e210714cf9ad0c8ce1abf38c9a941d0a87a9c79233966b23caf364c0d424b734

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe
Size

64KB
MD5

59a06761c0708e67d2cc04b03f85f2a0
SHA1

0b3629f9ec11a96b2368ea0720a6266b383f2f09
SHA256

e210714cf9ad0c8ce1abf38c9a941d0a87a9c79233966b23caf364c0d424b734
SHA512

738281fbddcee37fae3cc168a02780cbf4bf5f80713a686361b822f0125126b92751648ba6e9e8c9f108916b596c7ad29347e9996a6826d618a342205a83474f
SSDEEP

192:ObOzawOs81elJHsc45HcRZOgtSWcWaOT2QLrCqwgY04/CFxyNhoy5tm:ObLwOs8AHsc4pMfwIKQLrou4/CFsrdm

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe{0C58675B-0545-475d-A744-9AF1A789E834}.exe{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe{AF8BB187-43AA-4833-A605-D81533358E9B}.exe{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14DCB60A-D6CA-4274-BF3A-66EEB167770A}\stubpath = "C:\\Windows\\{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe"	{0C58675B-0545-475d-A744-9AF1A789E834}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{138E5281-B04E-4f2f-B37F-D39D0E211A95}\stubpath = "C:\\Windows\\{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe"	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16A31781-B95A-4791-B6B8-62AC3CF9F476}\stubpath = "C:\\Windows\\{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe"	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF8BB187-43AA-4833-A605-D81533358E9B}	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14DCB60A-D6CA-4274-BF3A-66EEB167770A}	{0C58675B-0545-475d-A744-9AF1A789E834}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}\stubpath = "C:\\Windows\\{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe"	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}	{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}\stubpath = "C:\\Windows\\{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe"	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16A31781-B95A-4791-B6B8-62AC3CF9F476}	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}\stubpath = "C:\\Windows\\{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe"	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FB6B281-BCB4-4c15-8B20-8C1190FDC9F6}	{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF8BB187-43AA-4833-A605-D81533358E9B}\stubpath = "C:\\Windows\\{AF8BB187-43AA-4833-A605-D81533358E9B}.exe"	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}\stubpath = "C:\\Windows\\{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe"	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C58675B-0545-475d-A744-9AF1A789E834}	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C58675B-0545-475d-A744-9AF1A789E834}\stubpath = "C:\\Windows\\{0C58675B-0545-475d-A744-9AF1A789E834}.exe"	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}\stubpath = "C:\\Windows\\{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe"	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{138E5281-B04E-4f2f-B37F-D39D0E211A95}	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}\stubpath = "C:\\Windows\\{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe"	{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FB6B281-BCB4-4c15-8B20-8C1190FDC9F6}\stubpath = "C:\\Windows\\{4FB6B281-BCB4-4c15-8B20-8C1190FDC9F6}.exe"	{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe

Executes dropped EXE 12 IoCs

Processes:

{0C58675B-0545-475d-A744-9AF1A789E834}.exe{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe{AF8BB187-43AA-4833-A605-D81533358E9B}.exe{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe{4FB6B281-BCB4-4c15-8B20-8C1190FDC9F6}.exe

pid	process
4968	{0C58675B-0545-475d-A744-9AF1A789E834}.exe
2456	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe
3052	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe
388	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe
4872	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe
3264	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe
3744	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe
4640	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe
1576	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe
700	{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe
5516	{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe
5260	{4FB6B281-BCB4-4c15-8B20-8C1190FDC9F6}.exe

Drops file in Windows directory 12 IoCs

Processes:

