eb8576af91f370e924bfefe2e618f351751563efda768517f937bc2cb1e6da87

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe
Size

89KB
MD5

691cb70e8509a4f1ce5e20ad271137a0
SHA1

bad95b009ed12cb959758b3f610f14e875183af0
SHA256

eb8576af91f370e924bfefe2e618f351751563efda768517f937bc2cb1e6da87
SHA512

e6d21effa115d9802a35ed426cfc0cadc1a0f42040005a79e854af6b158329fabb3ce9f97a3e2bd3ae4460932c2689e165bc81c5c67140c8a6f471be54984f9d
SSDEEP

768:5vw9816thKQLroX4/wQkNrfrunMxVFA3v:lEG/0oXlbunMxVS3v

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe{543738F9-E592-4339-B761-838C4CE49035}.exe{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe{0CFC92F8-7F60-4024-9C85-721152993219}.exe{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}\stubpath = "C:\\Windows\\{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe"	691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D25C7CD0-8E33-4c80-991F-F078D1380ACF}	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D25C7CD0-8E33-4c80-991F-F078D1380ACF}\stubpath = "C:\\Windows\\{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe"	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}\stubpath = "C:\\Windows\\{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe"	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94F56B6D-A3C7-4a9a-83AA-E54C893F9483}\stubpath = "C:\\Windows\\{94F56B6D-A3C7-4a9a-83AA-E54C893F9483}.exe"	{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}	{543738F9-E592-4339-B761-838C4CE49035}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}	691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3864558-177C-48c4-8198-F6D1A21CB29B}	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3864558-177C-48c4-8198-F6D1A21CB29B}\stubpath = "C:\\Windows\\{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe"	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD99E0F6-4A33-4146-AA65-FB35825CA24B}	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD99E0F6-4A33-4146-AA65-FB35825CA24B}\stubpath = "C:\\Windows\\{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe"	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84C4DEC0-D988-432a-A211-56DEC2C02D76}\stubpath = "C:\\Windows\\{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe"	{0CFC92F8-7F60-4024-9C85-721152993219}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{543738F9-E592-4339-B761-838C4CE49035}	{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}\stubpath = "C:\\Windows\\{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe"	{543738F9-E592-4339-B761-838C4CE49035}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}\stubpath = "C:\\Windows\\{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe"	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CFC92F8-7F60-4024-9C85-721152993219}	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94F56B6D-A3C7-4a9a-83AA-E54C893F9483}	{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CFC92F8-7F60-4024-9C85-721152993219}\stubpath = "C:\\Windows\\{0CFC92F8-7F60-4024-9C85-721152993219}.exe"	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84C4DEC0-D988-432a-A211-56DEC2C02D76}	{0CFC92F8-7F60-4024-9C85-721152993219}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{543738F9-E592-4339-B761-838C4CE49035}\stubpath = "C:\\Windows\\{543738F9-E592-4339-B761-838C4CE49035}.exe"	{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe

Executes dropped EXE 11 IoCs

Processes:

{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe{0CFC92F8-7F60-4024-9C85-721152993219}.exe{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe{543738F9-E592-4339-B761-838C4CE49035}.exe{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe{94F56B6D-A3C7-4a9a-83AA-E54C893F9483}.exe

pid	process
1316	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe
2748	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe
2840	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe
2528	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe
2600	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe
796	{0CFC92F8-7F60-4024-9C85-721152993219}.exe
2220	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe
2160	{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe
1908	{543738F9-E592-4339-B761-838C4CE49035}.exe
2900	{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe
1728	{94F56B6D-A3C7-4a9a-83AA-E54C893F9483}.exe

Drops file in Windows directory 11 IoCs

Processes:

691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe{0CFC92F8-7F60-4024-9C85-721152993219}.exe{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe{543738F9-E592-4339-B761-838C4CE49035}.exe{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe

description	ioc	process
File created	C:\Windows\{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe	691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe
File created	C:\Windows\{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe
File created	C:\Windows\{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe
File created	C:\Windows\{0CFC92F8-7F60-4024-9C85-721152993219}.exe	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe
File created	C:\Windows\{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe	{0CFC92F8-7F60-4024-9C85-721152993219}.exe
File created	C:\Windows\{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe
File created	C:\Windows\{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe	{543738F9-E592-4339-B761-838C4CE49035}.exe
File created	C:\Windows\{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe
File created	C:\Windows\{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe
File created	C:\Windows\{543738F9-E592-4339-B761-838C4CE49035}.exe	{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe
File created	C:\Windows\{94F56B6D-A3C7-4a9a-83AA-E54C893F9483}.exe	{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe{0CFC92F8-7F60-4024-9C85-721152993219}.exe{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe{543738F9-E592-4339-B761-838C4CE49035}.exe{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1444	691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1316	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe
Token: SeIncBasePriorityPrivilege	2748	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe
Token: SeIncBasePriorityPrivilege	2840	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe
Token: SeIncBasePriorityPrivilege	2528	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe
Token: SeIncBasePriorityPrivilege	2600	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe
Token: SeIncBasePriorityPrivilege	796	{0CFC92F8-7F60-4024-9C85-721152993219}.exe
Token: SeIncBasePriorityPrivilege	2220	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe
Token: SeIncBasePriorityPrivilege	2160	{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe
Token: SeIncBasePriorityPrivilege	1908	{543738F9-E592-4339-B761-838C4CE49035}.exe
Token: SeIncBasePriorityPrivilege	2900	{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1444 wrote to memory of 1316	1444	691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe
PID 1444 wrote to memory of 1316	1444	691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe
PID 1444 wrote to memory of 1316	1444	691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe
PID 1444 wrote to memory of 1316	1444	691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe
PID 1444 wrote to memory of 2800	1444	691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe	cmd.exe
PID 1444 wrote to memory of 2800	1444	691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe	cmd.exe
PID 1444 wrote to memory of 2800	1444	691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe	cmd.exe
PID 1444 wrote to memory of 2800	1444	691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe	cmd.exe
PID 1316 wrote to memory of 2748	1316	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe
PID 1316 wrote to memory of 2748	1316	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe
PID 1316 wrote to memory of 2748	1316	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe
PID 1316 wrote to memory of 2748	1316	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe
PID 1316 wrote to memory of 2636	1316	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe	cmd.exe
PID 1316 wrote to memory of 2636	1316	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe	cmd.exe
PID 1316 wrote to memory of 2636	1316	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe	cmd.exe
PID 1316 wrote to memory of 2636	1316	{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe	cmd.exe
PID 2748 wrote to memory of 2840	2748	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe
PID 2748 wrote to memory of 2840	2748	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe
PID 2748 wrote to memory of 2840	2748	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe
PID 2748 wrote to memory of 2840	2748	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe
PID 2748 wrote to memory of 2648	2748	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe	cmd.exe
PID 2748 wrote to memory of 2648	2748	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe	cmd.exe
PID 2748 wrote to memory of 2648	2748	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe	cmd.exe
PID 2748 wrote to memory of 2648	2748	{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe	cmd.exe
PID 2840 wrote to memory of 2528	2840	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe
PID 2840 wrote to memory of 2528	2840	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe
PID 2840 wrote to memory of 2528	2840	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe
PID 2840 wrote to memory of 2528	2840	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe
PID 2840 wrote to memory of 2164	2840	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe	cmd.exe
PID 2840 wrote to memory of 2164	2840	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe	cmd.exe
PID 2840 wrote to memory of 2164	2840	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe	cmd.exe
PID 2840 wrote to memory of 2164	2840	{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe	cmd.exe
PID 2528 wrote to memory of 2600	2528	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe
PID 2528 wrote to memory of 2600	2528	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe
PID 2528 wrote to memory of 2600	2528	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe
PID 2528 wrote to memory of 2600	2528	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe
PID 2528 wrote to memory of 1644	2528	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe	cmd.exe
PID 2528 wrote to memory of 1644	2528	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe	cmd.exe
PID 2528 wrote to memory of 1644	2528	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe	cmd.exe
PID 2528 wrote to memory of 1644	2528	{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe	cmd.exe
PID 2600 wrote to memory of 796	2600	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe	{0CFC92F8-7F60-4024-9C85-721152993219}.exe
PID 2600 wrote to memory of 796	2600	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe	{0CFC92F8-7F60-4024-9C85-721152993219}.exe
PID 2600 wrote to memory of 796	2600	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe	{0CFC92F8-7F60-4024-9C85-721152993219}.exe
PID 2600 wrote to memory of 796	2600	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe	{0CFC92F8-7F60-4024-9C85-721152993219}.exe
PID 2600 wrote to memory of 1968	2600	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe	cmd.exe
PID 2600 wrote to memory of 1968	2600	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe	cmd.exe
PID 2600 wrote to memory of 1968	2600	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe	cmd.exe
PID 2600 wrote to memory of 1968	2600	{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe	cmd.exe
PID 796 wrote to memory of 2220	796	{0CFC92F8-7F60-4024-9C85-721152993219}.exe	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe
PID 796 wrote to memory of 2220	796	{0CFC92F8-7F60-4024-9C85-721152993219}.exe	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe
PID 796 wrote to memory of 2220	796	{0CFC92F8-7F60-4024-9C85-721152993219}.exe	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe
PID 796 wrote to memory of 2220	796	{0CFC92F8-7F60-4024-9C85-721152993219}.exe	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe
PID 796 wrote to memory of 2404	796	{0CFC92F8-7F60-4024-9C85-721152993219}.exe	cmd.exe
PID 796 wrote to memory of 2404	796	{0CFC92F8-7F60-4024-9C85-721152993219}.exe	cmd.exe
PID 796 wrote to memory of 2404	796	{0CFC92F8-7F60-4024-9C85-721152993219}.exe	cmd.exe
PID 796 wrote to memory of 2404	796	{0CFC92F8-7F60-4024-9C85-721152993219}.exe	cmd.exe
PID 2220 wrote to memory of 2160	2220	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe	{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe
PID 2220 wrote to memory of 2160	2220	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe	{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe
PID 2220 wrote to memory of 2160	2220	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe	{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe
PID 2220 wrote to memory of 2160	2220	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe	{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe
PID 2220 wrote to memory of 1520	2220	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe	cmd.exe
PID 2220 wrote to memory of 1520	2220	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe	cmd.exe
PID 2220 wrote to memory of 1520	2220	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe	cmd.exe
PID 2220 wrote to memory of 1520	2220	{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\691cb70e8509a4f1ce5e20ad271137a0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe
C:\Windows\{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe
C:\Windows\{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe
C:\Windows\{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe
C:\Windows\{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe
C:\Windows\{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\{0CFC92F8-7F60-4024-9C85-721152993219}.exe
C:\Windows\{0CFC92F8-7F60-4024-9C85-721152993219}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe
C:\Windows\{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe
C:\Windows\{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\{543738F9-E592-4339-B761-838C4CE49035}.exe
C:\Windows\{543738F9-E592-4339-B761-838C4CE49035}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe
C:\Windows\{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\{94F56B6D-A3C7-4a9a-83AA-E54C893F9483}.exe
C:\Windows\{94F56B6D-A3C7-4a9a-83AA-E54C893F9483}.exe
12⤵
- Executes dropped EXE
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DFEB9~1.EXE > nul
12⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{54373~1.EXE > nul
11⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{030BB~1.EXE > nul
10⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{84C4D~1.EXE > nul
9⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0CFC9~1.EXE > nul
8⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{96660~1.EXE > nul
7⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FD99E~1.EXE > nul
6⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A3864~1.EXE > nul
5⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D25C7~1.EXE > nul
4⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0E16C~1.EXE > nul
3⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\691CB7~1.EXE > nul
2⤵
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{030BBF1B-DA1F-4b98-A2AB-5F82EE254F8C}.exe

