Malware Analysis Report

2024-09-11 07:35

Sample ID 240613-zblgdazbmc
Target 84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe
SHA256 4e78f7ae5e813e34afb558458cca18654169867c536897168024ea039be55b77
Tags
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4e78f7ae5e813e34afb558458cca18654169867c536897168024ea039be55b77

Threat Level: Shows suspicious behavior

The file 84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 20:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:35

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe"

Signatures

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Windows\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | N/A

Kills process with taskkill (tag: evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4588 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Windows\svchost.exe
PID 4588 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Windows\svchost.exe
PID 4588 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Windows\svchost.exe
PID 1172 wrote to memory of 1852 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe
PID 1172 wrote to memory of 1852 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe
PID 1172 wrote to memory of 1852 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe
PID 1852 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-S9M0E.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp
PID 1852 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-S9M0E.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp
PID 1852 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-S9M0E.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp
PID 620 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\is-S9M0E.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 620 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\is-S9M0E.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 620 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\is-S9M0E.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 620 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\is-S9M0E.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 620 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\is-S9M0E.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 620 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\is-S9M0E.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe"

C:\Windows\svchost.exe

C:\Windows\svchost.exe

C:\Users\Admin\AppData\Local\Temp\is-S9M0E.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-S9M0E.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp" /SL5="$60184,1638018,184832,C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /f /im ExtensionHelperAppManager.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /f /im ExtensionHelperApp.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

C:\Windows\svchost.exe

MD5 9e3c13b6556d5636b745d3e466d47467
SHA1 2ac1c19e268c49bc508f83fe3d20f495deb3e538
SHA256 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
SHA512 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

memory/4588-3-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe

MD5 11141bbaef72f897f9e459580914f08a
SHA1 45143405288a4c043620d4fa5785fde29843e513
SHA256 f611196ae83dad900f8170db750781bb30419b5289fba66b883ee9d246c57cd4
SHA512 c3d8c323c0bb4e736a6c3297bd109224462697e9cf554b25bb3bde39b1eaf8bba437ecf03b9ad8d81cd9dc934b6f682148a550bae73c41fa7d9bed67839a18f6

memory/1852-14-0x0000000000401000-0x000000000040C000-memory.dmp

memory/1172-15-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1852-10-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-S9M0E.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp

MD5 805bfbce579cd210bd8f130a0d95d47c
SHA1 c677fc6fd9fc799e2fb5134b87f7892918667453
SHA256 f50e379d35c7a6f4530ee1ad74bc55cce0851bcee15986da4d30ccce54a2c19c
SHA512 af751e40c7b830f64b5a597e5c9bbc1a68ab0ce2a3aefcb71d211d6337e933cfa0495e5bdb4f731dc048f0372ba9f78f40f6aa83ab657977bc40d5689699b59d

memory/620-20-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/1852-22-0x0000000000400000-0x0000000000434000-memory.dmp

memory/620-24-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/2580-23-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2580-35-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2580-38-0x0000000000400000-0x000000000040D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:35

Platform

win7-20231129-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\RegisterCopy.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Windows\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | N/A

Kills process with taskkill (tag: evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3060 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Windows\svchost.exe
PID 3060 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Windows\svchost.exe
PID 3060 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Windows\svchost.exe
PID 3060 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Windows\svchost.exe
PID 1620 wrote to memory of 2520 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe
PID 1620 wrote to memory of 2520 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe
PID 1620 wrote to memory of 2520 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe
PID 1620 wrote to memory of 2520 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe
PID 1620 wrote to memory of 2520 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe
PID 1620 wrote to memory of 2520 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe
PID 1620 wrote to memory of 2520 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe
PID 2520 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp
PID 2520 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp
PID 2520 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp
PID 2520 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp
PID 2520 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp
PID 2520 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp
PID 2520 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp
PID 1732 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 1732 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 1732 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 1732 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 1732 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 1732 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 1732 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 1732 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp | C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe"

C:\Windows\svchost.exe

C:\Windows\svchost.exe

C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp

"C:\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp" /SL5="$5014A,1638018,184832,C:\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /f /im ExtensionHelperAppManager.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /f /im ExtensionHelperApp.exe

Network

N/A

Files

memory/3060-5-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\svchost.exe

MD5 9e3c13b6556d5636b745d3e466d47467
SHA1 2ac1c19e268c49bc508f83fe3d20f495deb3e538
SHA256 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
SHA512 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

\Users\Admin\AppData\Local\Temp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.exe

MD5 11141bbaef72f897f9e459580914f08a
SHA1 45143405288a4c043620d4fa5785fde29843e513
SHA256 f611196ae83dad900f8170db750781bb30419b5289fba66b883ee9d246c57cd4
SHA512 c3d8c323c0bb4e736a6c3297bd109224462697e9cf554b25bb3bde39b1eaf8bba437ecf03b9ad8d81cd9dc934b6f682148a550bae73c41fa7d9bed67839a18f6

memory/2520-18-0x0000000000401000-0x000000000040C000-memory.dmp

memory/2520-14-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1620-19-0x0000000000400000-0x000000000040D000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-K8JUE.tmp\84a246bb3cd416ef8cc50d8443e77240_NeikiAnalytics.tmp

MD5 805bfbce579cd210bd8f130a0d95d47c
SHA1 c677fc6fd9fc799e2fb5134b87f7892918667453
SHA256 f50e379d35c7a6f4530ee1ad74bc55cce0851bcee15986da4d30ccce54a2c19c
SHA512 af751e40c7b830f64b5a597e5c9bbc1a68ab0ce2a3aefcb71d211d6337e933cfa0495e5bdb4f731dc048f0372ba9f78f40f6aa83ab657977bc40d5689699b59d

memory/1732-28-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/2520-29-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1216-30-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1732-31-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/1216-49-0x0000000000400000-0x000000000040D000-memory.dmp