59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe{AF8BB187-43AA-4833-A605-D81533358E9B}.exe{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe{0C58675B-0545-475d-A744-9AF1A789E834}.exe{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe

description	ioc	process
File created	C:\Windows\{0C58675B-0545-475d-A744-9AF1A789E834}.exe	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe
File created	C:\Windows\{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe
File created	C:\Windows\{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe
File created	C:\Windows\{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe
File created	C:\Windows\{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe
File created	C:\Windows\{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe	{0C58675B-0545-475d-A744-9AF1A789E834}.exe
File created	C:\Windows\{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe
File created	C:\Windows\{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe
File created	C:\Windows\{AF8BB187-43AA-4833-A605-D81533358E9B}.exe	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe
File created	C:\Windows\{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe
File created	C:\Windows\{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe	{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe
File created	C:\Windows\{4FB6B281-BCB4-4c15-8B20-8C1190FDC9F6}.exe	{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe{0C58675B-0545-475d-A744-9AF1A789E834}.exe{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe{AF8BB187-43AA-4833-A605-D81533358E9B}.exe{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4896	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4968	{0C58675B-0545-475d-A744-9AF1A789E834}.exe
Token: SeIncBasePriorityPrivilege	2456	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe
Token: SeIncBasePriorityPrivilege	3052	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe
Token: SeIncBasePriorityPrivilege	388	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe
Token: SeIncBasePriorityPrivilege	4872	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe
Token: SeIncBasePriorityPrivilege	3264	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe
Token: SeIncBasePriorityPrivilege	3744	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe
Token: SeIncBasePriorityPrivilege	4640	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe
Token: SeIncBasePriorityPrivilege	1576	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe
Token: SeIncBasePriorityPrivilege	700	{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe
Token: SeIncBasePriorityPrivilege	5516	{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4896 wrote to memory of 4968	4896	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	{0C58675B-0545-475d-A744-9AF1A789E834}.exe
PID 4896 wrote to memory of 4968	4896	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	{0C58675B-0545-475d-A744-9AF1A789E834}.exe
PID 4896 wrote to memory of 4968	4896	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	{0C58675B-0545-475d-A744-9AF1A789E834}.exe
PID 4896 wrote to memory of 1612	4896	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	cmd.exe
PID 4896 wrote to memory of 1612	4896	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	cmd.exe
PID 4896 wrote to memory of 1612	4896	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	cmd.exe
PID 4968 wrote to memory of 2456	4968	{0C58675B-0545-475d-A744-9AF1A789E834}.exe	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe
PID 4968 wrote to memory of 2456	4968	{0C58675B-0545-475d-A744-9AF1A789E834}.exe	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe
PID 4968 wrote to memory of 2456	4968	{0C58675B-0545-475d-A744-9AF1A789E834}.exe	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe
PID 4968 wrote to memory of 2432	4968	{0C58675B-0545-475d-A744-9AF1A789E834}.exe	cmd.exe
PID 4968 wrote to memory of 2432	4968	{0C58675B-0545-475d-A744-9AF1A789E834}.exe	cmd.exe
PID 4968 wrote to memory of 2432	4968	{0C58675B-0545-475d-A744-9AF1A789E834}.exe	cmd.exe
PID 2456 wrote to memory of 3052	2456	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe
PID 2456 wrote to memory of 3052	2456	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe
PID 2456 wrote to memory of 3052	2456	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe
PID 2456 wrote to memory of 4724	2456	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe	cmd.exe
PID 2456 wrote to memory of 4724	2456	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe	cmd.exe
PID 2456 wrote to memory of 4724	2456	{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe	cmd.exe
PID 3052 wrote to memory of 388	3052	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe
PID 3052 wrote to memory of 388	3052	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe
PID 3052 wrote to memory of 388	3052	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe
PID 3052 wrote to memory of 1904	3052	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe	cmd.exe
PID 3052 wrote to memory of 1904	3052	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe	cmd.exe
