Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-06-2024 16:17

Behavioral task: behavioral1
- Sample: 13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe
- Resource: win7-20240508-en

General
- Target: 13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe
- Size: 5.9MB
- MD5: 13bac35cdeae107cd56f33b442b9dc20
- SHA1: 45cbae0c14db9b22108645478a3b9f45bc098c0b
- SHA256: f29e66ee2be3e0daabe3053d8d54ab2e82c502c9009d4f8beca0be55681efaab
- SHA512: 69577f6d8bfe11ad710fc2568942284bac3798777365b0bf8e58dc9580f36882eae3f477f1e85617c9e4c6dfe197921ad1630335668599c77e4fb1837acdac0b
- SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUr:Q+856utgpPF8u/7r
Malware Config
Extracted: cobaltstrike
- URLs:
  - http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  - http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  - http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- unknown1: 4096
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
- Cobalt Strike reflective loader (21 IoCs)
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- XMRig Miner payload (64 IoCs)
- Executes dropped EXE (21 IoCs)
  PID / process: 568 TqsKxeY.exe, 3296 KAZKQPV.exe, 2876 TqERGPp.exe, 2028 IDvsqKD.exe, 2560 tCCzfNL.exe, 220 gjVSBUZ.exe, 1724 azBnKtE.exe, 4864 aGAndkA.exe, 4968 nPspIFl.exe, 3956 oIXBezu.exe, 1048 RVvNojd.exe, 1248 JYdmwdg.exe, 4080 upVxwIg.exe, 1776 ArsXBMh.exe, 3896 awvCMWI.exe, 2608 HrJWOrO.exe, 636 ZMAVJSY.exe, 3480 EQZoOZi.exe, 916 KJFerlg.exe, 2652 nHVTAeO.exe, 232 vkZbstX.exe
- Drops file in Windows directory (21 IoCs)
  Files created by 13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe: C:\Windows\System\JYdmwdg.exe, C:\Windows\System\ArsXBMh.exe, C:\Windows\System\HrJWOrO.exe, C:\Windows\System\nHVTAeO.exe, C:\Windows\System\TqsKxeY.exe, C:\Windows\System\TqERGPp.exe, C:\Windows\System\RVvNojd.exe, C:\Windows\System\awvCMWI.exe, C:\Windows\System\EQZoOZi.exe, C:\Windows\System\KJFerlg.exe, C:\Windows\System\KAZKQPV.exe, C:\Windows\System\IDvsqKD.exe, C:\Windows\System\tCCzfNL.exe, C:\Windows\System\gjVSBUZ.exe, C:\Windows\System\azBnKtE.exe, C:\Windows\System\aGAndkA.exe, C:\Windows\System\ZMAVJSY.exe, C:\Windows\System\nPspIFl.exe, C:\Windows\System\oIXBezu.exe, C:\Windows\System\upVxwIg.exe, C:\Windows\System\vkZbstX.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 648 (13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe): Token: SeLockMemoryPrivilege (reported twice)
- Suspicious use of WriteProcessMemory (42 IoCs)
  PID 648 (13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe) wrote to the memory of each dropped process, two events per target: 568 TqsKxeY.exe, 3296 KAZKQPV.exe, 2876 TqERGPp.exe, 2028 IDvsqKD.exe, 2560 tCCzfNL.exe, 220 gjVSBUZ.exe, 1724 azBnKtE.exe, 4864 aGAndkA.exe, 4968 nPspIFl.exe, 3956 oIXBezu.exe, 1048 RVvNojd.exe, 1248 JYdmwdg.exe, 4080 upVxwIg.exe, 1776 ArsXBMh.exe, 3896 awvCMWI.exe, 2608 HrJWOrO.exe, 636 ZMAVJSY.exe, 3480 EQZoOZi.exe, 916 KJFerlg.exe, 2652 nHVTAeO.exe, 232 vkZbstX.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe (PID 648), command line: "C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child processes, each flagged "Executes dropped EXE" (command line identical to the path):
    - C:\Windows\System\TqsKxeY.exe (PID 568)
    - C:\Windows\System\KAZKQPV.exe (PID 3296)
    - C:\Windows\System\TqERGPp.exe (PID 2876)
    - C:\Windows\System\IDvsqKD.exe (PID 2028)
    - C:\Windows\System\tCCzfNL.exe (PID 2560)
    - C:\Windows\System\gjVSBUZ.exe (PID 220)
    - C:\Windows\System\azBnKtE.exe (PID 1724)
    - C:\Windows\System\aGAndkA.exe (PID 4864)
    - C:\Windows\System\nPspIFl.exe (PID 4968)
    - C:\Windows\System\oIXBezu.exe (PID 3956)
    - C:\Windows\System\RVvNojd.exe (PID 1048)
    - C:\Windows\System\JYdmwdg.exe (PID 1248)
    - C:\Windows\System\upVxwIg.exe (PID 4080)
    - C:\Windows\System\ArsXBMh.exe (PID 1776)
    - C:\Windows\System\awvCMWI.exe (PID 3896)
    - C:\Windows\System\HrJWOrO.exe (PID 2608)
    - C:\Windows\System\ZMAVJSY.exe (PID 636)
    - C:\Windows\System\EQZoOZi.exe (PID 3480)
    - C:\Windows\System\KJFerlg.exe (PID 916)
    - C:\Windows\System\nHVTAeO.exe (PID 2652)
    - C:\Windows\System\vkZbstX.exe (PID 232)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3412), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Downloads