Malware Analysis Report

2025-01-18 02:00

Sample ID 240613-jke3ystekj
Target 6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe
SHA256 45c52877909bcc36452efffff620733a9a645e71cb79f0044d415512674e73fa
Tags
persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

45c52877909bcc36452efffff620733a9a645e71cb79f0044d415512674e73fa

Threat Level: Likely malicious

The file 6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe was found to be: Likely malicious.

What the two detonations show is a chain of self-replacing droppers rather than a single payload. Each stage creates an Active Setup Installed Components key whose stubpath names a new C:\Windows\{GUID}.exe, writes that file, starts it, and then spawns cmd.exe /c del to remove its own image. The chain ran 11 stages deep on Windows 7 and 12 on Windows 10 within the capture window, and no network activity was recorded in the Windows 7 run. Every dropped stage has a different hash (see Files), so a single file hash is a poor indicator; the stable artifacts are the Installed Components keys and the GUID-named executables in the Windows directory.

Malicious Activity Summary

persistence

Modifies Installed Components in the registry

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Persistence: Boot or Logon Autostart Execution: Active Setup (T1547.014), mapped from the "Modifies Installed Components in the registry" signature reported under both behavioral analyses.

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:43

Reported

2024-06-13 07:45

Platform

win7-20240611-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe"

Signatures

Modifies Installed Components in the registry

persistence

At each user's next interactive logon, Active Setup compares the keys under HKLM\...\Active Setup\Installed Components with the user's HKCU copy and runs the StubPath of every key that user has not yet "installed", so each key written here is a logon autostart for the stage it names. The keys land under Wow6432Node because the sample is a 32-bit process whose view of HKLM\SOFTWARE is redirected on the 64-bit sandbox host. Note the pattern in the rows: each process registers the GUID of the stage it is about to drop, not its own, so the key name, the stub file name and the next child's image name are always the same GUID.

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}\stubpath = "C:\\Windows\\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe" | C:\Windows\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72516768-150C-4f08-9631-809AF9597FE9} | C:\Windows\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C} | C:\Windows\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}\stubpath = "C:\\Windows\\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe" | C:\Windows\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}\stubpath = "C:\\Windows\\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe" | C:\Windows\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A95ADB73-9F70-48cf-A9C7-89BBC581D44E} | C:\Windows\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{140879EB-2334-4b92-B1EF-F15B26160272}\stubpath = "C:\\Windows\\{140879EB-2334-4b92-B1EF-F15B26160272}.exe" | C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1} | C:\Windows\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA} | C:\Windows\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72516768-150C-4f08-9631-809AF9597FE9}\stubpath = "C:\\Windows\\{72516768-150C-4f08-9631-809AF9597FE9}.exe" | C:\Windows\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}\stubpath = "C:\\Windows\\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe" | C:\Windows\{72516768-150C-4f08-9631-809AF9597FE9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{527BBDAE-65F2-4c94-971F-42E6AEE594C5} | C:\Windows\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{140879EB-2334-4b92-B1EF-F15B26160272} | C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42} | C:\Windows\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}\stubpath = "C:\\Windows\\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe" | C:\Windows\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}\stubpath = "C:\\Windows\\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe" | C:\Windows\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE} | C:\Windows\{72516768-150C-4f08-9631-809AF9597FE9}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A95ADB73-9F70-48cf-A9C7-89BBC581D44E}\stubpath = "C:\\Windows\\{A95ADB73-9F70-48cf-A9C7-89BBC581D44E}.exe" | C:\Windows\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93} | C:\Windows\{140879EB-2334-4b92-B1EF-F15B26160272}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}\stubpath = "C:\\Windows\\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe" | C:\Windows\{140879EB-2334-4b92-B1EF-F15B26160272}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{670A2B86-C141-4c90-98D8-5EAAB48F2F35} | C:\Windows\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}\stubpath = "C:\\Windows\\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe" | C:\Windows\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe | C:\Windows\{140879EB-2334-4b92-B1EF-F15B26160272}.exe | N/A
File created | C:\Windows\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe | C:\Windows\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe | N/A
File created | C:\Windows\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe | C:\Windows\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe | N/A
File created | C:\Windows\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe | C:\Windows\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe | N/A
File created | C:\Windows\{A95ADB73-9F70-48cf-A9C7-89BBC581D44E}.exe | C:\Windows\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe | N/A
File created | C:\Windows\{140879EB-2334-4b92-B1EF-F15B26160272}.exe | C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe | N/A
File created | C:\Windows\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe | C:\Windows\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe | N/A
File created | C:\Windows\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe | C:\Windows\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe | N/A
File created | C:\Windows\{72516768-150C-4f08-9631-809AF9597FE9}.exe | C:\Windows\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe | N/A
File created | C:\Windows\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe | C:\Windows\{72516768-150C-4f08-9631-809AF9597FE9}.exe | N/A
File created | C:\Windows\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe | C:\Windows\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe | N/A
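The two tables above are enough to reconstruct the whole chain and to check that it is internally consistent. The following script is an added example written for this write-up, not the sandbox's own tooling: it takes the Indicator and Process columns of the "Set value (str)" registry rows and the "File created" rows (copied here in the order the report lists them), walks from the submitted sample to the last stage, and flags any stage whose key GUID, stub path and dropped file do not agree. The regular expression assumes the report's convention of doubling backslashes inside the quoted stubpath value; that convention, and the SAMPLE/ROOT constants, are taken from this page.

```python
"""Rebuild the drop chain of a chained dropper from a sandbox report.

Added example for this write-up, not the sandbox's own tooling.  It reads
the Indicator and Process columns of the behavioral1 tables (the
"Set value (str)" registry rows and the "File created" rows, copied here in
the order the report lists them) and walks the chain from the submitted
sample: process -> stub path it registered -> file it wrote -> next process.
"""
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# ...\Installed Components\{GUID}\stubpath = "C:\\Windows\\{GUID}.exe"  (report escapes the backslashes)
STUB_RE = re.compile(r"Installed Components\\(" + GUID + r")\\stubpath = \"([^\"]+)\"", re.I)
EXE_RE = re.compile(r"\\(" + GUID + r")\.exe$", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe"
ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
W = r"C:\Windows"

# (Indicator, Process) pairs from "Modifies Installed Components in the registry", Set value rows only
STUBPATH_ROWS = [
    (ROOT + r'\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}\stubpath = "C:\\Windows\\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe"', W + r"\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe"),
    (ROOT + r'\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}\stubpath = "C:\\Windows\\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe"', W + r"\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe"),
    (ROOT + r'\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}\stubpath = "C:\\Windows\\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe"', W + r"\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe"),
    (ROOT + r'\{140879EB-2334-4b92-B1EF-F15B26160272}\stubpath = "C:\\Windows\\{140879EB-2334-4b92-B1EF-F15B26160272}.exe"', SAMPLE),
    (ROOT + r'\{72516768-150C-4f08-9631-809AF9597FE9}\stubpath = "C:\\Windows\\{72516768-150C-4f08-9631-809AF9597FE9}.exe"', W + r"\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe"),
    (ROOT + r'\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}\stubpath = "C:\\Windows\\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe"', W + r"\{72516768-150C-4f08-9631-809AF9597FE9}.exe"),
    (ROOT + r'\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}\stubpath = "C:\\Windows\\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe"', W + r"\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe"),
    (ROOT + r'\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}\stubpath = "C:\\Windows\\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe"', W + r"\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe"),
    (ROOT + r'\{A95ADB73-9F70-48cf-A9C7-89BBC581D44E}\stubpath = "C:\\Windows\\{A95ADB73-9F70-48cf-A9C7-89BBC581D44E}.exe"', W + r"\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe"),
    (ROOT + r'\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}\stubpath = "C:\\Windows\\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe"', W + r"\{140879EB-2334-4b92-B1EF-F15B26160272}.exe"),
    (ROOT + r'\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}\stubpath = "C:\\Windows\\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe"', W + r"\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe"),
]
# (Indicator, Process) pairs from "Drops file in Windows directory"
DROP_ROWS = [
    (W + r"\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe", W + r"\{140879EB-2334-4b92-B1EF-F15B26160272}.exe"),
    (W + r"\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe", W + r"\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe"),
    (W + r"\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe", W + r"\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe"),
    (W + r"\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe", W + r"\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe"),
    (W + r"\{A95ADB73-9F70-48cf-A9C7-89BBC581D44E}.exe", W + r"\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe"),
    (W + r"\{140879EB-2334-4b92-B1EF-F15B26160272}.exe", SAMPLE),
    (W + r"\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe", W + r"\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe"),
    (W + r"\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe", W + r"\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe"),
    (W + r"\{72516768-150C-4f08-9631-809AF9597FE9}.exe", W + r"\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe"),
    (W + r"\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe", W + r"\{72516768-150C-4f08-9631-809AF9597FE9}.exe"),
    (W + r"\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe", W + r"\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe"),
]


def parse_stubpaths(rows):
    """Map each writing process to (key GUID it registered, stub path it points at)."""
    out = {}
    for indicator, process in rows:
        m = STUB_RE.search(indicator)
        if m:  # un-escape the doubled backslashes of the quoted value
            out[process.lower()] = (m.group(1), m.group(2).replace("\\\\", "\\"))
    return out


def parse_drops(rows):
    """Map each process to the set of files it created (case-folded paths)."""
    out = {}
    for path, process in rows:
        out.setdefault(process.lower(), set()).add(path.lower())
    return out


def build_chain(stub_rows, drop_rows, start=SAMPLE):
    """Follow start -> registered stub -> next stage until a stage registers nothing.

    Returns (stage paths in launch order, list of inconsistencies).  A stage is
    consistent when its key GUID names the stub file and it actually wrote that file.
    """
    stubs, drops = parse_stubpaths(stub_rows), parse_drops(drop_rows)
    chain, problems, seen, cur = [start], [], {start.lower()}, start
    while cur.lower() in stubs:
        key_guid, nxt = stubs[cur.lower()]
        m = EXE_RE.search(nxt)
        if not m or m.group(1).upper() != key_guid.upper():
            problems.append(f"{cur}: key {key_guid} does not name stub {nxt}")
        if nxt.lower() not in drops.get(cur.lower(), set()):
            problems.append(f"{cur}: registered {nxt} but never wrote it")
        if nxt.lower() in seen:
            problems.append(f"cycle at {nxt}")
            break
        seen.add(nxt.lower())
        chain.append(nxt)
        cur = nxt
    return chain, problems


if __name__ == "__main__":
    chain, problems = build_chain(STUBPATH_ROWS, DROP_ROWS)
    for i, path in enumerate(chain):
        print(f"stage {i:2d}: {path}")
    print("inconsistencies:", problems or "none")
```

Run against the rows above it prints the twelve images in launch order, from the sample to {A95ADB73-9F70-48cf-A9C7-89BBC581D44E}.exe, with no inconsistencies; dropping the "File created" rows makes every step fail the "actually wrote it" check, which is the kind of gap that shows up when a sandbox loses file events for part of a run.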

Suspicious use of AdjustPrivilegeToken

Each stage enables SeIncBasePriorityPrivilege (SeIncreaseBasePriorityPrivilege in Microsoft's naming), the privilege needed to raise a process's base priority class. It grants no access to other processes and is a weak indicator on its own; it is worth noting mainly because it is identical across every stage, consistent with all of the dropped executables sharing one code base.

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{140879EB-2334-4b92-B1EF-F15B26160272}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{72516768-150C-4f08-9631-809AF9597FE9}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe | N/A

Suspicious use of WriteProcessMemory

Every parent writes to each child it starts exactly four times, and only to the stage it just dropped and to the cmd.exe it spawns. That is the footprint of ordinary process creation, where the parent fills in the new process's startup parameters and environment before its first thread runs; there is no write into any pre-existing process, so this signature adds nothing beyond the process tree and should not be read as code injection.

Description | Indicator | Process | Target
PID 2192 wrote to memory of 2096 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe | C:\Windows\{140879EB-2334-4b92-B1EF-F15B26160272}.exe
PID 2192 wrote to memory of 2232 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2744 (4 events) | N/A | C:\Windows\{140879EB-2334-4b92-B1EF-F15B26160272}.exe | C:\Windows\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe
PID 2096 wrote to memory of 2812 (4 events) | N/A | C:\Windows\{140879EB-2334-4b92-B1EF-F15B26160272}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2852 (4 events) | N/A | C:\Windows\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe | C:\Windows\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe
PID 2744 wrote to memory of 2680 (4 events) | N/A | C:\Windows\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2424 (4 events) | N/A | C:\Windows\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe | C:\Windows\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe
PID 2852 wrote to memory of 1616 (4 events) | N/A | C:\Windows\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1968 (4 events) | N/A | C:\Windows\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe | C:\Windows\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe
PID 2424 wrote to memory of 1820 (4 events) | N/A | C:\Windows\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 2180 (4 events) | N/A | C:\Windows\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe | C:\Windows\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe
PID 1968 wrote to memory of 2456 (4 events) | N/A | C:\Windows\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe | C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 1344 (4 events) | N/A | C:\Windows\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe | C:\Windows\{72516768-150C-4f08-9631-809AF9597FE9}.exe
PID 2180 wrote to memory of 1680 (4 events) | N/A | C:\Windows\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe | C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 2420 (4 events) | N/A | C:\Windows\{72516768-150C-4f08-9631-809AF9597FE9}.exe | C:\Windows\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe
PID 1344 wrote to memory of 2836 (4 events) | N/A | C:\Windows\{72516768-150C-4f08-9631-809AF9597FE9}.exe | C:\Windows\SysWOW64\cmd.exe

Processes

Image path and command line alternate below. Each stage's command line is its own path, and each stage launches a cmd.exe that deletes the image of the stage that spawned it, so at any moment only the newest stage exists on disk. Two details matter for forensics. The image path is C:\Windows\SysWOW64\cmd.exe even though the command line asks for C:\Windows\system32\cmd.exe: a 32-bit process requesting System32 is redirected to the WOW64 copy. And every del target is written as an 8.3 short name (6A06CA~1.EXE, {14087~1.EXE, ...), so matching these command lines against the full file names above requires resolving the short form; the last stage, {A95ADB73-9F70-48cf-A9C7-89BBC581D44E}.exe, is the only one no cmd.exe in this run deletes.

C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe"

C:\Windows\{140879EB-2334-4b92-B1EF-F15B26160272}.exe

C:\Windows\{140879EB-2334-4b92-B1EF-F15B26160272}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6A06CA~1.EXE > nul

C:\Windows\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe

C:\Windows\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{14087~1.EXE > nul

C:\Windows\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe

C:\Windows\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5D79C~1.EXE > nul

C:\Windows\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe

C:\Windows\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E4086~1.EXE > nul

C:\Windows\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe

C:\Windows\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5F70A~1.EXE > nul

C:\Windows\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe

C:\Windows\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{670A2~1.EXE > nul

C:\Windows\{72516768-150C-4f08-9631-809AF9597FE9}.exe

C:\Windows\{72516768-150C-4f08-9631-809AF9597FE9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C8860~1.EXE > nul

C:\Windows\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe

C:\Windows\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{72516~1.EXE > nul

C:\Windows\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe

C:\Windows\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DBD2F~1.EXE > nul

C:\Windows\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe

C:\Windows\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8F2BE~1.EXE > nul

C:\Windows\{A95ADB73-9F70-48cf-A9C7-89BBC581D44E}.exe

C:\Windows\{A95ADB73-9F70-48cf-A9C7-89BBC581D44E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{527BB~1.EXE > nul
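Matching the del command lines back to the stages they remove is the practical step an analyst needs before checking what is left on the disk image. The script below is an added example for this write-up, not the sandbox's tooling: STAGES and DEL_CMDS are copied from the process list above, short_name() implements the common case of Windows 8.3 name generation (first six characters of the stem, "~1", first three of the extension, upper-cased), and the "~1" suffix assumes no earlier file in the same directory shared the prefix, an assumption made here rather than something the report states.

```python
"""Resolve the 8.3 short names in the self-delete command lines and list
which stages are left on disk.

Added example for this write-up, not the sandbox's own tooling.  STAGES and
DEL_CMDS are copied from the Processes list of behavioral1.  short_name()
implements the common case of Windows 8.3 name generation (first six
characters of the stem, "~1", first three of the extension, upper-cased);
the "~1" assumes no earlier file in that directory shared the prefix, an
assumption made here, not something the report states.
"""
import re

W = r"C:\Windows"
STAGES = [  # image path of each stage, in launch order
    r"C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe",
    W + r"\{140879EB-2334-4b92-B1EF-F15B26160272}.exe",
    W + r"\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe",
    W + r"\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe",
    W + r"\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe",
    W + r"\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe",
    W + r"\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe",
    W + r"\{72516768-150C-4f08-9631-809AF9597FE9}.exe",
    W + r"\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe",
    W + r"\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe",
    W + r"\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe",
    W + r"\{A95ADB73-9F70-48cf-A9C7-89BBC581D44E}.exe",
]
CMD = r"C:\Windows\system32\cmd.exe /c del "
DEL_CMDS = [  # command line of each cmd.exe child, in launch order
    CMD + r"C:\Users\Admin\AppData\Local\Temp\6A06CA~1.EXE > nul",
    CMD + W + r"\{14087~1.EXE > nul",
    CMD + W + r"\{5D79C~1.EXE > nul",
    CMD + W + r"\{E4086~1.EXE > nul",
    CMD + W + r"\{5F70A~1.EXE > nul",
    CMD + W + r"\{670A2~1.EXE > nul",
    CMD + W + r"\{C8860~1.EXE > nul",
    CMD + W + r"\{72516~1.EXE > nul",
    CMD + W + r"\{DBD2F~1.EXE > nul",
    CMD + W + r"\{8F2BE~1.EXE > nul",
    CMD + W + r"\{527BB~1.EXE > nul",
]
DEL_RE = re.compile(r"/c\s+del\s+(\S+)", re.I)


def short_name(filename):
    """8.3 form Windows would generate for a long file name (common case only)."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    stem = re.sub(r"[ .]", "", stem)            # spaces and embedded dots are dropped
    if len(stem) <= 8 and len(ext) <= 3:
        return filename.upper()                   # already a valid 8.3 name
    tilde = stem[:6].upper() + "~1"               # assumption: first name with this prefix
    return tilde + ("." + ext[:3].upper() if ext else "")


def resolve_deletions(stages, del_cmds):
    """Map each del target (as written, 8.3 form) to the full stage path it names.

    The directory is part of the match: the same short name can exist in
    several directories, so the target is only resolved within its own folder.
    """
    by_short = {}
    for path in stages:
        folder, _, name = path.rpartition("\\")
        by_short[(folder.lower(), short_name(name))] = path
    resolved = {}
    for cmd in del_cmds:
        m = DEL_RE.search(cmd)
        if m:
            folder, _, name = m.group(1).rpartition("\\")
            resolved[m.group(1)] = by_short.get((folder.lower(), name.upper()))
    return resolved


def survivors(stages, del_cmds):
    """Stages no cmd.exe in the run deleted, i.e. what should still be on disk."""
    deleted = {p.lower() for p in resolve_deletions(stages, del_cmds).values() if p}
    return [p for p in stages if p.lower() not in deleted]


if __name__ == "__main__":
    for target, full in resolve_deletions(STAGES, DEL_CMDS).items():
        print(f"{target:55} -> {full}")
    print("left on disk:", survivors(STAGES, DEL_CMDS))
```

Each del target resolves to the stage launched immediately before the cmd.exe that issued it, which confirms the self-deletion pattern, and the only survivor is the last stage. A target in a different directory, or a short name whose ~1 guess is wrong, resolves to None rather than to a wrong file, which is the safe failure for a triage script.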

Network

N/A

Files

memory/2192-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{140879EB-2334-4b92-B1EF-F15B26160272}.exe

MD5 7b925f66aefc6425931f9a2e510aa842
SHA1 a331ce0298fe6972d2b9e79bd1058981d7429ee4
SHA256 ccf363677bb2c98d000ca25c9721052658f7a3ecf1d77acbd93f80cc0faeda90
SHA512 2f42bb532925c6f67e0d28647e9b16b4e5298a2dc1094b585cc6098c0cccf3c1d541b3b066206f13f004d1b624fda48c627341670a7a41bf8b6b771c40cf5013

memory/2096-9-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2192-8-0x0000000000390000-0x00000000003A1000-memory.dmp

memory/2192-7-0x0000000000390000-0x00000000003A1000-memory.dmp

memory/2192-10-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2096-18-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{5D79C996-A9AA-49ee-A0D1-1306F67BBF93}.exe

MD5 14a3bb6e2be8e33c040a13f391318959
SHA1 dabfc2e86dbc22d65ee0d57c6b073384fb6e151b
SHA256 5a737adb53a0b6d97672ca0c93036b327484603fc75afc00ccf3eb709cd91546
SHA512 9e45992d9bb068c25ad2e9f4235323d456efb05ff3adf58901f0159309006bfde75f4ce8b77872ed38e238ba058947f22dfa70335cdff2e23469f3a86a0c3e30

memory/2744-19-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{E4086B9F-583E-45e1-8FDD-3D070CCF1E42}.exe

MD5 d302f60b2fc8bbf43553ec28b8411da1
SHA1 e28f9543c5d001d878cb6f2d86be01dea3331020
SHA256 03969310ddb9bde03443918f558115f828acc2c78daf8ea8c8725a0de4faa766
SHA512 4530ae858a8fc16f191fab7ae5dd6b36e666f69d42bac37de0c164ce843db5cf54661f75a578d4e72adc08391b7766761f6830570fe3aa9c8044176b53c41085

memory/2744-26-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{5F70AD48-23D5-4d62-A2F6-9616FA33B2C1}.exe

MD5 331342f1ff6d265bf288bfebfa138bdd
SHA1 86394d8a5a6f747f21bfad9f4257403e6befe2be
SHA256 dcf01755e50069f170b130f3dcb2dc0397fff46aaafbde0f30c0763ec2036c26
SHA512 5614f08919f9257016f1919554524eecd1219c2856da38482935f33ec30ac8ab78f52c75669e6ac1dadceb707ed603b2ad2f4e5c8a6444ec98dcbc1fb870f182

memory/2852-34-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2424-39-0x0000000000390000-0x00000000003A1000-memory.dmp

memory/2424-44-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{670A2B86-C141-4c90-98D8-5EAAB48F2F35}.exe

MD5 9ec1e8e843f81fcc3c609107b72bd92f
SHA1 c573b90311fce75f2708c3fa21eee759c8c29f17
SHA256 a17a86e93bc55a421f9f9b90d7e63c9c7127973c7c890f6920cefeb0fea1830e
SHA512 714a64d887ab2ce47d30f328f40994e64600adf002e28f6e21ce3eb978117ce36d6cac41a5336b4f59318401766207a2558a4429f9b78edf1d90db2e3ea10483

C:\Windows\{C8860D48-9BF1-4df2-BCE6-E43BDAD3FDEA}.exe

MD5 9c260f2e3429d252b13d3bf329d2a6fd
SHA1 60bbd6cd1cb84a375ce47503b8dad3c34de1bdab
SHA256 1e710c57bb4d0d25ad2cb2ed77e6ee827a0b441a28822f430ad0c3116e8be0a0
SHA512 51c4e1a0cfc4e36291f9d5c479330ca5e57888b6358f1051db04082a09cd57c65f929bf5f573d11c75546acc051c7bb340155709b4eea2309bf61fd427f238da

memory/1968-51-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2180-60-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{72516768-150C-4f08-9631-809AF9597FE9}.exe

MD5 9b3629f1cd22ecc46f334410e7350bfc
SHA1 688b12340128c81da3427c023c54f23e1ddab24e
SHA256 81f163c68146b378dcab07874e4c76e5291df8f6ba6caec9da0a561257d4b7a9
SHA512 8fe7aa7826cc24e52ffa6b5d048dd9d6f0c1ee07332667467b4ea8dca98ad8c9b88ffdfcfae541eeba3ab73e1e154dfafdd401a613f67cc7aa26356b68f15f94

memory/1344-67-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{DBD2FA70-D58D-4e50-837C-BA6F9307C2EE}.exe

MD5 b749e05384ea832e41e0ff0c683cb8e4
SHA1 2c2b7035de32463ef31c257ade7a7effcbd690ba
SHA256 66979e9a47a47bbe54fbe04e62d5b86bf9966c07ca47dab86cb617a22a0d0a33
SHA512 9814b32497bd23f0e76e6c5338023dcec4e2ed4a60fee6fcb6c61ec2b3bb04d43dcf10dbf1eed18e8314b6a86f78e5d4bb19bf61947e8dabd17e0a9a7239242b

C:\Windows\{8F2BE241-5A24-4fd3-8AB5-A7B7559ED72C}.exe

MD5 7860f2c49bb224d829c2cdf5a8bab873
SHA1 a5db14cf3b7b955bf06701ff0758eb68210a5275
SHA256 0ff64b2d080a1bcb71a59611d265965d44d1b3f55ef68532c2b1bd605c760ae0
SHA512 119d155c022df71fe0924080a51517de1827a452eafbe83de2493e1e54506e70fb5f2ed96f35ff638e6f56b037e2a17464e7b5f8cfda608449c79c01568f4495

memory/2520-77-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2420-76-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{527BBDAE-65F2-4c94-971F-42E6AEE594C5}.exe

MD5 c0cb440b7e84c9b18b41c7f3fc993b01
SHA1 3bf70ccda64385bca7f0af17f1cc3f6b100983b5
SHA256 47da267b66df1dc65607d1f9bae23e2f2b529307f0e0d8888d57bb18da4f02d7
SHA512 5d1ad4046894e8ecaf8e8362963d8a6012a8d8baf6b541a70b401bc1e6e0941df27d70cc5041042b65be8100f45c5b4d5e8f17099e2dd01d223b5ce0dce400dd

memory/2520-84-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{A95ADB73-9F70-48cf-A9C7-89BBC581D44E}.exe

MD5 f4855c8f3986df6a5f223513fc661e11
SHA1 218a1c01ade42a2cc24d39d0cc13a16b493a376d
SHA256 43dd540dd462722ef1aa4fedc92193e954bf1859763bc8d0bf57524bf15fb516
SHA512 190b0ccf28a15f6371731c75421c290373c8e1d678c637585d2864c70b1722f4e5e5db83f1ac839db007638be915de4c8f5952479ac3f94f1279774813032d79

memory/600-92-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1876-94-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 07:43

Reported

2024-06-13 07:45

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F} | C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}\stubpath = "C:\\Windows\\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe" | C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}\stubpath = "C:\\Windows\\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe" | C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31AA55E1-333F-4851-8E30-4D24A9FE2982} | C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31AA55E1-333F-4851-8E30-4D24A9FE2982}\stubpath = "C:\\Windows\\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe" | C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88} | C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E}\stubpath = "C:\\Windows\\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E}.exe" | C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D} | C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94C474C7-2212-439a-95CF-7AC25F371F1E} | C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94C474C7-2212-439a-95CF-7AC25F371F1E}\stubpath = "C:\\Windows\\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe" | C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D5C99BE-E3BD-4342-AE4B-106E2C5CC911} | C:\Windows\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D5C99BE-E3BD-4342-AE4B-106E2C5CC911}\stubpath = "C:\\Windows\\{5D5C99BE-E3BD-4342-AE4B-106E2C5CC911}.exe" | C:\Windows\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{827C9B22-2DE0-4760-AF6E-EE4057A76208}\stubpath = "C:\\Windows\\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe" | C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}\stubpath = "C:\\Windows\\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe" | C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}\stubpath = "C:\\Windows\\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe" | C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}\stubpath = "C:\\Windows\\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe" | C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1032D186-74CF-4296-A7E7-BB4AEDC526F9} | C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94E94A4D-7524-421d-B8FF-0D527D7C1230}\stubpath = "C:\\Windows\\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe" | C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E} | C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{827C9B22-2DE0-4760-AF6E-EE4057A76208} | C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E} | C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB} | C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}\stubpath = "C:\\Windows\\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe" | C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94E94A4D-7524-421d-B8FF-0D527D7C1230} | C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe | C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe | N/A
File created | C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe | C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe | N/A
File created | C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe | C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe | N/A
File created | C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe | C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe | N/A
File created | C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe | C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe | N/A
File created | C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe | C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe | N/A
File created | C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe | C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe | N/A
File created | C:\Windows\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E}.exe | C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe | N/A
File created | C:\Windows\{5D5C99BE-E3BD-4342-AE4B-106E2C5CC911}.exe | C:\Windows\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E}.exe | N/A
File created | C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe | C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe | N/A
File created | C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe | C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe | N/A
File created | C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe | C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe
PID 2248 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe
PID 2248 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe
PID 2248 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2664 N/A C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe
PID 2760 wrote to memory of 2664 N/A C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe
PID 2760 wrote to memory of 2664 N/A C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe
PID 2760 wrote to memory of 1136 N/A C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 1136 N/A C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 1136 N/A C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 3100 N/A C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe
PID 2664 wrote to memory of 3100 N/A C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe
PID 2664 wrote to memory of 3100 N/A C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe
PID 2664 wrote to memory of 2464 N/A C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2464 N/A C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2464 N/A C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 1012 N/A C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe
PID 3100 wrote to memory of 1012 N/A C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe
PID 3100 wrote to memory of 1012 N/A C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe
PID 3100 wrote to memory of 2172 N/A C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 2172 N/A C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 2172 N/A C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe C:\Windows\SysWOW64\cmd.exe
PID 1012 wrote to memory of 4380 N/A C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe
PID 1012 wrote to memory of 4380 N/A C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe
PID 1012 wrote to memory of 4380 N/A C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe
PID 1012 wrote to memory of 4376 N/A C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1012 wrote to memory of 4376 N/A C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe C:\Windows\SysWOW64\cmd.exe
PID 1012 wrote to memory of 4376 N/A C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 3852 N/A C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe
PID 4380 wrote to memory of 3852 N/A C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe
PID 4380 wrote to memory of 3852 N/A C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe
PID 4380 wrote to memory of 5104 N/A C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 5104 N/A C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 5104 N/A C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe C:\Windows\SysWOW64\cmd.exe
PID 3852 wrote to memory of 2428 N/A C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe
PID 3852 wrote to memory of 2428 N/A C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe
PID 3852 wrote to memory of 2428 N/A C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe
PID 3852 wrote to memory of 5080 N/A C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3852 wrote to memory of 5080 N/A C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe C:\Windows\SysWOW64\cmd.exe
PID 3852 wrote to memory of 5080 N/A C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1424 N/A C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe
PID 2428 wrote to memory of 1424 N/A C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe
PID 2428 wrote to memory of 1424 N/A C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe
PID 2428 wrote to memory of 5052 N/A C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 5052 N/A C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 5052 N/A C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 1096 N/A C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe
PID 1424 wrote to memory of 1096 N/A C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe
PID 1424 wrote to memory of 1096 N/A C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe
PID 1424 wrote to memory of 1100 N/A C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 1100 N/A C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 1100 N/A C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1576 N/A C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe
PID 1096 wrote to memory of 1576 N/A C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe
PID 1096 wrote to memory of 1576 N/A C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe
PID 1096 wrote to memory of 900 N/A C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 900 N/A C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 900 N/A C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 2692 N/A C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe C:\Windows\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E}.exe
PID 1576 wrote to memory of 2692 N/A C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe C:\Windows\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E}.exe
PID 1576 wrote to memory of 2692 N/A C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe C:\Windows\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E}.exe
PID 1576 wrote to memory of 3804 N/A C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6a06ca6aec77be6b6b4ac2a0ade5fe30_NeikiAnalytics.exe"

C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe

C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6A06CA~1.EXE > nul

C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe

C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3B6A3~1.EXE > nul

C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe

C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9B9BA~1.EXE > nul

C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe

C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0CAC7~1.EXE > nul

C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe

C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{94C47~1.EXE > nul

C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe

C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{94E94~1.EXE > nul

C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe

C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{7E19E~1.EXE > nul

C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe

C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{31AA5~1.EXE > nul

C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe

C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1032D~1.EXE > nul

C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe

C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{827C9~1.EXE > nul

C:\Windows\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E}.exe

C:\Windows\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1F2F7~1.EXE > nul

C:\Windows\{5D5C99BE-E3BD-4342-AE4B-106E2C5CC911}.exe

C:\Windows\{5D5C99BE-E3BD-4342-AE4B-106E2C5CC911}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4E5FB~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2248-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{3B6A3DD9-90EB-461d-96A8-8AEB98E50CDB}.exe

MD5 c948a8bb51cbf493f8ec49c7d204ae44
SHA1 653ec2e502e61aa3e581e1ae325fbbab4c2cc864
SHA256 23cb56d58c017a69bf5315fc4d30b79f39b5fe4012fcc1da49945aa8499422c2
SHA512 a0134302cf782e048bce24acc3044a47f0468e671da4341eeccee808875334b9b2de9efc7d807f48e8b49f2969e941da3434a0fde74a8f942714513eff5a58aa

memory/2248-5-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2760-6-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{9B9BA068-28FB-4e19-AA0C-A3D7FCB46E9D}.exe

MD5 11b17cfe0d75ed9a4b1e97556c3e01f6
SHA1 334d401dc8d98714c639b98d1694389b1fcf78dd
SHA256 6e83d62fb75a336f3a2ad12794d7cb9e1924f190471069bddb4bd2e12019d3c8
SHA512 737b8dbb0037517045185b8dff36ce1ee41583d9d431c3c9d0665bb9bf590f11f556d88154577db4dd8a74e9791ae003d0c134d55e93be121d951585dd124938

memory/2760-10-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2664-12-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{0CAC7D6F-9B99-4af6-B1D6-000295017A4F}.exe

MD5 8a3658a1dd4fe5fe375660635d556d80
SHA1 94b65c3fc91542fae1afaa7c234123e4340f23bb
SHA256 291e79dcc03bd54b6804124224b64c821066dd2894bd940fd1a99f1fe0c4f28d
SHA512 187211b61d9b19d173c94ab4e75a284c15a059b0d8a96a7b49164dcb51633920a26a0e42f55165ccdfa7fe2121517151e809a66a78c64e15556bc6c6a48068dd

memory/2664-16-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3100-18-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1012-24-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{94C474C7-2212-439a-95CF-7AC25F371F1E}.exe

MD5 761fcf07d55782991d914e2f11bf210e
SHA1 5a7266a1d63f5d7b9fd6e8fb829617eb960e7d43
SHA256 3f8c297ac9b4eced764c39a022a5b737d9c582130631b585cb47d88db4acfff1
SHA512 b1132ffc34613bbf6b352142ed5aa10e8d3fe0712f9c8f1d63e7ad012164fb8e5e7e3bbf906e08f82d19c790cded70a55d3565e73bf70f44719b2b688a060360

memory/3100-22-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{94E94A4D-7524-421d-B8FF-0D527D7C1230}.exe

MD5 bd5855c23a7a3220d560d4a2db3ac9b7
SHA1 b8a6abb300ddb6bc4cf70f13809a274c5e2c5732
SHA256 cfa2d5b1ef23bc334017c9063fb29afd727410e578b40462dedb1988e8a7f762
SHA512 6f491408e9dc8201328badfd3066c3b660a0f7f74feddbdbcebd9d5f1eb45bf7bd8bd49a2204eef3c137aa778cae0062c74475f468fd3a3e053ab1d80c2e9c0a

memory/1012-29-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4380-30-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{7E19E9EF-8FE3-45bf-9FD9-D8F1E8F8B21E}.exe

MD5 991c6aa089d9530d067379002e8093ba
SHA1 0e5960bdc2b7d303472ced827a3e9a8820d37b8a
SHA256 4357618ffdc9a2b8c2fdddc929d833b044ec8176ea948ea10359f56934579030
SHA512 973454a460ea30ad9d83a1378abd06426b206dbbe4d96d60f77fe0f152d57c3793a16c843f3c23c87816fe83a4852808f5425aace6fa0ebb21aebcd196af7786

memory/3852-35-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4380-33-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2428-41-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{31AA55E1-333F-4851-8E30-4D24A9FE2982}.exe

MD5 a053faf20d8c69ebac87926bbb9c42a6
SHA1 860cbf9ebd1c7b107b4491c2448297d21b2921db
SHA256 3fbb0d5d1f673e5bea74dd986b2f5cbd145fd748785c0cd1a5c01b0370ef4202
SHA512 599e00baf96a0b46af84772af776666ec8b0eb3fcf1c1c3e26db270686f80243a8a873b1582be200db3d3ec291d57cd1390e7d3724ba6f54455dac40fcd08e24

memory/3852-39-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{1032D186-74CF-4296-A7E7-BB4AEDC526F9}.exe

MD5 19c8bd7e056d10293a766bb8213ad6e4
SHA1 80d0ea926bd458dc2b09a97d07914acef5299f8a
SHA256 3f1f9497a12753935bdb86f1624bcd7adee18736a8a517061f3e8dda9363edce
SHA512 4cc31cc1cd874b2c5172956956ab234d6b0b630efe85a5888d952b3adba498e3dea4db9ad8214cba15fe2555160fd328fb54dfaa0a5e2fe96682dae64953dd16

memory/2428-47-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1424-48-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{827C9B22-2DE0-4760-AF6E-EE4057A76208}.exe

MD5 98ae9c96e68964f512f39abe2e7b8419
SHA1 166a58bacf968c9d1ddfd1dfcf843fee035eb9d2
SHA256 2b365f70dd5ae682ef78c632bde6bba4502826b53ad2c41d23088cb994dd0c0f
SHA512 187491fab54f4b155cdd9ba90b1af37380e732870a205c874810f1d3af0dce3ad0e6e93a5803d81332790b1db05029121fdf3e30774d629dfcfd1ae5321606e3

memory/1096-54-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1424-53-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{1F2F7A1B-F119-4abc-BFF7-A686A0C4DE88}.exe

MD5 990dacb772207db7b7da1ea500231223
SHA1 ac9eaf2ed16ba7ac96b93b32b6cc2ccdbf66360a
SHA256 96e9e2b5229e9ceca9718efc32754b6ceaf5242045e2d98907bdae2bdd81ed7b
SHA512 26ef962c50c90d2b284a74f8cf44e4d944d3091ab51b4dc8293bc28b78774f4719885bcb59f5c6c978aba83ef74b6d84e2b33e398ab826098e3c17930002da51

memory/1096-57-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1576-60-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{4E5FB694-79CA-4f1d-8113-82F4B0922C7E}.exe

MD5 7aeac9c15467fc260882b8687ec3db3c
SHA1 75e94df89ec15bfd22f5a47560d4396b6dcbb429
SHA256 8ea76a2d114178572defd931116c357140294454742bfce5e9ba165e23cd1f67
SHA512 a3c0f1b2bd1b25f1ad9a4a1ba5f556ff2091b697f29d0cc776c44da4e30ba766c63365d8f124fa78cb99e39545c9bde6f673c594bfedd7379a8b339f476b3c89

memory/1576-64-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\{5D5C99BE-E3BD-4342-AE4B-106E2C5CC911}.exe

MD5 f7c5647481ebb2f29a4e5cbbea5596d5
SHA1 18befba8540063c43efa3f0efd36f1b68dfc0781
SHA256 662badfdd14706ace1bad20d406ed00ee72e9dd8c7c4bfd2436c279cc4e8a2e9
SHA512 dbc249efeb3deefad944d2a08b64aef6c8a37dc11d38ec602f8083f1a88936364c14feed132af689945a2cbb6aea5cb8329cb5d52e87d7518133806db9f7619d

memory/2692-69-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1900-71-0x0000000000400000-0x0000000000411000-memory.dmp