7422a67af827a1d9eb3bdb8f2d8ac212cbcd34d9a1281f1103ee3805111bc116

Analysis

max time kernel
151s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe
Size

98KB
MD5

4a89b703a79a6a8a29ee3f5967cfa130
SHA1

c9dbac1a73e89e6a00cc78b63d2e6b7b4ff07ce4
SHA256

7422a67af827a1d9eb3bdb8f2d8ac212cbcd34d9a1281f1103ee3805111bc116
SHA512

ed8e245702d34cee39fbe232d0697549d0b0ff0186ade671f463e8e5b07e0781ce03a7947bf5d616b88c9ba389d78cc4b713ea74225f503de8638b11b39c2b8b
SSDEEP

768:5vw9816uhKiroZ4/wQNNrfrunMxVFA3b7glw6:lEGkmoZlCunMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe{C709F019-1935-4c50-A320-056B45B524F3}.exe{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E277FABF-845E-4bff-9E37-73170C88BFE5}\stubpath = "C:\\Windows\\{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe"	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99386F73-1EB1-4276-910F-915C9ADD8E9A}\stubpath = "C:\\Windows\\{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe"	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}\stubpath = "C:\\Windows\\{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe"	4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A50F6DA-F192-4311-9BE7-B167C0C47F21}	{C709F019-1935-4c50-A320-056B45B524F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A50F6DA-F192-4311-9BE7-B167C0C47F21}\stubpath = "C:\\Windows\\{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe"	{C709F019-1935-4c50-A320-056B45B524F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{374B3F6B-28B9-4107-A45C-0198EDDD790C}	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}\stubpath = "C:\\Windows\\{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe"	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E277FABF-845E-4bff-9E37-73170C88BFE5}	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C709F019-1935-4c50-A320-056B45B524F3}	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{374B3F6B-28B9-4107-A45C-0198EDDD790C}\stubpath = "C:\\Windows\\{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe"	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{078AC107-C04E-4e35-A7DE-4649D1B181B6}	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}	4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E7E3C97-0043-4158-B49A-1A947B1A5809}\stubpath = "C:\\Windows\\{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe"	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAAD4F4D-CC6F-4eaa-9E0F-B84521F18F2E}\stubpath = "C:\\Windows\\{DAAD4F4D-CC6F-4eaa-9E0F-B84521F18F2E}.exe"	{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99386F73-1EB1-4276-910F-915C9ADD8E9A}	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAAD4F4D-CC6F-4eaa-9E0F-B84521F18F2E}	{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C709F019-1935-4c50-A320-056B45B524F3}\stubpath = "C:\\Windows\\{C709F019-1935-4c50-A320-056B45B524F3}.exe"	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08954AD1-D498-4f74-9317-BBF5D3FDB996}	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08954AD1-D498-4f74-9317-BBF5D3FDB996}\stubpath = "C:\\Windows\\{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe"	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{078AC107-C04E-4e35-A7DE-4649D1B181B6}\stubpath = "C:\\Windows\\{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe"	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E7E3C97-0043-4158-B49A-1A947B1A5809}	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe

Executes dropped EXE 11 IoCs

Processes:

{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe{C709F019-1935-4c50-A320-056B45B524F3}.exe{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe{DAAD4F4D-CC6F-4eaa-9E0F-B84521F18F2E}.exe

pid	process
1556	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe
1128	{C709F019-1935-4c50-A320-056B45B524F3}.exe
5076	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe
964	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe
1244	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe
3212	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe
1352	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe
3720	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe
3256	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe
1128	{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe
1020	{DAAD4F4D-CC6F-4eaa-9E0F-B84521F18F2E}.exe

Drops file in Windows directory 11 IoCs

Processes:

{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe{C709F019-1935-4c50-A320-056B45B524F3}.exe{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe

description	ioc	process
File created	C:\Windows\{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe
File created	C:\Windows\{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe
File created	C:\Windows\{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe
File created	C:\Windows\{DAAD4F4D-CC6F-4eaa-9E0F-B84521F18F2E}.exe	{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe
File created	C:\Windows\{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe
File created	C:\Windows\{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe	4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe
File created	C:\Windows\{C709F019-1935-4c50-A320-056B45B524F3}.exe	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe
File created	C:\Windows\{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe	{C709F019-1935-4c50-A320-056B45B524F3}.exe
File created	C:\Windows\{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe
File created	C:\Windows\{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe
File created	C:\Windows\{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe{C709F019-1935-4c50-A320-056B45B524F3}.exe{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1368	4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1556	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe
Token: SeIncBasePriorityPrivilege	1128	{C709F019-1935-4c50-A320-056B45B524F3}.exe
Token: SeIncBasePriorityPrivilege	5076	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe
Token: SeIncBasePriorityPrivilege	964	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe
Token: SeIncBasePriorityPrivilege	1244	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe
Token: SeIncBasePriorityPrivilege	3212	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe
Token: SeIncBasePriorityPrivilege	1352	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe
Token: SeIncBasePriorityPrivilege	3720	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe
Token: SeIncBasePriorityPrivilege	3256	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe
Token: SeIncBasePriorityPrivilege	1128	{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1368 wrote to memory of 1556	1368	4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe
PID 1368 wrote to memory of 1556	1368	4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe
PID 1368 wrote to memory of 1556	1368	4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe
PID 1368 wrote to memory of 4232	1368	4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe	cmd.exe
PID 1368 wrote to memory of 4232	1368	4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe	cmd.exe
PID 1368 wrote to memory of 4232	1368	4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe	cmd.exe
PID 1556 wrote to memory of 1128	1556	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe	{C709F019-1935-4c50-A320-056B45B524F3}.exe
PID 1556 wrote to memory of 1128	1556	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe	{C709F019-1935-4c50-A320-056B45B524F3}.exe
PID 1556 wrote to memory of 1128	1556	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe	{C709F019-1935-4c50-A320-056B45B524F3}.exe
PID 1556 wrote to memory of 4184	1556	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe	cmd.exe
PID 1556 wrote to memory of 4184	1556	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe	cmd.exe
PID 1556 wrote to memory of 4184	1556	{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe	cmd.exe
PID 1128 wrote to memory of 5076	1128	{C709F019-1935-4c50-A320-056B45B524F3}.exe	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe
PID 1128 wrote to memory of 5076	1128	{C709F019-1935-4c50-A320-056B45B524F3}.exe	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe
PID 1128 wrote to memory of 5076	1128	{C709F019-1935-4c50-A320-056B45B524F3}.exe	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe
PID 1128 wrote to memory of 916	1128	{C709F019-1935-4c50-A320-056B45B524F3}.exe	cmd.exe
PID 1128 wrote to memory of 916	1128	{C709F019-1935-4c50-A320-056B45B524F3}.exe	cmd.exe
PID 1128 wrote to memory of 916	1128	{C709F019-1935-4c50-A320-056B45B524F3}.exe	cmd.exe
PID 5076 wrote to memory of 964	5076	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe
PID 5076 wrote to memory of 964	5076	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe
PID 5076 wrote to memory of 964	5076	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe
PID 5076 wrote to memory of 4868	5076	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe	cmd.exe
PID 5076 wrote to memory of 4868	5076	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe	cmd.exe
PID 5076 wrote to memory of 4868	5076	{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe	cmd.exe
PID 964 wrote to memory of 1244	964	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe
PID 964 wrote to memory of 1244	964	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe
PID 964 wrote to memory of 1244	964	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe
PID 964 wrote to memory of 4720	964	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe	cmd.exe
PID 964 wrote to memory of 4720	964	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe	cmd.exe
PID 964 wrote to memory of 4720	964	{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe	cmd.exe
PID 1244 wrote to memory of 3212	1244	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe
PID 1244 wrote to memory of 3212	1244	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe
PID 1244 wrote to memory of 3212	1244	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe
PID 1244 wrote to memory of 4836	1244	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe	cmd.exe
PID 1244 wrote to memory of 4836	1244	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe	cmd.exe
PID 1244 wrote to memory of 4836	1244	{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe	cmd.exe
PID 3212 wrote to memory of 1352	3212	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe
PID 3212 wrote to memory of 1352	3212	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe
PID 3212 wrote to memory of 1352	3212	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe
PID 3212 wrote to memory of 3704	3212	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe	cmd.exe
PID 3212 wrote to memory of 3704	3212	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe	cmd.exe
PID 3212 wrote to memory of 3704	3212	{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe	cmd.exe
PID 1352 wrote to memory of 3720	1352	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe
PID 1352 wrote to memory of 3720	1352	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe
PID 1352 wrote to memory of 3720	1352	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe
PID 1352 wrote to memory of 3372	1352	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe	cmd.exe
PID 1352 wrote to memory of 3372	1352	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe	cmd.exe
PID 1352 wrote to memory of 3372	1352	{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe	cmd.exe
PID 3720 wrote to memory of 3256	3720	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe
PID 3720 wrote to memory of 3256	3720	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe
PID 3720 wrote to memory of 3256	3720	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe
PID 3720 wrote to memory of 1356	3720	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe	cmd.exe
PID 3720 wrote to memory of 1356	3720	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe	cmd.exe
PID 3720 wrote to memory of 1356	3720	{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe	cmd.exe
PID 3256 wrote to memory of 1128	3256	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe	{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe
PID 3256 wrote to memory of 1128	3256	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe	{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe
PID 3256 wrote to memory of 1128	3256	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe	{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe
PID 3256 wrote to memory of 2232	3256	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe	cmd.exe
PID 3256 wrote to memory of 2232	3256	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe	cmd.exe
PID 3256 wrote to memory of 2232	3256	{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe	cmd.exe
PID 1128 wrote to memory of 1020	1128	{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe	{DAAD4F4D-CC6F-4eaa-9E0F-B84521F18F2E}.exe
PID 1128 wrote to memory of 1020	1128	{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe	{DAAD4F4D-CC6F-4eaa-9E0F-B84521F18F2E}.exe
PID 1128 wrote to memory of 1020	1128	{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe	{DAAD4F4D-CC6F-4eaa-9E0F-B84521F18F2E}.exe
PID 1128 wrote to memory of 2444	1128	{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a89b703a79a6a8a29ee3f5967cfa130_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe
  C:\Windows\{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\{C709F019-1935-4c50-A320-056B45B524F3}.exe
    C:\Windows\{C709F019-1935-4c50-A320-056B45B524F3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe
      C:\Windows\{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe
        
