1fad62acbd7d4310c724c7395695025bcb09a1d96ef3b69a63f5b5089c218641

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe
Size

90KB
MD5

627fcd77b202ba5704cd6c800e4f65a0
SHA1

aadff672cfb0237f4e48cd60b607c9de23b5c732
SHA256

1fad62acbd7d4310c724c7395695025bcb09a1d96ef3b69a63f5b5089c218641
SHA512

bf68aa9699581c9fed4d4db001465d53ac95099538c196bbddea6d1222d516bcdc8673ccc07082eccf486599e05a51c89e55f64adbe31cd11ebc4b4b489a17f0
SSDEEP

768:50w981IshKQLrop4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzS:CEGI0oplVunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe{786E7AEF-F312-48e4-A289-E4047DADD329}.exe627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe{78045083-477C-49ee-8314-3F8D51FDF56E}.exe{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F39D5E0B-D687-4410-B31D-E5EA056A256D}\stubpath = "C:\\Windows\\{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe"	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{196C8963-9F6C-44c3-9FF9-6E5E9751869F}\stubpath = "C:\\Windows\\{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe"	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{786E7AEF-F312-48e4-A289-E4047DADD329}	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{786E7AEF-F312-48e4-A289-E4047DADD329}\stubpath = "C:\\Windows\\{786E7AEF-F312-48e4-A289-E4047DADD329}.exe"	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{790481A1-ADAC-465e-96B4-C01B3F4A6494}\stubpath = "C:\\Windows\\{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe"	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E24FEB7B-1931-42ee-92EE-8F73299962CA}\stubpath = "C:\\Windows\\{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe"	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{456688AA-37EB-40ee-94BE-4C7BF02FE95A}	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{456688AA-37EB-40ee-94BE-4C7BF02FE95A}\stubpath = "C:\\Windows\\{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe"	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7AE3979-39E3-4176-9877-C6C983D4DC4B}\stubpath = "C:\\Windows\\{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe"	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F39D5E0B-D687-4410-B31D-E5EA056A256D}	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{790481A1-ADAC-465e-96B4-C01B3F4A6494}	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A62C6ED5-541A-4f74-BECD-D5B398B35386}	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A62C6ED5-541A-4f74-BECD-D5B398B35386}\stubpath = "C:\\Windows\\{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe"	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{817F9ADB-7386-4fdc-8BA1-979F3AB55D98}	{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{817F9ADB-7386-4fdc-8BA1-979F3AB55D98}\stubpath = "C:\\Windows\\{817F9ADB-7386-4fdc-8BA1-979F3AB55D98}.exe"	{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E24FEB7B-1931-42ee-92EE-8F73299962CA}	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78045083-477C-49ee-8314-3F8D51FDF56E}	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78045083-477C-49ee-8314-3F8D51FDF56E}\stubpath = "C:\\Windows\\{78045083-477C-49ee-8314-3F8D51FDF56E}.exe"	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{196C8963-9F6C-44c3-9FF9-6E5E9751869F}	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}	{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}\stubpath = "C:\\Windows\\{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe"	{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22E3B8FF-F151-410f-9735-74FCA0B56A42}	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22E3B8FF-F151-410f-9735-74FCA0B56A42}\stubpath = "C:\\Windows\\{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe"	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7AE3979-39E3-4176-9877-C6C983D4DC4B}	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe

Executes dropped EXE 12 IoCs

Processes:

{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe{78045083-477C-49ee-8314-3F8D51FDF56E}.exe{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe{786E7AEF-F312-48e4-A289-E4047DADD329}.exe{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe{817F9ADB-7386-4fdc-8BA1-979F3AB55D98}.exe

pid	process
2664	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe
4576	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe
2256	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe
4900	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe
1932	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe
2336	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe
4948	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe
4272	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe
3304	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe
4000	{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe
3720	{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe
1928	{817F9ADB-7386-4fdc-8BA1-979F3AB55D98}.exe

Drops file in Windows directory 12 IoCs

Processes:

{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe{78045083-477C-49ee-8314-3F8D51FDF56E}.exe{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe{786E7AEF-F312-48e4-A289-E4047DADD329}.exe{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe

