32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6

Analysis

max time kernel
132s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe
Size

90KB
MD5

2698a207addcb605d3e815d1a3fb55b0
SHA1

81d04adacd5ff729d9c3062490e85dc0d7034e70
SHA256

32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6
SHA512

c340a7a601ead965de36576afcacdd30373f126e7e8068ac98bfc0e889e74535aff418117b4d48f5a4b91648c730f837547ec32e7e0f07701e1a77ace0f05e9f
SSDEEP

768:vvw9816vhKQLrov4/wQRNrfrunMxVFA3b7glw6:nEGh0ovl2unMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 20 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe{816F32C7-421D-48e8-9039-1B509B038B40}.exe{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe{F13C1FC5-F023-4965-BF45-96560027950E}.exe{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{816F32C7-421D-48e8-9039-1B509B038B40}\stubpath = "C:\\Windows\\{816F32C7-421D-48e8-9039-1B509B038B40}.exe"	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4825842-B323-4038-9030-EF37B3B2BAC2}\stubpath = "C:\\Windows\\{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe"	{816F32C7-421D-48e8-9039-1B509B038B40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F13C1FC5-F023-4965-BF45-96560027950E}\stubpath = "C:\\Windows\\{F13C1FC5-F023-4965-BF45-96560027950E}.exe"	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E858B1-13E7-45c6-807A-EC3E58586C5D}\stubpath = "C:\\Windows\\{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe"	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E875D882-6F77-47c1-855B-EEBAB6EB7D53}	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E875D882-6F77-47c1-855B-EEBAB6EB7D53}\stubpath = "C:\\Windows\\{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe"	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{816F32C7-421D-48e8-9039-1B509B038B40}	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E09DC52-4DBD-4f45-898D-A079F985943B}\stubpath = "C:\\Windows\\{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe"	32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}\stubpath = "C:\\Windows\\{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe"	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93744AD3-2C29-4d13-99EE-E4AC0D735F2D}	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}\stubpath = "C:\\Windows\\{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe"	{F13C1FC5-F023-4965-BF45-96560027950E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93744AD3-2C29-4d13-99EE-E4AC0D735F2D}\stubpath = "C:\\Windows\\{93744AD3-2C29-4d13-99EE-E4AC0D735F2D}.exe"	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E858B1-13E7-45c6-807A-EC3E58586C5D}	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA0CC58-47EA-4f00-B004-273C25B14140}	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4825842-B323-4038-9030-EF37B3B2BAC2}	{816F32C7-421D-48e8-9039-1B509B038B40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F13C1FC5-F023-4965-BF45-96560027950E}	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E09DC52-4DBD-4f45-898D-A079F985943B}	32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA0CC58-47EA-4f00-B004-273C25B14140}\stubpath = "C:\\Windows\\{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe"	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}	{F13C1FC5-F023-4965-BF45-96560027950E}.exe

Executes dropped EXE 10 IoCs

Processes:

{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe{816F32C7-421D-48e8-9039-1B509B038B40}.exe{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe{F13C1FC5-F023-4965-BF45-96560027950E}.exe{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe{93744AD3-2C29-4d13-99EE-E4AC0D735F2D}.exe

pid	process
4232	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe
4336	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe
1920	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe
1148	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe
4804	{816F32C7-421D-48e8-9039-1B509B038B40}.exe
4664	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe
2972	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe
4988	{F13C1FC5-F023-4965-BF45-96560027950E}.exe
3856	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe
3792	{93744AD3-2C29-4d13-99EE-E4AC0D735F2D}.exe

Drops file in Windows directory 10 IoCs

Processes:

