dcffc85e92798a6aa49419dc76c4b7107becae7872eca3c7e0e7db44deb27cbe

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe
Size

88KB
MD5

fc186576f8f0335fd9213a7313da14c0
SHA1

ff55aca52f0f42fca3b54d49c4d8cc429a4e14a2
SHA256

dcffc85e92798a6aa49419dc76c4b7107becae7872eca3c7e0e7db44deb27cbe
SHA512

4b528cdc124c1c304f13844b66628a1075ee5ecb403814716e0b3854becda4f1955655ed8a5aac8caaf84a55c71c9dfd57eaa19aef089f439ac9786f77f2e84e
SSDEEP

768:uvw981E9hKQLrov4/wQDNrfrunMxVFA3r:aEGJ0ovlYunMxVS3r

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exe{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41161C5D-0262-4d1d-B495-ABC2429C555A}	fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E28559-7B61-4d92-8284-2CCF0EACAE7F}	{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E28559-7B61-4d92-8284-2CCF0EACAE7F}\stubpath = "C:\\Windows\\{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe"	{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41161C5D-0262-4d1d-B495-ABC2429C555A}\stubpath = "C:\\Windows\\{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe"	fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D4D95AB-2C7F-4468-A062-028D5C32423F}	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCC9FF0A-C465-4281-935F-BF8A45D497F3}\stubpath = "C:\\Windows\\{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe"	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47261493-F1DA-4912-A6B1-35579C6A4C4B}\stubpath = "C:\\Windows\\{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe"	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C14A7DFD-6ECD-44a5-A42E-75E0D98AA2AF}	{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D4D95AB-2C7F-4468-A062-028D5C32423F}\stubpath = "C:\\Windows\\{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe"	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCC9FF0A-C465-4281-935F-BF8A45D497F3}	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}\stubpath = "C:\\Windows\\{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe"	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{915645C2-1DC8-4aaa-8581-81DDE4D39060}	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}\stubpath = "C:\\Windows\\{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe"	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C14A7DFD-6ECD-44a5-A42E-75E0D98AA2AF}\stubpath = "C:\\Windows\\{C14A7DFD-6ECD-44a5-A42E-75E0D98AA2AF}.exe"	{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}\stubpath = "C:\\Windows\\{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe"	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{915645C2-1DC8-4aaa-8581-81DDE4D39060}\stubpath = "C:\\Windows\\{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe"	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47261493-F1DA-4912-A6B1-35579C6A4C4B}	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}	{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}\stubpath = "C:\\Windows\\{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exe"	{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2528 cmd.exe

pid	process
2528	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exe{C14A7DFD-6ECD-44a5-A42E-75E0D98AA2AF}.exe

pid	process
2052	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe
2568	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe
2832	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe
304	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe
2532	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe
2684	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe
2844	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe
644	{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe
2068	{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe
788	{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exe
560	{C14A7DFD-6ECD-44a5-A42E-75E0D98AA2AF}.exe

Drops file in Windows directory 11 IoCs

Processes:

{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exefc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe

description	ioc	process
File created	C:\Windows\{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe
File created	C:\Windows\{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe
File created	C:\Windows\{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe
File created	C:\Windows\{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe
File created	C:\Windows\{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe
File created	C:\Windows\{C14A7DFD-6ECD-44a5-A42E-75E0D98AA2AF}.exe	{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exe
File created	C:\Windows\{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe	fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe
File created	C:\Windows\{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe
File created	C:\Windows\{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe
File created	C:\Windows\{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe	{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe
File created	C:\Windows\{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exe	{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2944	fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2052	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe
Token: SeIncBasePriorityPrivilege	2568	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe
Token: SeIncBasePriorityPrivilege	2832	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe
Token: SeIncBasePriorityPrivilege	304	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe
Token: SeIncBasePriorityPrivilege	2532	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe
Token: SeIncBasePriorityPrivilege	2684	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe
Token: SeIncBasePriorityPrivilege	2844	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe
Token: SeIncBasePriorityPrivilege	644	{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe
Token: SeIncBasePriorityPrivilege	2068	{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe
Token: SeIncBasePriorityPrivilege	788	{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2944 wrote to memory of 2052	2944	fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe
PID 2944 wrote to memory of 2052	2944	fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe
PID 2944 wrote to memory of 2052	2944	fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe
PID 2944 wrote to memory of 2052	2944	fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe
PID 2944 wrote to memory of 2528	2944	fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe	cmd.exe
PID 2944 wrote to memory of 2528	2944	fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe	cmd.exe
PID 2944 wrote to memory of 2528	2944	fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe	cmd.exe
PID 2944 wrote to memory of 2528	2944	fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe	cmd.exe
PID 2052 wrote to memory of 2568	2052	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe
PID 2052 wrote to memory of 2568	2052	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe
PID 2052 wrote to memory of 2568	2052	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe
PID 2052 wrote to memory of 2568	2052	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe
PID 2052 wrote to memory of 1284	2052	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe	cmd.exe
PID 2052 wrote to memory of 1284	2052	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe	cmd.exe
PID 2052 wrote to memory of 1284	2052	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe	cmd.exe
PID 2052 wrote to memory of 1284	2052	{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe	cmd.exe
PID 2568 wrote to memory of 2832	2568	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe
PID 2568 wrote to memory of 2832	2568	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe
PID 2568 wrote to memory of 2832	2568	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe
PID 2568 wrote to memory of 2832	2568	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe
PID 2568 wrote to memory of 2604	2568	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe	cmd.exe
PID 2568 wrote to memory of 2604	2568	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe	cmd.exe
PID 2568 wrote to memory of 2604	2568	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe	cmd.exe
PID 2568 wrote to memory of 2604	2568	{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe	cmd.exe
PID 2832 wrote to memory of 304	2832	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe
PID 2832 wrote to memory of 304	2832	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe
PID 2832 wrote to memory of 304	2832	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe
PID 2832 wrote to memory of 304	2832	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe
PID 2832 wrote to memory of 2860	2832	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe	cmd.exe
PID 2832 wrote to memory of 2860	2832	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe	cmd.exe
PID 2832 wrote to memory of 2860	2832	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe	cmd.exe
PID 2832 wrote to memory of 2860	2832	{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe	cmd.exe
PID 304 wrote to memory of 2532	304	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe
PID 304 wrote to memory of 2532	304	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe
PID 304 wrote to memory of 2532	304	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe
PID 304 wrote to memory of 2532	304	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe
PID 304 wrote to memory of 2768	304	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe	cmd.exe
PID 304 wrote to memory of 2768	304	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe	cmd.exe
PID 304 wrote to memory of 2768	304	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe	cmd.exe
PID 304 wrote to memory of 2768	304	{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe	cmd.exe
PID 2532 wrote to memory of 2684	2532	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe
PID 2532 wrote to memory of 2684	2532	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe
PID 2532 wrote to memory of 2684	2532	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe
PID 2532 wrote to memory of 2684	2532	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe
PID 2532 wrote to memory of 2680	2532	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe	cmd.exe
PID 2532 wrote to memory of 2680	2532	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe	cmd.exe
PID 2532 wrote to memory of 2680	2532	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe	cmd.exe
PID 2532 wrote to memory of 2680	2532	{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe	cmd.exe
PID 2684 wrote to memory of 2844	2684	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe
PID 2684 wrote to memory of 2844	2684	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe
PID 2684 wrote to memory of 2844	2684	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe
PID 2684 wrote to memory of 2844	2684	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe
PID 2684 wrote to memory of 2880	2684	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe	cmd.exe
PID 2684 wrote to memory of 2880	2684	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe	cmd.exe
PID 2684 wrote to memory of 2880	2684	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe	cmd.exe
PID 2684 wrote to memory of 2880	2684	{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe	cmd.exe
PID 2844 wrote to memory of 644	2844	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe	{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe
PID 2844 wrote to memory of 644	2844	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe	{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe
PID 2844 wrote to memory of 644	2844	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe	{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe
PID 2844 wrote to memory of 644	2844	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe	{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe
PID 2844 wrote to memory of 2056	2844	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe	cmd.exe
PID 2844 wrote to memory of 2056	2844	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe	cmd.exe
PID 2844 wrote to memory of 2056	2844	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe	cmd.exe
PID 2844 wrote to memory of 2056	2844	{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\fc186576f8f0335fd9213a7313da14c0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe
C:\Windows\{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe
C:\Windows\{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe
C:\Windows\{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe
C:\Windows\{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe
C:\Windows\{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe
C:\Windows\{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe
C:\Windows\{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe
C:\Windows\{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe
C:\Windows\{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exe
C:\Windows\{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\{C14A7DFD-6ECD-44a5-A42E-75E0D98AA2AF}.exe
C:\Windows\{C14A7DFD-6ECD-44a5-A42E-75E0D98AA2AF}.exe
12⤵
- Executes dropped EXE
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{88BC2~1.EXE > nul
12⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{76E28~1.EXE > nul
11⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{47261~1.EXE > nul
10⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{66FB1~1.EXE > nul
9⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{91564~1.EXE > nul
8⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1E2B7~1.EXE > nul
7⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BB423~1.EXE > nul
6⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CCC9F~1.EXE > nul
5⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5D4D9~1.EXE > nul
4⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{41161~1.EXE > nul
3⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FC1865~1.EXE > nul
2⤵
- Deletes itself
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E2B7EE2-2D8E-4654-A912-9200EAA5AA5F}.exe

