Malware Analysis Report

2025-06-16 07:07

Sample ID 240602-befhjadh87
Target 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
SHA256 83a9cf4bc1e1744b3c2bf95577d27932a90befcbc046057797d176047dd34b36
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

83a9cf4bc1e1744b3c2bf95577d27932a90befcbc046057797d176047dd34b36

Threat Level: Known bad

The file 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 01:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 01:03

Reported

2024-06-02 01:05

Platform

win7-20240221-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe N/A 17
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A 24
N/A N/A \??\c:\windows\resources\svchost.exe N/A 23

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2492 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe 4
PID 2700 wrote to memory of 2548 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe 4
PID 2548 wrote to memory of 2688 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe 4
PID 2688 wrote to memory of 2656 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe 4
PID 2700 wrote to memory of 2576 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe 4
PID 2688 wrote to memory of 2712 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2688 wrote to memory of 1032 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2688 wrote to memory of 2176 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:05 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:06 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:07 /f

Network

N/A

Files

memory/2492-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 339cba64279282af1dd3ad72bffffa7c
SHA1 2faa8976cb86e2f54f2b09326e20d19269933dc9
SHA256 416172f0cb72898af2404b2af83efad3c1896177d4f804dcab1fe46671dd35ee
SHA512 f1a62300de8db115514c0a2aa544bff9e6969b420905adececeeb909d2b30fb6b480cf9902d15276796aa6b8a92be54e19ea0c80325e2c4b51e03741e7fc40fd

C:\Windows\Resources\spoolsv.exe

MD5 df9c902b66eee3069ee20fe85da6e148
SHA1 5bea6d26811c3a9680fc929c6bb52ad73b8c4c42
SHA256 1125e12a89a127e1022e85bd4550302ff8f1ff28517598ea6400e8512b06943c
SHA512 46f7fb0235a90d6372fb3475806132887cd3b9ff9a278fd5cbcf493ac585455181b2388c07a86fd0bd388cc2b4b001f3b1f8ad900e06df1b8ccd59901e334f72

\Windows\Resources\svchost.exe

MD5 f7eabc23ec96c64751a617dac875592c
SHA1 0b10d2a33df4b5722810fec72bac113747f3015f
SHA256 ccdc1192d436e7e4293fc250d9188adfebb744c597d011e239ba51f091d976d8
SHA512 444c97f4ea578a36b6ffaee23fa5ecaeb5b49be3d55b59bf2885a50422d4a7ca8b463d373a4238f332fcd2c294a204dcae83ed82e73ba73973c7010f3c796e66

memory/2548-28-0x0000000000270000-0x000000000028F000-memory.dmp

memory/2656-40-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2548-41-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2492-42-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 01:03

Reported

2024-06-02 01:05

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe N/A 34
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A 30

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2184 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe 3
PID 2672 wrote to memory of 3640 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe 3
PID 3640 wrote to memory of 4084 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe 3
PID 4084 wrote to memory of 3364 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

memory/2184-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 4a4d227abd2c2a2c9af3d142fab9f682
SHA1 54854d21261cb570dc06bcfb470e3114a9c3da95
SHA256 437ab718b194fb70676f02016ab72edcb3f782d89e2a8a9fc4abc8c27112aed6
SHA512 ee96bcf2077f20ff9e251999f1b0e73b90ad0e298806346dbd6a9a442a120b631db4be0780e53d0bc10a3f02009bf47451c3c9561733bfe6d6ae64593932bc11

C:\Windows\Resources\spoolsv.exe

MD5 c656eb4c127146c51d0184c488714b5b
SHA1 db2f25fb002fde9c94a80004979d59296cd86522
SHA256 3f71c53bbb3dea8a5220b7eeba9ad04812cf142e7379c47a3ccbe2d77118a8e8
SHA512 57384ffa5bbe21da72622378c624eefc1f6c8fde69b4706d9da07d81c7197bad3ee4ccd1e0b414597d92f3f3aee3b5d7718e3c6ecea90dae1ca665a8155ee72d

C:\Windows\Resources\svchost.exe

MD5 f717112ad1b8f699797d64d301fd8f99
SHA1 5f1b281d66f0ff3c76d14218c10773e6e0e3ce6a
SHA256 8f6f5078e0e7fe9178cc767db2eb83fde0e71e56774f19c0aeb1b0143b38b540
SHA512 a3a5e1c2d16f8be7559a4ffb52ba9176330979e02e2ad04a483184d6432787b32667b6a0f9cf9fc7c6f5ffbbb558ffa4b48841b5b30c40ed595fbe449fd7a227

memory/3364-32-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3640-33-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2184-34-0x0000000000400000-0x000000000041F000-memory.dmp