PID 3052 wrote to memory of 1904	3052	{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe	cmd.exe
PID 388 wrote to memory of 4872	388	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe
PID 388 wrote to memory of 4872	388	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe
PID 388 wrote to memory of 4872	388	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe
PID 388 wrote to memory of 4720	388	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe	cmd.exe
PID 388 wrote to memory of 4720	388	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe	cmd.exe
PID 388 wrote to memory of 4720	388	{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe	cmd.exe
PID 4872 wrote to memory of 3264	4872	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe
PID 4872 wrote to memory of 3264	4872	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe
PID 4872 wrote to memory of 3264	4872	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe
PID 4872 wrote to memory of 5272	4872	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe	cmd.exe
PID 4872 wrote to memory of 5272	4872	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe	cmd.exe
PID 4872 wrote to memory of 5272	4872	{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe	cmd.exe
PID 3264 wrote to memory of 3744	3264	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe
PID 3264 wrote to memory of 3744	3264	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe
PID 3264 wrote to memory of 3744	3264	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe
PID 3264 wrote to memory of 3740	3264	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe	cmd.exe
PID 3264 wrote to memory of 3740	3264	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe	cmd.exe
PID 3264 wrote to memory of 3740	3264	{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe	cmd.exe
PID 3744 wrote to memory of 4640	3744	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe
PID 3744 wrote to memory of 4640	3744	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe
PID 3744 wrote to memory of 4640	3744	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe
PID 3744 wrote to memory of 1604	3744	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe	cmd.exe
PID 3744 wrote to memory of 1604	3744	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe	cmd.exe
PID 3744 wrote to memory of 1604	3744	{AF8BB187-43AA-4833-A605-D81533358E9B}.exe	cmd.exe
PID 4640 wrote to memory of 1576	4640	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe
PID 4640 wrote to memory of 1576	4640	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe
PID 4640 wrote to memory of 1576	4640	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe
PID 4640 wrote to memory of 5428	4640	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe	cmd.exe
PID 4640 wrote to memory of 5428	4640	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe	cmd.exe
PID 4640 wrote to memory of 5428	4640	{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe	cmd.exe
PID 1576 wrote to memory of 700	1576	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe	{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe
PID 1576 wrote to memory of 700	1576	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe	{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe
PID 1576 wrote to memory of 700	1576	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe	{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe
PID 1576 wrote to memory of 5640	1576	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe	cmd.exe
PID 1576 wrote to memory of 5640	1576	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe	cmd.exe
PID 1576 wrote to memory of 5640	1576	{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe	cmd.exe
PID 700 wrote to memory of 5516	700	{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe	{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe
PID 700 wrote to memory of 5516	700	{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe	{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe
PID 700 wrote to memory of 5516	700	{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe	{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe
PID 700 wrote to memory of 1916	700	{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\{0C58675B-0545-475d-A744-9AF1A789E834}.exe
C:\Windows\{0C58675B-0545-475d-A744-9AF1A789E834}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe
C:\Windows\{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe
C:\Windows\{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe
C:\Windows\{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe
C:\Windows\{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe
C:\Windows\{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\{AF8BB187-43AA-4833-A605-D81533358E9B}.exe
C:\Windows\{AF8BB187-43AA-4833-A605-D81533358E9B}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe
C:\Windows\{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe
C:\Windows\{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe
C:\Windows\{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe
C:\Windows\{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5516