Filesize
88KB

MD5
70c9826b6c755a67539de125e38a63ab

SHA1
7a426f9c11e3bb43e5f97b63e66483881d45e495

SHA256
9a3ec42f489452ac1bb6b7a031f561879367dcff55e47fa31738d21fb2fce9f4

SHA512
c0f202a22ac01b3f8a470623df9c9fcd9dc56fb68625abf77c5162eeb03dad5956f24971e91bdfe99b725359f7a7bf4767f6df42e082fe0747960a7e0d0b7230

Download Submit
C:\Windows\{41161C5D-0262-4d1d-B495-ABC2429C555A}.exe

Filesize
88KB

MD5
29cc75d37617b37196f35bf62ddb85ac

SHA1
a7b74ddaff1b536ba81b8cccba8a560120f30d37

SHA256
573e21ffe4d06e7f9c90a80a3c6e8fbe8fd3255921b37c9dd5ca04596f1fbb7b

SHA512
d70e91ea90aea4112fa44e086b539138e82780d6b8a4dd3a1e89f8031e305de2caee429167df7d3bc5e20b590f7083b1bb2c34f1e2eb128f2892e946eea9441e

Download Submit
C:\Windows\{47261493-F1DA-4912-A6B1-35579C6A4C4B}.exe

Filesize
88KB

MD5
e87cfba831e32d98cb1eff399c4094e4

SHA1
174e02394663e4dc43cfb65e01ec4724fbd9771d

SHA256
1efa23915f11a6153e14ed3bee561946ac47d1e3e456f5ad63aeb135d6aa2f57

SHA512
23660f48f74170740a67c7cbdb4911971c54774c4498718d62fec335ebbb7a03419a8132bd632f797e9706c517d19086caa8819ed7b9446f98eda3a0ceb1fe26

Download Submit
C:\Windows\{5D4D95AB-2C7F-4468-A062-028D5C32423F}.exe

Filesize
88KB

MD5
54c983f0cba8b36078ba7c733629f4eb

SHA1
d7bad8b2d919df2a7e71082427bd5ca466fd1939

SHA256
4cd636aac7e4b39fdc413a21c589cb6a30b66004eb192b409ef54b6ed8e308d9

SHA512
cbdced24864025bc6a501f47917e0ee8cd50e4d494c6a765d42d51e2970ba869d9deb2be7b1cf91307369e6b26fcadb75469fd0f0e8b291867cb228563d13a69

Download Submit
C:\Windows\{66FB1547-14AA-41f3-8A4A-0954DBBB0EA4}.exe

Filesize
88KB

MD5
6756a20b5719df05010afccc78b834d1

SHA1
50ec2829ec2dd8f1eb4d1783a8f7cc7c8858464a

SHA256
81662c89b3cb478a9b8a6245d69999ef6da8948bfc1da53676bb666f86414cfe

SHA512
10291c012c5f5a489254eb94349235144750b88a8b554c862459832830c058d100fe04db5eb297dba5c8e9fbd88fa50422cefdb26e2660083d578dd75b5fc2d7

