Malware Analysis Report

2024-11-13 13:25

Sample ID 240613-gak54swcka
Target 628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
SHA256 a33485f0cf2a08f8f9856f56a3a998c9973628bd72c94f036422ec281ba11211
Tags: discovery
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

a33485f0cf2a08f8f9856f56a3a998c9973628bd72c94f036422ec281ba11211

Threat Level: Shows suspicious behavior

The file 628851d3520f4b737662b5f514326850_NeikiAnalytics.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:36

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:36

Reported

2024-06-13 05:38

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-FK3DR.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Driver easy.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | N/A
File created | C:\Program Files (x86)\Driver easy.exe\is-8DJM9.tmp | C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | N/A
File opened for modification | C:\Program Files (x86)\Driver easy.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4000 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-FK3DR.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 4000 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-FK3DR.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 4000 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-FK3DR.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 3484 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\is-FK3DR.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
PID 3484 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\is-FK3DR.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
PID 3484 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\is-FK3DR.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
PID 3076 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 3076 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 3076 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 1716 wrote to memory of 4728 | N/A | C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-6M9JT.tmp\66328646efbb0_pe.exe
PID 1716 wrote to memory of 4728 | N/A | C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-6M9JT.tmp\66328646efbb0_pe.exe
PID 1716 wrote to memory of 4728 | N/A | C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-6M9JT.tmp\66328646efbb0_pe.exe
PID 4728 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\is-6M9JT.tmp\66328646efbb0_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-SIK2J.tmp\66328646efbb0_pe.tmp
PID 4728 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\is-6M9JT.tmp\66328646efbb0_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-SIK2J.tmp\66328646efbb0_pe.tmp
PID 4728 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\is-6M9JT.tmp\66328646efbb0_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-SIK2J.tmp\66328646efbb0_pe.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\is-FK3DR.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FK3DR.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp" /SL5="$801E6,1970021,832512,C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe" /SILENT /PASSWORD=5873333222

C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp" /SL5="$901A4,1970021,832512,C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe" /SILENT /PASSWORD=5873333222

C:\Users\Admin\AppData\Local\Temp\is-6M9JT.tmp\66328646efbb0_pe.exe

"C:\Users\Admin\AppData\Local\Temp\is-6M9JT.tmp\66328646efbb0_pe.exe"

C:\Users\Admin\AppData\Local\Temp\is-SIK2J.tmp\66328646efbb0_pe.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SIK2J.tmp\66328646efbb0_pe.tmp" /SL5="$20224,922170,832512,C:\Users\Admin\AppData\Local\Temp\is-6M9JT.tmp\66328646efbb0_pe.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/4000-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4000-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FK3DR.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp

MD5 68c2b3c8acf2cdc4743b5a621661d092
SHA1 be6804961e43b920dadfc915c65db605b9adad04
SHA256 31899d77e7a0eabd17b0a57abfa7a8f8367e45d339369ed831037dda794b64d3
SHA512 04f1e65d9e0d34d5fc28dd3d2216078f01fdacda08ba24df579658ddd734d5e70cd90bc92f0f5a7381d31878815cc8215702c85490c3809901c7f9cca971d3da

memory/3484-6-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-H3823.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/3076-13-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3484-16-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4000-19-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3076-17-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1716-23-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-6M9JT.tmp\66328646efbb0_pe.exe

MD5 0e82993b4f4c1a7c8c1c4ef9bcf743b3
SHA1 e13d6eb6d190031fce62c9eeaaafec3506103d1e
SHA256 4ae23d2b1c00f9d89aedcf0700b2ae25acda844821803bbb418a91fafb3e65ca
SHA512 819a4cd30bf4a2a67e0cb5808e52cca789cab2e0cba2f4d5d2744fa06a6d5969aceb26f365de64fd8aa92faa75912c843277ded96f94a68181d1958b0a8b836d

memory/4728-36-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SIK2J.tmp\66328646efbb0_pe.tmp

MD5 78c037aae046b104980c5274dd9934c6
SHA1 0139073d1c2914ad527ed8ee3a4f5850f8bc09d1
SHA256 c172ced841e0d6abaaf892b3be13ecf430b603230a1d4df51d90285da9e82444
SHA512 f9b1d7feaa50186d6a7f61bea0b71ae68ba24f0a6ac42c88653b4b95a55da57b471f9893860c90a7303db9afecebde85ddb80abfe9caab646c5b50ec55daa92e

