Malware Analysis Report

2024-10-10 12:04

Sample ID 240613-q534va1fqd
Target 818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe
SHA256 971ae60d39fd96e30b5d940d1d0846cad688f1f4f0f69c16cb84bc92402f3790
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

971ae60d39fd96e30b5d940d1d0846cad688f1f4f0f69c16cb84bc92402f3790

Threat Level: Shows suspicious behavior

The file 818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 13:51

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 13:51

Reported

2024-06-13 13:54

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-QHC1A.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Kiwi X Executor.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-26ECT.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | N/A
File created | C:\Program Files (x86)\Kiwi X Executor.exe\is-759VI.tmp | C:\Users\Admin\AppData\Local\Temp\is-26ECT.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | N/A
File opened for modification | C:\Program Files (x86)\Kiwi X Executor.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-26ECT.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-26ECT.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4392 wrote to memory of 3664 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-QHC1A.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 4392 wrote to memory of 3664 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-QHC1A.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 4392 wrote to memory of 3664 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-QHC1A.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 3664 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\is-QHC1A.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe
PID 3664 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\is-QHC1A.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe
PID 3664 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\is-QHC1A.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe
PID 1248 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-26ECT.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 1248 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-26ECT.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 1248 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-26ECT.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 1180 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\is-26ECT.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JKI7.tmp\66357caf8dd5d_pe.exe
PID 1180 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\is-26ECT.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JKI7.tmp\66357caf8dd5d_pe.exe
PID 1180 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\is-26ECT.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JKI7.tmp\66357caf8dd5d_pe.exe
PID 1120 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\is-8JKI7.tmp\66357caf8dd5d_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-RD1QL.tmp\66357caf8dd5d_pe.tmp
PID 1120 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\is-8JKI7.tmp\66357caf8dd5d_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-RD1QL.tmp\66357caf8dd5d_pe.tmp
PID 1120 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\is-8JKI7.tmp\66357caf8dd5d_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-RD1QL.tmp\66357caf8dd5d_pe.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\is-QHC1A.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QHC1A.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp" /SL5="$A01BE,1970471,832512,C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe" /SILENT /PASSWORD=5587756325

C:\Users\Admin\AppData\Local\Temp\is-26ECT.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-26ECT.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp" /SL5="$7020E,1970471,832512,C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe" /SILENT /PASSWORD=5587756325

C:\Users\Admin\AppData\Local\Temp\is-8JKI7.tmp\66357caf8dd5d_pe.exe

"C:\Users\Admin\AppData\Local\Temp\is-8JKI7.tmp\66357caf8dd5d_pe.exe"

C:\Users\Admin\AppData\Local\Temp\is-RD1QL.tmp\66357caf8dd5d_pe.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RD1QL.tmp\66357caf8dd5d_pe.tmp" /SL5="$401CC,922170,832512,C:\Users\Admin\AppData\Local\Temp\is-8JKI7.tmp\66357caf8dd5d_pe.exe"

Network

Files

memory/4392-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4392-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-QHC1A.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp

MD5 fdf835740d3c64e0faaede72648ba767
SHA1 b72763901b2f77013b19cde13930d7c0fae3adc1
SHA256 aa761321b8e6f38bd74006b14e1cff57c46032ddf3343ec6874e36155ab00588
SHA512 9eebee08744f39b5eb6f17442222e2864cbbcc06046ca65a19b808aacaa6fce81641be7b06746bd34cda47899b2d7b849412e20e67ec0d5e5c5066e63fd18de8

memory/3664-6-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-LBKLP.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1248-13-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1248-15-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3664-17-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4392-19-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1180-27-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8JKI7.tmp\66357caf8dd5d_pe.exe

MD5 003a7f2a10f6481c3ac993a29702d0d5
SHA1 9e9d0bfd03e223cfb0ebdacb91812e5de681acf9
SHA256 c61c61eaf51034908ec7f483ac73be2bdae87a0fa7919151c207bed94e63826a
SHA512 2dd561afc783bc242354f3cd64a70b5e449ed91352c64f2f597c48f894415dddd0c40d0f33059cf1e839fb0226d949fde0665317ca60d58507b5e1c5c9f05692

memory/1120-36-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-RD1QL.tmp\66357caf8dd5d_pe.tmp

MD5 4e0a9a7a0c12d25c6b67c742827ddf8a
SHA1 c92fd154c6186d0e70842cba39404f3fc259458e
SHA256 d8f90eab209c685882975d33b495d7d0e5a120e2234026079df7196c0c971222
SHA512 01af6d10113402eedca03b77da92a8da2aea1f5690a1841328c8f24b3b9a033b24b284a30df4a5265c16f0e8c6ed6116d6d14a47ab4d1ab1585f8059e3a945ae

