Malware Analysis Report

2025-08-11 07:35

Sample ID 240605-jm77hsaa6w
Target 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe
SHA256 ebe8a31d3ff34744fcd2ec79d47b68ac130d206a9c153a1fb97755d1b08ffba9
Tags evasion persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

ebe8a31d3ff34744fcd2ec79d47b68ac130d206a9c153a1fb97755d1b08ffba9

Threat Level: Known bad

The file 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 07:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 07:48

Reported

2024-06-05 07:50

Platform

win7-20240508-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 352 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 352 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 352 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 352 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 1724 wrote to memory of 2924 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 1724 wrote to memory of 2924 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 1724 wrote to memory of 2924 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 1724 wrote to memory of 2924 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 2924 wrote to memory of 2596 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2924 wrote to memory of 2596 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2924 wrote to memory of 2596 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2924 wrote to memory of 2596 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2596 wrote to memory of 2712 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2596 wrote to memory of 2712 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2596 wrote to memory of 2712 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2596 wrote to memory of 2712 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 1724 wrote to memory of 2816 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 1724 wrote to memory of 2816 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 1724 wrote to memory of 2816 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 1724 wrote to memory of 2816 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 2596 wrote to memory of 2784 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 2784 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 2784 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 2784 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 1688 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 1688 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 1688 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 1688 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 664 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 664 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 664 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 664 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:50 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:51 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:52 /f

Network

N/A

Files

memory/352-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 dd56ba6ed051fe45ae4da1161e21c71b
SHA1 2defe0b01952f10091bbb97fcf7716467dce8cbf
SHA256 3f3ead8b77dfa6be320374ba40f4d153436ae0af6a3235f8da0515bdf3e1ff84
SHA512 bf160f1868e0c3318629268396a4f6dcb129c858e0703a8dd8ab0dd4814cbb417128cd868f61175b8ddbf30197b7c7941b21bb711b2f56810811422176b3a842

memory/352-10-0x0000000000310000-0x000000000032F000-memory.dmp

\Windows\Resources\spoolsv.exe

MD5 32084c6433ee4141c9fd6100f87b684b
SHA1 676e0420b9170cac46a9fb00a507882c2a36c613
SHA256 52cce42302a584cbb495441fc765e09fd913234e9270131d06f7da6ed7e70753
SHA512 63be0134090266c358a748a3e5a04561265c2793735e837cbc1f695a4b24d8ab25b53f27b59aff9b0cd148112b1ea54d253c0f5bf1b0fe33d49e5bc67dec2153

memory/1724-19-0x0000000000520000-0x000000000053F000-memory.dmp

\Windows\Resources\svchost.exe

MD5 08c8ba5cb8d1ff660640b71e663f40b0
SHA1 985f705bf00268c7780023593cdfa0713c214329
SHA256 d6dc47f29319ed249169c2b7b33d7ccbb07b698b0d9b0c576fc5928517db7557
SHA512 84d4c82cfbcd0579590762476afdff1fba3aec3db04be59b8c70f6efa5e02f85e8fc5c0442a5343e3fcc7959ae98056f3c3ef06a9cd889c07580518175bdef88

memory/2924-32-0x00000000002B0000-0x00000000002CF000-memory.dmp

memory/2712-42-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2924-43-0x0000000000400000-0x000000000041F000-memory.dmp

memory/352-44-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 07:48

Reported

2024-06-05 07:50

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1324 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 1324 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 1324 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 4668 wrote to memory of 744 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 4668 wrote to memory of 744 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 4668 wrote to memory of 744 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 744 wrote to memory of 2372 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 744 wrote to memory of 2372 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 744 wrote to memory of 2372 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2372 wrote to memory of 2884 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2372 wrote to memory of 2884 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2372 wrote to memory of 2884 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp

Files

memory/1324-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 515a5a3bbd4e605f42955780ac50d3d9
SHA1 7d268b253b51af859b866aacf0b1568859038dc6
SHA256 73c8089ce33c3ff6fec3f314b60f670cdcc0190a889263e1350295bd9aa4e979
SHA512 d72611cdc18bb73ed9062f75c6f6f8de1d12372c769bb8cc21bca4fa116f74d086200fa9f43e3ea6a97e169c551b4754be129444e71ada6aa9bd0ecd54fb9a55

C:\Windows\Resources\spoolsv.exe

MD5 a79da3266dc1a964d865529d4f3368ef
SHA1 5b6273dfe8d10917b28037aeaea9bcbae4de1873
SHA256 800edafe4af4a3298be26c23f9fd665a1d94983e092f15ac033810f5c89d6ef3
SHA512 e2853c03cad4e122ac2569890321a1e534fd0ba0017a2d37d2a66482a3a507b604fdddd46d4be911d87645fd12cd4591029b5cb6c4e8d2492e76702b785f46af

C:\Windows\Resources\svchost.exe

MD5 259be02d7d07cd9ef0e98dc4becd44d3
SHA1 d10e8b35380d6d4572ce90d4429ae46496ca719e
SHA256 ef66018281e1f391817c1d3bb59752fa9907c44a4a69bebe111b419d6b9db299
SHA512 ec92db1139be5797c82ffbac3e9e34598a49081ae30379cc2069e0c15d1582194ab4d1b8ba168acdf72238ca89ef8b8e482da6dc8ca6f58cac2a57eccd8d6bf7

memory/2884-29-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2884-33-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1324-35-0x0000000000400000-0x000000000041F000-memory.dmp

memory/744-34-0x0000000000400000-0x000000000041F000-memory.dmp