f300dd2ebccab58de976d51cd8705ee7e11408378166fb4acb7156951d47e2f2

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8871e4f53594292e29559ad58e817c0_NEIKI.exe
Size

244KB
MD5

c8871e4f53594292e29559ad58e817c0
SHA1

0b52fce6a0ca683d57bcf04cc893a93ac763144b
SHA256

f300dd2ebccab58de976d51cd8705ee7e11408378166fb4acb7156951d47e2f2
SHA512

235577bfc78f6029fe55aea00b0d0c0d4d3af58d0bd5c53dd36dc982438b87156620cd8a5baeac763c752f7dcd784ceb5ba6df41ae537406a91b9a4238e0aa6a
SSDEEP

6144:X42FMaP+6+tT/JBnjBE3XwfSZ4sXRzQI6F:IKbGlJBjBEnwuEI6

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2972	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
4792	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
5024	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
2412	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
4384	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
2872	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
1484	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
3252	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
1132	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
3712	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
1152	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
2696	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
4956	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe
2324	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
4752	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
4772	c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
3536	c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
4948	c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
1940	c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
2744	c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
1644	c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
3376	c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
4724	c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe
2256	c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe
2128	c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe
4536	c8871e4f53594292e29559ad58e817c0_neiki_3202y.exe

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3044-0-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/files/0x0007000000023298-3.dat	upx
behavioral2/memory/3044-9-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2972-15-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2972-20-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4792-19-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4792-29-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/5024-30-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/5024-39-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4384-54-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2412-48-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4384-58-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2872-67-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/1484-76-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3252-85-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/1132-91-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/1132-95-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3712-96-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3712-105-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/1152-113-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2696-123-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/files/0x0007000000023423-130.dat	upx
behavioral2/memory/2324-133-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4956-132-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4752-143-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2324-142-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4772-153-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4752-151-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4772-161-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3536-171-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4948-172-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4948-181-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/1940-187-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/1940-196-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2744-197-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2744-201-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/1644-209-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3376-219-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4724-220-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4724-228-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2256-238-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2128-246-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4536-248-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_NEIKI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 34c4904ad7ff88b5	c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2972	3044	c8871e4f53594292e29559ad58e817c0_NEIKI.exe	83
PID 3044 wrote to memory of 2972	3044	c8871e4f53594292e29559ad58e817c0_NEIKI.exe	83
PID 3044 wrote to memory of 2972	3044	c8871e4f53594292e29559ad58e817c0_NEIKI.exe	83
PID 2972 wrote to memory of 4792	2972	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe	84
PID 2972 wrote to memory of 4792	2972	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe	84
PID 2972 wrote to memory of 4792	2972	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe	84
PID 4792 wrote to memory of 5024	4792	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe	85
PID 4792 wrote to memory of 5024	4792	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe	85
PID 4792 wrote to memory of 5024	4792	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe	85
PID 5024 wrote to memory of 2412	5024	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe	86
PID 5024 wrote to memory of 2412	5024	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe	86
PID 5024 wrote to memory of 2412	5024	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe	86
PID 2412 wrote to memory of 4384	2412	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe	87
PID 2412 wrote to memory of 4384	2412	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe	87
PID 2412 wrote to memory of 4384	2412	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe	87
PID 4384 wrote to memory of 2872	4384	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe	88
PID 4384 wrote to memory of 2872	4384	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe	88
PID 4384 wrote to memory of 2872	4384	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe	88
PID 2872 wrote to memory of 1484	2872	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe	89
PID 2872 wrote to memory of 1484	2872	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe	89
PID 2872 wrote to memory of 1484	2872	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe	89
PID 1484 wrote to memory of 3252	1484	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe	90
PID 1484 wrote to memory of 3252	1484	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe	90
PID 1484 wrote to memory of 3252	1484	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe	90
PID 3252 wrote to memory of 1132	3252	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe	91
PID 3252 wrote to memory of 1132	3252	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe	91
PID 3252 wrote to memory of 1132	3252	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe	91
PID 1132 wrote to memory of 3712	1132	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe	92
PID 1132 wrote to memory of 3712	1132	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe	92
PID 1132 wrote to memory of 3712	1132	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe	92
PID 3712 wrote to memory of 1152	3712	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe	93
PID 3712 wrote to memory of 1152	3712	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe	93
PID 3712 wrote to memory of 1152	3712	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe	93
PID 1152 wrote to memory of 2696	1152	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe	94
PID 1152 wrote to memory of 2696	1152	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe	94
PID 1152 wrote to memory of 2696	1152	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe	94
PID 2696 wrote to memory of 4956	2696	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe	96
PID 2696 wrote to memory of 4956	2696	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe	96
PID 2696 wrote to memory of 4956	2696	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe	96
PID 4956 wrote to memory of 2324	4956	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe	97
PID 4956 wrote to memory of 2324	4956	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe	97
PID 4956 wrote to memory of 2324	4956	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe	97
PID 2324 wrote to memory of 4752	2324	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe	99
PID 2324 wrote to memory of 4752	2324	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe	99
PID 2324 wrote to memory of 4752	2324	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe	99
PID 4752 wrote to memory of 4772	4752	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe	100
PID 4752 wrote to memory of 4772	4752	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe	100
PID 4752 wrote to memory of 4772	4752	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe	100
PID 4772 wrote to memory of 3536	4772	c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe	102
PID 4772 wrote to memory of 3536	4772	c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe	102
PID 4772 wrote to memory of 3536	4772	c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe	102
PID 3536 wrote to memory of 4948	3536	c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe	103
PID 3536 wrote to memory of 4948	3536	c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe	103
PID 3536 wrote to memory of 4948	3536	c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe	103
PID 4948 wrote to memory of 1940	4948	c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe	104
PID 4948 wrote to memory of 1940	4948	c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe	104
PID 4948 wrote to memory of 1940	4948	c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe	104
PID 1940 wrote to memory of 2744	1940	c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe	105
PID 1940 wrote to memory of 2744	1940	c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe	105
PID 1940 wrote to memory of 2744	1940	c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe	105
PID 2744 wrote to memory of 1644	2744	c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe	106
PID 2744 wrote to memory of 1644	2744	c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe	106
PID 2744 wrote to memory of 1644	2744	c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe	106
PID 1644 wrote to memory of 3376	1644	c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe	107