C:\Windows\{4FB6B281-BCB4-4c15-8B20-8C1190FDC9F6}.exe
C:\Windows\{4FB6B281-BCB4-4c15-8B20-8C1190FDC9F6}.exe
13⤵
- Executes dropped EXE
PID:5260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2BD16~1.EXE > nul
13⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C19D0~1.EXE > nul
12⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C7EDF~1.EXE > nul
11⤵
PID:5640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C5AEE~1.EXE > nul
10⤵
PID:5428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AF8BB~1.EXE > nul
9⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{16A31~1.EXE > nul
8⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{138E5~1.EXE > nul
7⤵
PID:5272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DB630~1.EXE > nul
6⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E69F4~1.EXE > nul
5⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{14DCB~1.EXE > nul
4⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0C586~1.EXE > nul
3⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\59A067~1.EXE > nul
2⤵
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C58675B-0545-475d-A744-9AF1A789E834}.exe
Filesize
64KB

MD5
d5a3602994bf70ca744b24e386fb5066

SHA1
0fe394f04eccdc12963bc2b420e4fac6750d5b56

SHA256
d7e3e0551760de08b79b21150bd5a280ec39e74a2ff95c18351e67ca360e6afd

SHA512
1f2a71036ca2fd95f551cf07de34647c2e8efd52f0d5758eef65d7ddfc16cef15ae375f3cb7beb44db927cf872251e45a84d34688f308d62ad80cbb4e7c67548

Download Submit
C:\Windows\{138E5281-B04E-4f2f-B37F-D39D0E211A95}.exe
Filesize
64KB

MD5
9e9ea5aba4d67412eeec552b0d9d566b

SHA1
eac374aa7d1ed77e59aeab52a53ea18ea5781701

SHA256
0c0e90037c1c0dee59f3e5f525b2dfaebec4df4ec7af91f06301e4992076089c

SHA512
dd2d27fbc4a7c5c2921f9cb14faf777ec0f23f8622ef17d01a9be4adb9eedaeff006a08fe07416c534da08cae152026e838ce5356e6bbfe307a7fe95e5ca4eee

Download Submit
C:\Windows\{14DCB60A-D6CA-4274-BF3A-66EEB167770A}.exe
Filesize
64KB

MD5
897feb442c8a3ce80855bc24cde37aba

SHA1
177dfb143b8633baaf0972002c2b67eca3274518

SHA256
ce72a4f6ee8b80b07ffe58b26d5607847146a4cf89258c42d84509d98d843cce

SHA512
bbcb52e0e66cb85d761734afc19c1319c74ae0db4a096b805c947622a038b02e72df113c556792cf9c54c1d239efc6d15dc56696325e866f072b1964404c7567

Download Submit
C:\Windows\{16A31781-B95A-4791-B6B8-62AC3CF9F476}.exe
Filesize
64KB

MD5
ad532adfdd3a696a3a49e4458ce26f0d

SHA1
141acd18dac2e240ae195cb12d45976585a9996c

SHA256
e73a043e5a1a4913320b924e05df111c6b6f3313ec2d738c7de69ba48483b2c8

SHA512
9a0fc5bf85cc3c0818aaf30b90dbbe6f5f66ac001f08f649900869c0e6d4876f84860a894e03d957f31bb6741ec539389afea73bcaf5e4dcebfe2e1896a05f87

Download Submit
C:\Windows\{2BD16E3F-3388-48ae-9410-2DB54A4C73DD}.exe
Filesize
64KB

MD5
04816547f95d67d68d92bc1d2122417b

SHA1
9bea9cdb14c490ed32efe9a20ccee8b7dcb37c3a

SHA256
d43d28e9f10c7d67700e5cf7f39ab4e920811f325e78ee4cf36a517daea95fa2

SHA512
3af1f4d2f0fb2f305838c5b3c63f1a9dbea6fda2649e0c6e4868319fe681f5da44b35aca651246d78d7e96efb4a71e9368d452415fe07890cf43c4e2fc6cba4d

Download Submit
C:\Windows\{4FB6B281-BCB4-4c15-8B20-8C1190FDC9F6}.exe
Filesize
64KB

MD5
72529e923bb48c4acab41e2e193cedbb

SHA1
b05babd14c7dfc23bb7cfafa3c57923aeaef1b2f

SHA256
b94dfa0fbf475b5c6d00a65ccd2c2a330cea7a7c6b6d87f6476a99864c3aaa1f

SHA512
523b9976739101f78974f7c9c1f0df0312cf748f83f91e4528a620015783e1bf5a833a88d9b067f8f7c9daba1b6dc71f973befd195e2962d538a19003d12a00f

Download Submit
C:\Windows\{AF8BB187-43AA-4833-A605-D81533358E9B}.exe
Filesize
64KB