C:\Users\Admin\AppData\Local\Temp\is-U2V6L.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/3076-47-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4728-49-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2192-50-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1716-48-0x0000000000400000-0x000000000071C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:36

Reported

2024-06-13 05:38

Platform

win7-20240508-en

Max time kernel

143s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Driver easy.exe\is-GH4G1.tmp | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | N/A
File opened for modification | C:\Program Files (x86)\Driver easy.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | N/A
File created | C:\Program Files (x86)\Driver easy.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-13833.tmp\66328646efbb0_pe.tmp | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1700 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 1700 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 1700 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 1700 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 1700 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 1700 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 1700 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 1936 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
PID 1936 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
PID 1936 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
PID 1936 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
PID 1936 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
PID 1936 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
PID 1936 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
PID 2684 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 2684 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 2684 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 2684 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 2684 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 2684 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 2684 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
PID 2604 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe
PID 2604 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe
PID 2604 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe
PID 2604 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe
PID 2604 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe
PID 2604 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe
PID 2604 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe
PID 2624 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-13833.tmp\66328646efbb0_pe.tmp
PID 2624 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-13833.tmp\66328646efbb0_pe.tmp
PID 2624 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-13833.tmp\66328646efbb0_pe.tmp
PID 2624 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-13833.tmp\66328646efbb0_pe.tmp
PID 2624 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-13833.tmp\66328646efbb0_pe.tmp
PID 2624 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-13833.tmp\66328646efbb0_pe.tmp
PID 2624 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-13833.tmp\66328646efbb0_pe.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp" /SL5="$4010A,1970021,832512,C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe" /SILENT /PASSWORD=5873333222

C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-H9JJA.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp" /SL5="$5010A,1970021,832512,C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe" /SILENT /PASSWORD=5873333222

C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe

"C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe"

C:\Users\Admin\AppData\Local\Temp\is-13833.tmp\66328646efbb0_pe.tmp

"C:\Users\Admin\AppData\Local\Temp\is-13833.tmp\66328646efbb0_pe.tmp" /SL5="$40178,922170,832512,C:\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe"

Network

N/A

Files

memory/1700-2-0x0000000000401000-0x00000000004B7000-memory.dmp

memory/1700-0-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-M75A3.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp

MD5 68c2b3c8acf2cdc4743b5a621661d092
SHA1 be6804961e43b920dadfc915c65db605b9adad04
SHA256 31899d77e7a0eabd17b0a57abfa7a8f8367e45d339369ed831037dda794b64d3
SHA512 04f1e65d9e0d34d5fc28dd3d2216078f01fdacda08ba24df579658ddd734d5e70cd90bc92f0f5a7381d31878815cc8215702c85490c3809901c7f9cca971d3da

\Users\Admin\AppData\Local\Temp\is-PCNTI.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1936-12-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1936-18-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2684-15-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1700-20-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-QPQG1.tmp\66328646efbb0_pe.exe

MD5 0e82993b4f4c1a7c8c1c4ef9bcf743b3
SHA1 e13d6eb6d190031fce62c9eeaaafec3506103d1e
SHA256 4ae23d2b1c00f9d89aedcf0700b2ae25acda844821803bbb418a91fafb3e65ca
SHA512 819a4cd30bf4a2a67e0cb5808e52cca789cab2e0cba2f4d5d2744fa06a6d5969aceb26f365de64fd8aa92faa75912c843277ded96f94a68181d1958b0a8b836d

memory/2624-40-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-13833.tmp\66328646efbb0_pe.tmp

MD5 78c037aae046b104980c5274dd9934c6
SHA1 0139073d1c2914ad527ed8ee3a4f5850f8bc09d1
SHA256 c172ced841e0d6abaaf892b3be13ecf430b603230a1d4df51d90285da9e82444
SHA512 f9b1d7feaa50186d6a7f61bea0b71ae68ba24f0a6ac42c88653b4b95a55da57b471f9893860c90a7303db9afecebde85ddb80abfe9caab646c5b50ec55daa92e

\Users\Admin\AppData\Local\Temp\is-NK7IM.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/2684-53-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2804-56-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2624-55-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2604-54-0x0000000000400000-0x000000000071C000-memory.dmp