C:\Users\Admin\AppData\Local\Temp\c8871e4f53594292e29559ad58e817c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c8871e4f53594292e29559ad58e817c0_NEIKI.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044
- \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
  c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2972
- - \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
    c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
      c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5024
    - - \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3376
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4724
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2256
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2128
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202y.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c8871e4f53594292e29559ad58e817c0_neiki_3202.exe

Filesize
244KB

MD5
ca17472888fdf374db3b7847c834d34c

SHA1
9fe21da88460efc2a9281a3bb25b946808b5a024

SHA256
fb6fd25e6529183369e9e59be8c9abf632fa676904ff8bd52d668a87e177a6b1

SHA512
3590ce0985109d282c9a52959923967dee034a45512d17dc3365f57ddb6735c373c0f2e39acd01954caebc85487ce5d4ab909e811cc6ca96a51e2bc8a95bdc99

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe

Filesize
244KB

MD5
b0ada67dcb6763d92ba66ff79fea95e3

SHA1
a42997600111c86b5d6a7f952449db4c5640b84a

SHA256
71a4d1719dfa577a0220e92b55424acc6fe8123501f027c5ea7a402ff67b1703

SHA512
1cd75b876931239f8908704b86cf409883e9c1ef28ce84a06ae1bc2c463ae229a459b4e25eb23e05c4b56cca115e3799f5e45524ad0ce76c58e18e05b44d72a4

Download Submit
memory/1132-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1152-113-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1484-76-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1644-209-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1940-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1940-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2256-238-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2324-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2324-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2412-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-123-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2744-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2744-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2872-67-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3252-85-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3376-219-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3536-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3712-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3712-105-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4384-54-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4384-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4536-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4724-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4724-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4752-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4752-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4772-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4772-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4792-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4792-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4956-132-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5024-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5024-30-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202y.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202.exe\""	c8871e4f53594292e29559ad58e817c0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads