Malware Analysis Report

2025-01-06 11:48

Sample ID 240603-ecqr9sbe82
Target 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe
SHA256 fe9e0b6dc44da1531a24b7868c24a970788ccd393d4882227bc8d156aa0625ef
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fe9e0b6dc44da1531a24b7868c24a970788ccd393d4882227bc8d156aa0625ef

Threat Level: Known bad

The file 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 03:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 03:47

Reported

2024-06-03 03:50

Platform

win7-20240508-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 352 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 352 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 352 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 352 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 1724 wrote to memory of 2924 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1724 wrote to memory of 2924 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1724 wrote to memory of 2924 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1724 wrote to memory of 2924 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2924 wrote to memory of 2636 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2924 wrote to memory of 2636 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2924 wrote to memory of 2636 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2924 wrote to memory of 2636 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2636 wrote to memory of 2712 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2636 wrote to memory of 2712 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2636 wrote to memory of 2712 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2636 wrote to memory of 2712 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1724 wrote to memory of 3000 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1724 wrote to memory of 3000 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1724 wrote to memory of 3000 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1724 wrote to memory of 3000 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2636 wrote to memory of 2524 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2524 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2524 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2524 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 1412 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 1412 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 1412 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 1412 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2892 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2892 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2892 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2892 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:50 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:51 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:52 /f

Network

N/A

Files

memory/352-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 0fb2d4655bc6d3372b582ff3399c9972
SHA1 859a39cc6775ff8c301b2e3f49f5e305fc23ecf8
SHA256 fd2495958e36b91d6c52635fbc0d5020638591ea6e3f08190cf4da6d6eafb0ec
SHA512 0eab38189c1cc1517fee9d038911f975d0aad8ad7ff394b7ebad307711bbd9cd247b040f7b1eae08df9e538cdf1985709aae1ebbaf90b38482c40668b15b9f3a

memory/352-10-0x0000000000320000-0x000000000033F000-memory.dmp

\Windows\Resources\spoolsv.exe

MD5 cf9122c79b5cf8b1711643d9a50ce79f
SHA1 cedba3344596f0e934c2b73af54994b05d868ceb
SHA256 115cf6e17d50d955e2eee29a0fa2f6fd6ff8c9623be0c9c62c8c75c2e6bdfc1d
SHA512 e2b4ea0f96526e1c1ba87776d3760fdf3a4202826c3fe7bffcb6e81775f357ec293a15fd544672864a2f85933b3ce2adaf843043df9003dbd577e7cdf610d017

C:\Windows\Resources\svchost.exe

MD5 f12a628f29a00f809e6da37838ad4600
SHA1 c7ba0d36dec3d7a777614ef9fade14b5d22c879c
SHA256 51e03a872659ab577ff89a10d576d213ff6f1d7078bd4be0407563e67adfbb2f
SHA512 f047b51f3d724f9cb7c9a64bfc4dc1be08e6e536d8241dd701cc7c73060b4005d9efc9683fc56f0109184b4240f46fd66488f22ce812cb48189eb6dfcc9f4975

memory/2636-34-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2924-31-0x0000000000370000-0x000000000038F000-memory.dmp

memory/2924-43-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2712-42-0x0000000000400000-0x000000000041F000-memory.dmp

memory/352-44-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 03:47

Reported

2024-06-03 03:50

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2652 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2652 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 228 wrote to memory of 116 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 228 wrote to memory of 116 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 228 wrote to memory of 116 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 116 wrote to memory of 3292 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 116 wrote to memory of 3292 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 116 wrote to memory of 3292 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3292 wrote to memory of 3528 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3292 wrote to memory of 3528 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3292 wrote to memory of 3528 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/2652-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 c216c7d60686343eff64c8ab263bbe6f
SHA1 77a374e509955f18c369556fb79fd6051e8fe757
SHA256 db93b3756895313684b6ccf2b6b5244c16a33a9b9868afc4d67bd92b4ae121da
SHA512 7fdf2c65ea5798c796a51c470073165820f219a76c84d2eecc406e7a6fb0e7cba4370692709f7f3c32920aa19f5b8a0da1d7f1d24ef2ea2e668987fad971ec65

C:\Windows\Resources\spoolsv.exe

MD5 253ba7287bc811d8fc5c517af07279eb
SHA1 295e9bcd97d0282e12be925217afffa091b81b00
SHA256 d455bdbfba1f131f2cc23e623a99dc4eeb97e4dd1f82832e6eb03cbfa5bf0fb9
SHA512 afffc75b5ac418067794108ec0649161d91b97d50b11731b5733ead9da1cccdaf865011c289c8cde8107760cc2323c55189ba0ab6aec48ed1581b23de709ce68

memory/116-17-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 69e680a7a0d6503694afd21ba509c439
SHA1 1a138348baeface0216d5a1129173a464809781f
SHA256 7937e4871cfb738ab322478e19f491316b1b7a7467afa8867e107951c3be605a
SHA512 3e4e99cf0920e48faeb59cb664c2009128b5d6682d1388d96157ad908bfc54a6f04c984acb25af6b0d92a3e32ab6ace4830f44231e1152ae9d691979fa8bc9bd

memory/3528-34-0x0000000000400000-0x000000000041F000-memory.dmp

memory/116-33-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2652-35-0x0000000000400000-0x000000000041F000-memory.dmp