Malware Analysis Report

2024-10-10 12:08

Sample ID 240613-qdcgtazenf
Target 7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe
SHA256 4a85fab0d7cb264c9fe4dd3acb7c9b2d5ec2a20cc9da0a92c44dcea89201a553
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4a85fab0d7cb264c9fe4dd3acb7c9b2d5ec2a20cc9da0a92c44dcea89201a553

Threat Level: Shows suspicious behavior

The file 7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 13:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 13:08

Reported

2024-06-13 13:10

Platform

win7-20240611-en

Max time kernel

148s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Gopro studio.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | N/A
File created | C:\Program Files (x86)\Gopro studio.exe\is-OMAQI.tmp | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | N/A
File opened for modification | C:\Program Files (x86)\Gopro studio.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-H3O2H.tmp\662a62034fe92_pe.tmp | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2912 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2912 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2912 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2912 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2912 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2912 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2912 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2556 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe
PID 2556 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe
PID 2556 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe
PID 2556 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe
PID 2556 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe
PID 2556 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe
PID 2556 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe
PID 2928 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2928 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2928 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2928 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2928 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2928 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2928 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2956 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe
PID 2956 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe
PID 2956 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe
PID 2956 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe
PID 2956 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe
PID 2956 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe
PID 2956 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe
PID 2816 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-H3O2H.tmp\662a62034fe92_pe.tmp
PID 2816 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-H3O2H.tmp\662a62034fe92_pe.tmp
PID 2816 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-H3O2H.tmp\662a62034fe92_pe.tmp
PID 2816 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-H3O2H.tmp\662a62034fe92_pe.tmp
PID 2816 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-H3O2H.tmp\662a62034fe92_pe.tmp
PID 2816 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-H3O2H.tmp\662a62034fe92_pe.tmp
PID 2816 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-H3O2H.tmp\662a62034fe92_pe.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp" /SL5="$7011C,1969978,832512,C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe" /SILENT /PASSWORD=5678223599

C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MBVIJ.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp" /SL5="$8011C,1969978,832512,C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe" /SILENT /PASSWORD=5678223599

C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe

"C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe"

C:\Users\Admin\AppData\Local\Temp\is-H3O2H.tmp\662a62034fe92_pe.tmp

"C:\Users\Admin\AppData\Local\Temp\is-H3O2H.tmp\662a62034fe92_pe.tmp" /SL5="$5015A,922170,832512,C:\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe"

Network

N/A

Files

memory/2912-2-0x0000000000401000-0x00000000004B7000-memory.dmp

memory/2912-0-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-TJR2U.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp

MD5 74106a003f587b94d70cec3c2d49849b
SHA1 465225c8e9903df33c014561fbf577a71f2638b6
SHA256 050678481d1d4332672bd3e0134a920c166a673e6c2a357238fccf5a03c911cd
SHA512 b0d870c6eee4797e81c7ca48d3420a437754957e4cb86b6db1b699eb520a585fe7ddf33f99be0545a27fad71c3273f1a74b958aec84da0fd247ecc54cef6de9c

memory/2556-10-0x0000000000400000-0x000000000071C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-BILRD.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2912-20-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2556-18-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2928-15-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-CEVQI.tmp\662a62034fe92_pe.exe

MD5 8124e2a889b87b6c581f5f579c94c147
SHA1 ea97850baaf8d7c4b65871cfcb06fed60559c939
SHA256 9e0c74485420650fb1514f38cc16d96e5be740322ab4abda04171af97a2e9935
SHA512 c9d6bb9085f1e39db5b4f5fa647ccb09b213483201c3488e11af72db30f2172658f7c08bb9bc8226eeba8576e703ab3c89816d23cf0b539d9430934e26d07eef

memory/2816-40-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-H3O2H.tmp\662a62034fe92_pe.tmp

MD5 6f50923d347ca60def3068dcc281c759
SHA1 52fe4cde697e0769d4a19f44d5841b2dff2081a9
SHA256 83e1c9917f46a8c967f85f04c9771c8e921aa1b808bbbc46a2b8cc79e6d99754
SHA512 c6d2f4e1ca5c351aa2f201a75f7d2a9d0af7750590990be45eed28f1fcada78c678c2041969723189f9d38cfba837a05e1b9bfcf46a3dc53978c01c6cfb66558

\Users\Admin\AppData\Local\Temp\is-KUUB5.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/2928-53-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2956-54-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2816-55-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2744-56-0x0000000000400000-0x000000000071C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 13:08