{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe{816F32C7-421D-48e8-9039-1B509B038B40}.exe32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe{F13C1FC5-F023-4965-BF45-96560027950E}.exe{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe

description	ioc	process
File created	C:\Windows\{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe
File created	C:\Windows\{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe
File created	C:\Windows\{816F32C7-421D-48e8-9039-1B509B038B40}.exe	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe
File created	C:\Windows\{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe	{816F32C7-421D-48e8-9039-1B509B038B40}.exe
File created	C:\Windows\{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe	32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe
File created	C:\Windows\{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe
File created	C:\Windows\{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe
File created	C:\Windows\{F13C1FC5-F023-4965-BF45-96560027950E}.exe	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe
File created	C:\Windows\{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe	{F13C1FC5-F023-4965-BF45-96560027950E}.exe
File created	C:\Windows\{93744AD3-2C29-4d13-99EE-E4AC0D735F2D}.exe	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe{816F32C7-421D-48e8-9039-1B509B038B40}.exe{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe{F13C1FC5-F023-4965-BF45-96560027950E}.exe{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4900	32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4232	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe
Token: SeIncBasePriorityPrivilege	4336	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe
Token: SeIncBasePriorityPrivilege	1920	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe
Token: SeIncBasePriorityPrivilege	1148	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe
Token: SeIncBasePriorityPrivilege	4804	{816F32C7-421D-48e8-9039-1B509B038B40}.exe
Token: SeIncBasePriorityPrivilege	4664	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe
Token: SeIncBasePriorityPrivilege	2972	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe
Token: SeIncBasePriorityPrivilege	4988	{F13C1FC5-F023-4965-BF45-96560027950E}.exe
Token: SeIncBasePriorityPrivilege	3856	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

description	pid	process	target process
PID 4900 wrote to memory of 4232	4900	32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe
PID 4900 wrote to memory of 4232	4900	32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe
PID 4900 wrote to memory of 4232	4900	32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe
PID 4900 wrote to memory of 4820	4900	32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe	cmd.exe
PID 4900 wrote to memory of 4820	4900	32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe	cmd.exe
PID 4900 wrote to memory of 4820	4900	32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe	cmd.exe
PID 4232 wrote to memory of 4336	4232	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe
PID 4232 wrote to memory of 4336	4232	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe
PID 4232 wrote to memory of 4336	4232	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe
PID 4232 wrote to memory of 4388	4232	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe	cmd.exe
PID 4232 wrote to memory of 4388	4232	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe	cmd.exe
PID 4232 wrote to memory of 4388	4232	{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe	cmd.exe
PID 4336 wrote to memory of 1920	4336	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe
PID 4336 wrote to memory of 1920	4336	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe
PID 4336 wrote to memory of 1920	4336	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe
PID 4336 wrote to memory of 1824	4336	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe	cmd.exe
PID 4336 wrote to memory of 1824	4336	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe	cmd.exe
PID 4336 wrote to memory of 1824	4336	{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe	cmd.exe
PID 1920 wrote to memory of 1148	1920	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe
PID 1920 wrote to memory of 1148	1920	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe
PID 1920 wrote to memory of 1148	1920	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe
PID 1920 wrote to memory of 3800	1920	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe	cmd.exe
PID 1920 wrote to memory of 3800	1920	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe	cmd.exe
PID 1920 wrote to memory of 3800	1920	{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe	cmd.exe
PID 1148 wrote to memory of 4804	1148	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe	{816F32C7-421D-48e8-9039-1B509B038B40}.exe
PID 1148 wrote to memory of 4804	1148	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe	{816F32C7-421D-48e8-9039-1B509B038B40}.exe
PID 1148 wrote to memory of 4804	1148	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe	{816F32C7-421D-48e8-9039-1B509B038B40}.exe
PID 1148 wrote to memory of 636	1148	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe	cmd.exe
PID 1148 wrote to memory of 636	1148	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe	cmd.exe
PID 1148 wrote to memory of 636	1148	{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe	cmd.exe
PID 4804 wrote to memory of 4664	4804	{816F32C7-421D-48e8-9039-1B509B038B40}.exe	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe
PID 4804 wrote to memory of 4664	4804	{816F32C7-421D-48e8-9039-1B509B038B40}.exe	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe
PID 4804 wrote to memory of 4664	4804	{816F32C7-421D-48e8-9039-1B509B038B40}.exe	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe
PID 4804 wrote to memory of 4816	4804	{816F32C7-421D-48e8-9039-1B509B038B40}.exe	cmd.exe
PID 4804 wrote to memory of 4816	4804	{816F32C7-421D-48e8-9039-1B509B038B40}.exe	cmd.exe
PID 4804 wrote to memory of 4816	4804	{816F32C7-421D-48e8-9039-1B509B038B40}.exe	cmd.exe
PID 4664 wrote to memory of 2972	4664	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe
PID 4664 wrote to memory of 2972	4664	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe
PID 4664 wrote to memory of 2972	4664	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe
PID 4664 wrote to memory of 3060	4664	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe	cmd.exe
PID 4664 wrote to memory of 3060	4664	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe	cmd.exe
PID 4664 wrote to memory of 3060	4664	{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe	cmd.exe
PID 2972 wrote to memory of 4988	2972	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe	{F13C1FC5-F023-4965-BF45-96560027950E}.exe
PID 2972 wrote to memory of 4988	2972	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe	{F13C1FC5-F023-4965-BF45-96560027950E}.exe
PID 2972 wrote to memory of 4988	2972	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe	{F13C1FC5-F023-4965-BF45-96560027950E}.exe
PID 2972 wrote to memory of 1856	2972	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe	cmd.exe
PID 2972 wrote to memory of 1856	2972	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe	cmd.exe
PID 2972 wrote to memory of 1856	2972	{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe	cmd.exe
PID 4988 wrote to memory of 3856	4988	{F13C1FC5-F023-4965-BF45-96560027950E}.exe	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe
PID 4988 wrote to memory of 3856	4988	{F13C1FC5-F023-4965-BF45-96560027950E}.exe	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe
PID 4988 wrote to memory of 3856	4988	{F13C1FC5-F023-4965-BF45-96560027950E}.exe	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe
PID 4988 wrote to memory of 1488	4988	{F13C1FC5-F023-4965-BF45-96560027950E}.exe	cmd.exe
PID 4988 wrote to memory of 1488	4988	{F13C1FC5-F023-4965-BF45-96560027950E}.exe	cmd.exe
PID 4988 wrote to memory of 1488	4988	{F13C1FC5-F023-4965-BF45-96560027950E}.exe	cmd.exe
PID 3856 wrote to memory of 3792	3856	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe	{93744AD3-2C29-4d13-99EE-E4AC0D735F2D}.exe
PID 3856 wrote to memory of 3792	3856	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe	{93744AD3-2C29-4d13-99EE-E4AC0D735F2D}.exe
PID 3856 wrote to memory of 3792	3856	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe	{93744AD3-2C29-4d13-99EE-E4AC0D735F2D}.exe
PID 3856 wrote to memory of 1188	3856	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe	cmd.exe
PID 3856 wrote to memory of 1188	3856	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe	cmd.exe
PID 3856 wrote to memory of 1188	3856	{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\32f9f7cfa36f841964a45beae23d792ad070780bf80bdd33630772e79b03ebc6_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe
C:\Windows\{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe
2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe
C:\Windows\{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe
C:\Windows\{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe
4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe
C:\Windows\{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe
5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\{816F32C7-421D-48e8-9039-1B509B038B40}.exe
C:\Windows\{816F32C7-421D-48e8-9039-1B509B038B40}.exe
6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe
C:\Windows\{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe
7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe
C:\Windows\{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe
8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\{F13C1FC5-F023-4965-BF45-96560027950E}.exe
C:\Windows\{F13C1FC5-F023-4965-BF45-96560027950E}.exe
9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe
C:\Windows\{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe
10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\{93744AD3-2C29-4d13-99EE-E4AC0D735F2D}.exe
C:\Windows\{93744AD3-2C29-4d13-99EE-E4AC0D735F2D}.exe
11⤵
- Executes dropped EXE
PID:3792

