Malware Analysis Report

2025-08-05 19:17

Sample ID 240513-me6khaab7t
Target b2649969cea620ec40e625af91a7c100_NeikiAnalytics
SHA256 2c9cdf610d7ca1a0fe5012ce4d1e892bfc75060965473a5997fb9b5943cfffad
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c9cdf610d7ca1a0fe5012ce4d1e892bfc75060965473a5997fb9b5943cfffad

Threat Level: Known bad

The file b2649969cea620ec40e625af91a7c100_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visiblity of hidden/system files in Explorer

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 10:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 10:23

Reported

2024-05-13 10:26

Platform

win7-20240508-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 1484 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 1484 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 1484 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 1992 wrote to memory of 2560 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1992 wrote to memory of 2560 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1992 wrote to memory of 2560 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1992 wrote to memory of 2560 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2560 wrote to memory of 2628 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2560 wrote to memory of 2628 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2560 wrote to memory of 2628 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2560 wrote to memory of 2628 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2628 wrote to memory of 2672 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2628 wrote to memory of 2672 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2628 wrote to memory of 2672 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2628 wrote to memory of 2672 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1992 wrote to memory of 2588 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1992 wrote to memory of 2588 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1992 wrote to memory of 2588 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1992 wrote to memory of 2588 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2628 wrote to memory of 2556 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 2556 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 2556 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 2556 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 2184 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 2184 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 2184 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 2184 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 2572 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 2572 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 2572 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 2572 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:25 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:26 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:27 /f

Network

N/A

Files

memory/1484-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 8d359accb3d5e82a7842f7e6b4f3dd4e
SHA1 71b179b84ac52c11dcdf226afc6462201a94e81c
SHA256 363689c05cbaba95424d37cdc54a37b41d50ccf5d0d3db08a766ffbee5597aa8
SHA512 b39df8faab8478ee90cfb3066fa0a268c12effcc4a993ab4bfb96a607104fa643ff9abf1c0d970ffb98e6954b92a6eb3d7fd6e17d3743df772074dc72db0678c

C:\Windows\Resources\spoolsv.exe

MD5 1cf504fa108ebf920a06fa566e7cb340
SHA1 acce6d7908dcd95fcd49d3c7dd6be3b0b62eeee0
SHA256 6375cb246ea6f8e2dbda2c5b8f443ba0627c8c004db850bd782169ad244c8dde
SHA512 173649952b6f774b6e6e9dc8bf148a9562d1ca6a51bb1b24ba307ffc676eea6a9157961744a7e552b0d0c8714a9e6ed7c63a3461897fe4ad226019c0e60a5d46

memory/1992-19-0x00000000003C0000-0x00000000003DF000-memory.dmp

\Windows\Resources\svchost.exe

MD5 8a6c194666ba9345d7e7f230901c0d27
SHA1 69e9eafb7da749520340a3889b003ddf59d61dcd
SHA256 415d12baff16d92b99699392339f5a0a997546d9cc999bd9faacbb3a46be0772
SHA512 4a6eb4286db6089e83322f405638eef5fca0c16dd1e10bf3975147a6b4f05b225ae16fe3f7f9eb3a7101f6d8eab5b6d077c148a7972919af90a21e796c6f76c6

memory/2628-33-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2672-41-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2560-42-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1484-43-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 10:23

Reported

2024-05-13 10:26

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4560 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 4560 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 4560 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2972 wrote to memory of 2312 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2972 wrote to memory of 2312 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2972 wrote to memory of 2312 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2312 wrote to memory of 5020 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2312 wrote to memory of 5020 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2312 wrote to memory of 5020 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 5020 wrote to memory of 4204 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 5020 wrote to memory of 4204 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 5020 wrote to memory of 4204 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.168:443 www.bing.com tcp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 168.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 23.62.61.168:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/4560-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 612e47efefe6db86d4b82bf03e19930f
SHA1 b11c950ba397e210da5be4ea0cb85e82d42d2630
SHA256 bce25edfbbcf87be7fc5d4ac328813c4da1cb047d397aafcb977aac0d9e1bb84
SHA512 fca821422b0f2c57f016d8e820b991b5eaba7eaab65764f69192b81b96192d87414b4008820b612f366d149a899cc3f82466f67f200dfed1cce9443c9a1c11d9

C:\Windows\Resources\spoolsv.exe

MD5 f1cb45b782cf772160e3b587218e45c6
SHA1 993df975ac87e34ade127fb67a99c1c4b09b4260
SHA256 bbe5a0e2dedb062ac5f27ca369d5c96788f21e322724d087d0a0f459c182b6a4
SHA512 348dd4dde6e954ff88a44627ef6559f980e4b7e2a0e15d6c727265fd7a993b9f6c8b9329530c92db2d92e01f04d6a47b0ec7ccc741aa1e799f00d48e4401e851

C:\Windows\Resources\svchost.exe

MD5 1c41f22562d70dd8f36d98fe858a2815
SHA1 f5885e65babae369ba8442c4c4e648b106656ca1
SHA256 809202f5e4e9f9166bbc813f54edb3a0c08f61daa75c97efd49d7b710194e18d
SHA512 81d878c9baf6059587b8b83d500cc3a1d73b2a956eeb61c2eb34328a4bdb358f34ce3cf64e2cc1a0bbfeee5f0f595e64dbf1c1492910717c0799999ef6d5b506

memory/4204-29-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4204-33-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2312-34-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4560-35-0x0000000000400000-0x000000000041F000-memory.dmp