Malware Analysis Report

2024-11-15 05:27

Sample ID 240613-b41vrszcmc
Target 5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe
SHA256 78612a2347ca792ae9ee4be9f8b5781d54eba954b9d8575c942f4ebe94152a21
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

78612a2347ca792ae9ee4be9f8b5781d54eba954b9d8575c942f4ebe94152a21

Threat Level: Shows suspicious behavior

The file 5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 01:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 01:42

Reported

2024-06-13 01:45

Platform

win7-20240611-en

Max time kernel

148s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft silverlight.exe\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-9DTCS.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp N/A
File created C:\Program Files (x86)\Microsoft silverlight.exe\is-7GRLH.tmp C:\Users\Admin\AppData\Local\Temp\is-9DTCS.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft silverlight.exe\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-9DTCS.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1HLO4.tmp\6636252cf2274_pe.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9DTCS.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2500 (7 identical events) N/A C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\is-DNPAS.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp
PID 2500 wrote to memory of 3016 (7 identical events) N/A C:\Users\Admin\AppData\Local\Temp\is-DNPAS.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe
PID 3016 wrote to memory of 2656 (7 identical events) N/A C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\is-9DTCS.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp
PID 2656 wrote to memory of 2700 (7 identical events) N/A C:\Users\Admin\AppData\Local\Temp\is-9DTCS.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp C:\Users\Admin\AppData\Local\Temp\is-1F17N.tmp\6636252cf2274_pe.exe
PID 2700 wrote to memory of 2460 (7 identical events) N/A C:\Users\Admin\AppData\Local\Temp\is-1F17N.tmp\6636252cf2274_pe.exe C:\Users\Admin\AppData\Local\Temp\is-1HLO4.tmp\6636252cf2274_pe.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\is-DNPAS.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DNPAS.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp" /SL5="$70124,1969416,832512,C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe" /SILENT /PASSWORD=84773907

C:\Users\Admin\AppData\Local\Temp\is-9DTCS.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9DTCS.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp" /SL5="$80124,1969416,832512,C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe" /SILENT /PASSWORD=84773907

C:\Users\Admin\AppData\Local\Temp\is-1F17N.tmp\6636252cf2274_pe.exe

"C:\Users\Admin\AppData\Local\Temp\is-1F17N.tmp\6636252cf2274_pe.exe"

C:\Users\Admin\AppData\Local\Temp\is-1HLO4.tmp\6636252cf2274_pe.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1HLO4.tmp\6636252cf2274_pe.tmp" /SL5="$5015C,922170,832512,C:\Users\Admin\AppData\Local\Temp\is-1F17N.tmp\6636252cf2274_pe.exe"

Network

N/A

Files

memory/2052-2-0x0000000000401000-0x00000000004B7000-memory.dmp

memory/2052-0-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-DNPAS.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp

MD5 bbebb05d92e93a14043678e8f9a40056
SHA1 8f36fa14fbfe2c770943b9c36295ae6aa892ba6f
SHA256 228c4fd3f5d3ca6166063fbeae54468ab265c33f77c910d5fbd5054176634397
SHA512 828caa44e107bb6d790f12aabe751e9967e697bb5273771dfb8d21c365eb04fa3e0db3f388052efdd6118dd4d98995e67d5b39fc7cbb31684c40bec5112f951b

memory/2500-9-0x0000000000400000-0x000000000071C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-VAM93.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2052-20-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2500-18-0x0000000000400000-0x000000000071C000-memory.dmp

memory/3016-16-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-1F17N.tmp\6636252cf2274_pe.exe

MD5 e9ef446b1e8c626e9569255143c6b5dc
SHA1 e302aaf7688348c686fa4d13e4c75ea7a2d99175
SHA256 bdf642628d582643ec75d761c0b8dcfddaf45fb6a4284780b4287955c95a5412
SHA512 245d3962a998fb65f3a4e15dda413eaeb77eaafcd37e90279df697ed7c711e5859dd93fe3960f9c9b5c4f26a10dbb51a433618e1d9b5258e92be9bd440c73b5c

memory/2700-40-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-1HLO4.tmp\6636252cf2274_pe.tmp

MD5 347c1bb3f28cafe40233cc462ddc77e3
SHA1 9a35199c2b597d75cf1a15b8dcb677d5c571dc7e
SHA256 c9888ea62f9fe622527fb9c7f3fbfe56a5d30ba47c2416fecf8c9e608817cea5
SHA512 5d3a4222cb140ca629383c6c71319183437a9cc5f3649d3c7390d1590706f29d6564f5a1fa0ddd0be26cd29e821ec50d9fe3627943009adc2807ef070a1ff935

