Malware Analysis Report

2025-01-18 14:06

Sample ID 240613-dbkzyssajg
Target 588692ef32964190d1891feb14366750_NeikiAnalytics.exe
SHA256 8324a2a62879ef7f0e12d9fca0749fd8742b6aebe1f19f60364ce8f80e96bafe
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8324a2a62879ef7f0e12d9fca0749fd8742b6aebe1f19f60364ce8f80e96bafe

Threat Level: Known bad

The file 588692ef32964190d1891feb14366750_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:50

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:50

Reported

2024-06-13 02:52

Platform

win7-20231129-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | \??\c:\windows\userinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | \??\c:\windows\swchost.exe | N/A |

Modifies visibility of hidden/system files in Explorer

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\userinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\swchost.exe | N/A |

Modifies Installed Components in the registry

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\userinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | \??\c:\windows\userinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\swchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | \??\c:\windows\swchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\swchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\swchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | \??\c:\windows\swchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\swchost.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A |
| N/A | N/A | \??\c:\windows\spoolsw.exe | N/A |
| N/A | N/A | \??\c:\windows\swchost.exe | N/A |
| N/A | N/A | \??\c:\windows\spoolsw.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | \??\c:\windows\userinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | \??\c:\windows\userinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | \??\c:\windows\swchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | \??\c:\windows\swchost.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\udsys.exe | \??\c:\windows\userinit.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\windows\userinit.exe | C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe | N/A |
| File opened for modification | \??\c:\windows\spoolsw.exe | \??\c:\windows\userinit.exe | N/A |
| File opened for modification | \??\c:\windows\swchost.exe | \??\c:\windows\spoolsw.exe | N/A |
| File opened for modification | \??\c:\windows\userinit.exe | \??\c:\windows\userinit.exe | N/A |
| File opened for modification | \??\c:\windows\swchost.exe | \??\c:\windows\swchost.exe | N/A |

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target | Events |
| --- | --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe | N/A | 1 |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A | 32 |
| N/A | N/A | \??\c:\windows\swchost.exe | N/A | 31 |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A |
| N/A | N/A | \??\c:\windows\swchost.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target | Events |
| --- | --- | --- | --- | --- |
| PID 2468 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe | \??\c:\windows\userinit.exe | 4 |
| PID 2924 wrote to memory of 2704 | N/A | \??\c:\windows\userinit.exe | \??\c:\windows\spoolsw.exe | 4 |
| PID 2704 wrote to memory of 2816 | N/A | \??\c:\windows\spoolsw.exe | \??\c:\windows\swchost.exe | 4 |
| PID 2816 wrote to memory of 2916 | N/A | \??\c:\windows\swchost.exe | \??\c:\windows\spoolsw.exe | 4 |

Processes

C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe"

\??\c:\windows\userinit.exe

c:\windows\userinit.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe SE

\??\c:\windows\swchost.exe

c:\windows\swchost.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe PR

Network

N/A

Files

C:\Windows\userinit.exe

MD5 b92fbdc5ac17be823446940de8ca664e
SHA1 d0aa971ff7fc553e8e96325f61e23f5cc1569c61
SHA256 82602815f42f82ab0a6cdfb6772f908d814333fc5967b67144a80f5e9f629a88
SHA512 5aec6354eaec023a1bfba9ebbaf4a856b400a37e596173c7da0b3b1bf6095542e3c77dd363f241e5e7590f175e85b5dccd6acf9ce951a61d4b3b519402e274f8

C:\Windows\spoolsw.exe

MD5 d831ce41600566fd40e8653bfa12d7ea
SHA1 c1dde4775aa574f26534e39cb6f1a79a30007a0b
SHA256 82ab3fdce666e7704b17d2a99f9432fc27150a454780d13ebc51fc0554149a1d
SHA512 1b97d375730c7b8259b2df83a83795ae49c198c882f3333a1f688335d2aa263924de2d007a510754a281a42b2466934a745de30dea4a361b3cfc5f81ef381232

C:\Windows\swchost.exe

MD5 eea4dd198fa23140940a73af1ba74aa6
SHA1 406c57f6e416b8580b6314f04225f41788698b8c
SHA256 10c80c3304b93890630977ee540177e765da50502528798e30569a656d2275c6
SHA512 52f3d45fe6df498bb08db8b16f46a7cd168e575d46fc0b2c9630b35803330808027af72f9a561980ce1923e6c93375b4c0805d4ece8bfaf5a8df9e3fc2fb0503