C:\Windows\{628F392F-33E6-493b-8B33-C41BC113CD88}.exe
C:\Windows\{628F392F-33E6-493b-8B33-C41BC113CD88}.exe
12⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{93744~1.EXE > nul
12⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2B0B0~1.EXE > nul
11⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F13C1~1.EXE > nul
10⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B5CFA~1.EXE > nul
9⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D4825~1.EXE > nul
8⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{816F3~1.EXE > nul
7⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0DA0C~1.EXE > nul
6⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E875D~1.EXE > nul
5⤵
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E85~1.EXE > nul
4⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3E09D~1.EXE > nul
3⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\32F9F7~1.EXE > nul
2⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DA0CC58-47EA-4f00-B004-273C25B14140}.exe
Filesize
90KB

MD5
fbb8d8e0bf3089afbb493c72b547ab3e

SHA1
df76d7a035585b1ecf6583b7a3852adc9cd0c1ce

SHA256
4f98b5be6b9651295f15053ecd62ce0e354b968e05836551f53d7a796936f1a4

SHA512
ff4e17bce0a8af34cfdab2c2dbf94dc35ec323ecf2760cafa4d49dd4f7a6b9f34275283d6fba1111077d304c64ee21fa6527cd137ad2bbdb8ded95c1d4e0baf3

Download Submit
C:\Windows\{2B0B0387-B4AF-4a63-8302-54EDDBB19FCC}.exe
Filesize
90KB

MD5
da61053302f2be12db8433dfe4cdef08

SHA1
bb37f8a5904e181a46d1a73891fc56e49b080306

SHA256
4b52e7365a77f9f1905860f097cb964f76a2c28a5110fdd1d1b0c424ac47470d

SHA512
eab7bdbc7e40b332a379d288017eb4b4773665bf206ee038fc1e19af7df5f1413f4907724b31b5960e16278c900843e58cf8b3d33af93d80a1e75dd99e7d88b1

Download Submit
C:\Windows\{3E09DC52-4DBD-4f45-898D-A079F985943B}.exe
Filesize
90KB

MD5
38669a8b5583eefd1c093b75fc099c56

SHA1
8fb9e8f860b3f747a369dc9a877a759ac24efebb

SHA256
9b86d35145a99bcea15aee3efca0d2c5d1a4f3fcd21d0cca5e09ba851084d138

SHA512
e4155ae603dd0e57154cba0a6031f5413c0f21a79e8d2698974ad15e5b64473ebd41f64031c8e86f4790cac4e500dd34e98c1731d58669d68d9a07093aebb1ce

Download Submit
C:\Windows\{628F392F-33E6-493b-8B33-C41BC113CD88}.exe
Filesize
90KB

MD5
d942918c347f35ee09cc1c6c8c697bc1

SHA1
ecd5cdc23d6e029b860529b806cb8c4a07d9a755

SHA256
d18d05dbb049b2c783e311751800ed1d16305ef2952cab4f68fbba2bd7e283fd

SHA512
281077d1b0786b2bf9d944468477464e6891ebf7a5cc576cd2f3a81e2da22da9fbf9b16df711207b241c3245984af40cf8c03d8773afce22056052c3d3f957c7

Download Submit
C:\Windows\{816F32C7-421D-48e8-9039-1B509B038B40}.exe
Filesize
90KB

MD5
eb59905c37e910ca8f9a2be90cb3feaf

SHA1
e59729c7d7dd34e90546bf9cc9e04e1b61953e4c

SHA256
7e60cdfb3d428ba2a337caf53cf98a973a5472e327c12cca8473c562bcf1189e

SHA512
12c300e34263c4aca0940cc1c9023f1ef3d1ccbc257c86138fd8ec23f53f6f1b8f6eefcad857cded173863d010b3c3a771b06206840a6b86e3ef12d6232b6202