description	ioc	process
File created	C:\Windows\{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe
File created	C:\Windows\{78045083-477C-49ee-8314-3F8D51FDF56E}.exe	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe
File created	C:\Windows\{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe
File created	C:\Windows\{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe
File created	C:\Windows\{817F9ADB-7386-4fdc-8BA1-979F3AB55D98}.exe	{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe
File created	C:\Windows\{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe
File created	C:\Windows\{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe
File created	C:\Windows\{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe
File created	C:\Windows\{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe
File created	C:\Windows\{786E7AEF-F312-48e4-A289-E4047DADD329}.exe	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe
File created	C:\Windows\{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe
File created	C:\Windows\{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe	{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe{78045083-477C-49ee-8314-3F8D51FDF56E}.exe{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe{786E7AEF-F312-48e4-A289-E4047DADD329}.exe{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1192	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2664	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe
Token: SeIncBasePriorityPrivilege	4576	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe
Token: SeIncBasePriorityPrivilege	2256	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe
Token: SeIncBasePriorityPrivilege	4900	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe
Token: SeIncBasePriorityPrivilege	1932	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe
Token: SeIncBasePriorityPrivilege	2336	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe
Token: SeIncBasePriorityPrivilege	4948	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe
Token: SeIncBasePriorityPrivilege	4272	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe
Token: SeIncBasePriorityPrivilege	3304	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe
Token: SeIncBasePriorityPrivilege	4000	{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe
Token: SeIncBasePriorityPrivilege	3720	{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1192 wrote to memory of 2664	1192	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe
PID 1192 wrote to memory of 2664	1192	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe
PID 1192 wrote to memory of 2664	1192	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe
PID 1192 wrote to memory of 2008	1192	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	cmd.exe
PID 1192 wrote to memory of 2008	1192	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	cmd.exe
PID 1192 wrote to memory of 2008	1192	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	cmd.exe
PID 2664 wrote to memory of 4576	2664	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe
PID 2664 wrote to memory of 4576	2664	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe
PID 2664 wrote to memory of 4576	2664	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe
PID 2664 wrote to memory of 3804	2664	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe	cmd.exe
PID 2664 wrote to memory of 3804	2664	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe	cmd.exe
PID 2664 wrote to memory of 3804	2664	{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe	cmd.exe
PID 4576 wrote to memory of 2256	4576	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe
PID 4576 wrote to memory of 2256	4576	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe
PID 4576 wrote to memory of 2256	4576	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe
PID 4576 wrote to memory of 3008	4576	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe	cmd.exe
PID 4576 wrote to memory of 3008	4576	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe	cmd.exe
PID 4576 wrote to memory of 3008	4576	{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe	cmd.exe
PID 2256 wrote to memory of 4900	2256	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe
PID 2256 wrote to memory of 4900	2256	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe
PID 2256 wrote to memory of 4900	2256	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe
PID 2256 wrote to memory of 3868	2256	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe	cmd.exe
PID 2256 wrote to memory of 3868	2256	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe	cmd.exe
PID 2256 wrote to memory of 3868	2256	{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe	cmd.exe
PID 4900 wrote to memory of 1932	4900	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe
PID 4900 wrote to memory of 1932	4900	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe
PID 4900 wrote to memory of 1932	4900	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe
PID 4900 wrote to memory of 3976	4900	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe	cmd.exe
PID 4900 wrote to memory of 3976	4900	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe	cmd.exe
PID 4900 wrote to memory of 3976	4900	{78045083-477C-49ee-8314-3F8D51FDF56E}.exe	cmd.exe
PID 1932 wrote to memory of 2336	1932	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe
PID 1932 wrote to memory of 2336	1932	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe
PID 1932 wrote to memory of 2336	1932	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe
PID 1932 wrote to memory of 1892	1932	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe	cmd.exe
PID 1932 wrote to memory of 1892	1932	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe	cmd.exe
PID 1932 wrote to memory of 1892	1932	{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe	cmd.exe
PID 2336 wrote to memory of 4948	2336	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe
PID 2336 wrote to memory of 4948	2336	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe
PID 2336 wrote to memory of 4948	2336	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe
PID 2336 wrote to memory of 1040	2336	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe	cmd.exe
PID 2336 wrote to memory of 1040	2336	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe	cmd.exe
PID 2336 wrote to memory of 1040	2336	{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe	cmd.exe
PID 4948 wrote to memory of 4272	4948	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe
PID 4948 wrote to memory of 4272	4948	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe
PID 4948 wrote to memory of 4272	4948	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe
PID 4948 wrote to memory of 1608	4948	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe	cmd.exe
PID 4948 wrote to memory of 1608	4948	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe	cmd.exe
PID 4948 wrote to memory of 1608	4948	{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe	cmd.exe
PID 4272 wrote to memory of 3304	4272	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe
PID 4272 wrote to memory of 3304	4272	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe
PID 4272 wrote to memory of 3304	4272	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe
PID 4272 wrote to memory of 640	4272	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe	cmd.exe
PID 4272 wrote to memory of 640	4272	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe	cmd.exe
PID 4272 wrote to memory of 640	4272	{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe	cmd.exe
PID 3304 wrote to memory of 4000	3304	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe	{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe
PID 3304 wrote to memory of 4000	3304	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe	{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe
PID 3304 wrote to memory of 4000	3304	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe	{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe
PID 3304 wrote to memory of 3012	3304	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe	cmd.exe
PID 3304 wrote to memory of 3012	3304	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe	cmd.exe
PID 3304 wrote to memory of 3012	3304	{786E7AEF-F312-48e4-A289-E4047DADD329}.exe	cmd.exe
PID 4000 wrote to memory of 3720	4000	{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe	{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe
PID 4000 wrote to memory of 3720	4000	{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe	{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe
PID 4000 wrote to memory of 3720	4000	{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe	{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe
PID 4000 wrote to memory of 828	4000	{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe
C:\Windows\{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe
C:\Windows\{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe
C:\Windows\{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\{78045083-477C-49ee-8314-3F8D51FDF56E}.exe
C:\Windows\{78045083-477C-49ee-8314-3F8D51FDF56E}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe
C:\Windows\{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe
C:\Windows\{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe
C:\Windows\{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe
C:\Windows\{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\{786E7AEF-F312-48e4-A289-E4047DADD329}.exe
C:\Windows\{786E7AEF-F312-48e4-A289-E4047DADD329}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe
C:\Windows\{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe
C:\Windows\{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\{817F9ADB-7386-4fdc-8BA1-979F3AB55D98}.exe
C:\Windows\{817F9ADB-7386-4fdc-8BA1-979F3AB55D98}.exe
13⤵
- Executes dropped EXE
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F0DAD~1.EXE > nul
13⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{79048~1.EXE > nul
12⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{786E7~1.EXE > nul
11⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{196C8~1.EXE > nul
10⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F39D5~1.EXE > nul
9⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A62C6~1.EXE > nul
8⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E7AE3~1.EXE > nul
7⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{78045~1.EXE > nul
6⤵
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{22E3B~1.EXE > nul
5⤵
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{45668~1.EXE > nul
4⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E24FE~1.EXE > nul
3⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\627FCD~1.EXE > nul
2⤵
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{196C8963-9F6C-44c3-9FF9-6E5E9751869F}.exe