C:\Users\Admin\AppData\Local\Temp\is-HPOFP.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/1248-47-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1120-49-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1180-48-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2568-50-0x0000000000400000-0x000000000071C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 13:51

Reported

2024-06-13 13:54

Platform

win7-20240508-en

Max time kernel

143s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Kiwi X Executor.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | N/A
File created | C:\Program Files (x86)\Kiwi X Executor.exe\is-NT6NO.tmp | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | N/A
File opened for modification | C:\Program Files (x86)\Kiwi X Executor.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IJKSA.tmp\66357caf8dd5d_pe.tmp | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1368 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 1368 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 1368 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 1368 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 1368 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 1368 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 1368 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 3036 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe
PID 3036 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe
PID 3036 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe
PID 3036 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe
PID 3036 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe
PID 3036 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe
PID 3036 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe
PID 2628 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 2628 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 2628 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 2628 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 2628 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 2628 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 2628 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp
PID 2756 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe
PID 2756 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe
PID 2756 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe
PID 2756 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe
PID 2756 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe
PID 2756 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe
PID 2756 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe
PID 2660 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-IJKSA.tmp\66357caf8dd5d_pe.tmp
PID 2660 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-IJKSA.tmp\66357caf8dd5d_pe.tmp
PID 2660 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-IJKSA.tmp\66357caf8dd5d_pe.tmp
PID 2660 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-IJKSA.tmp\66357caf8dd5d_pe.tmp
PID 2660 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-IJKSA.tmp\66357caf8dd5d_pe.tmp
PID 2660 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-IJKSA.tmp\66357caf8dd5d_pe.tmp
PID 2660 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-IJKSA.tmp\66357caf8dd5d_pe.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp" /SL5="$5014E,1970471,832512,C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe" /SILENT /PASSWORD=5587756325

C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VCLP1.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp" /SL5="$7011E,1970471,832512,C:\Users\Admin\AppData\Local\Temp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.exe" /SILENT /PASSWORD=5587756325

C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe

"C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe"

C:\Users\Admin\AppData\Local\Temp\is-IJKSA.tmp\66357caf8dd5d_pe.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IJKSA.tmp\66357caf8dd5d_pe.tmp" /SL5="$4016A,922170,832512,C:\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe"

Network

N/A

Files

memory/1368-2-0x0000000000401000-0x00000000004B7000-memory.dmp

memory/1368-0-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-6TJ32.tmp\818fe26c955a0fcace85445daef88790_NeikiAnalytics.tmp

MD5 fdf835740d3c64e0faaede72648ba767
SHA1 b72763901b2f77013b19cde13930d7c0fae3adc1
SHA256 aa761321b8e6f38bd74006b14e1cff57c46032ddf3343ec6874e36155ab00588
SHA512 9eebee08744f39b5eb6f17442222e2864cbbcc06046ca65a19b808aacaa6fce81641be7b06746bd34cda47899b2d7b849412e20e67ec0d5e5c5066e63fd18de8

memory/3036-8-0x0000000000400000-0x000000000071C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-ALIIQ.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2628-15-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3036-18-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1368-22-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-K38HC.tmp\66357caf8dd5d_pe.exe

MD5 003a7f2a10f6481c3ac993a29702d0d5
SHA1 9e9d0bfd03e223cfb0ebdacb91812e5de681acf9
SHA256 c61c61eaf51034908ec7f483ac73be2bdae87a0fa7919151c207bed94e63826a
SHA512 2dd561afc783bc242354f3cd64a70b5e449ed91352c64f2f597c48f894415dddd0c40d0f33059cf1e839fb0226d949fde0665317ca60d58507b5e1c5c9f05692

memory/2660-39-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-IJKSA.tmp\66357caf8dd5d_pe.tmp

MD5 4e0a9a7a0c12d25c6b67c742827ddf8a
SHA1 c92fd154c6186d0e70842cba39404f3fc259458e
SHA256 d8f90eab209c685882975d33b495d7d0e5a120e2234026079df7196c0c971222
SHA512 01af6d10113402eedca03b77da92a8da2aea1f5690a1841328c8f24b3b9a033b24b284a30df4a5265c16f0e8c6ed6116d6d14a47ab4d1ab1585f8059e3a945ae

\Users\Admin\AppData\Local\Temp\is-GAGQ9.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/2628-52-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2136-55-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2660-54-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2756-53-0x0000000000400000-0x000000000071C000-memory.dmp