Malware Analysis Report

2025-04-14 01:49

Sample ID 240602-2ej4tsae23
Target 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
SHA256 b12ed006872e73b97ba1e8ff1312311a8abb22605380d600f1ade592bef7bfe6
Tags
persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b12ed006872e73b97ba1e8ff1312311a8abb22605380d600f1ade592bef7bfe6

Threat Level: Likely malicious

The file 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 22:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 22:29

Reported

2024-06-02 22:32

Platform

win7-20240221-en

Max time kernel

144s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B81E48E0-7917-400f-8577-AF0FF1E58E24}\stubpath = "C:\\Windows\\{B81E48E0-7917-400f-8577-AF0FF1E58E24}.exe" | C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CF670F4-5586-41e1-B3A4-09927E8E0451} | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}\stubpath = "C:\\Windows\\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe" | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF} | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}\stubpath = "C:\\Windows\\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe" | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B81E48E0-7917-400f-8577-AF0FF1E58E24} | C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CF670F4-5586-41e1-B3A4-09927E8E0451}\stubpath = "C:\\Windows\\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe" | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}\stubpath = "C:\\Windows\\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe" | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A4B9B9-EE95-4a64-9C7D-227D5639A113} | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14D6A6F3-ABC4-4840-802B-2BA9E3503664} | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4E32D79-8B6E-461e-87F3-E05949CB41B1} | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}\stubpath = "C:\\Windows\\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe" | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}\stubpath = "C:\\Windows\\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe" | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA0068D-092B-4de2-BD89-1AD0542A84F2} | C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}\stubpath = "C:\\Windows\\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe" | C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58A064CF-0401-4fb9-816D-16F9BF7DFA66} | C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698} | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}\stubpath = "C:\\Windows\\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe" | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6} | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}\stubpath = "C:\\Windows\\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe" | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22D7A410-9F2B-43c1-9055-2DCCDF356E81} | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}\stubpath = "C:\\Windows\\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe" | C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | N/A
File created | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | N/A
File created | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | N/A
File created | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | N/A
File created | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | N/A
File created | C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe | C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe | N/A
File created | C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe | C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe | N/A
File created | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | N/A
File created | C:\Windows\{B81E48E0-7917-400f-8577-AF0FF1E58E24}.exe | C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe | N/A
File created | C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | N/A
File created | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2388 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
PID 2388 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
PID 2388 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
PID 2388 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
PID 2388 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2264 | N/A | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
PID 2224 wrote to memory of 2264 | N/A | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
PID 2224 wrote to memory of 2264 | N/A | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
PID 2224 wrote to memory of 2264 | N/A | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
PID 2224 wrote to memory of 2800 | N/A | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2800 | N/A | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2800 | N/A | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2800 | N/A | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2340 | N/A | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
PID 2264 wrote to memory of 2340 | N/A | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
PID 2264 wrote to memory of 2340 | N/A | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
PID 2264 wrote to memory of 2340 | N/A | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
PID 2264 wrote to memory of 2544 | N/A | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2544 | N/A | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2544 | N/A | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2544 | N/A | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 1808 | N/A | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
PID 2340 wrote to memory of 1808 | N/A | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
PID 2340 wrote to memory of 1808 | N/A | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
PID 2340 wrote to memory of 1808 | N/A | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
PID 2340 wrote to memory of 2672 | N/A | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2672 | N/A | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2672 | N/A | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2672 | N/A | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 2780 | N/A | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
PID 1808 wrote to memory of 2780 | N/A | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
PID 1808 wrote to memory of 2780 | N/A | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
PID 1808 wrote to memory of 2780 | N/A | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
PID 1808 wrote to memory of 2320 | N/A | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 2320 | N/A | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 2320 | N/A | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 2320 | N/A | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1924 | N/A | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
PID 2780 wrote to memory of 1924 | N/A | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
PID 2780 wrote to memory of 1924 | N/A | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
PID 2780 wrote to memory of 1924 | N/A | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
PID 2780 wrote to memory of 2156 | N/A | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2156 | N/A | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2156 | N/A | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2156 | N/A | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 1436 | N/A | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
PID 1924 wrote to memory of 1436 | N/A | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
PID 1924 wrote to memory of 1436 | N/A | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
PID 1924 wrote to memory of 1436 | N/A | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
PID 1924 wrote to memory of 1628 | N/A | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 1628 | N/A | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 1628 | N/A | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 1628 | N/A | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 1216 | N/A | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
PID 1436 wrote to memory of 1216 | N/A | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
PID 1436 wrote to memory of 1216 | N/A | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
PID 1436 wrote to memory of 1216 | N/A | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
PID 1436 wrote to memory of 2112 | N/A | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 2112 | N/A | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 2112 | N/A | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 2112 | N/A | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe"

