Analysis Overview
SHA256
22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215
Threat Level: Known bad
The file 22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Disables RegEdit via registry modification
Adds policy Run key to start application
Impair Defenses: Safe Mode Boot
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Checks whether UAC is enabled
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 23:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 23:18
Reported
2024-06-26 23:21
Platform
win7-20240221-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "apjbupfcutttfiktjla.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "ndyrlhywppqreilvmpfa.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "zlcrhzmgvroluutz.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "ctpjebtsmnprfkozrvmic.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "apjbupfcutttfiktjla.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "gtlbslzukhfdnoovj.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "gtlbslzukhfdnoovj.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "ndyrlhywppqreilvmpfa.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\npwbhp = "ctpjebtsmnprfkozrvmic.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwnfzokbzyxikltij.exe ." | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "ndyrlhywppqreilvmpfa.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "ndyrlhywppqreilvmpfa.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\adlryhl = "apjbupfcutttfiktjla.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "apjbupfcutttfiktjla.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glvdmxdqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\adlryhl = "ndyrlhywppqreilvmpfa.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "pdwnfzokbzyxikltij.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\adlryhl = "ctpjebtsmnprfkozrvmic.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "ctpjebtsmnprfkozrvmic.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwnfzokbzyxikltij.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "pdwnfzokbzyxikltij.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "ndyrlhywppqreilvmpfa.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "pdwnfzokbzyxikltij.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\adlryhl = "apjbupfcutttfiktjla.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "zlcrhzmgvroluutz.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "gtlbslzukhfdnoovj.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndyrlhywppqreilvmpfa.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwnfzokbzyxikltij.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "gtlbslzukhfdnoovj.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glvdmxdqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdwnfzokbzyxikltij.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndyrlhywppqreilvmpfa.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "ndyrlhywppqreilvmpfa.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "gtlbslzukhfdnoovj.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "ndyrlhywppqreilvmpfa.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "zlcrhzmgvroluutz.exe ." | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "zlcrhzmgvroluutz.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "ndyrlhywppqreilvmpfa.exe ." | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glvdmxdqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "apjbupfcutttfiktjla.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "apjbupfcutttfiktjla.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "zlcrhzmgvroluutz.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apjbupfcutttfiktjla.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glvdmxdqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndyrlhywppqreilvmpfa.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "ndyrlhywppqreilvmpfa.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "ctpjebtsmnprfkozrvmic.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "zlcrhzmgvroluutz.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "pdwnfzokbzyxikltij.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfqzjvcqzp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "ctpjebtsmnprfkozrvmic.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttyb = "zlcrhzmgvroluutz.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\adlryhl = "zlcrhzmgvroluutz.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlcrhzmgvroluutz.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ptcjrbgs = "ndyrlhywppqreilvmpfa.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\adlryhl = "zlcrhzmgvroluutz.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cdjns = "ctpjebtsmnprfkozrvmic.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtlbslzukhfdnoovj.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glvdmxdqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctpjebtsmnprfkozrvmic.exe ." | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\ebddehfkkrzhbmwnlvsuuvy.bbi | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| File created | C:\Windows\SysWOW64\ebddehfkkrzhbmwnlvsuuvy.bbi | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| File created | C:\Windows\SysWOW64\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ebddehfkkrzhbmwnlvsuuvy.bbi | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| File created | C:\Program Files (x86)\ebddehfkkrzhbmwnlvsuuvy.bbi | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| File opened for modification | C:\Program Files (x86)\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\ebddehfkkrzhbmwnlvsuuvy.bbi | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| File created | C:\Windows\ebddehfkkrzhbmwnlvsuuvy.bbi | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| File opened for modification | C:\Windows\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| File created | C:\Windows\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\adlryhl.exe
"C:\Users\Admin\AppData\Local\Temp\adlryhl.exe" "-"
C:\Users\Admin\AppData\Local\Temp\adlryhl.exe
"C:\Users\Admin\AppData\Local\Temp\adlryhl.exe" "-"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | hftkbek.info | udp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | myieye.com | udp |
| FR | 94.23.162.163:80 | myieye.com | tcp |
| US | 8.8.8.8:53 | fgbvvmtc.info | udp |
| US | 8.8.8.8:53 | ywaimgos.com | udp |
| US | 8.8.8.8:53 | fcjzbi.net | udp |
| US | 8.8.8.8:53 | qlqiukflls.net | udp |
| US | 8.8.8.8:53 | vurevaj.com | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | heylzdxbfmj.net | udp |
| US | 8.8.8.8:53 | juzzlqgodtf.info | udp |
| US | 8.8.8.8:53 | vupwbcmwhchx.info | udp |
| US | 8.8.8.8:53 | svfoteb.info | udp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | misipok.net | udp |
| US | 8.8.8.8:53 | tknysgkzt.net | udp |
| US | 8.8.8.8:53 | redbqzty.net | udp |
| US | 8.8.8.8:53 | gfpinqbmbmx.info | udp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| US | 8.8.8.8:53 | avtkhyrmpe.info | udp |
| US | 8.8.8.8:53 | toheqbql.net | udp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | arpnjclox.net | udp |
| US | 8.8.8.8:53 | nibgvqqbg.net | udp |
| US | 8.8.8.8:53 | scmqeyswwqog.org | udp |
| US | 8.8.8.8:53 | cebcoetuudr.net | udp |
| US | 8.8.8.8:53 | tuvyvopiiuks.info | udp |
| US | 8.8.8.8:53 | fkvkpvdy.info | udp |
| US | 8.8.8.8:53 | oibikx.net | udp |
| US | 8.8.8.8:53 | bfnkdfbtnuch.info | udp |
| US | 8.8.8.8:53 | hxhzjmrgdxx.info | udp |
| US | 8.8.8.8:53 | fyzxwkxan.org | udp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| US | 8.8.8.8:53 | ipvokjc.net | udp |
| US | 8.8.8.8:53 | bkjahm.info | udp |
| US | 8.8.8.8:53 | deqsfs.net | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| US | 8.8.8.8:53 | hmffmzkfcs.net | udp |
| US | 8.8.8.8:53 | tndwdqjhjml.info | udp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| US | 8.8.8.8:53 | ttlkxmgobgh.info | udp |
| US | 8.8.8.8:53 | perayouwii.net | udp |
| US | 8.8.8.8:53 | xwtadyhqm.net | udp |
| US | 8.8.8.8:53 | lvlngpos.info | udp |
| US | 8.8.8.8:53 | lzzqgigv.info | udp |
| US | 8.8.8.8:53 | ykjkjfrskin.info | udp |
| US | 8.8.8.8:53 | uodabbfcp.net | udp |
| US | 8.8.8.8:53 | ostdxxh.info | udp |
| US | 8.8.8.8:53 | nytttxv.net | udp |
| US | 8.8.8.8:53 | aicyyswwcyiq.org | udp |
| US | 8.8.8.8:53 | wyvylyn.info | udp |
| US | 8.8.8.8:53 | cgeqrpjejzug.info | udp |
| US | 8.8.8.8:53 | azlzztwjlk.info | udp |
| US | 8.8.8.8:53 | cilztu.net | udp |
| US | 8.8.8.8:53 | qmoucoiugs.com | udp |
| US | 8.8.8.8:53 | laormun.net | udp |
| US | 8.8.8.8:53 | veparavldou.net | udp |
| US | 8.8.8.8:53 | oocgwu.org | udp |
| US | 162.249.65.164:80 | oocgwu.org | tcp |
| US | 8.8.8.8:53 | swccfklax.info | udp |
| US | 8.8.8.8:53 | vahqifeusuh.info | udp |
| US | 8.8.8.8:53 | nxyebckfpje.net | udp |
| US | 8.8.8.8:53 | mebzfgl.net | udp |
| US | 8.8.8.8:53 | ribglrrku.com | udp |
| US | 8.8.8.8:53 | oofsicvgk.net | udp |
| US | 8.8.8.8:53 | ztuuvewk.info | udp |
| US | 8.8.8.8:53 | toevsnfdpzfz.info | udp |
| US | 8.8.8.8:53 | fqdidqzrtyv.net | udp |
| US | 8.8.8.8:53 | yaeieg.com | udp |
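The Network table above shows three distinct things a responder should separate: a burst of external-IP lookups (whatismyip.com, whatismyipaddress.com, showmyipaddress.com and similar), a connectivity check against www.google.com, and then dozens of DNS queries for random-looking domains of which only a handful (vsdgddzap.org, kwhfqnnejec.info, myieye.com, eomqiyui.org, jawzfnq.org, oocgwu.org, ikzszjxmq.info) were followed by a TCP connection, with 162.249.65.164 answering for four unrelated names. The script below is an added triage example, not part of the report or of the sandbox's own tooling: it parses rows in the table's own format and extracts exactly those signals. It assumes the IP-lookup services can be recognised by the substring "myip" (true for every such service on this page, but a heuristic), and the sample rows embedded in it are a constructed subset copied from the table above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of rows copied from this report's Network table.
SAMPLE_NETWORK = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | hftkbek.info | udp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | myieye.com | udp |
| FR | 94.23.162.163:80 | myieye.com | tcp |
| US | 8.8.8.8:53 | fgbvvmtc.info | udp |
| US | 8.8.8.8:53 | ywaimgos.com | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| US | 8.8.8.8:53 | svfoteb.info | udp |
| US | 8.8.8.8:53 | misipok.net | udp |
"""

# Assumption: every external-IP lookup service in this report contains "myip".
IP_LOOKUP_RE = re.compile(r"myip")


@dataclass(frozen=True)
class NetEvent:
    country: str
    dst_ip: str
    dst_port: int
    domain: str
    proto: str   # "udp" rows are the DNS query, "tcp" rows the actual connection


def parse_network(table: str) -> list:
    """Parse '| Country | Destination | Domain | Proto |' rows from the report."""
    events = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        events.append(NetEvent(country, ip, int(port), domain.lower(), proto.lower()))
    return events


def triage_network(events, shared_threshold=2) -> dict:
    """Separate IP-lookup noise from C2 candidates and find names sharing one peer."""
    ip_services = {e.domain for e in events if IP_LOOKUP_RE.search(e.domain)}
    candidates = {e.domain for e in events} - ip_services
    connected = defaultdict(set)       # domain -> peer IPs with a TCP connection
    domains_per_ip = defaultdict(set)  # peer IP -> domains that led to it
    for e in events:
        if e.proto == "tcp":
            connected[e.domain].add(e.dst_ip)
            domains_per_ip[e.dst_ip].add(e.domain)
    dns_only = candidates - set(connected)   # queried, never connected (NXDOMAIN-like)
    return {
        "ip_lookup_services": sorted(ip_services),
        "candidate_domains": len(candidates),
        "dns_only": sorted(dns_only),
        "connected": {d: sorted(ips) for d, ips in sorted(connected.items()) if d in candidates},
        "shared_ips": {ip: sorted(ds) for ip, ds in domains_per_ip.items()
                       if len(ds) >= shared_threshold},
        "unresolved_ratio": round(len(dns_only) / len(candidates), 2) if candidates else 0.0,
    }


if __name__ == "__main__":
    r = triage_network(parse_network(SAMPLE_NETWORK))
    print("IP-lookup services:", ", ".join(r["ip_lookup_services"]))
    print(f"{r['candidate_domains']} candidate domains, "
          f"{len(r['dns_only'])} never connected ({r['unresolved_ratio']:.0%})")
    for ip, names in r["shared_ips"].items():
        print(f"{ip} answered for {len(names)} unrelated names: {', '.join(names)}")
```

Run over the full table the unresolved ratio is far higher than in the sample, which is the practical DGA signal: a process that resolves many unique, never-before-seen second-level domains in a short window and connects to almost none of them. The shared-IP list is what to pivot on next; an address answering for several random names is either the live rendezvous point or a sinkhole, and either way it is the indicator worth blocking and hunting for in DNS and proxy logs.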
Files
C:\Users\Admin\AppData\Local\Temp\adlryhl.exe
| MD5 | 49749a8f6edfe937c4a5663e93baefde |
| SHA1 | 96cc7c74147a8f9c7d9c74883a620454f1343824 |
| SHA256 | d21769621e3c6d8b2d9317a3658beb8a5e86970fbbdd0cd14e14c290e42f32e7 |
| SHA512 | a539196f4cff02544be86c4b1e49e55adcb41d452105cabde009ac6b9d9c00c8a5c06b32b1ff3d829669ec53719d0979a585195a97e682a0900f1b2a3ca1fe7a |
C:\Users\Admin\AppData\Local\ebddehfkkrzhbmwnlvsuuvy.bbi
| MD5 | ded9f0a31880a09ed34f5db1ba1d89e1 |
| SHA1 | 2a8a188fa46b6deb795bcb46ae6b9f9abd59f656 |
| SHA256 | 3ba2bd6db8bf7e9683aa70f5f051e7bf68c4dc6e67d9e2fbe0c4149e1fd3b842 |
| SHA512 | 691d7de661fc78fb25868ed4d5e582f2ee180b469e06f4f0a386a27b645bd5b2cec7b7c2c33906f0a0a807297b1e775ee5dea890bf6bbf7f4469017f09d28a3b |
C:\Users\Admin\AppData\Local\rzmxjxgwhzslqmhjsnvitftcsdvohmidfo.rep
| MD5 | 596413d7beaaa24a38703ae57c73756c |
| SHA1 | a801d98a964cd4252ed70e8f543f3be42d536a87 |
| SHA256 | e674292dffd6c9e21dfad5926998d88ca831cdaebc79b844e1a0434a49080f82 |
| SHA512 | 1ab4d0f3a5b22cbc8d289738d29479a743d7a8dbc13213ea6f894e20285013ff9b4f7d364e026f7496b1a62f2be51acd2645e724a4b139d12b0492070e08c01d |
C:\Program Files (x86)\ebddehfkkrzhbmwnlvsuuvy.bbi
| MD5 | c14409e3dacfc0cfdc6984349dcb40f3 |
| SHA1 | 9904c0e5d8f1480bf8d954147740de91963eb754 |
| SHA256 | 333308d94d1d4ed5fea3a74f8abc3dd1aa3b625eec604cc7e6f746d70de8c1f0 |
| SHA512 | 51576bf46a5392d1371f8c74d3f6c954c41be8d9c3f25ab9fa28ed64caf65a54c078c4c69f1c929a66fe66218dd3d89fee4cf111180229f6fb2e83ac64bfeb92 |
C:\Users\Admin\AppData\Local\ebddehfkkrzhbmwnlvsuuvy.bbi
| MD5 | 2d42debf477c254ef115f05543250fde |
| SHA1 | f788aec91522d998cb0d67b1745ff8b628410fc5 |
| SHA256 | d5f7456035de4c36168b57d912b2f9f50c564f2bcc4ceeeeffda00a2a8790275 |
| SHA512 | c0b1b39a57731f318b817be2a7ce553068fd16853749f0e6a56c93d54f7bcfd44098c8638b19e8be7ea4fa42d9aee32fd01066534182353983ba82daa9b3ff95 |
C:\Program Files (x86)\ebddehfkkrzhbmwnlvsuuvy.bbi
| MD5 | ce9cbfbc784d41c24e2b4f2ff041ff90 |
| SHA1 | a302cf4e18e253e165b1be2fddfbd36dacd9c271 |
| SHA256 | c13bf3898c963710cf660133e187b447a9a2e7172d67ff58bd2443f381ed2a15 |
| SHA512 | 16b098ddf462b62a942c4d3a5e66818c995f8be01be1fefab3a88680b013b9991e9f7d88747bb2fb456082170f556ce2fd69c90938f5174fded0b583af7c21cf |
C:\Program Files (x86)\ebddehfkkrzhbmwnlvsuuvy.bbi
| MD5 | e258c7a486f4dc322eaf86b343ee0aa3 |
| SHA1 | d8c54b2c5628a85811ece6f0bb8eb35835d75017 |
| SHA256 | 9e7c01fe48cc65a922fa3fd577eb427a6e7a5c30c8bb39553ece5826b7aaee2a |
| SHA512 | 0fe95a7f4b77ba62d73a4231acbf8548ad422cf5545fb8571b07daf156570464b607aa3455e4dd672b9c71678fe31c0abf3a0dbb866f9bf463c1ee9ea0dd1843 |
C:\Users\Admin\AppData\Local\ebddehfkkrzhbmwnlvsuuvy.bbi
| MD5 | f03460c10b1089594e3fec9c0c2d5e55 |
| SHA1 | ac2ab13194eb03fbaa2065a8fab6ef7d9a512bac |
| SHA256 | 5c30d62af04a0e8fbdaacb0212ae76a7414cd0712f1e99b782646da843c919b7 |
| SHA512 | 96b0d57dd2957b07a2aeae1d0225a9b1958b5d68227e1befda8ed180dbb81c58014f21f580209b6732fc086260681647dea5e47da23b2b0ca453d8037b273358 |
C:\Users\Admin\AppData\Local\ebddehfkkrzhbmwnlvsuuvy.bbi
| MD5 | 5fa30ca03c631191b8791a1d84b6a660 |
| SHA1 | 55c4862850fc10cfdd0da3f62e3a2f4a4eebe9bf |
| SHA256 | cc37eb15adcca28a1d1a9016c31b58d6845f621bac2bc01c6694b0aabda754fa |
| SHA512 | 137585c8e6e44dda3f1d88156b080b54da3ce8ae911cc5c3577321502c7f3c7a148aee6700266dd0536be966a883503383a8df51b56c4f8c186bbfc71beb32b0 |
C:\Users\Admin\AppData\Local\ebddehfkkrzhbmwnlvsuuvy.bbi
| MD5 | 0f21d765675e4deabd3175d41e3d7e8f |
| SHA1 | 97e223d70da459a1c6d4d09600b25ef5f1035306 |
| SHA256 | 77d5c78dd5d0f712c1b417d264932e93d1645385efe4c93b7e31899fa83139f6 |
| SHA512 | 6f23e8edcf77592137d3584baa74c401393dd4fc072906a797acc129440558ec725f088c878a5db9fffbb491367a9dd437098b5319be39ae6af019eed6979271 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 23:18
Reported
2024-06-26 23:21
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "wqtggdwtmlhymjlklpjmz.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "jaakhbrlbxqepjiecd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "tigojbphvpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "haconjbxpniylhiggjce.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "umnywridurlamhhedfx.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umnywridurlamhhedfx.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "tigojbphvpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "aqpyuncvkfxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpyuncvkfxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haconjbxpniylhiggjce.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "haconjbxpniylhiggjce.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "wqtggdwtmlhymjlklpjmz.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "umnywridurlamhhedfx.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "jaakhbrlbxqepjiecd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "haconjbxpniylhiggjce.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpyuncvkfxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "aqpyuncvkfxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyrukxgtcrd = "wqtggdwtmlhymjlklpjmz.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umnywridurlamhhedfx.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
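The UAC bypass, Disables RegEdit, Adds policy Run key and Adds Run key tables on this page (in both detonations) all record the same pattern: the dropper and its child blindly write 0 to every value under HKLM\...\Policies\System, then plant the next-stage name under several autostart locations. Not every one of those writes matters. ValidateAdminCodeSignatures and FilterAdministratorToken already default to 0, so writing 0 changes nothing; ConsentPromptBehaviorUser=0 is auto-deny, which is stricter, not weaker; EnableLUA=0 only takes effect at the next boot; and the Winlogon\Shell write is the default value "Explorer.exe" landing in the WOW6432Node (32-bit) view. The writes that do remove protection are EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, EnableInstallerDetection, EnableSecureUIAPaths and EnableVirtualization going to 0, plus DisableRegistryTools=1. The script below is an added triage example, not part of the report or of the sandbox vendor's tooling: it parses rows in the table format used on this page, rates each Policies\System write against the Windows defaults (the baseline values are assumptions from a default Pro/Home installation), and lists the autostart entries. The embedded rows are a constructed sample copied from the tables above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: rows copied from this report's signature tables (UAC bypass,
# Disables RegEdit, Adds policy Run key, Adds Run key, Modifies WinLogon).
SAMPLE_ROWS = r'''
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jqggtdjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\adlryhl.exe | N/A |
'''

# ...\Policies\System values: name -> (OS default, value that removes the protection).
# Assumption: defaults of a stock Pro/Home install. None means no single value counts
# as "removed": 0 is already the default (ValidateAdminCodeSignatures,
# FilterAdministratorToken) or is the stricter choice (ConsentPromptBehaviorUser=0
# auto-denies elevation for standard users).
UAC_POLICY = {
    "EnableLUA": (1, 0),
    "ConsentPromptBehaviorAdmin": (5, 0),    # 0 = elevate without prompting
    "PromptOnSecureDesktop": (1, 0),
    "EnableInstallerDetection": (1, 0),
    "EnableSecureUIAPaths": (1, 0),
    "EnableVirtualization": (1, 0),
    "ConsentPromptBehaviorUser": (3, None),
    "ValidateAdminCodeSignatures": (0, None),
    "FilterAdministratorToken": (0, None),
    "DisableRegistryTools": (0, 1),          # 1 = regedit blocked (Explorer policy, not UAC)
}

# Autostart locations seen in this report; not an exhaustive list of Windows ASEPs.
AUTORUN_RE = re.compile(
    r"\\CurrentVersion\\Run(?:Once)?\\[^\\]+$"   # HKLM/HKU Run and RunOnce
    r"|\\Policies\\Explorer\\Run\\[^\\]+$"         # policy Run key
    r"|\\Winlogon\\Shell$"                         # logon shell replacement
)

IND_RE = re.compile(r'^(?P<path>.+?)(?: = "(?P<data>.*)")?$')


@dataclass
class RegRow:
    op: str               # "Set value (int)", "Key created", ...
    path: str             # full registry path including the value name
    data: Optional[str]   # None for key create/delete rows
    process: str


@dataclass
class Finding:
    category: str         # "uac" or "autorun"
    hive: str
    key: str
    name: str
    value: object
    default: object
    flagged: bool         # uac: a protection was removed; autorun: always True
    process: str


def parse_rows(text: str) -> list:
    """Parse '| Description | Indicator | Process | Target |' rows."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        op, indicator, process, _target = cells
        m = IND_RE.match(indicator)
        rows.append(RegRow(op, m["path"], m["data"], process))
    return rows


def hive_of(path: str) -> str:
    return "HKLM" if path.startswith(r"\REGISTRY\MACHINE") else "HKU"


def triage(text: str) -> dict:
    """Rate Policies\\System writes against the baseline and collect autostart entries."""
    uac, autoruns = [], []
    for row in parse_rows(text):
        if not row.op.startswith("Set value"):
            continue   # key create/delete rows carry no value to rate
        key, _, name = row.path.rpartition("\\")
        if key.endswith(r"\Policies\System") and name in UAC_POLICY:
            default, removed = UAC_POLICY[name]
            value = int(row.data) if "(int)" in row.op else row.data
            uac.append(Finding("uac", hive_of(row.path), key, name, value, default,
                               value == removed, row.process))
        elif AUTORUN_RE.search(row.path):
            autoruns.append(Finding("autorun", hive_of(row.path), key, name, row.data,
                                    None, True, row.process))
    return {"uac": uac, "autoruns": autoruns}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for f in result["uac"]:
        mark = "REMOVED" if f.flagged else ("changed" if f.value != f.default else "default")
        print(f"{mark:8} {f.hive} {f.name}={f.value} (default {f.default}) by {f.process}")
    for f in result["autoruns"]:
        print(f"AUTORUN  {f.hive} {f.key}\\{f.name} -> {f.value} by {f.process}")
```

Two points follow from the output. First, the DisableRegistryTools write is also made under the user hive (HKU\S-1-5-21-...), so restoring the machine-wide policy alone leaves regedit blocked for that user. Second, the autostart list is the cleanup list: the same randomised executable name is placed under Run, RunOnce and Policies\Explorer\Run in both HKLM and HKU, and the names cycle across rows, so remove by key and value name rather than by a single file path.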
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "wqtggdwtmlhymjlklpjmz.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "jaakhbrlbxqepjiecd.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "tigojbphvpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umnywridurlamhhedfx.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haconjbxpniylhiggjce.exe ." | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "umnywridurlamhhedfx.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "wqtggdwtmlhymjlklpjmz.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umnywridurlamhhedfx.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyuatjvlxpeovl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "wqtggdwtmlhymjlklpjmz.exe ." | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "umnywridurlamhhedfx.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "jaakhbrlbxqepjiecd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "jaakhbrlbxqepjiecd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "aqpyuncvkfxkunlgd.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haconjbxpniylhiggjce.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "umnywridurlamhhedfx.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyuatjvlxpeovl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umnywridurlamhhedfx.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "jaakhbrlbxqepjiecd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpyuncvkfxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "wqtggdwtmlhymjlklpjmz.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpyuncvkfxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "aqpyuncvkfxkunlgd.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "jaakhbrlbxqepjiecd.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "wqtggdwtmlhymjlklpjmz.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyuatjvlxpeovl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe ." | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "tigojbphvpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "tigojbphvpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpyuncvkfxkunlgd.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "wqtggdwtmlhymjlklpjmz.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "haconjbxpniylhiggjce.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyuatjvlxpeovl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "haconjbxpniylhiggjce.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "jaakhbrlbxqepjiecd.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "tigojbphvpgsbtqk.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lyuatjvlxpeovl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umnywridurlamhhedfx.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "jaakhbrlbxqepjiecd.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "wqtggdwtmlhymjlklpjmz.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haconjbxpniylhiggjce.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "tigojbphvpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqtggdwtmlhymjlklpjmz.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "aqpyuncvkfxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jaakhbrlbxqepjiecd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "umnywridurlamhhedfx.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umnywridurlamhhedfx.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "haconjbxpniylhiggjce.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haconjbxpniylhiggjce.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oczgarevibrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tigojbphvpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "tigojbphvpgsbtqk.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcuwlxfrzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haconjbxpniylhiggjce.exe ." | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "wqtggdwtmlhymjlklpjmz.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aizaozgry = "jaakhbrlbxqepjiecd.exe" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwqulzjxhxks = "aqpyuncvkfxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwrwododoftci = "jaakhbrlbxqepjiecd.exe ." | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ywduyzwxuxxsklruzhfmd.ifg | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| File created | C:\Windows\SysWOW64\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ywduyzwxuxxsklruzhfmd.ifg | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\ywduyzwxuxxsklruzhfmd.ifg | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| File created | C:\Program Files (x86)\ywduyzwxuxxsklruzhfmd.ifg | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| File created | C:\Program Files (x86)\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| File created | C:\Windows\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| File opened for modification | C:\Windows\ywduyzwxuxxsklruzhfmd.ifg | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| File created | C:\Windows\ywduyzwxuxxsklruzhfmd.ifg | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\uapoajo.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\uapoajo.exe
"C:\Users\Admin\AppData\Local\Temp\uapoajo.exe" "-"
C:\Users\Admin\AppData\Local\Temp\uapoajo.exe
"C:\Users\Admin\AppData\Local\Temp\uapoajo.exe" "-"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | www.blogger.com | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| US | 8.8.8.8:53 | www.blogger.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | www.ebay.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\uapoajo.exe
| MD5 | f14ec017fac3402fed9fc60b9e2559d9 |
| SHA1 | 71ddfa7118d0511256181248d21f1a71887c6867 |
| SHA256 | c5a50168ed1c7108bf16e484a5077da1d6dc23cdcbcb094689a5084e62aa27ff |
| SHA512 | 88379745c41512071d19d6d41640fb3be4f8d8acf1f220a6f3a0c348d037af5d3a31bf0330e4bfd047b6fc1de60a5e1e70cd88533621934ff024c454b27d1618 |
C:\Users\Admin\AppData\Local\ywduyzwxuxxsklruzhfmd.ifg
| MD5 | 4444bca4d3e4c9cc982f15fba95f95a0 |
| SHA1 | 13bbd9a740a19457bf1e9b68880e06722759facc |
| SHA256 | 13cfaa76157912be7a06a4218021d5b8f14df9eb8160693f90dc1d070e89fd65 |
| SHA512 | ed0f67fc035fac836ea9a93505a598526a00b1831ec771003cd87aefba988c94d0c1e908e9bd74a9d8369403470275f142c6b1e3be1c355336186a6b76b2a59b |
C:\Users\Admin\AppData\Local\tcuwlxfrznyehtkyohqikzltfnbmsvhy.cve
| MD5 | 9e3f61f55d8b91f14e407e1dfcae0e9b |
| SHA1 | d9d59ebb75223baad7539c12f84bffe4def18739 |
| SHA256 | b44ea9d36943272fded26afec06a3072c092407c7668ca854d0d5746581d5f5c |
| SHA512 | 731080ae45d5d74790dca6d85058ae899e866d839e2cc8b95652a19f3ded5a340fb31741a2e61268398d6698219d759799348aeb88ed49c605079185796bb224 |