Malware Analysis Report

2024-11-16 10:49

Sample ID 240614-cqyc6avhqk
Target 9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe
SHA256 9162b42d29acba7304b15c72248286e2fab156fc71787d4dad94df98f56894d1
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9162b42d29acba7304b15c72248286e2fab156fc71787d4dad94df98f56894d1

Threat Level: Known bad

The file 9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:17

Reported

2024-06-14 02:20

Platform

win7-20240611-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" \??\c:\windows\swchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\userinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\swchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\swchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\userinit.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\swchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\swchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\swchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\spoolsw.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\spoolsw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" \??\c:\windows\swchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\system\udsys.exe \??\c:\windows\userinit.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\userinit.exe C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\spoolsw.exe \??\c:\windows\userinit.exe N/A
File opened for modification \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe N/A
File opened for modification \??\c:\windows\userinit.exe \??\c:\windows\userinit.exe N/A
File opened for modification \??\c:\windows\swchost.exe \??\c:\windows\swchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe \??\c:\windows\userinit.exe
PID 2436 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe \??\c:\windows\userinit.exe
PID 2436 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe \??\c:\windows\userinit.exe
PID 2436 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe \??\c:\windows\userinit.exe
PID 2348 wrote to memory of 2160 N/A \??\c:\windows\userinit.exe \??\c:\windows\spoolsw.exe
PID 2348 wrote to memory of 2160 N/A \??\c:\windows\userinit.exe \??\c:\windows\spoolsw.exe
PID 2348 wrote to memory of 2160 N/A \??\c:\windows\userinit.exe \??\c:\windows\spoolsw.exe
PID 2348 wrote to memory of 2160 N/A \??\c:\windows\userinit.exe \??\c:\windows\spoolsw.exe
PID 2160 wrote to memory of 2896 N/A \??\c:\windows\spoolsw.exe \??\c:\windows\swchost.exe
PID 2160 wrote to memory of 2896 N/A \??\c:\windows\spoolsw.exe \??\c:\windows\swchost.exe
PID 2160 wrote to memory of 2896 N/A \??\c:\windows\spoolsw.exe \??\c:\windows\swchost.exe
PID 2160 wrote to memory of 2896 N/A \??\c:\windows\spoolsw.exe \??\c:\windows\swchost.exe
PID 2896 wrote to memory of 2760 N/A \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe
PID 2896 wrote to memory of 2760 N/A \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe
PID 2896 wrote to memory of 2760 N/A \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe
PID 2896 wrote to memory of 2760 N/A \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe"

\??\c:\windows\userinit.exe

c:\windows\userinit.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe SE

\??\c:\windows\swchost.exe

c:\windows\swchost.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe PR

Network

N/A

Files

C:\Windows\userinit.exe

MD5 248632488064c618f792a4f7bdf21c35
SHA1 939d9559dbd3e9877f22a317b17d8a77eca0f2a3
SHA256 65b30f1fe56ef5359e0e8f01ee97007890af8b99a97b28edc9a50b854b49b95f
SHA512 1f9171122ebcae67cf010ad2fc2db2898300fa2da2daf8b8900cc6206385f0901a03a955a1bbba1a1d700a7c8db44510d56ae2f65b5aff6096eac24032906113

C:\Windows\spoolsw.exe

MD5 b11cc491b34331ae5e4488a908e2d8ce
SHA1 db728ab7400dfca011b2350ff7756506d55e1d1f
SHA256 a2ff1bacabadf27ac79358e563b60fa569b2b88232a1275907faef6fbd1bdd89
SHA512 99eeaae5c44904aacee86135893e8ab06c06bbd29383efa3127ab2fd7de00a42444d32d6eec0e0279b84c56df60272958f2f0c42dcd66ee7071c6e7d6c43017d

C:\Windows\swchost.exe

MD5 cef476eb8683e268b3c72455148a470d
SHA1 bd5917d15d500520e8b2dccaa064c193c836cee4
SHA256 2c4ec805f769a7409e37fc9e05646216ee183b1c0b5be88ab7c6f350c539348f
SHA512 ca5bafc90033482fb271c6624c0a015b6616032a01b942fa0a6c266e19c00323ead0297cab4c0661a752187b67835028055964570a3d7c4e1ed7fefb62f67de4