C:\Users\Admin\AppData\Local\mrsys.exe

MD5 97e428a96edebf3b22a66b9f31afe3b5
SHA1 b4f7472bfb2c7432b4ddc9bd0122497cdbf6f2f4
SHA256 0da13314b3aac2b8030cbdcaf8de5855132009c0eba42cefb0b3f20658356a47
SHA512 992a7802bc2696f1c91805124cfdb2b6f6e6508709ef570e86024276ac892381a977fa600889a6181160e47f3dfa52f753e295e7f0f6df1e7bb784cbc809fd7f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:50

Reported

2024-06-13 02:52

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | \??\c:\windows\swchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | \??\c:\windows\userinit.exe | N/A |

Modifies visibility of hidden/system files in Explorer

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\userinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\swchost.exe | N/A |

Modifies Installed Components in the registry

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | \??\c:\windows\userinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\swchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | \??\c:\windows\swchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\swchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\swchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | \??\c:\windows\swchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\swchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\userinit.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A |
| N/A | N/A | \??\c:\windows\spoolsw.exe | N/A |
| N/A | N/A | \??\c:\windows\swchost.exe | N/A |
| N/A | N/A | \??\c:\windows\spoolsw.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | \??\c:\windows\userinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | \??\c:\windows\userinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | \??\c:\windows\swchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | \??\c:\windows\swchost.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\udsys.exe | \??\c:\windows\userinit.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\windows\spoolsw.exe | \??\c:\windows\userinit.exe | N/A |
| File opened for modification | \??\c:\windows\swchost.exe | \??\c:\windows\spoolsw.exe | N/A |
| File opened for modification | \??\c:\windows\swchost.exe | \??\c:\windows\swchost.exe | N/A |
| File opened for modification | \??\c:\windows\userinit.exe | \??\c:\windows\userinit.exe | N/A |
| File opened for modification | \??\c:\windows\userinit.exe | C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe | N/A |

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target | Events |
| --- | --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe | N/A | 2 |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A | 32 |
| N/A | N/A | \??\c:\windows\swchost.exe | N/A | 30 |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\windows\userinit.exe | N/A |
| N/A | N/A | \??\c:\windows\swchost.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe"

\??\c:\windows\userinit.exe

c:\windows\userinit.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe SE

\??\c:\windows\swchost.exe

c:\windows\swchost.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe PR

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |

Files

C:\Windows\userinit.exe

MD5 e8db695048a476743c0203a19a4e9b6f
SHA1 22b9e007bd470ea840002fb22dc0b3c61b2b7e2b
SHA256 6e35040302101914347bd5d73d8687dbca4c8290944d877c07badfe10b018b05
SHA512 5c86ef99c6773c15ca05ca9e0b64c9d05772cb08a4d98dbae67f50e1642342234b150658b115b8b96b0dbfd2bf13c73eb24271e7513bb9f43c6ad61abe5eb6cb

C:\Windows\spoolsw.exe

MD5 5053e13ba2b34d02b82175b013b63694
SHA1 533f9fdcf0ba3ea2b63d6c6846b04e9107ddb02c
SHA256 06616bf5a63c448470b8d90a5b486e4538e38d3ffd2b56287c578b65a87dfb31
SHA512 01b4fcfde7876938be3c240f91f4de22fb969df4073446b93fc8eebb5bc0f1961708073ca8505f26c86867f4545b824971d3a3986a65aaea0aea89a73da4b3f9

C:\Windows\swchost.exe

MD5 c5b59cad1ab2d0eb193d26db4405f5e1
SHA1 748e82bf0783c71c6fb397583e7dad36903ef736
SHA256 d9d560eb1fe30e098f2a5d2e0229e7c35d7825c007366f9cff6575607c5e834f
SHA512 e7b506d4c1969c63043b554139fb215e042507c621970c2768cc766aef9612f2f691877e9a8adc2068426247ac3bc7bd9d63ba6147c7aae3dd30bbba058d0330

C:\Users\Admin\AppData\Local\mrsys.exe

MD5 6cd292c51c478916738af971fb0556e0
SHA1 49d70b9f7d1a0e1ca2704971916fd66656883af6
SHA256 90961c95368a66b6757dae173f484870a6aa12b1daaa558e099c5edcb8a1e468
SHA512 8714fc3b1a1a3e4889553540d09d4b11e12834c03bc6adf6bb303876de3df0e57f4d280c5e3c63bf02e12790ee3f58321d6aa5f75a352f27d67c09e578ed872c