\Users\Admin\AppData\Local\Temp\is-M9JJ2.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/3016-53-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2656-54-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2700-55-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2460-56-0x0000000000400000-0x000000000071C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 01:42

Reported

2024-06-13 01:45

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-L4PD8.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft silverlight.exe\is-A6D0U.tmp C:\Users\Admin\AppData\Local\Temp\is-PLIE0.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft silverlight.exe\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-PLIE0.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp N/A
File created C:\Program Files (x86)\Microsoft silverlight.exe\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-PLIE0.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PLIE0.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 468 wrote to memory of 4764 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\is-L4PD8.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp
PID 4764 wrote to memory of 4548 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\is-L4PD8.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe
PID 4548 wrote to memory of 2236 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\is-PLIE0.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp
PID 2236 wrote to memory of 3668 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\is-PLIE0.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp C:\Users\Admin\AppData\Local\Temp\is-8VR0G.tmp\6636252cf2274_pe.exe
PID 3668 wrote to memory of 948 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\is-8VR0G.tmp\6636252cf2274_pe.exe C:\Users\Admin\AppData\Local\Temp\is-PH3M3.tmp\6636252cf2274_pe.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\is-L4PD8.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-L4PD8.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp" /SL5="$C005E,1969416,832512,C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe" /SILENT /PASSWORD=84773907

C:\Users\Admin\AppData\Local\Temp\is-PLIE0.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PLIE0.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp" /SL5="$7021C,1969416,832512,C:\Users\Admin\AppData\Local\Temp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.exe" /SILENT /PASSWORD=84773907

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\is-8VR0G.tmp\6636252cf2274_pe.exe

"C:\Users\Admin\AppData\Local\Temp\is-8VR0G.tmp\6636252cf2274_pe.exe"

C:\Users\Admin\AppData\Local\Temp\is-PH3M3.tmp\6636252cf2274_pe.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PH3M3.tmp\6636252cf2274_pe.tmp" /SL5="$10240,922170,832512,C:\Users\Admin\AppData\Local\Temp\is-8VR0G.tmp\6636252cf2274_pe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/468-1-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/468-3-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-L4PD8.tmp\5451c916cc969e469627f1cf9b379cd0_NeikiAnalytics.tmp

MD5 bbebb05d92e93a14043678e8f9a40056
SHA1 8f36fa14fbfe2c770943b9c36295ae6aa892ba6f
SHA256 228c4fd3f5d3ca6166063fbeae54468ab265c33f77c910d5fbd5054176634397
SHA512 828caa44e107bb6d790f12aabe751e9967e697bb5273771dfb8d21c365eb04fa3e0db3f388052efdd6118dd4d98995e67d5b39fc7cbb31684c40bec5112f951b

memory/4764-7-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-MOMJH.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/468-12-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4764-13-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4548-16-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4548-18-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2236-26-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4764-30-0x0000000000400000-0x000000000071C000-memory.dmp

memory/468-32-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4548-36-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2236-37-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8VR0G.tmp\6636252cf2274_pe.exe

MD5 e9ef446b1e8c626e9569255143c6b5dc
SHA1 e302aaf7688348c686fa4d13e4c75ea7a2d99175
SHA256 bdf642628d582643ec75d761c0b8dcfddaf45fb6a4284780b4287955c95a5412
SHA512 245d3962a998fb65f3a4e15dda413eaeb77eaafcd37e90279df697ed7c711e5859dd93fe3960f9c9b5c4f26a10dbb51a433618e1d9b5258e92be9bd440c73b5c

memory/3668-43-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PH3M3.tmp\6636252cf2274_pe.tmp

MD5 347c1bb3f28cafe40233cc462ddc77e3
SHA1 9a35199c2b597d75cf1a15b8dcb677d5c571dc7e
SHA256 c9888ea62f9fe622527fb9c7f3fbfe56a5d30ba47c2416fecf8c9e608817cea5
SHA512 5d3a4222cb140ca629383c6c71319183437a9cc5f3649d3c7390d1590706f29d6564f5a1fa0ddd0be26cd29e821ec50d9fe3627943009adc2807ef070a1ff935

C:\Users\Admin\AppData\Local\Temp\is-SU27V.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/2236-55-0x0000000000400000-0x000000000071C000-memory.dmp

memory/3668-56-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/948-57-0x0000000000400000-0x000000000071C000-memory.dmp