Reported

2024-06-13 13:10

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-7JHHU.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Gopro studio.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-HLSA6.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | N/A
File created | C:\Program Files (x86)\Gopro studio.exe\is-UG639.tmp | C:\Users\Admin\AppData\Local\Temp\is-HLSA6.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | N/A
File opened for modification | C:\Program Files (x86)\Gopro studio.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-HLSA6.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HLSA6.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5040 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-7JHHU.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 5040 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-7JHHU.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 5040 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-7JHHU.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2240 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\is-7JHHU.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe
PID 2240 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\is-7JHHU.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe
PID 2240 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\is-7JHHU.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe
PID 2532 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-HLSA6.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2532 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-HLSA6.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 2532 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-HLSA6.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp
PID 4060 wrote to memory of 3420 | N/A | C:\Users\Admin\AppData\Local\Temp\is-HLSA6.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-SKLRT.tmp\662a62034fe92_pe.exe
PID 4060 wrote to memory of 3420 | N/A | C:\Users\Admin\AppData\Local\Temp\is-HLSA6.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-SKLRT.tmp\662a62034fe92_pe.exe
PID 4060 wrote to memory of 3420 | N/A | C:\Users\Admin\AppData\Local\Temp\is-HLSA6.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp | C:\Users\Admin\AppData\Local\Temp\is-SKLRT.tmp\662a62034fe92_pe.exe
PID 3420 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\is-SKLRT.tmp\662a62034fe92_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-O61SH.tmp\662a62034fe92_pe.tmp
PID 3420 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\is-SKLRT.tmp\662a62034fe92_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-O61SH.tmp\662a62034fe92_pe.tmp
PID 3420 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\is-SKLRT.tmp\662a62034fe92_pe.exe | C:\Users\Admin\AppData\Local\Temp\is-O61SH.tmp\662a62034fe92_pe.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\is-7JHHU.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7JHHU.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp" /SL5="$A01D0,1969978,832512,C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe" /SILENT /PASSWORD=5678223599

C:\Users\Admin\AppData\Local\Temp\is-HLSA6.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HLSA6.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp" /SL5="$701FA,1969978,832512,C:\Users\Admin\AppData\Local\Temp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.exe" /SILENT /PASSWORD=5678223599

C:\Users\Admin\AppData\Local\Temp\is-SKLRT.tmp\662a62034fe92_pe.exe

"C:\Users\Admin\AppData\Local\Temp\is-SKLRT.tmp\662a62034fe92_pe.exe"

C:\Users\Admin\AppData\Local\Temp\is-O61SH.tmp\662a62034fe92_pe.tmp

"C:\Users\Admin\AppData\Local\Temp\is-O61SH.tmp\662a62034fe92_pe.tmp" /SL5="$30200,922170,832512,C:\Users\Admin\AppData\Local\Temp\is-SKLRT.tmp\662a62034fe92_pe.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
NL | 23.62.61.57:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.77.117.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp

Files

memory/5040-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/5040-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-7JHHU.tmp\7e9b6602c5db909c095db229752b05a0_NeikiAnalytics.tmp

MD5 74106a003f587b94d70cec3c2d49849b
SHA1 465225c8e9903df33c014561fbf577a71f2638b6
SHA256 050678481d1d4332672bd3e0134a920c166a673e6c2a357238fccf5a03c911cd
SHA512 b0d870c6eee4797e81c7ca48d3420a437754957e4cb86b6db1b699eb520a585fe7ddf33f99be0545a27fad71c3273f1a74b958aec84da0fd247ecc54cef6de9c

memory/2240-6-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SF9O2.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2532-13-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2532-15-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2240-17-0x0000000000400000-0x000000000071C000-memory.dmp

memory/5040-19-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4060-27-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SKLRT.tmp\662a62034fe92_pe.exe

MD5 8124e2a889b87b6c581f5f579c94c147
SHA1 ea97850baaf8d7c4b65871cfcb06fed60559c939
SHA256 9e0c74485420650fb1514f38cc16d96e5be740322ab4abda04171af97a2e9935
SHA512 c9d6bb9085f1e39db5b4f5fa647ccb09b213483201c3488e11af72db30f2172658f7c08bb9bc8226eeba8576e703ab3c89816d23cf0b539d9430934e26d07eef

memory/3420-36-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-O61SH.tmp\662a62034fe92_pe.tmp

MD5 6f50923d347ca60def3068dcc281c759
SHA1 52fe4cde697e0769d4a19f44d5841b2dff2081a9
SHA256 83e1c9917f46a8c967f85f04c9771c8e921aa1b808bbbc46a2b8cc79e6d99754
SHA512 c6d2f4e1ca5c351aa2f201a75f7d2a9d0af7750590990be45eed28f1fcada78c678c2041969723189f9d38cfba837a05e1b9bfcf46a3dc53978c01c6cfb66558

C:\Users\Admin\AppData\Local\Temp\is-CMESA.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/2532-47-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4060-48-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2016-50-0x0000000000400000-0x000000000071C000-memory.dmp

memory/3420-49-0x0000000000400000-0x00000000004D8000-memory.dmp