Download Submit
C:\Windows\{76E28559-7B61-4d92-8284-2CCF0EACAE7F}.exe

Filesize
88KB

MD5
f4d5ee69dffa4007533d5cdf627cc53f

SHA1
5371474ad7903573c099dcc4eda89648cb554299

SHA256
d989436c85778fa26e05e330056a046c9b5b7a5ae64470e029bdf045655ec64a

SHA512
146e2e0cf1e82aa30a132f9dd2618c468e9ed300eaf99aceffdea2082c12f46ff71f4fec7a426224df0db382d35f8c1173fa5d8c5d64f9e8ea5b2fde6dbf5da7

Download Submit
C:\Windows\{88BC263B-A4A5-4fc1-B1CB-E1DB8E303D08}.exe

Filesize
88KB

MD5
565bd3b0c6a17532fe98c48b26a8ab82

SHA1
6432579bc2e7b22b7e9bd76ac5b9a048133e6af3

SHA256
cd46cff49245acb9f1632c21ede82c515d42e1f92745a53b4c606e2a7a19ae5f

SHA512
216cb3f4bf82eb994c3a400bfa055480de1bac0f020b62c3cd8e170cbb0dc309cf29142a4760501718fe0d110053385fb5d92a0f15567af7ff0e90445af227d1

Download Submit
C:\Windows\{915645C2-1DC8-4aaa-8581-81DDE4D39060}.exe

Filesize
88KB

MD5
9b7668911aa24b2b51b7c024fc28649c

SHA1
1a162657b0fd3e76255dd7bb51676540881e1768

SHA256
76240f3819b8bd208d47dd7a62c5c4959d899e925c54eb78bbf28ff0554aa9cc

SHA512
288f2e431c3436da5d55bb48bbf492b7b8a31744dd97bf5898feb85c810c485f864ac6fa3daf65e6df5c5fcf7dbd37ec443f858b34e280b13e900df965af7f0a

Download Submit
C:\Windows\{BB423AC1-3A2A-4ee6-8E6F-35082ADA6B20}.exe

Filesize
88KB

MD5
b75bd6e17f16fd4b6821456a2f0c6579

SHA1
c43df4b04958e7e714bc373fc1b8c3b6bee44bf8

SHA256
98f5950679e2b79203b3d50e16b08b29e57a82b85efbe92b2fd911a161999fb8

SHA512
ff484be0e9c486350b2612b41800c8929e8df6a46c85fef7ac4b09c0652832ea31e34ed90f4bdae555098c745759e3792fee4b89a0b22bbf22ef30131ad63e19

Download Submit
C:\Windows\{C14A7DFD-6ECD-44a5-A42E-75E0D98AA2AF}.exe

Filesize
88KB

MD5
e5b0c2edad8e36d2a060fe211738676b

SHA1
d3b22e0768ccf2de20bbd15204a5f55320514ca8

SHA256
6d4da36b62a74742e1852fab49e2f5252cf13326eff9bd11dd218496a3525179

SHA512
a8b539566c1ba4a6413c6f9d35ac02fb1c6a7a5b30a87666c727946551a657eccb1af46684395f3d79caa47f65fc6430e1a91a1d192af150f96090e2829be417

Download Submit
C:\Windows\{CCC9FF0A-C465-4281-935F-BF8A45D497F3}.exe

Filesize
88KB

MD5
45a8cd3df2d5a38415803c1abe9d4f65

SHA1
8ee0d51df353380aa40f27f7643fe5807fddaa4e

SHA256
722953a5d90827626e6c97b798d5851f003d4e7f98a5855c080134725b61ec6f

SHA512
4d5c259fddfc19de22ff2520483b1ef510323093ebe226e373e1ac2f88e1de7fde5c56fb29c8ed442babffdff5c9d96bf7b663fc6a5d20afa1327b3396983d8a

Download Submit
memory/304-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/304-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/644-81-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/644-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/788-98-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2052-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2052-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2068-82-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2068-90-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2532-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2532-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2568-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2568-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2684-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2832-35-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2832-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2832-34-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2844-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2844-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2944-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2944-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2944-7-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/2944-8-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download