C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe

C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\76F33B~1.EXE > nul

C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe

C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3C47E~1.EXE > nul

C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe

C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9CF67~1.EXE > nul

C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe

C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D4E32~1.EXE > nul

C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe

C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{17A4B~1.EXE > nul

C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe

C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C72A8~1.EXE > nul

C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe

C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{22D7A~1.EXE > nul

C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe

C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{41887~1.EXE > nul

C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe

C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{14D6A~1.EXE > nul

C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe

C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5DA00~1.EXE > nul

C:\Windows\{B81E48E0-7917-400f-8577-AF0FF1E58E24}.exe

C:\Windows\{B81E48E0-7917-400f-8577-AF0FF1E58E24}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{58A06~1.EXE > nul

Network

N/A

Files

memory/2388-0-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2388-3-0x0000000001BC0000-0x0000000001BD1000-memory.dmp

C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe

MD5 6771e8e01066c1159b75ea89c2ea88e1
SHA1 88700e14c8f63d8c80ab3fa19e6fb2c876af7b8d
SHA256 3fd8873cfac8a0bcc176cfa46d7409204198492038e65144cb5d36a6f50f41a6
SHA512 0f3632ac672005cb47df5a512d17ab4d9256d57c8bee3c2b7cac7851a08b02c231f72d2f25c377dc92f100fd6ba8bc1a46426f3325ea3a07c9103274894ef913

memory/2224-9-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2388-8-0x0000000001BC0000-0x0000000001BD1000-memory.dmp

memory/2388-10-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2224-18-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe

MD5 4a885e9855cc7145b8d14ba68d05ae74
SHA1 b4d563597a6f3f40c1710fd5489cdf23bdca23b6
SHA256 671321a56daeab0f75ea7063afcc5eecdecb617ba43347df6088fbae9be4fc4f
SHA512 a0bc0339d495fd3c323ff98b267224b14eab621452c26e86c2f9a2bfbf940a8f69861eb6d8a8482e30de5ca438a8be484ef6cf98aa75120ccbe552c5402b1be2

memory/2224-14-0x0000000000310000-0x0000000000321000-memory.dmp

memory/2264-20-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2264-28-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe

MD5 58101828d1995687a19dc53bf29fca68
SHA1 220eb4e984baa33936db4e3ba215a002bd68d456
SHA256 6dcbe9374d80baf39688708a46560703118ec0ba62e567373f8f9ec83f172e41
SHA512 8b4d0433b82e371cdad3ace9f58b30a29f152036a43a5296d223f2a09971d7ffdbce0c6318977a0935e84f141a44e2bc43de6364087fd7afbf6a2352d20a900f

memory/2340-29-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe

MD5 01186c6a3d74142e9e0a20abdd32428d
SHA1 803aefa5af48e9afa19b6a8e9b888691c505bdbf
SHA256 3c866b8b8ec2ed07e57e2c1a1147ce94f65989c454e29e67e7c9ff5de70dcd9f
SHA512 bd70c8534531b8455cef73b4b816773010947f39cff833e82ea293161d56315e2064ad2deab29cc0c972e3e5212ac4f942a3c5be625367aca015de42d01241de

memory/2340-36-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1808-45-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe

