Malware Analysis Report

2025-01-06 11:50

Sample ID 240603-edzfssbf52
Target 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
SHA256 bd9aff70e3b930f399364299a2e997d7ca316e5240be024292d46ec92c8843af
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bd9aff70e3b930f399364299a2e997d7ca316e5240be024292d46ec92c8843af

Threat Level: Known bad

The file 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visiblity of hidden/system files in Explorer

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 03:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 03:50

Reported

2024-06-03 03:52

Platform

win7-20240215-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2404 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2404 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2404 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 320 wrote to memory of 2912 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 320 wrote to memory of 2912 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 320 wrote to memory of 2912 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 320 wrote to memory of 2912 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2912 wrote to memory of 2616 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2912 wrote to memory of 2616 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2912 wrote to memory of 2616 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2912 wrote to memory of 2616 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2616 wrote to memory of 2620 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2616 wrote to memory of 2620 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2616 wrote to memory of 2620 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2616 wrote to memory of 2620 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 320 wrote to memory of 2752 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 320 wrote to memory of 2752 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 320 wrote to memory of 2752 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 320 wrote to memory of 2752 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2616 wrote to memory of 2492 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 2492 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 2492 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 2492 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 1672 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 1672 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 1672 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 1672 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 2164 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 2164 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 2164 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 2164 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:52 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:53 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:54 /f

Network

N/A

Files

memory/2404-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 1f53cc134e3add8aa898b4038f36021d
SHA1 a848b6e6f191db8bdc78bb7b2b1dbc8fb35b05c0
SHA256 9abae1f10ff12f11f32b97aabfa40e728e6f87bf19b85888a27161fb145466f8
SHA512 d399ecfc99f6d3c96d7ed8e531dac338ee9f858e8447b235dffb32e59b0ae7023111299e02b1a1f6c7143ca41ca312c69b22508b09c446f6e622c9669cd5ff65

memory/2404-10-0x0000000000560000-0x000000000057F000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 c467bfe5fadf8b990018007375fca8f3
SHA1 f8643cdb3b51ab890fe8e839bea7e02dcc5aa12b
SHA256 e6af4421188a236f7e1598234be1c412f71715ba574b14e31e5eb8f78e345b8e
SHA512 430129ebf673891850c57aa85bbdb21e8c157ade0b4538dfddd3d2712ebd22d841199f05d850caeac296e290e418bec27c1b4e548b743588dcae327cfc7f24e4

memory/320-19-0x0000000002390000-0x00000000023AF000-memory.dmp

\Windows\Resources\svchost.exe

MD5 dcef10cbdc1f9e3b46eb901668eccf17
SHA1 3863d2f1b03d01ef73b4ddaba24ca75e9717a7d9
SHA256 25b8e7935b46a545c72ca914680dc16908290837f2402ec78f26d289bbac6865
SHA512 db245b9e29bf5a4677b31300bd460c2806ca2e2f40adc476fe11c073cf1a9ab811ea4933f73b3a00cfb43689b0d81cb9cb2e34357d27ea710a7847a32f7b368a

memory/2616-34-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2616-38-0x00000000002B0000-0x00000000002CF000-memory.dmp

memory/2620-43-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2912-44-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2404-45-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 03:50

Reported

2024-06-03 03:53

Platform

win10v2004-20240226-en

Max time kernel

159s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3080 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 3080 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 3080 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 3812 wrote to memory of 800 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3812 wrote to memory of 800 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3812 wrote to memory of 800 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 800 wrote to memory of 488 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 800 wrote to memory of 488 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 800 wrote to memory of 488 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 488 wrote to memory of 1856 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 488 wrote to memory of 1856 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 488 wrote to memory of 1856 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.178.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

memory/3080-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 f23d8e37439515064284d785eecd5c94
SHA1 73cef8c63c11346c3fefff4ecb64b6aa429cc06e
SHA256 8a1dcffb3b8aae0724109c519630d9f59a6c27fd568d15dd050b82b3084496d2
SHA512 5f7b10b01e5a2dca7d50e9266d47b5d7cf9fd35e94251d51fe5ca300cac233a7b1958d84d67474a6c2d6f02a0a7f8fa3d434dcdff87c2cbd817d53dde5c96554

C:\Windows\Resources\spoolsv.exe

MD5 b03d84cd3319438f970a3087e08c748a
SHA1 02f36f5e0bbf867bde07773de6b3aa2b4734a5e6
SHA256 caec66a1733d7024c9d313a1c56da28099c2e82bc5db0c7539127a289720427d
SHA512 91eff2c672525fda2b09c8605d031347d1da90655d2bf6d2f11460476280d96c2c53d6d1f28b0f9c6befa39a5545ba5c48646ccc924cf9e0ed6d7e52c09e8aec

C:\Windows\Resources\svchost.exe

MD5 5949ac8ba0f9482bd55ff0d2891d0550
SHA1 edef28b917a9b147cfcceff60e92452ce2017a67
SHA256 538f055799695f27b94294ddc6861eaa0ef91bba02896fc84b7ce1f33d8f8f7d
SHA512 d6b61fd5ba17258a935a14ff5b5ced64359a1c57269712e5f500d56b322cd439f1ccbbee897d7ca3e6cb3c6a2def46d0e42acc99b00f877c24a22a804c19323a

memory/1856-32-0x0000000000400000-0x000000000041F000-memory.dmp

memory/800-33-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3080-34-0x0000000000400000-0x000000000041F000-memory.dmp