Malware Analysis Report

2025-03-14 23:45

Sample ID 240603-gjqrysdg5t
Target 9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe
SHA256 74a158f23641c212cc6c6150f8701f066386770834bd2f1570ee57ac083552dd
Tags
persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

74a158f23641c212cc6c6150f8701f066386770834bd2f1570ee57ac083552dd

Threat Level: Likely malicious

The file 9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:50

Reported

2024-06-03 05:52

Platform

win7-20240508-en

Max time kernel

144s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED}\stubpath = "C:\\Windows\\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED}.exe" C:\Windows\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADB18692-2104-4feb-AFEF-8FBEE502AD42} C:\Windows\{135F71E4-7F07-49e2-BBF6-D8ED25551467}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{346F32AA-0167-406a-AF51-34FAB444A1F7}\stubpath = "C:\\Windows\\{346F32AA-0167-406a-AF51-34FAB444A1F7}.exe" C:\Windows\{ADB18692-2104-4feb-AFEF-8FBEE502AD42}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FF018AC-F190-40cf-9B7E-DD28534B8FB3} C:\Windows\{346F32AA-0167-406a-AF51-34FAB444A1F7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FF018AC-F190-40cf-9B7E-DD28534B8FB3}\stubpath = "C:\\Windows\\{2FF018AC-F190-40cf-9B7E-DD28534B8FB3}.exe" C:\Windows\{346F32AA-0167-406a-AF51-34FAB444A1F7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED} C:\Windows\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5}\stubpath = "C:\\Windows\\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5}.exe" C:\Windows\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{135F71E4-7F07-49e2-BBF6-D8ED25551467} C:\Windows\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{346F32AA-0167-406a-AF51-34FAB444A1F7} C:\Windows\{ADB18692-2104-4feb-AFEF-8FBEE502AD42}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47} C:\Windows\{77E30250-A43D-4f80-B961-69E1293E418D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74}\stubpath = "C:\\Windows\\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74}.exe" C:\Windows\{4EF36E23-AB07-40e2-9345-3C124496BF33}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77E30250-A43D-4f80-B961-69E1293E418D}\stubpath = "C:\\Windows\\{77E30250-A43D-4f80-B961-69E1293E418D}.exe" C:\Windows\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{135F71E4-7F07-49e2-BBF6-D8ED25551467}\stubpath = "C:\\Windows\\{135F71E4-7F07-49e2-BBF6-D8ED25551467}.exe" C:\Windows\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADB18692-2104-4feb-AFEF-8FBEE502AD42}\stubpath = "C:\\Windows\\{ADB18692-2104-4feb-AFEF-8FBEE502AD42}.exe" C:\Windows\{135F71E4-7F07-49e2-BBF6-D8ED25551467}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EF36E23-AB07-40e2-9345-3C124496BF33}\stubpath = "C:\\Windows\\{4EF36E23-AB07-40e2-9345-3C124496BF33}.exe" C:\Windows\{ED4A5CDA-AF27-488d-82CD-39919C1818D6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED4A5CDA-AF27-488d-82CD-39919C1818D6}\stubpath = "C:\\Windows\\{ED4A5CDA-AF27-488d-82CD-39919C1818D6}.exe" C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EF36E23-AB07-40e2-9345-3C124496BF33} C:\Windows\{ED4A5CDA-AF27-488d-82CD-39919C1818D6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74} C:\Windows\{4EF36E23-AB07-40e2-9345-3C124496BF33}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77E30250-A43D-4f80-B961-69E1293E418D} C:\Windows\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47}\stubpath = "C:\\Windows\\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47}.exe" C:\Windows\{77E30250-A43D-4f80-B961-69E1293E418D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5} C:\Windows\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED4A5CDA-AF27-488d-82CD-39919C1818D6} C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47}.exe C:\Windows\{77E30250-A43D-4f80-B961-69E1293E418D}.exe N/A
File created C:\Windows\{135F71E4-7F07-49e2-BBF6-D8ED25551467}.exe C:\Windows\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5}.exe N/A
File created C:\Windows\{ADB18692-2104-4feb-AFEF-8FBEE502AD42}.exe C:\Windows\{135F71E4-7F07-49e2-BBF6-D8ED25551467}.exe N/A
File created C:\Windows\{346F32AA-0167-406a-AF51-34FAB444A1F7}.exe C:\Windows\{ADB18692-2104-4feb-AFEF-8FBEE502AD42}.exe N/A
File created C:\Windows\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74}.exe C:\Windows\{4EF36E23-AB07-40e2-9345-3C124496BF33}.exe N/A
File created C:\Windows\{77E30250-A43D-4f80-B961-69E1293E418D}.exe C:\Windows\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED}.exe N/A
File created C:\Windows\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED}.exe C:\Windows\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74}.exe N/A
File created C:\Windows\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5}.exe C:\Windows\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47}.exe N/A
File created C:\Windows\{2FF018AC-F190-40cf-9B7E-DD28534B8FB3}.exe C:\Windows\{346F32AA-0167-406a-AF51-34FAB444A1F7}.exe N/A
File created C:\Windows\{ED4A5CDA-AF27-488d-82CD-39919C1818D6}.exe C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe N/A
File created C:\Windows\{4EF36E23-AB07-40e2-9345-3C124496BF33}.exe C:\Windows\{ED4A5CDA-AF27-488d-82CD-39919C1818D6}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ED4A5CDA-AF27-488d-82CD-39919C1818D6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4EF36E23-AB07-40e2-9345-3C124496BF33}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{77E30250-A43D-4f80-B961-69E1293E418D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{135F71E4-7F07-49e2-BBF6-D8ED25551467}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{ADB18692-2104-4feb-AFEF-8FBEE502AD42}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{346F32AA-0167-406a-AF51-34FAB444A1F7}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1424 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe C:\Windows\{ED4A5CDA-AF27-488d-82CD-39919C1818D6}.exe
PID 1424 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2892 N/A C:\Windows\{ED4A5CDA-AF27-488d-82CD-39919C1818D6}.exe C:\Windows\{4EF36E23-AB07-40e2-9345-3C124496BF33}.exe
PID 2976 wrote to memory of 2628 N/A C:\Windows\{ED4A5CDA-AF27-488d-82CD-39919C1818D6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2264 N/A C:\Windows\{4EF36E23-AB07-40e2-9345-3C124496BF33}.exe C:\Windows\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74}.exe
PID 2892 wrote to memory of 2768 N/A C:\Windows\{4EF36E23-AB07-40e2-9345-3C124496BF33}.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2964 N/A C:\Windows\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74}.exe C:\Windows\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED}.exe
PID 2264 wrote to memory of 1640 N/A C:\Windows\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74}.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2828 N/A C:\Windows\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED}.exe C:\Windows\{77E30250-A43D-4f80-B961-69E1293E418D}.exe
PID 2964 wrote to memory of 2840 N/A C:\Windows\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED}.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 344 N/A C:\Windows\{77E30250-A43D-4f80-B961-69E1293E418D}.exe C:\Windows\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47}.exe
PID 2828 wrote to memory of 1952 N/A C:\Windows\{77E30250-A43D-4f80-B961-69E1293E418D}.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1964 N/A C:\Windows\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47}.exe C:\Windows\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5}.exe
PID 344 wrote to memory of 1632 N/A C:\Windows\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47}.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1728 N/A C:\Windows\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5}.exe C:\Windows\{135F71E4-7F07-49e2-BBF6-D8ED25551467}.exe
PID 1964 wrote to memory of 1496 N/A C:\Windows\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe"

C:\Windows\{ED4A5CDA-AF27-488d-82CD-39919C1818D6}.exe

C:\Windows\{ED4A5CDA-AF27-488d-82CD-39919C1818D6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9DA8E0~1.EXE > nul

C:\Windows\{4EF36E23-AB07-40e2-9345-3C124496BF33}.exe

C:\Windows\{4EF36E23-AB07-40e2-9345-3C124496BF33}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ED4A5~1.EXE > nul

C:\Windows\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74}.exe

C:\Windows\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4EF36~1.EXE > nul

C:\Windows\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED}.exe

C:\Windows\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EF4F7~1.EXE > nul

C:\Windows\{77E30250-A43D-4f80-B961-69E1293E418D}.exe

C:\Windows\{77E30250-A43D-4f80-B961-69E1293E418D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BB9C8~1.EXE > nul

C:\Windows\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47}.exe

C:\Windows\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{77E30~1.EXE > nul

C:\Windows\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5}.exe

C:\Windows\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0F1BA~1.EXE > nul

C:\Windows\{135F71E4-7F07-49e2-BBF6-D8ED25551467}.exe

C:\Windows\{135F71E4-7F07-49e2-BBF6-D8ED25551467}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BCBE8~1.EXE > nul

C:\Windows\{ADB18692-2104-4feb-AFEF-8FBEE502AD42}.exe

C:\Windows\{ADB18692-2104-4feb-AFEF-8FBEE502AD42}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{135F7~1.EXE > nul

C:\Windows\{346F32AA-0167-406a-AF51-34FAB444A1F7}.exe

C:\Windows\{346F32AA-0167-406a-AF51-34FAB444A1F7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{ADB18~1.EXE > nul

C:\Windows\{2FF018AC-F190-40cf-9B7E-DD28534B8FB3}.exe

C:\Windows\{2FF018AC-F190-40cf-9B7E-DD28534B8FB3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{346F3~1.EXE > nul

Network

N/A

Files

C:\Windows\{ED4A5CDA-AF27-488d-82CD-39919C1818D6}.exe

C:\Windows\{4EF36E23-AB07-40e2-9345-3C124496BF33}.exe

C:\Windows\{EF4F793F-0C2C-40cc-B31D-5B4D40493D74}.exe

C:\Windows\{BB9C81B9-44B5-40a6-A9FA-145F42BF4CED}.exe

C:\Windows\{77E30250-A43D-4f80-B961-69E1293E418D}.exe

C:\Windows\{0F1BAAC8-8F59-480e-BF15-8E6DCC656F47}.exe

C:\Windows\{BCBE8BC2-6DB7-4eae-94D7-124416C181F5}.exe

C:\Windows\{135F71E4-7F07-49e2-BBF6-D8ED25551467}.exe

C:\Windows\{ADB18692-2104-4feb-AFEF-8FBEE502AD42}.exe

C:\Windows\{346F32AA-0167-406a-AF51-34FAB444A1F7}.exe

C:\Windows\{2FF018AC-F190-40cf-9B7E-DD28534B8FB3}.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:50

Reported

2024-06-03 05:52

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}\stubpath = "C:\\Windows\\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe" C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}\stubpath = "C:\\Windows\\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe" C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04570477-B235-461a-BA53-2B7BE1CC14DB}\stubpath = "C:\\Windows\\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe" C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2} C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}\stubpath = "C:\\Windows\\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe" C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0} C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87A47E12-F15A-481f-97E0-AB3A45A605F0} C:\Windows\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87A47E12-F15A-481f-97E0-AB3A45A605F0}\stubpath = "C:\\Windows\\{87A47E12-F15A-481f-97E0-AB3A45A605F0}.exe" C:\Windows\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A7B7156-33F2-4c41-83C6-CEB626247873}\stubpath = "C:\\Windows\\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe" C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A547D2E8-F829-413d-96ED-C15434670AEF}\stubpath = "C:\\Windows\\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe" C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E5D1F00-C086-494c-AE73-47982FD39BE2}\stubpath = "C:\\Windows\\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe" C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BAB3403-1762-44b1-BFDE-6C934790DFA6} C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}\stubpath = "C:\\Windows\\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe" C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}\stubpath = "C:\\Windows\\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe" C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}\stubpath = "C:\\Windows\\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe" C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A7B7156-33F2-4c41-83C6-CEB626247873} C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A547D2E8-F829-413d-96ED-C15434670AEF} C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E5D1F00-C086-494c-AE73-47982FD39BE2} C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96} C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15} C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F} C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6} C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04570477-B235-461a-BA53-2B7BE1CC14DB} C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}\stubpath = "C:\\Windows\\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe" C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe N/A
File created C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe N/A
File created C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe N/A
File created C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe N/A
File created C:\Windows\{87A47E12-F15A-481f-97E0-AB3A45A605F0}.exe C:\Windows\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe N/A
File created C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe N/A
File created C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe N/A
File created C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe N/A
File created C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe N/A
File created C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe N/A
File created C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe N/A
File created C:\Windows\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3976 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe
PID 3976 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe
PID 3976 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe
PID 3976 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 1776 N/A C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe
PID 4628 wrote to memory of 1776 N/A C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe
PID 4628 wrote to memory of 1776 N/A C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe
PID 4628 wrote to memory of 4436 N/A C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 4436 N/A C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 4436 N/A C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 4660 N/A C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe
PID 1776 wrote to memory of 4660 N/A C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe
PID 1776 wrote to memory of 4660 N/A C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe
PID 1776 wrote to memory of 208 N/A C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 208 N/A C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 208 N/A C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe C:\Windows\SysWOW64\cmd.exe
PID 4660 wrote to memory of 544 N/A C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe
PID 4660 wrote to memory of 544 N/A C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe
PID 4660 wrote to memory of 544 N/A C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe
PID 4660 wrote to memory of 4272 N/A C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4660 wrote to memory of 4272 N/A C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe C:\Windows\SysWOW64\cmd.exe
PID 4660 wrote to memory of 4272 N/A C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe C:\Windows\SysWOW64\cmd.exe
PID 544 wrote to memory of 860 N/A C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe
PID 544 wrote to memory of 860 N/A C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe
PID 544 wrote to memory of 860 N/A C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe
PID 544 wrote to memory of 4232 N/A C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 544 wrote to memory of 4232 N/A C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 544 wrote to memory of 4232 N/A C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 860 wrote to memory of 2444 N/A C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe
PID 860 wrote to memory of 2444 N/A C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe
PID 860 wrote to memory of 2444 N/A C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe
PID 860 wrote to memory of 4036 N/A C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe C:\Windows\SysWOW64\cmd.exe
PID 860 wrote to memory of 4036 N/A C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe C:\Windows\SysWOW64\cmd.exe
PID 860 wrote to memory of 4036 N/A C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 4948 N/A C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe
PID 2444 wrote to memory of 4948 N/A C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe
PID 2444 wrote to memory of 4948 N/A C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe
PID 2444 wrote to memory of 5096 N/A C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 5096 N/A C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 5096 N/A C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 2448 N/A C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe
PID 4948 wrote to memory of 2448 N/A C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe
PID 4948 wrote to memory of 2448 N/A C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe
PID 4948 wrote to memory of 4112 N/A C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 4112 N/A C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 4112 N/A C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 4956 N/A C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe
PID 2448 wrote to memory of 4956 N/A C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe
PID 2448 wrote to memory of 4956 N/A C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe
PID 2448 wrote to memory of 1544 N/A C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 1544 N/A C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 1544 N/A C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 1728 N/A C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe
PID 4956 wrote to memory of 1728 N/A C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe
PID 4956 wrote to memory of 1728 N/A C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe
PID 4956 wrote to memory of 3928 N/A C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 3928 N/A C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 3928 N/A C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2876 N/A C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe C:\Windows\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe
PID 1728 wrote to memory of 2876 N/A C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe C:\Windows\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe
PID 1728 wrote to memory of 2876 N/A C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe C:\Windows\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe
PID 1728 wrote to memory of 3436 N/A C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe"

C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe

C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9DA8E0~1.EXE > nul

C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe

C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C4644~1.EXE > nul

C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe

C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6A7B7~1.EXE > nul

C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe

C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A547D~1.EXE > nul

C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe

C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2E5D1~1.EXE > nul

C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe

C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4BAB3~1.EXE > nul

C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe

C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8C646~1.EXE > nul

C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe

C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F323F~1.EXE > nul

C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe

C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{04570~1.EXE > nul

C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe

C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2F030~1.EXE > nul

C:\Windows\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe

C:\Windows\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4C7CD~1.EXE > nul

C:\Windows\{87A47E12-F15A-481f-97E0-AB3A45A605F0}.exe

C:\Windows\{87A47E12-F15A-481f-97E0-AB3A45A605F0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3F108~1.EXE > nul
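
The process listing and the "Drops file in Windows directory" table together describe one linear chain: each stage writes the next GUID-named binary, starts it, and then spawns `cmd.exe /c del` against its own 8.3 short name (the WriteProcessMemory rows show every stage writing into exactly one new stage and one cmd.exe). The following is an added example, not code from the sandbox or the sample: it takes the two tables as copied from this report, follows the created-by links from the submitted file to reconstruct the stage order, and checks that the k-th `del` line really targets the k-th stage. The 8.3 short-name derivation assumes no name collision in the target directory (every short name shown ends in `~1`); that is an assumption of the example, not something the report states.

```python
"""Reconstruct the drop-and-run chain and the self-deletion step recorded above.

Added example, not part of the sandbox report or the sample. FILE_CREATED and
DEL_COMMANDS are copied from the report's tables; short_name() approximates
Windows 8.3 name generation and assumes the ~1 suffix (no collision).
"""
import ntpath
import re
from typing import List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9da8e0e562a197dd7dda132040880160_NeikiAnalytics.exe"
W = r"C:\Windows"

# (file created, creating process), in the order the report lists them.
FILE_CREATED: List[Tuple[str, str]] = [
    (W + r"\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe", W + r"\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe"),
    (W + r"\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe", W + r"\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe"),
    (W + r"\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe", W + r"\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe"),
    (W + r"\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe", W + r"\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe"),
    (W + r"\{87A47E12-F15A-481f-97E0-AB3A45A605F0}.exe", W + r"\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe"),
    (W + r"\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe", SAMPLE),
    (W + r"\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe", W + r"\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe"),
    (W + r"\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe", W + r"\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe"),
    (W + r"\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe", W + r"\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe"),
    (W + r"\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe", W + r"\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe"),
    (W + r"\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe", W + r"\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe"),
    (W + r"\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe", W + r"\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe"),
]

# cmd.exe command lines from the process listing, in listing order.
DEL_COMMANDS: List[str] = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9DA8E0~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C4644~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6A7B7~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{A547D~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{2E5D1~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4BAB3~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8C646~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F323F~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{04570~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{2F030~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4C7CD~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{3F108~1.EXE > nul",
]

DEL_RE = re.compile(r"/c del (\S+) > nul$", re.IGNORECASE)


def short_name(path: str) -> str:
    """Approximate the 8.3 name Windows generates: first six characters of the
    stem (spaces and dots dropped, upper-cased), '~1', extension cut to three
    characters. Assumes ~1, i.e. no collision in the directory."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return re.sub(r"[ .]", "", stem).upper()[:6] + "~1" + ext.upper()[:4]


def drop_chain(sample: str, rows: List[Tuple[str, str]]) -> List[str]:
    """Follow created-by links from the sample until a stage drops nothing.
    Raises if a stage drops more than one file or the links loop."""
    drops = {}
    for created, creator in rows:
        if creator.lower() in drops:
            raise ValueError(f"{creator} drops more than one file; not a linear chain")
        drops[creator.lower()] = created
    chain, seen = [sample], {sample.lower()}
    while chain[-1].lower() in drops:
        nxt = drops[chain[-1].lower()]
        if nxt.lower() in seen:
            raise ValueError(f"drop chain loops back to {nxt}")
        chain.append(nxt)
        seen.add(nxt.lower())
    return chain


def del_targets(commands: List[str]) -> List[str]:
    """Upper-cased basename of the file each 'cmd /c del' line removes."""
    return [ntpath.basename(m.group(1)).upper()
            for m in (DEL_RE.search(c) for c in commands) if m]


def summarize(sample: str, rows: List[Tuple[str, str]], commands: List[str]) -> dict:
    """Pair the k-th del line with the k-th stage. In this report each stage
    launches the next stage and then a cmd.exe that deletes the stage itself,
    so the del lines appear in the same order as the stages."""
    chain = drop_chain(sample, rows)
    targets = del_targets(commands)
    checks = [(stage, target, short_name(stage) == target)
              for stage, target in zip(chain, targets)]
    return {"chain": chain, "self_deletes": checks,
            "not_deleted": chain[len(targets):],   # stages with no del line
            "extra_dels": targets[len(chain):]}    # del lines with no stage


if __name__ == "__main__":
    s = summarize(SAMPLE, FILE_CREATED, DEL_COMMANDS)
    for i, stage in enumerate(s["chain"]):
        print(f"stage {i:2d}: {stage}")
    for stage, target, ok in s["self_deletes"]:
        print(("OK  " if ok else "BAD ") + ntpath.basename(stage) + " deleted as " + target)
    print("no deletion recorded for:", s["not_deleted"])
```

The chain resolves to thirteen binaries (the submitted file plus twelve dropped stages) and every one of the twelve `del` lines targets the short name of the stage that spawned it; the last stage, `{87A47E12-...}.exe`, has no `del` line in the listing, which is consistent with the report not recording it dropping anything. For disk forensics this means only the final stage and the Active Setup keys are expected to remain; the earlier stages must be recovered from the hashes in the Files section or from the sandbox's captured copies.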

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Windows\{C4644A9C-84E7-40d6-B674-FFBB1CF2AED6}.exe

MD5 11dad28eb2f73c7c52b464c75b82d01c
SHA1 b876ce3f13ab72af6d419ee0ef2746ed9461085e
SHA256 2ee47c8dc432e48b0c449eb973d427386909cac7e098aa5395f5c4db687526ac
SHA512 e38d3a1711ce2146553a9c32d32dd390dcffc4e7cc00b55d910781f2783da0620fbce36d1d4e2f9e037019bfc2f3db062f3af35ea47ca7e99bf64be0e50ce305

C:\Windows\{6A7B7156-33F2-4c41-83C6-CEB626247873}.exe

MD5 5c45186549e4b508797028358f21bf9c
SHA1 404db68a73b01244a7c97a68ee541e9267a862f5
SHA256 0990b189d0e023bf38830273a33a473cd5fa2fb49c8eceaa0746e25bd95c1dbb
SHA512 5843ebec36137f531463d84a230fe06c212415221355474d862b41752b137bd4a724817099fbf4a5d0a748639aade63025931f20c1df41d46cb9d6ba1ba560fe

C:\Windows\{A547D2E8-F829-413d-96ED-C15434670AEF}.exe

MD5 d9021d2f1e8f0953c069da60e4c29786
SHA1 049adad38349070153a0a2ff43ba103c321b17da
SHA256 951bc49564cfc5ab72563a960f0b4b250c082b4a64943ef6605824fd10a22a2e
SHA512 37d69c1423d7cf3d2d2a1d02a0b7612fb061bea101596d463369cd9f4b8e68b48b1ee48e2d5adce7ffa7cd334974fcef0cf82c99821c9de37479f493d786da7f

C:\Windows\{2E5D1F00-C086-494c-AE73-47982FD39BE2}.exe

MD5 cf0ff9ff8bfe9213ba144986bd9221b7
SHA1 624ee9d38920fdf46eb7132ebf601d7b37e28a45
SHA256 36d03cc6c0a277cef82fce305f0ae48395a5d6692ec3bb20888b3575ea1000be
SHA512 77440934d5af49f878feab94d7cbb89820350d9e66103c11115b108ccc9455766ede7b57a4df5ba56eb9ffb6fa4616d8e5d8cb0edd7ccf8a75d01cc6fb887f15

C:\Windows\{4BAB3403-1762-44b1-BFDE-6C934790DFA6}.exe

MD5 c866cbf6975ca28d353e04f0834f67c9
SHA1 8ad8e13ada1925eba400a56cb13c70589d30b71a
SHA256 5cc031312d89905f33c38e1bcef99f2966b358ea18c7ab55eb1e5b35d47725c2
SHA512 20a7a8a28003dabc89e0d693c857d60475005d2ef0d748093e1948556ce92c3d709232f3a006721dafdc89e2d66762dc78228f642ff3f3c8c0583aac5487d7be

C:\Windows\{8C6465FE-3941-4ca0-B6B8-D9F66A824C96}.exe

MD5 9622ac70118693f8f75ff7e198e4f82e
SHA1 a3531e58331e89b3c28df3e1e10db6e772e0e055
SHA256 77278b8a0bf6db32a6ab1d47eb9b44dc6e09a7c3d1c14cfbeab7a8f4ec6336e2
SHA512 bc1c0299e27ecb0b912b61c54894e1f5d871ad4b0aba7020f9be8f085ddb5a888e9f736ff5d95a47217da9b1824adf74b151ee4b0b4d9c35b51c2c933242e41b

C:\Windows\{F323F5D8-B3FE-4eca-A4E4-EEEE123FBA15}.exe

MD5 8c251e09684fb11a56e86f62770d87ea
SHA1 e163bc48b1dc500e1d309715cf4e6e4858654a74
SHA256 eb2bb89f454cbbfe026c68e8db9571be862a32aedffe09106a83011ff4cbf8e8
SHA512 334374ad1fd1d299e7ebacf8c9acaeae2f30cc9cc8cc55287eaba351854ad189893894780ae0e074b99515eaf8d3ed8c00d7cbfb06866a1772a03f10f4043a66

C:\Windows\{04570477-B235-461a-BA53-2B7BE1CC14DB}.exe

MD5 db5ebd62f3f5f217cf9df4fc2026e26d
SHA1 c1c75b597aa04a53b23f19f8263a86c385221dad
SHA256 5646ac7d8a92576717e055b0e8c9a5c1e7a75dfff0bc8e768da90ad686edb86a
SHA512 025b5a3aaaf13062e209806351646244aae5a6a40081663084f78690fca45e1107f60bdeab0a55cc6fa8cae884418c03a68deb6899e7b65fa7332be1accab220

C:\Windows\{2F030361-A76E-41d5-B68E-DBDDCD2BA7C2}.exe

MD5 243a36aca3a0b772569cebf0ecff8ef6
SHA1 88380f1c22110fb0dc3a6e93f8185bfd86f29bab
SHA256 29b0ea8a1687c16f6f6bbb9ac2a67529086df428756d1067f6ed7b5310861268
SHA512 0e3ecef7daf919a3cc534d1afc649f7c4433dd5d0547ec5849e2c7a10a3e83af15d6cc769fb1162d5fa881bbd1f2195cf7257b8647757619500da43b5a976534

C:\Windows\{4C7CDB67-23B0-4f41-BFDB-9689174F8D7F}.exe

MD5 28499399e78bda04caf3fa2952a9c877
SHA1 407371880d52ccbc22cdc8d7093d82b45eea6d40
SHA256 4e5db95148e44ca246fe3b53874b4fbc8a1f46e0afb4ca1553303293571354f9
SHA512 5a41b66483e8281373a55c0c8d8589bb2954563c540d66db84d91d32efb6ac6ce60e699eacad1daf4aac1e6807207d4276dca8fb20437469b8c6985866f8106f

C:\Windows\{3F108ADD-7EF2-4b5c-A746-1B13A32F11D0}.exe

MD5 80cf7edbf65f77cb268cd395cd04b5e3
SHA1 e35d74e9b58d8eada6faf026a3741a9b428d102c
SHA256 94abc1119669206a2d53740482fd7ca1881588bf4b30508bd3c9e552c0fb6836
SHA512 4d5509420fdd63a47d171bec73534f3bfe2ec3a19dfb0f2322c2789d474ede6b4f578ba5f054d33dd02c30228387666a8289fcd995ec76aa43e524149469751b

C:\Windows\{87A47E12-F15A-481f-97E0-AB3A45A605F0}.exe

MD5 fd10bf21a548b7422a9d10818792acf5
SHA1 691efb8c48d7d78b6c5108f8badb6f3fcf39b087
SHA256 4f28f0ef5f14add394c6903f10de223a9ae484cb90d3a718fe3fb5dda41d5025
SHA512 0d2cff631e8816c023022f4cde6b6b0bb1bdc2664f06f7d56474da4bd3dea74064f603b34a623e84feb5d8877483db096d550b3728d618fdc90defc1a8b40db4