Page 116 - Cyber Defense eMagazine Annual RSA Edition for 2024
Note: Both detections by the antivirus engine are heuristic. Analysis shows that the file is packed with the Nullsoft packer, which can be unpacked with 7-Zip.
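Before reaching for 7-Zip, a triage script can confirm that a sample is a Nullsoft (NSIS) package by locating the NSIS first header, whose layout (flags, the 0xDEADBEEF signature, the "NullsoftInst" marker, then two length fields) is published in the NSIS source. The following parser is an added example written for this page, not tooling from the original analysis; the sample image it scans is constructed inline, and the sizes it carries are arbitrary.

```python
import struct

# NSIS "firstheader" constants (Source/exehead/fileform.h in the NSIS tree):
# flags, FH_SIG 0xDEADBEEF, then FH_INT1..3 spelling "NullsoftInst",
# then length_of_header and length_of_all_following_data (all little-endian u32).
NSIS_SIG = b"\xEF\xBE\xAD\xDE"
NSIS_MAGIC = NSIS_SIG + b"NullsoftInst"
FIRSTHEADER_LEN = 28  # 7 x u32


def find_nsis_firstheader(data: bytes):
    """Return the parsed NSIS first header found in `data`, or None.

    The 16-byte magic sits 4 bytes after the flags field, so the header
    starts at marker_offset - 4. A hit means the file carries an NSIS
    archive that 7-Zip can list and extract.
    """
    pos = data.find(NSIS_MAGIC)
    if pos < 4 or pos - 4 + FIRSTHEADER_LEN > len(data):
        return None
    start = pos - 4
    flags, _sig, _n1, _n2, _n3, hdr_len, data_len = struct.unpack_from(
        "<7I", data, start
    )
    return {
        "offset": start,
        "flags": flags,
        "header_length": hdr_len,          # compressed header block
        "following_data_length": data_len,  # everything after the header
    }


def is_nsis_packed(data: bytes) -> bool:
    """True when the NSIS first header is present."""
    return find_nsis_firstheader(data) is not None


def build_sample_image() -> bytes:
    """Constructed sample: a fake MZ/PE stub followed by an NSIS first header."""
    stub = b"MZ" + b"\x00" * 510 + b"PE\x00\x00" + b"\x90" * 100
    firstheader = struct.pack(
        "<7I", 0, 0xDEADBEEF, 0x6C6C754E, 0x74666F73, 0x74736E49, 0x1234, 0x5678
    )
    return stub + firstheader + b"\x00" * 16


if __name__ == "__main__":
    print(find_nsis_firstheader(build_sample_image()))
```

On a real file, read it in binary mode and pass the bytes to `find_nsis_firstheader`; a hit is the cue to list the embedded files with `7z l` and extract them with `7z x`.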
Process Tree
Once executed, Nikki stealer drops a second payload, nikki.exe, into the temp folder; this is the main executable.
The snippet below shows the folder where the executable is stored.
Modifying process features and prefetch settings can be used to manipulate system behaviour or to evade detection by security software. For example, disabling certain features might help the malware avoid detection or hinder analysis by security tools.