MD5
9a33a1d78f5e280ebf979429ace74754

SHA1
8a8f9b3380a173bf6c3de19c6cf27508578db08c

SHA256
d2730c00e9d4c78429531a0c48c36cd38da44304bbb17eb3cd3cf5ebeea43a22

SHA512
501a05395896fababde5b375f3300360c80ae9efeb7195f843ffe0821a91a822b26c2a716d2ebeade52078eaef337a6bdbeea17d4af3f45dbab49ac38394b2fb

Download Submit
C:\Windows\{C19D0F70-0B56-4ff8-9378-C47C0ED5F82B}.exe
Filesize
64KB

MD5
c0251897d593c0677db731ee988ccb46

SHA1
8780dcb2910f02cb40e0b5550c10576a6ca336d4

SHA256
b67f3139c8d93f00acc5b49c78d03f52638635d57714702ebaefe97be424dacf

SHA512
188b3ea4db3cbbd57e93eaf6fb17866a08b702af70c0b1c52bdc3cae2cc65c23521e81d7508942abe31a61df51cbc8b4c2c9448496897071db4c6bb3101d8708

Download Submit
C:\Windows\{C5AEE822-D187-45c2-8AEF-D491BAA0A9FC}.exe
Filesize
64KB

MD5
58b789d6cd5ed8987c302b5d96173dc7

SHA1
d106500f3eec7617b02dd8f72d328ace46491cfc

SHA256
8c9cb9314defbf94eb788bc4ef9dd2aabd477eb7cd0ac5b0c4344ce9038d9b34

SHA512
a89f992b940079305a168c8d7c01940a3485f6aade3d49fe4904e4d4d187b8587486474e0e3db4584042832bc46640a6f21e858e100df9e347a428e2245d8876

Download Submit
C:\Windows\{C7EDF7FB-5BF0-4f4d-865D-C296A5A0AAEE}.exe
Filesize
64KB

MD5
12602bdd44d04f3d387a3797fefe14b0

SHA1
332fece16804c0c9b62a389eaaf36c425f80d03a

SHA256
299bbf37bdef6b9e58726eea04d639826503baece677b449e140364ea095f78b

SHA512
83b1ccde7bb7800fb426f116da4a27b0e1c976d3247e0710999bb44a682b69dfc7368d93a99dda75dbb8e7f36c971f05d8a70111927f76c4810cb0af41491fae

Download Submit
C:\Windows\{DB630DCB-5B2D-41db-ADD6-FA0D12921AA9}.exe
Filesize
64KB

MD5
4a5ecec3e7dec06d63416ca53a5233e3

SHA1
de54068bf91150b468d68b3067a67e7b6ccef7c3

SHA256
956a155113b137dc3adf6dfca6f44510295f8bb4e43c710e17e9d66abdcc2fad

SHA512
93a03cebc6cd4400621c3083ad79ccf867ed5d00c3903295fc2ab0e722036239797cca860892508bb397435e1e3e2a916729f443824a1ca35b7d69072d0f26b6

Download Submit
C:\Windows\{E69F472D-233B-4c5a-8F9E-5774DB6A7D72}.exe
Filesize
64KB

MD5
50bb5782dc31e74459a329c5f2059e5f

SHA1
e397751bf1936bfa49459a04d668d8ea93bc89eb

SHA256
ca8814d714ab4d3d1cfc30bbe80dd89641c57aa2490f1f9ea121f9f47e18a2a2

SHA512
f915eae46fa52dfa36cd5e8e4148520b92c929f7b9cd6081809c5d999494b7fc3a62a0507f65bc244958bdccce482bddc62cc5ba8756e5f259ed5325f91a224a

Download Submit
memory/388-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/388-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/700-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/700-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1576-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1576-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2456-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2456-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3052-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3052-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3264-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3264-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3744-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3744-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4640-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4872-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4872-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4896-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4896-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4968-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4968-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5260-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5516-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5516-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download