Malware Analysis Report

2025-08-05 19:17

Sample ID 240513-mllhxaad9z
Target b2c530383049901ba8715981c0c79cb0_NeikiAnalytics
SHA256 0a2af68859bc99d653c9a97fa617e77ad71c81dfa3c3789ef9366459ec9cab46
Tags

evasion persistence

Score

10/10

Analysis Overview

Score

10/10

SHA256

0a2af68859bc99d653c9a97fa617e77ad71c81dfa3c3789ef9366459ec9cab46

Threat Level: Known bad

The file b2c530383049901ba8715981c0c79cb0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-05-13 10:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 10:33

Reported

2024-05-13 10:35

Platform

win7-20240508-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" \??\c:\windows\swchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\userinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\swchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\userinit.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\swchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\swchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\swchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\swchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\spoolsw.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\spoolsw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" \??\c:\windows\userinit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\system\udsys.exe \??\c:\windows\userinit.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\userinit.exe \??\c:\windows\userinit.exe N/A
File opened for modification \??\c:\windows\swchost.exe \??\c:\windows\swchost.exe N/A
File opened for modification \??\c:\windows\userinit.exe C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\spoolsw.exe \??\c:\windows\userinit.exe N/A
File opened for modification \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe \??\c:\windows\userinit.exe
PID 2680 wrote to memory of 2464 N/A \??\c:\windows\userinit.exe \??\c:\windows\spoolsw.exe
PID 2464 wrote to memory of 2484 N/A \??\c:\windows\spoolsw.exe \??\c:\windows\swchost.exe
PID 2484 wrote to memory of 2568 N/A \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe"

\??\c:\windows\userinit.exe

c:\windows\userinit.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe SE

\??\c:\windows\swchost.exe

c:\windows\swchost.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe PR

Network

N/A

Files

C:\Windows\userinit.exe

MD5 9c1ae662767d607a1ac1516ccc255bdf
SHA1 8eb80f87c9fe2b184463b2293bb348e292b266ad
SHA256 921d46774098333a45b83927d84fb4bd20b792addbb653cf3d0456f80f367182
SHA512 cda67be30853478e4643c08f13870ec9643afe825be45da6e7e344d28f187ffdc2f808bd5d040e9983302653c966a2ccbfa725f1df953a5ff53d1ab3afa5910d

C:\Windows\spoolsw.exe

MD5 1b7ff2bd5000b1be9156f49ea4e3d0fb
SHA1 edf3201517c68d01b87c386b39abf1fe348a59ed
SHA256 c0d15ad23bba837089278744a36de232200d3b7265b684f17ff7e8339e9370c8
SHA512 549b6895f24a2214d82e43962c58ba8a14e5242029adf14686c4c0cd503b5a9ffb1d28f62d41ba4ae2f36acba9e672314a3ed0c56bb30a0bbc95e3086efb21e2

C:\Windows\swchost.exe

MD5 cc6d664b3ac515d0e91528330dd29ecc
SHA1 97df29ec0d697991a2639b4d2ca48880a42c0f78
SHA256 893e4a3414bb68e74e5ba508416fae76db7528f5448a843475a06ed184a1d346
SHA512 e9c3d91d4b954181380642159853d83f9f1853042a2a1a5b99810c7e631eeff0d53352b53bdd6a78a03b303ddaf388cdadc9fc89341e360b7065060a4569e119

C:\Users\Admin\AppData\Local\mrsys.exe

MD5 e55dcbc8ae55ae5e72b70cf8608f6522
SHA1 34db31aae0160437e17525c47aa95fe9f9305f23
SHA256 3cd9f82eeb7e349e0a7aeec8022c24346163ab021673e023340e8101efa13006
SHA512 6916b6275b6d1c763d41157d3ca60c3ca015b9169080502dc6597541044a2ed7cea9e7649750a55dcdaad947a2da35c6d471bfb2f11cb57df68cc16bdf85b6e9

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 10:33

Reported

2024-05-13 10:35

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" \??\c:\windows\swchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\userinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\swchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\swchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\swchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\swchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\userinit.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\swchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\spoolsw.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\spoolsw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" \??\c:\windows\swchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\system\udsys.exe \??\c:\windows\userinit.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\spoolsw.exe \??\c:\windows\userinit.exe N/A
File opened for modification \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe N/A
File opened for modification \??\c:\windows\userinit.exe \??\c:\windows\userinit.exe N/A
File opened for modification \??\c:\windows\swchost.exe \??\c:\windows\swchost.exe N/A
File opened for modification \??\c:\windows\userinit.exe C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe"

\??\c:\windows\userinit.exe

c:\windows\userinit.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe SE

\??\c:\windows\swchost.exe

c:\windows\swchost.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe PR

Network

Country Destination Domain Proto
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Windows\userinit.exe

MD5 c652131cd6352ca47ca11c8ce59bce4c
SHA1 3aee04ba3fc8f978d1425b8b906d496a4a5d078c
SHA256 972fef7cf9e6c6102baf0412b787ae759287d52973dbc3e36d8d9f5d0a6a7e3c
SHA512 f0fed52968864bf6cf8a64ac97ce9555f6c4068e604d39aa62cd3c0204188cebeeedfcf0d50f4991fe1be8f2f8f719bd09147309ab448490fea70e264e7c8df7

C:\Windows\spoolsw.exe

MD5 59ed49ba1acfdfdf9b00e35582deac13
SHA1 1393a03b9c5c1c3e6c7783e21256f94241e11ef7
SHA256 602e11e780ac05d18b6c5eda633516b374aa5a55b34057b17984080e4cf10f9f
SHA512 111113a3ed3291680dd2469efe2ab1ef451ca0ae4882d2da0e38f694062dd310fda50d7ac3d9d18b75f06a8ed18e1b4b5882c1ccdaaf5185a43cf000d4571690

C:\Windows\swchost.exe

MD5 0fd53134d6b9a1456389aa60bf43ecc7
SHA1 f86f2881b2b3b082cb2a9b5fe14b8a0c9b942705
SHA256 4b05a005064b9f01fe889438816e18c3752a73c784ccfcca7be5d2b4a1aae37e
SHA512 91b5cb4f95e8eeeb20c98c399518fbcbbce08379c6ff964f28d5647453e356568ef52a013778662919dcf43bef4f8c3711b93ce6d4053d6176e7bad730187ace

C:\Users\Admin\AppData\Local\mrsys.exe

MD5 14e8b89fae8537e2bdc541301f1ce044
SHA1 5b1296a1c1f665ff154c39da7dd9d1998f14090a
SHA256 89b090b537221f2c3f9c524a56265d3f8d7a2c048b1083407601ef81cf817002
SHA512 249eaf4e5b577b9b2cfef40d52e20c50019ee3621881e1734444ece56264748efec7bd0da6ed99accdfb1813f6cfa7e84c09006573066c081d330787a1bf4193