Malware Analysis Report

2025-06-16 07:12

Sample ID: 240602-fh2x6acc67
Target: 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe
SHA256: af0def80b3c5accef3c73ee79df6f8026f125469a0037290efa229c1c6efc7db
Tags: persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10
SHA256: af0def80b3c5accef3c73ee79df6f8026f125469a0037290efa229c1c6efc7db
Threat Level: Likely malicious

The file 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies Installed Components in the registry

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-02 04:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-02 04:53
Reported: 2024-06-02 04:55
Platform: win7-20240221-en
Max time kernel: 144s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94} C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}\stubpath = "C:\\Windows\\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe" C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}\stubpath = "C:\\Windows\\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe" C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}\stubpath = "C:\\Windows\\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe" C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}\stubpath = "C:\\Windows\\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}.exe" C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88} C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D78C804C-8D22-49f9-9EA4-3F9FB384C933} C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB} C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1} C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}\stubpath = "C:\\Windows\\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe" C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3} C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}\stubpath = "C:\\Windows\\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe" C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C41F3C5A-B732-4dd8-AB90-CD100D653489}\stubpath = "C:\\Windows\\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe" C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383F0D35-F2BA-4048-AE81-4F43CB80E89E} C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}\stubpath = "C:\\Windows\\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe" C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123} C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}\stubpath = "C:\\Windows\\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe" C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C46E71A3-8097-4903-A697-120E23F9A7CA} C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C46E71A3-8097-4903-A697-120E23F9A7CA}\stubpath = "C:\\Windows\\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe" C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}\stubpath = "C:\\Windows\\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe" C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7F69F1D-C77E-4b28-B290-1814B884E1AA} C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C41F3C5A-B732-4dd8-AB90-CD100D653489} C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}.exe C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe N/A
File created C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe N/A
File created C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe N/A
File created C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe N/A
File created C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe N/A
File created C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe N/A
File created C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe N/A
File created C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe N/A
File created C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe N/A
File created C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe N/A
File created C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe
PID 2164 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe
PID 2164 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe
PID 2164 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe
PID 2164 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2660 N/A C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe
PID 2960 wrote to memory of 2660 N/A C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe
PID 2960 wrote to memory of 2660 N/A C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe
PID 2960 wrote to memory of 2660 N/A C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe
PID 2960 wrote to memory of 2912 N/A C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2912 N/A C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2912 N/A C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2912 N/A C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2504 N/A C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe
PID 2660 wrote to memory of 2504 N/A C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe
PID 2660 wrote to memory of 2504 N/A C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe
PID 2660 wrote to memory of 2504 N/A C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe
PID 2660 wrote to memory of 2420 N/A C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2420 N/A C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2420 N/A C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2420 N/A C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2248 N/A C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe
PID 2504 wrote to memory of 2248 N/A C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe
PID 2504 wrote to memory of 2248 N/A C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe
PID 2504 wrote to memory of 2248 N/A C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe
PID 2504 wrote to memory of 1756 N/A C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 1756 N/A C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 1756 N/A C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 1756 N/A C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2436 N/A C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe
PID 2248 wrote to memory of 2436 N/A C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe
PID 2248 wrote to memory of 2436 N/A C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe
PID 2248 wrote to memory of 2436 N/A C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe
PID 2248 wrote to memory of 1980 N/A C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 1980 N/A C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 1980 N/A C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 1980 N/A C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 1744 N/A C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe
PID 2436 wrote to memory of 1744 N/A C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe
PID 2436 wrote to memory of 1744 N/A C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe
PID 2436 wrote to memory of 1744 N/A C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe
PID 2436 wrote to memory of 768 N/A C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 768 N/A C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 768 N/A C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 768 N/A C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1636 N/A C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe
PID 1744 wrote to memory of 1636 N/A C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe
PID 1744 wrote to memory of 1636 N/A C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe
PID 1744 wrote to memory of 1636 N/A C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe
PID 1744 wrote to memory of 2256 N/A C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2256 N/A C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2256 N/A C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2256 N/A C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 284 N/A C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe
PID 1636 wrote to memory of 284 N/A C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe
PID 1636 wrote to memory of 284 N/A C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe
PID 1636 wrote to memory of 284 N/A C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe
PID 1636 wrote to memory of 1696 N/A C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1696 N/A C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1696 N/A C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1696 N/A C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe C:\Windows\SysWOW64\cmd.exe

Processes

Process image (command line indented below it):

C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe"

C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe
    C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A5DA7~1.EXE > nul

C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe
    C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2BC28~1.EXE > nul

C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe
    C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{383F0~1.EXE > nul

C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe
    C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C46E7~1.EXE > nul