Filesize
89KB

MD5
711c60dbfc6464f229ff923c72743ffe

SHA1
383b7940ae2cbb66467d95c8faec489759671d72

SHA256
49a866923d8986077fe26c95b48d4cf48e39815e33af0d70a250bd1d95476912

SHA512
bf6955b7eac2f382ce64f909afd125409506e4f174939d7a16a7e5a8e8e47168afac5832d11b95561866c14f297ca1099b678dbe647726dd13e02f26e1b144e9

Download Submit
C:\Windows\{0CFC92F8-7F60-4024-9C85-721152993219}.exe

Filesize
89KB

MD5
1f420c367e695fa257e532b21fefa494

SHA1
6a1615ae068156f79bb561f74c76d8f87d27a655

SHA256
3a563eb43a39e6aa95ac11f303a6f22fbee1765aeabdcd55ab7643e8632a564f

SHA512
5b17da1d556d8ef8effb872ce05b537f26e7e6538c2f9ca6a87f28c04a34ce38da1023278b22dbceb990b770940cea4c3d31f5ff433c85bcf6f66c4826d7b0a6

Download Submit
C:\Windows\{0E16CBFF-E936-4c2f-B3D3-984FDA377FF6}.exe

Filesize
89KB

MD5
cf0dd36e83d8f6324244cc915b3bc3aa

SHA1
3c3e7f8528fa929c886d46cae8b7cfe2e2947c89

SHA256
858ae27fae2dc7e351cb570f5bf774e13e21340cc5501480acf3549c407e8b96

SHA512
367f0cdc670cb11dc2bb0165a195ff06d873f08a8623a8ef96f188f41b5f07b9d7bd3911731465f38fb9f9ea2cf016f764de8464751f97e3145984ba5ca5328c

Download Submit
C:\Windows\{543738F9-E592-4339-B761-838C4CE49035}.exe

Filesize
89KB

MD5
4a8e50d53aad0c770b14f259552fe87d

SHA1
9475f4688f49897e58711aa05427466fbf78db06

SHA256
b831fccac645195a1bd4e7ca37e751d31c19efeb5891adbda6bebe300605fcba

SHA512
0719f6f2f20f898374c295ee7265a8962e2e54d4740073df760934214e0650b55c89854040a9a7aa264f3194e716cb447e2874ee7ae29f914e95f1878b0af9bf

