Malware Analysis Report

2024-09-11 00:05

Sample ID: 240617-jbnczathnq
Target: 61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe
SHA256: 5ccb44785bc5cb3c6d06356a9abcf69ac9607c78139ff2c6d2cc75cb50b31ebf
Tags: neshta, persistence, pyinstaller, spyware, stealer
Score: 10/10


Analysis Overview

Score: 10/10
Threat Level: Known bad

The file 61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neshta persistence pyinstaller spyware stealer

Neshta

Detect Neshta payload

Neshta family

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Modifies system executable filetype association

Drops file in Program Files directory

Drops file in Windows directory

Detects Pyinstaller

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-17 07:29

Signatures

Detect Neshta payload


Neshta family

neshta

Detects Pyinstaller

pyinstaller

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 07:29
Reported: 2024-06-17 07:32
Platform: win10v2004-20240611-en
Max time kernel: 92s
Max time network: 96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe"

Signatures

Detect Neshta payload


Neshta

persistence spyware neshta

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory


Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe | N/A

Detects Pyinstaller

pyinstaller

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe"

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 07:29
Reported: 2024-06-17 07:32
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe"

Signatures

Detect Neshta payload


Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory


Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe
PID 2932 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe
PID 2932 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe
PID 2932 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe
PID 2200 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe
PID 2200 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe
PID 2200 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\61ec7aea1aa9b83d642a4d8beda609d0_NeikiAnalytics.exe

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

C:\Users\Admin\AppData\Local\Temp\_MEI22002\python311.dll

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

memory/2932-116-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2932-118-0x0000000000400000-0x000000000041B000-memory.dmp