512071d19d6d41640fb3be4f8d8acf1f220a6f3a0c348d037af5d3a31bf0330e4bfd047b6fc1de60a5e1e70cd88533621934ff024c454b27d1618

C:\Users\Admin\AppData\Local\ywduyzwxuxxsklruzhfmd.ifg

MD5 4444bca4d3e4c9cc982f15fba95f95a0
SHA1 13bbd9a740a19457bf1e9b68880e06722759facc
SHA256 13cfaa76157912be7a06a4218021d5b8f14df9eb8160693f90dc1d070e89fd65
SHA512 ed0f67fc035fac836ea9a93505a598526a00b1831ec771003cd87aefba988c94d0c1e908e9bd74a9d8369403470275f142c6b1e3be1c355336186a6b76b2a59b

C:\Users\Admin\AppData\Local\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve

MD5 9e3f61f55d8b91f14e407e1dfcae0e9b
SHA1 d9d59ebb75223baad7539c12f84bffe4def18739
SHA256 b44ea9d36943272fded26afec06a3072c092407c7668ca854d0d5746581d5f5c
SHA512 731080ae45d5d74790dca6d85058ae899e866d839e2cc8b95652a19f3ded5a340fb31741a2e61268398d6698219d759799348aeb88ed49c605079185796bb224
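
The hashes above identify the dropped uapoajo.exe and the two data files, and the drop signatures earlier in this analysis put copies of the .ifg and .cve files directly in C:\Windows, C:\Windows\SysWOW64 and C:\Program Files (x86). The sweep below is an added example, not part of the report: it walks those directories plus every local profile's AppData\Local and Temp, hashes the .exe, .ifg and .cve files found directly in them, and reports anything matching a file name or SHA-256 recorded in this report. Name hits and hash hits are reported separately so either alone is enough to act on; .ifg and .cve files are reported regardless because neither extension belongs in those directories.

```powershell
# Added example, not part of the sandbox report: look for this detonation's
# dropped files by name and by SHA-256 in the directories the report lists.
# SHA-256 values are copied from the Files section and the sample hash above.
$KnownHashes = @{
    '22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215' = 'submitted sample'
    'c5a50168ed1c7108bf16e484a5077da1d6dc23cdcbcb094689a5084e62aa27ff' = 'uapoajo.exe'
    '13cfaa76157912be7a06a4218021d5b8f14df9eb8160693f90dc1d070e89fd65' = 'ywduyzwxuxxsklruzhfmd.ifg'
    'b44ea9d36943272fded26afec06a3072c092407c7668ca854d0d5746581d5f5c' = 'tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve'
}

# File names from the Run/RunOnce values and drop signatures of this report.
$KnownNames = @(
    'uapoajo.exe', 'ywduyzwxuxxsklruzhfmd.ifg', 'tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve',
    'tigojbphvpgsbtqk.exe', 'umnywridurlamhhedfx.exe', 'haconjbxpniylhiggjce.exe',
    'wqtggdwtmlhymjlklpjmz.exe', 'jaakhbrlbxqepjiecd.exe', 'aqpyuncvkfxkunlgd.exe'
)

# Drop locations from the report, plus every local profile's AppData\Local and Temp.
$SweepDirs = @(
    $env:SystemRoot
    Join-Path $env:SystemRoot 'System32'
    Join-Path $env:SystemRoot 'SysWOW64'
    $env:ProgramFiles
    ${env:ProgramFiles(x86)}
)
$SweepDirs += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    Join-Path $_.FullName 'AppData\Local'
    Join-Path $_.FullName 'AppData\Local\Temp'
}
$SweepDirs = $SweepDirs | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

function Find-DroppedArtifact {
    foreach ($Dir in $SweepDirs) {
        # Non-recursive on purpose: the report shows files written directly into these folders.
        # Hashing every .exe in System32/SysWOW64 takes a few seconds; that is acceptable for triage.
        $Files = Get-ChildItem -LiteralPath $Dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.ifg', '.cve' }

        foreach ($File in $Files) {
            $NameHit = $KnownNames -contains $File.Name
            $Hash    = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $HashHit = if ($Hash) { $KnownHashes[$Hash.ToLower()] } else { $null }
            # Unusual extensions in these directories are worth a look even without a name or hash match.
            $OddExt  = $File.Extension -in '.ifg', '.cve'

            if ($NameHit -or $HashHit -or $OddExt) {
                [pscustomobject]@{
                    Path    = $File.FullName
                    NameHit = $NameHit
                    KnownAs = $HashHit
                    SHA256  = $Hash
                    Written = $File.LastWriteTime
                }
            }
        }
    }
}

Find-DroppedArtifact | Format-Table -AutoSize
```

Preserve hits before deleting anything: copy the file and note its LastWriteTime, since that timestamp lines up with the Run/RunOnce writes and the EnableLUA change for a timeline.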