Download Submit
C:\Windows\{93744AD3-2C29-4d13-99EE-E4AC0D735F2D}.exe
Filesize
90KB

MD5
38c3597342eb32adb3f7e40741e5c156

SHA1
af504a466add40f0287b298da32e3c98f5321289

SHA256
0033dc6cf4b9455f8291fbcb8d0af62cd95892fcf5b618a3afa416767fca8d05

SHA512
00ea147ee69007efb2bd470377860de721794f6a6f45420c7566cb948825cbfb5a58a476977a3b7776fc7f61fcc8063d74f62b32191a78ada900221fb2fd2283

Download Submit
C:\Windows\{B5CFAFDA-088D-4493-8CB4-E1B4086D535F}.exe
Filesize
90KB

MD5
1d64567237bf0a77ec7748c389ec347a

SHA1
94887c7e7c7c69a3a1191c44c39d9e1549def541

SHA256
a6177307298210e21aa25f0a8c4acf4f534710f8e86aa052abc04c517e37f0cf

SHA512
e11aeb42c3a31da1e69dc05ce972b6dacaa6c146150cb566229cc0b59cae8a18e920ed4ca8d03e5ab2ece7fae9aa525b2a25a644ab4e704d8a5c764d118b6bf0

Download Submit
C:\Windows\{C6E858B1-13E7-45c6-807A-EC3E58586C5D}.exe
Filesize
90KB

MD5
f61c06b9278fcea8ca023bce83daa0d3

SHA1
6927698d85c257b1c99c34f12bc3832b8d047b03

SHA256
ef0c892d401dabf57235693e7a9dd90f18ffee451043d390d37313d674783b99

SHA512
8cf1f4820257159167052dc3824beda8029799a9fc53da374139a9cbeef46629a86a4b3f77ea26509fb3e4c2dc44b954b20df85e202a213f296fa9fe64ddddd9

Download Submit
C:\Windows\{D4825842-B323-4038-9030-EF37B3B2BAC2}.exe
Filesize
90KB

MD5
def6efea5aa538551eddcc5a505ad655

SHA1
d23d22909e01889ad3085d6cc4cae9ec7db01e11

SHA256
3727bfb8d19cd5ae7a4f2ca8b9c4078bf86573c265ad35fe7472e504f1022e7b

SHA512
38727ae6ddeb9a809d2da9109ac896b2776daa71f6da01871d6cefc5d9d64d21045b74b049796b3a8497504b3dfc62b14021a7cf50e195aa6f4459316a9c6bc8

Download Submit
C:\Windows\{E875D882-6F77-47c1-855B-EEBAB6EB7D53}.exe
Filesize
90KB

MD5
e7cc2bd4cc52192f3fac8d8776c47417

SHA1
ae00344530c476e10773804a165c28336e5fa6e0

SHA256
1976b4462f936fcc93b36df073cf73e54ab5c4d12e99380fd94ee81a2d97e5fb

SHA512
3efccbfbc9ee00bd585f3a5b6de1abcdf483ce0c899cd9e48333d9ad063db43f6a2fdb1f8619e094b5d079b8dd7645f2200a0b2fbb205220435a629eae2a75dd

Download Submit
C:\Windows\{F13C1FC5-F023-4965-BF45-96560027950E}.exe
Filesize
90KB

MD5
f4456df99c455bb2f5f1d4ae31ed98fc

SHA1
c5cd8e4529dad1c123c23620531930fee7a1b1a9

SHA256
674bdbff42956786e9d677d532513a3e6dfd486d9484ec8bbff8af86eeb9910b

SHA512
602dc4b5db7f0c728cef1987108107a87db454d11753703a4e5cc2fe1b3e4bfa2f4b48f517e6cf5fee36dc54c2a458dece81c1b5707e17856fb0b4de7b07f085

Download Submit