Download Submit
C:\Windows\{84C4DEC0-D988-432a-A211-56DEC2C02D76}.exe

Filesize
89KB

MD5
91ca94f29a160836585865a4f0b72cc0

SHA1
3ff54a99fe7bde72d514dd4b1ace4fc886b0e729

SHA256
8c6651dfabc319d00bb4268ab34351cfd01c49c806e5c58a4f1a00b35c90dcd2

SHA512
bf5e1ff86903f77115cf8919458679146de8723ed332cb446d4c6ae6bec6d87a90bdcb1c92bebecd4690f351aec7e0b429dae12bbe93bf514da54382567b148d

Download Submit
C:\Windows\{94F56B6D-A3C7-4a9a-83AA-E54C893F9483}.exe

Filesize
89KB

MD5
0bacf57265cac3533c95f8fd532fd30f

SHA1
8ee884faf47830051eadf38252442f8092f9bbc3

SHA256
69db3768dca7c725e6f4b71f89ecc758b79ce823ae0757c4d0770451e7115e64

SHA512
217a571ee162dd15664f307cf0f724c70841c0bfcc753be495aec8a766d016335db16febf677609abdcae70fa8ada531be22efe7fdce5c836e132cb47bc9aa00

Download Submit
C:\Windows\{96660445-B3AC-40b3-AEFB-79E7CEAFAE14}.exe

Filesize
89KB

MD5
0020723a0082be10867fd7904f46a6fc

SHA1
58c4a03c9c7b72fe1b52a78ea07bdb67c4be642c

SHA256
4a2549f3ee2f95195ff83f82051fee6e651906123d74edce537b78746c1f4497

SHA512
8c8b329888f2c11661d2ee4190f8ecc254734ca48dca55d603b87ee113714bb09bc68d7aca8881dd65b91248f25031e48d303be043f32eda3d25db170f707af8

Download Submit
C:\Windows\{A3864558-177C-48c4-8198-F6D1A21CB29B}.exe

Filesize
89KB

MD5
65c4b86dae97a3dbe97391c0d62c6485

SHA1
3c5b9ef0bb5d059f4ce738bb2b0eee99f8612e18

SHA256
f784f1f4effdd16fc2580b9b04dc33a8aff5f5bfd3233ac8e10dd882f0c8cb94

SHA512
d5a41d97cee9371833808c72caae7a8dc067416e04d4e784a9159baa2c0e3fd5f91e4b3bc4ea0219cb4273541c9303b5008aa6c5194959e4e8b827fc1afcf7f5

Download Submit
C:\Windows\{D25C7CD0-8E33-4c80-991F-F078D1380ACF}.exe

Filesize
89KB

MD5
7c95d6db92df24d8c1714fd6168f1a5a

SHA1
baf748965b91a108c53813caf5e8c883f0d54a25

SHA256
7360c00be44ac51ca29552deb82928158044863314381f38ab7ecdf7907de0bd

SHA512
b7d1329a370e2e7d371d062fdebea2321e97bb901601a54d08e3aff3d0ce426ac50aec0959c3212726f1e6286e6439a31203070ceae11341070fd89ae098a75e

Download Submit
C:\Windows\{DFEB9F6F-B43A-4ae8-9493-DA510AA04114}.exe

Filesize
89KB

MD5
b9b7b395b88819956765fa3645e81265

SHA1
3e2a0d24293dc1404ddbf22aba9a40c1f7dd367e

SHA256
70e709b9470514a6cfbae0eeee45b134a873d94f4e48ae094fe181821847b34e

SHA512
c028b8c9395ac0ca73f42aeb1470fc4d10b9dbf0b9a5fda01399cf48fb2b797e0c23ed3adb0f9a6a0c56ea226bbf13f10a067d1d5b95d09f2ac125d98c1366c5

Download Submit
C:\Windows\{FD99E0F6-4A33-4146-AA65-FB35825CA24B}.exe

Filesize
89KB

MD5
1a0346cc1cb87a3599bcc315d3c6a0b3

SHA1
f72055f6ec61b62d0b769532da26bbf9272e694e

SHA256
435dbf767bdf7ff4c04ccfdb748440ca183ef4c3ba42a598099b45dca0dbde12

SHA512
b2a9b6f77f1e110c4a9875495cf61fc4a990e865af95a23573eb41b1f946024da378f2e2d88a0269f937e2766980dbd313683358aa82ab31f97ed30a482c37ce

Download Submit
memory/796-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/796-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1316-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1316-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1444-8-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/1444-7-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/1444-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1444-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1908-82-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1908-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2160-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2160-81-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2220-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2220-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2528-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2528-41-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2528-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2600-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2748-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2748-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2840-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2840-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2900-97-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download