Filesize
90KB

MD5
93be11bb052e8da3aab0ace3134d6685

SHA1
80bea254e1be80527b76babe861b320ad18b7d1d

SHA256
7fd940a18bf3d5f1e133b6bb199f26dd60d1329f75846b1e9a8fbe8b71309181

SHA512
acaa1df508af69b6ff1c7586cb0c98b7431fc80ece765255fa36c73545573a5037338d5c80f6d6855de401c36aaf5671f1729125a1989d010335df283cf444aa

Download Submit
C:\Windows\{22E3B8FF-F151-410f-9735-74FCA0B56A42}.exe

Filesize
90KB

MD5
1f07b0d82618768d04c6e6b4ca7d66f8

SHA1
df1e10820c000bf1a1cc75b1ebc9523bd4555c83

SHA256
cfe931d2bdb7b763863a464b900f241f294dd179783436bb89b920eca38a96bd

SHA512
371b4d898d6248cf0363a4dc77f731d554a6ebae2cf8ca792060485f62394aa5636ed6b09910594ef345f8672574174a14beacd7b298595eba65402d5cae6836

Download Submit
C:\Windows\{456688AA-37EB-40ee-94BE-4C7BF02FE95A}.exe

Filesize
90KB

MD5
07920c08415bfd33ba8da5f3bc6b14c6

SHA1
2910a4414bdbbefc7ba4a75ecf623251deb9a1d2

SHA256
2115cd839ef85490413c64b73de53757034226b3d9c5a25a1a02621173a6d0df

SHA512
9255525aa5a9d33dd1f733ec3445f336b51fa546b74a47e63aca8774ce44b5c40f8b642f5b548e726a00905d5d074a25188d18ee77641deb5bd88eba75ae866a

Download Submit
C:\Windows\{78045083-477C-49ee-8314-3F8D51FDF56E}.exe

Filesize
90KB

MD5
c6b088670e0a3a808a6a75a21637c997

SHA1
3378cee72ac1dbaa3930ef3ba9fa024eb70f644c

SHA256
a01e7f361b493dd4654215b93e0ae47a2281ab4d346ef9028a889bdae9203b49

SHA512
8cd843fd032f13ffb1eb975d917834ad9c2002a1a48899738b05ac4fc1eb3fab1450ebad73fae812278232109b814d0240b6e61b3893ef2f607d2869f181b9aa

Download Submit
C:\Windows\{786E7AEF-F312-48e4-A289-E4047DADD329}.exe

Filesize
90KB

MD5
3bcb9c60172ace87d27792144ab3e7ee

SHA1
3b7ac4534ec14777a184ec3753f14b6a940f13c6

SHA256
20535556aa33399becb31c10aa685434f9d2159b980775686b9ab2212dc83e21

SHA512
34644de947d586e221709b7c4da5dc762462e7b78992661e4ec9e0aeafdeb00536200424550e5e0e9ddef1f947535f3a9d3f741692c715c3e5ee6c49d48dfa1b