C:\Users\Admin\AppData\Local\mrsys.exe

MD5 6d83a07b32984250bdd1fc2742dc7a5d
SHA1 f485891fdf02e5fc3dc6b6cde471146b325d3fe2
SHA256 a45eab6100e471b06f3d7c9b7c9f8a7576ebd9d4df619760ed6d359e331c5ece
SHA512 2f3710e9c1427b8f2bc6e7de6e35ecd5231c59b21537a2d3aba76c9e0bb0a03024f7bcfb2042f241115d7c1c54f7c7823597fcc633b5682185e994f9d8c614c4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 02:17

Reported

2024-06-14 02:20

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" \??\c:\windows\swchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\userinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\swchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\userinit.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\swchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\swchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" \??\c:\windows\swchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\swchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\userinit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\spoolsw.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\spoolsw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" \??\c:\windows\userinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" \??\c:\windows\swchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" \??\c:\windows\swchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\system\udsys.exe \??\c:\windows\userinit.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\swchost.exe \??\c:\windows\swchost.exe N/A
File opened for modification \??\c:\windows\userinit.exe C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\spoolsw.exe \??\c:\windows\userinit.exe N/A
File opened for modification \??\c:\windows\swchost.exe \??\c:\windows\spoolsw.exe N/A
File opened for modification \??\c:\windows\userinit.exe \??\c:\windows\userinit.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A
N/A N/A \??\c:\windows\userinit.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\userinit.exe N/A
N/A N/A \??\c:\windows\swchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe"

\??\c:\windows\userinit.exe

c:\windows\userinit.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe SE

\??\c:\windows\swchost.exe

c:\windows\swchost.exe

\??\c:\windows\spoolsw.exe

c:\windows\spoolsw.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Windows\userinit.exe

MD5 a71616c6cd99d17a35242f5e539f7039
SHA1 5f116a5d50c0886b66f92c1f2264c6aa67a97ce4
SHA256 3acd48033b9414fa3e0b9b56b58f468ba16808134e5b846b33a52b8a389d3764
SHA512 dfe2177d4976ddaf6806c77206150652db2e667aeaadf7150a553db2d945c910a9e9ef8483fcd200ad01824eb5c11402a3631efe3fcabc81da568e1e0885587b

C:\Windows\spoolsw.exe

MD5 2f41b572e3166aad48c0b91074f410a7
SHA1 5e11eaab54a748f99541b365d0ab5f65e18f7887
SHA256 bd1926b39c7367aabe24c28b8ac099d0178379039780860420accc5e1b5e3c8c
SHA512 9cbfa316906d307fbcba8d44a32d148170b715562ffda2cbfcf6a8f1684f2837a48dde8cfebe0c74cda32924a33434a7c4212ef7742895df4d5242aa8b30d96a

C:\Windows\swchost.exe

MD5 f67c3f86f2fb434cbd8ca3b68272ad3a
SHA1 365dab3078a745635be575733f5b7b9ef283c363
SHA256 a7be9529df1d70eecdd0bbab2a95ad3c81ae8b23afaed7e34c12c4bd30e30b6f
SHA512 8e1c318fa71bfd8d5c0996c62bf9d5718958b1c3e270698bbcc7d700aca2d2a3e64af3131fb07bd2d31ad0903bea554a87b2565d054b0377fc1aa156c39f6fa8

C:\Users\Admin\AppData\Local\mrsys.exe

MD5 a6ad05ed3ffd6b902158e9f269d3f430
SHA1 ee5adc2c4294cc68c98cc0a42746c0e42c3f1462
SHA256 898960067df5fd6e1e3bb0d6fd06d29cdd465f35af0644f703e68d7e611c249a
SHA512 2ad5186bdcd3db0a370699527685a8587c8fe4a04b43f5c7674e2a271d7be673a499828c908d68ff1020365a0059b043ccf65faca2f411c0c6f1fc6ed76225f1