Analysis Overview
SHA256
99343d229dd14c2bd040955c6984373fa4b8738233cc90e1d3a4ddf378257af7
Threat Level: Known bad
The file 16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 00:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 00:52
Reported
2024-06-02 00:54
Platform
win7-20231129-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\yeauya.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\yeauya.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /E" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /v" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /G" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /Y" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /c" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /R" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /A" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /h" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /U" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /e" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /y" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /B" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /X" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /W" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /N" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /i" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /d" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /M" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /r" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /u" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /f" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /n" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /x" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /V" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /m" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /O" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /D" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /w" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /C" | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /P" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /I" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /S" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /F" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /t" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /q" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /T" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /b" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /j" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /g" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /l" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /J" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /L" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /H" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /Q" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /K" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /s" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /C" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /Z" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /p" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /a" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /z" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /k" | C:\Users\Admin\yeauya.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeauya = "C:\\Users\\Admin\\yeauya.exe /o" | C:\Users\Admin\yeauya.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\yeauya.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1712 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | C:\Users\Admin\yeauya.exe |
| PID 1712 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | C:\Users\Admin\yeauya.exe |
| PID 1712 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | C:\Users\Admin\yeauya.exe |
| PID 1712 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | C:\Users\Admin\yeauya.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe"
C:\Users\Admin\yeauya.exe
"C:\Users\Admin\yeauya.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ns1.player1532.com | udp |
| US | 104.155.138.21:8000 | ns1.player1532.com | tcp |
Files
memory/1712-0-0x0000000000400000-0x0000000000430000-memory.dmp
\Users\Admin\yeauya.exe
| Hash | Value |
| --- | --- |
| MD5 | 365cd9d2901502ca75e457ef5160acdd |
| SHA1 | daa9fb48a5c76f34e71228eb5450bf02ffe135e9 |
| SHA256 | 77f2c0d9c6beaed7de475b7f1fe0b0bc5ef739de3f10a1ca7e2adb2c266b2cf7 |
| SHA512 | 7c1fb823731769376c69eaafc691356a2107bb3bc680eaa9b67791e5ac905c85142c3c425cbd54b125a383452c180828401cb5e6dc6e512043faddfecd091a28 |
memory/1712-9-0x0000000003510000-0x0000000003540000-memory.dmp
memory/1712-15-0x0000000003510000-0x0000000003540000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 00:52
Reported
2024-06-02 00:54
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
139s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\puiloe.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\puiloe.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /B" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /N" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /C" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /a" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /e" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /t" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /w" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /q" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /W" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /H" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /L" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /I" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /i" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /A" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /p" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /z" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /d" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /R" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /j" | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /b" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /j" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /g" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /V" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /s" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /T" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /Q" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /F" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /m" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /l" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /E" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /h" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /Y" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /v" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /c" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /D" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /o" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /X" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /r" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /Z" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /k" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /f" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /S" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /n" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /x" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /G" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /U" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /O" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /P" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /J" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /M" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /y" | C:\Users\Admin\puiloe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /K" | C:\Users\Admin\puiloe.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\puiloe.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4532 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | C:\Users\Admin\puiloe.exe |
| PID 4532 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | C:\Users\Admin\puiloe.exe |
| PID 4532 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | C:\Users\Admin\puiloe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe"
C:\Users\Admin\puiloe.exe
"C:\Users\Admin\puiloe.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.player1532.com | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
Files
memory/4532-0-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\puiloe.exe
| Hash | Value |
| --- | --- |
| MD5 | 222f730582b03df9649f8e8635e19266 |
| SHA1 | 87a26237cd014d7c80c920b7a4df6b49570cefd7 |
| SHA256 | 2052e6cef634d8711eef0158a15220daf38a83697232c8b7806fceb65635e5fd |
| SHA512 | cb75a9719a7409a1798cb252e905011a953150254a491889da49994b10d304a25167d9c15eaaf21ebee10be9a35441c50b9df2df4872bd876ab6ab11630e53d9 |
memory/4908-33-0x0000000000400000-0x0000000000430000-memory.dmp