C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe
    C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AD0F3~1.EXE > nul

C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe
    C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6B587~1.EXE > nul

C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe
    C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ACE2C~1.EXE > nul

C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe
    C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A96F1~1.EXE > nul

C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe
    C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7F69~1.EXE > nul

C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe
    C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C41F3~1.EXE > nul

C:\Windows\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}.exe
    C:\Windows\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6ED18~1.EXE > nul

Network

N/A

Files

C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe

C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe

C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe

C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe

C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe

C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe

C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe

C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe

C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe

C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe

C:\Windows\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}.exe

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-02 04:53
Reported: 2024-06-02 04:55
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871} C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AD515DC-BD46-45e1-BA9D-21522780795D}\stubpath = "C:\\Windows\\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe" C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11} C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06BA9F34-AFA2-4e64-AB9A-84067A183D33} C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B} C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2F3D43F-78BF-458d-8039-B7E389BF7895} C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4415DFC-9F2A-48c2-AB78-B7762A852A68} C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50} C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}\stubpath = "C:\\Windows\\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe" C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}\stubpath = "C:\\Windows\\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe" C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}\stubpath = "C:\\Windows\\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe" C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}\stubpath = "C:\\Windows\\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe" C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AD515DC-BD46-45e1-BA9D-21522780795D} C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}\stubpath = "C:\\Windows\\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe" C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2F3D43F-78BF-458d-8039-B7E389BF7895}\stubpath = "C:\\Windows\\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe" C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D26F1A63-FB01-430f-A386-54D846B3E3A6}\stubpath = "C:\\Windows\\{D26F1A63-FB01-430f-A386-54D846B3E3A6}.exe" C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07C39884-5818-4b4a-A61A-A192FFEBF6CC} C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24} C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B3192BA-2481-421e-AB81-8793772F906B} C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B3192BA-2481-421e-AB81-8793772F906B}\stubpath = "C:\\Windows\\{3B3192BA-2481-421e-AB81-8793772F906B}.exe" C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}\stubpath = "C:\\Windows\\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe" C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}\stubpath = "C:\\Windows\\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe" C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D26F1A63-FB01-430f-A386-54D846B3E3A6} C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}\stubpath = "C:\\Windows\\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe" C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe N/A
File created C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe N/A
File created C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe N/A
File created C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe N/A
File created C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe N/A
File created C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe N/A
File created C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe N/A
File created C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe N/A
File created C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe N/A
File created C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe N/A
File created C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe N/A
File created C:\Windows\{D26F1A63-FB01-430f-A386-54D846B3E3A6}.exe C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4368 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe
PID 4368 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 1248 N/A C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe
PID 2156 wrote to memory of 3568 N/A C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3532 N/A C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe
PID 1248 wrote to memory of 3436 N/A C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe C:\Windows\SysWOW64\cmd.exe
PID 3532 wrote to memory of 3632 N/A C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe
PID 3532 wrote to memory of 4832 N/A C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 1148 N/A C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe
PID 3632 wrote to memory of 4040 N/A C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 4220 N/A C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe
PID 1148 wrote to memory of 3248 N/A C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 1836 N/A C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe
PID 4220 wrote to memory of 3604 N/A C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 872 N/A C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe
PID 1836 wrote to memory of 3752 N/A C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 5108 N/A C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe
PID 872 wrote to memory of 4284 N/A C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 5100 N/A C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe
PID 5108 wrote to memory of 1796 N/A C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe C:\Windows\SysWOW64\cmd.exe
PID 5100 wrote to memory of 2004 N/A C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe
PID 5100 wrote to memory of 4784 N/A C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe"

C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe

C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A5DA7~1.EXE > nul

C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe

C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E4415~1.EXE > nul

C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe

C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D72A4~1.EXE > nul

C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe

C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3B319~1.EXE > nul

C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe

C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{93B5B~1.EXE > nul

C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe

C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CFBE7~1.EXE > nul

C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe

C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{07C39~1.EXE > nul

C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe

C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0AD51~1.EXE > nul

C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe

C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DD0DE~1.EXE > nul

C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe

C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{06BA9~1.EXE > nul

C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe

C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2CDF4~1.EXE > nul

C:\Windows\{D26F1A63-FB01-430f-A386-54D846B3E3A6}.exe

C:\Windows\{D26F1A63-FB01-430f-A386-54D846B3E3A6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D2F3D~1.EXE > nul

Network


Files

C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe

C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe

C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe

C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe

C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe

C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe

C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe

C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe

C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe

C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe

C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe

C:\Windows\{D26F1A63-FB01-430f-A386-54D846B3E3A6}.exe