        C:\Windows\{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:964
      - C:\Windows\{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe
        
        C:\Windows\{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe
        
        C:\Windows\{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe
        
        C:\Windows\{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe
        
        C:\Windows\{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe
        
        C:\Windows\{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe
        
        C:\Windows\{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\{DAAD4F4D-CC6F-4eaa-9E0F-B84521F18F2E}.exe
        
        C:\Windows\{DAAD4F4D-CC6F-4eaa-9E0F-B84521F18F2E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99386~1.EXE > nul
        12⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E7E3~1.EXE > nul
        11⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{078AC~1.EXE > nul
        10⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E277F~1.EXE > nul
        9⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5A02~1.EXE > nul
        8⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{374B3~1.EXE > nul
        7⤵
        
        PID:4836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08954~1.EXE > nul
        6⤵
        
        PID:4720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A50F~1.EXE > nul
        5⤵
        
        PID:4868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C709F~1.EXE > nul
      4⤵
      PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5085C~1.EXE > nul
    3⤵
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4A89B7~1.EXE > nul
  2⤵
  PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2660 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{078AC107-C04E-4e35-A7DE-4649D1B181B6}.exe

Filesize
98KB

MD5
cc5c287ec98c4f1d6793d7c56fa4c2d0

SHA1
4c6ef840818fbb9190b5088e57ac8ca69ec506e6

SHA256
09fa13abd6004ab1b0bdc3c4d1d47ed78c39a439ddb32eeaafc98f6cab7801b2

SHA512
32cd0374468270b7f4299025d06901b8f085138f6bfea5a9ccf11d1a58a9c095496acfe28caa0c313b01551ba7146eca14b4e11c9ea90f1361138ca022c2dd4e

Download Submit
C:\Windows\{08954AD1-D498-4f74-9317-BBF5D3FDB996}.exe

Filesize
98KB

MD5
3f5930bcd97f3d636140a229f6b6ede4

SHA1
9ed7598437fcd9fd86061163cb21d030529f3512

SHA256
12372faff594f24ec375fd448c979df1f211367d606ca3eeedad59d9ae75b554

SHA512
31f08de81228f95261c3c0354e1cd4e2751cbcc8da762c1a82ee155d0db50bdacc534b84d2143a444534f0b0ed055fb4894893254d9ee97c0e2e5b04ecd2d9f2

Download Submit
C:\Windows\{374B3F6B-28B9-4107-A45C-0198EDDD790C}.exe

Filesize
98KB

MD5
ba2feb7d087d35beb2530de6488abef2

SHA1
85ed95d2e8620ccac89a2b1b011c58feb685522f

SHA256
ec3c521e92fd99d116c1baa372f65f51155611dbf4e5092346c41dd494ba9974

SHA512
4265fe7106c0c96387c08a6e63ddddff6b290f21f08ddb779a438354f60b393a6865f44d4e54cd652203ee6b631d09a68cba5341819892e9211ee76efe6a5c3c

Download Submit
C:\Windows\{5085CC1F-E212-4c92-AA2C-FCF37D48DA0C}.exe

Filesize
98KB

MD5
fa1e523f3f7d89e74b1c7ede6e60366e

SHA1
aad52aa0691b8ebe2952a9edc563bb9d899665e1

SHA256
efd627b48ac4bd005d5eab5d606b50fb60a9d312d434dff66c445ee185e2c4ec

SHA512
f83da84e531508f271cf3fac561eae55a66b49d977496f8c9a7ace6784242f9b86c6f046b947317ba2c84fca265e4044e868291012a36da45ca88215ce84c4ce