Download Submit
C:\Windows\{790481A1-ADAC-465e-96B4-C01B3F4A6494}.exe

Filesize
90KB

MD5
b806df12684b1733c9baef035ff4f2a7

SHA1
2568d356794d239796253e7605ee49a5281b9f9f

SHA256
a3f4974a886d54020cd5b2f32dc43647b3f44c13adb9a01215bba7f04303e501

SHA512
71bafab42e26d131e16b0a11f9469f0f05e8508c8c2a44706a4ffdaba1f589417eb69cb1a10a0384df7f3ec0b18504d00d468fb9d67635152b86f2a6c4cb29ae

Download Submit
C:\Windows\{817F9ADB-7386-4fdc-8BA1-979F3AB55D98}.exe

Filesize
90KB

MD5
aece740c4bf07d4d2726e81c6206e5e7

SHA1
bee1b935ccf3c04817da7daf15b78029ba26fa08

SHA256
eaecf91477e22a46d5baa9de68e5aa0a78cd1f5b0ce4c0806677ed28ffa29ea4

SHA512
3e13fec88e64a26808738d2922d08795d3b2831951b03ba95df56eed7e0e8d84744590023e1217e7f9e0282351f86a1e06d9303a2d29c0b30d4203342fcb5523

Download Submit
C:\Windows\{A62C6ED5-541A-4f74-BECD-D5B398B35386}.exe

Filesize
90KB

MD5
4b5597701116f1fc4eae6537a12545ca

SHA1
4cab4a052f6ee95e2740a7e8c89c05920c5c8be0

SHA256
449479d3faf93a0299a8baa74c71a52c6318738acd89824f5db85fe42cfdd97e

SHA512
339e71f3811587173386a798522650df5193c8036b5a2510771a78f76c3ba606959f6ba137375c11d7b2be9be9e74f52f27c6258bd9713baf77632b50db6326b

Download Submit
C:\Windows\{E24FEB7B-1931-42ee-92EE-8F73299962CA}.exe

Filesize
90KB

MD5
00e163dbcfe240406e60dce077c4fe9d

SHA1
4a8fa262716f368074c39e4f6bbdc8180f8d7db8

SHA256
4ee072977a5415fe2f8f909b89e3ebfe3f685dc029211252e3acd5ec54e2c17e

SHA512
3ca8ee60e3d1ced7bac7da2108e9f0fb9d2c92824d12789b557f64c7aa0e3ae85cff71228b24e74ed6f375b4e4b03d7bb414c95db29cdb4b78a421ac4be491a9

Download Submit
C:\Windows\{E7AE3979-39E3-4176-9877-C6C983D4DC4B}.exe

Filesize
90KB

MD5
368101eee150268eacf9417ac4662ba3

SHA1
95f464376f700b65e325f66f5afc7203f4a26cc9

SHA256
f44ff61467011653111b6c72e3117aae87dcf892c0d972b581476f206cc84a46

SHA512
df0d42b0dfabc051e7668372c8ae968aba3bab92d9154d13b3ec9ffa5cb339d9d45ac5ba7c0b5e4487b910fd3bdacadb46e5494a8ec1acda368f19010460c9d7

Download Submit
C:\Windows\{F0DAD6B8-E0D8-4723-B76A-0308F8D5D28D}.exe

Filesize
90KB

MD5
41ced6c3f47ad84f578e514ca07f7347

SHA1
f46f295aeba6b375de04f7baa93b5f64d7e4ad04

SHA256
0b463bd4b55b95bb5410f79ad55185b8ad1d9e68822a1138e85c7db39f1c7361

SHA512
4ef5095734ae010cdf620ef639c1bf3d57b3294b7bbb62996dbd8e9042bcbcb83fb2739d3ddcc6278394f9978a6c4c9d9bac6e229e9a537de2f351e80e3acbcc

Download Submit
C:\Windows\{F39D5E0B-D687-4410-B31D-E5EA056A256D}.exe

Filesize
90KB

MD5
eeb893f7b1d5a862e1be67f0a2f65b7e

SHA1
6f0f03b98845f565d388ada31534ed107f6de79e

SHA256
b8fc74dd55e128927377a46b7cce1dab27cd02891023dee4190f9e0b7aaa57c3

SHA512
f383f7ba44b1b0cdd34df2d93cf727b7c9685502751f6dddf80760c6e37aaaced74e5491d2a32e39499242d3b28bed66152403230dd2efbe481f39f8be4e1412

Download Submit
memory/1192-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1192-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1932-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2256-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2256-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2336-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2336-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2664-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2664-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3304-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3720-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3720-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4000-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4000-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4272-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4272-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4576-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4576-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4900-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4900-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4948-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download