MD5 cda3bcc2af1f8b5d8c8331f0a05f5604
SHA1 04e73d462618eca03724fae3a3643bd6091f3660
SHA256 9b241c87222c05a1ee7ac2436748aa4e09aa46fca2380bee527a20c9aaa7802a
SHA512 ecf29e8ca6f94b563f909ea5cd7f8a5f8192db317f3369506b34c242d314cedb34cf893dff49a3080bad18d9a262a7a3933971bfe51a9f0d0adfbfc42b285408

memory/2780-46-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe

MD5 5470fa53c13328289ddb444c81c2c95f
SHA1 b7631d2f216b88f6f9895040ae9b033a3ca09b58
SHA256 140ef0206f9339aa03b4d61575368e6ba72ac091da01cac452fbe446073bb0d9
SHA512 6345f52bf79729a749f13bdb894ad9db68b9552cffa96c124ac183fab42462f4f7ece6ee9505fd4ded76cadc90d5eae11fc713eec99bdb62e24116c60c95dcf1

memory/2780-53-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe

MD5 5ea279b73fa9c6b3132e41294b5489c2
SHA1 6aca2b8ee644b06da05a7360401576a6464fc353
SHA256 9e5c78634f4b14e986c5b7c55b1eef6621995bf2d4259ccff9dfc85e35fdfe18
SHA512 39f0b3ac0e02301b8c52673768a8a853918bae01b240ad663645599404891ac3749237ba454af563e1cb942d8df08231b68c795663eb8b7346d04b9c834eca11

memory/1924-61-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1436-70-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe

MD5 27053cdf77bfe4a3a43cd6afb70bfa67
SHA1 bd4f9450e7229bda5732892211d1501a0b572fe3
SHA256 23be8da2fcb70f704753595a87659a00ebb5de987d864911f4cf0dca1079b700
SHA512 4fb9caa3c9684b82123b9f73aee113fa618f0eeff8e7ca55b09756bb2a2357ae10129617a303d1386c0a0cad6e017fc28edcce8fdf48bac4ff30f3b5d17b6655

memory/1216-71-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1216-79-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe

MD5 962476d67cfa49c9c69eb3e9268022e0
SHA1 9539125e1dee564b4d81a41d68546ba2d9f7ea9a
SHA256 77be4731273fc7503fc96760b0f796ec0f525ea319ea0f04bdd6acb563d4cf33
SHA512 373c1ec083b6c14ab0864bf5419dc53b20b9fc58b983a8426f2ede20081c2607f478d6991c65878051dd058e1aff8040a5ce4f49542766a74e74aac9e8fc0a6e

memory/2092-87-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe

MD5 105da8033eb2fdd24702ef1becf2d2aa
SHA1 4ce80a72da0e78cb6270380dbc6a151068a2f6a8
SHA256 78161082a541bf6aaebc9dc6d53fb566d3d0a9bf37b7f2e8e8be163da30402a6
SHA512 07ed6e03a4c5571485df0d5a12b62b7cc3bbdc0b3aeaf4ce8ec2a500b17f32cbcd9f1ca69687fefed7a17b155c62ae5532f1cd988288c394cccc3a6a16daad62

C:\Windows\{B81E48E0-7917-400f-8577-AF0FF1E58E24}.exe

MD5 5b127b9403627053949bf1f304f78ac7
SHA1 b3f804b3dd77bad1d2f72c52ed6c3b7e6c829865
SHA256 073c7b5cd136c2ed57d0421e2cfaf41cfd8f9e6f7e4aa8bb49b4ecc5205b4b3f
SHA512 512dc0e889f38d4d5221bf7ae473dc7ee6d727490bc7623e5853b189a374ebd7cc254ff0a291c52278713d81f4171f6ab5ddd4ec5dd2ea38b35e56684bc0bd05