Download Submit
C:\Windows\{6A50F6DA-F192-4311-9BE7-B167C0C47F21}.exe

Filesize
98KB

MD5
badf9ed651230bae7bbf163235cf370f

SHA1
f569509af57968ebaf3155a7ace5e8f05af35f73

SHA256
416f7d69ef0a5e1330e8f37e1db59e24e62943efdd17dd86c2f30d2071d08ea8

SHA512
5ab14098f595f2a6abbf7e73d875b8587ef514fbbcca6c28252b0aef4908dbd7b74b2b9ffc2b2172dea059ca87833c11a2c1d1590f90e120f0a280f047ceb3cf

Download Submit
C:\Windows\{7E7E3C97-0043-4158-B49A-1A947B1A5809}.exe

Filesize
98KB

MD5
19c46bf24fcff131a16d48dcb1ec5b23

SHA1
99d89b71c58b03b7aa95cfab0b7a44cc58217626

SHA256
452ae9dab8bb3e556b75d95817ce34c8ccf2fe72e5a13b17c4145aa32dde0824

SHA512
080a5161a58b1e86b3bf7f60fdde82d48d8dbfa30acb7493ef7ad093938002752c5b2e457e946143403aada85c5dbe20732bd50e43b3c706e71df15b5990c079

Download Submit
C:\Windows\{99386F73-1EB1-4276-910F-915C9ADD8E9A}.exe

Filesize
98KB

MD5
89f473214f8767885c9a107441f9bda4

SHA1
8ebc4a1b3a43f0cceec414cf3cc502560adf3308

SHA256
30f90ff2491bdea562966afa5f2aeef4085ad473df12c19b7267d354115d4bb9

SHA512
d9401229fbad69e704ca74e8eefbfa6659ad31f256b94bc5bcf54c11dc92ecc075ffbcd07a7ee7691b285641e42c3fb2af4512ae7921fbb56fbfe06a7b727901

Download Submit
C:\Windows\{C709F019-1935-4c50-A320-056B45B524F3}.exe

Filesize
98KB

MD5
3efa6a7cb962913e2d869bde0a5ea600

SHA1
544752d566699302558c5c1e3733a24dc8908c4e

SHA256
49f667512e07aa00a399ead3529e98918c1b84488e17dd3e632bd234b40fdb71

SHA512
be4eac216f71d88ff357e4e0b76579034ad33f29fbc9e09f927d5459fdcb0f7e5622eb0c498bf8c7e6f1979ddce417d8229b220e56ad25d0556b0aed81729661

Download Submit
C:\Windows\{DAAD4F4D-CC6F-4eaa-9E0F-B84521F18F2E}.exe

Filesize
98KB

MD5
68f70ec97f9ca759f993b5328ca46ce3

SHA1
c69fb87d4012fd755444c7d1fd4558ce4c372c63

SHA256
9e39f4f6e671dfed4e4479b71edf760766cc19d1a200df83b140932c8b7fe606

SHA512
af85655cd7cda180d295686db1f9bc1c74058018169b423d05a883e7b4f605e753b96af39239f8d47205a119af19cbf722d0415bcb32eb433c31919acff152b6

Download Submit
C:\Windows\{E277FABF-845E-4bff-9E37-73170C88BFE5}.exe

Filesize
98KB

MD5
4f00e534b3e8e10cd775dd6ca58dff02

SHA1
fb81bee0dfd50ee3afd859c30ded99295773cf5e

SHA256
4707be1a62b0f46ac39038ca412b29dea871abe97e32cbef74829b55f6cf672d

SHA512
a6d8a4e978e3dce1370f15f8f606f9e6fc5a7bd84b5b609e365c3a0b160debfb01636a60e4477920e90201f922b497d39a71ba062cba8ba13a93ac40ff995b38

Download Submit
C:\Windows\{E5A02A0B-13DD-4b82-8AA3-BF8604F9DA9D}.exe

Filesize
98KB

MD5
05b720020252aeb36dbe7626808f63dc

SHA1
bd85119be3677d9ca3be8fbabedbfcf8bd96d432

SHA256
0d2f5d8c7c76af5aa236249175584eb1f93ce8120edb036c2f1e38f5eb40eacc

SHA512
81e871621c60b973578d1e369208c0293b4a0cf6dd71873c8bca095c6e903ea136662a0879f051a12ea0510d880ccd353b727cb929ccbdd1f74c9318294d0227

Download Submit
memory/964-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/964-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1020-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1128-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1128-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1128-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1128-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1244-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1244-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1352-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1352-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1368-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1368-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1556-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1556-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3212-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3212-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3256-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3256-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3720-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3720-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5076-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5076-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download