memory/480-95-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 22:29

Reported

2024-06-02 22:32

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}\stubpath = "C:\\Windows\\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe" | C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9186D66F-5A2B-449e-AE63-10A708BB72C8} | C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C} | C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63B007E9-7191-476c-AC7C-C486207357E9} | C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}\stubpath = "C:\\Windows\\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe" | C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435859EF-1983-4383-8901-19A4A5F0BD05}\stubpath = "C:\\Windows\\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe" | C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63B007E9-7191-476c-AC7C-C486207357E9}\stubpath = "C:\\Windows\\{63B007E9-7191-476c-AC7C-C486207357E9}.exe" | C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF840DF1-A1F9-44f4-A13A-6D1502483A35} | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}\stubpath = "C:\\Windows\\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe" | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4050ABA0-496C-4498-97C4-AD65EA511E84}\stubpath = "C:\\Windows\\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe" | C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D} | C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A45AC3F-C55C-4423-83F1-A45031A49FF3} | C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}\stubpath = "C:\\Windows\\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe" | C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E182DC24-4CD0-4bb4-A30A-E2846595AA16}\stubpath = "C:\\Windows\\{E182DC24-4CD0-4bb4-A30A-E2846595AA16}.exe" | C:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98AAC933-328A-41f2-B5B6-2E26D2C029D1} | C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}\stubpath = "C:\\Windows\\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe" | C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45} | C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9186D66F-5A2B-449e-AE63-10A708BB72C8}\stubpath = "C:\\Windows\\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe" | C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A} | C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E182DC24-4CD0-4bb4-A30A-E2846595AA16} | C:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4050ABA0-496C-4498-97C4-AD65EA511E84} | C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435859EF-1983-4383-8901-19A4A5F0BD05} | C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}\stubpath = "C:\\Windows\\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe" | C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}\stubpath = "C:\\Windows\\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe" | C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe | C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe | N/A
File created | C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe | C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe | N/A
File created | C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe | C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe | N/A
File created | C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe | C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe | N/A
File created | C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe | C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe | N/A
File created | C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe | C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe | N/A
File created | C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe | C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe | N/A
File created | C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe | C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe | N/A
File created | C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe | C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe | N/A
File created | C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe | C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe | N/A
File created | C:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exe | C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe | N/A
File created | C:\Windows\{E182DC24-4CD0-4bb4-A30A-E2846595AA16}.exe | C:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe
PID 4816 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 2436 N/A C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe
PID 4796 wrote to memory of 4996 N/A C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 3772 N/A C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe
PID 2436 wrote to memory of 4948 N/A C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe C:\Windows\SysWOW64\cmd.exe
PID 3772 wrote to memory of 1992 N/A C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe
PID 3772 wrote to memory of 4036 N/A C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 1856 N/A C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe
PID 1992 wrote to memory of 4468 N/A C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 1332 N/A C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe
PID 1856 wrote to memory of 2180 N/A C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1332 wrote to memory of 4260 N/A C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe
PID 1332 wrote to memory of 3300 N/A C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 3156 N/A C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe
PID 4260 wrote to memory of 4104 N/A C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe C:\Windows\SysWOW64\cmd.exe
PID 3156 wrote to memory of 2116 N/A C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe
PID 3156 wrote to memory of 4384 N/A C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 5052 N/A C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe
PID 2116 wrote to memory of 1504 N/A C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe C:\Windows\SysWOW64\cmd.exe
PID 5052 wrote to memory of 4808 N/A C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe C:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exe
PID 5052 wrote to memory of 2616 N/A C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe"
C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\76F33B~1.EXE > nul
C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{FF840~1.EXE > nul
C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{4050A~1.EXE > nul
C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{98AAC~1.EXE > nul
C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{6E4E0~1.EXE > nul
C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{9186D~1.EXE > nul
C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{852CD~1.EXE > nul
C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{43585~1.EXE > nul
C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{81EAE~1.EXE > nul
C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{2A45A~1.EXE > nul
C:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exe C:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{76AD7~1.EXE > nul
C:\Windows\{E182DC24-4CD0-4bb4-A30A-E2846595AA16}.exe C:\Windows\{E182DC24-4CD0-4bb4-A30A-E2846595AA16}.exe
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Windows\{63B00~1.EXE > nul

Network

Files