337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071

Analysis

max time kernel
112s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe
Size

91KB
MD5

f3384879e45ffa0dc17f2812d67a2ef0
SHA1

345338b35a7fc6383cb2055d8d325d0a9b27422a
SHA256

337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071
SHA512

24281e76667bc5960bcd9b3b1f90c34e054c606d670309023108d489c0eb56a1690904a55b9dfe016d3da0e134974f4fa24812d04ac286b435f1819870a4eb50
SSDEEP

768:5vw9816uhKirowL4/wQNNrfrunMxVFA3b7t:lEGkmowLlCunMxVS3Ht

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe{9A950F69-8525-431d-B20A-6841507AD3CF}.exe337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe{7514D008-E918-4cea-B9E9-E30721843337}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}\stubpath = "C:\\Windows\\{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe"	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}\stubpath = "C:\\Windows\\{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe"	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82B785B8-7B93-490b-9A88-980F7B950448}\stubpath = "C:\\Windows\\{82B785B8-7B93-490b-9A88-980F7B950448}.exe"	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CEEDB8A-3219-418a-B298-4ED308824BE4}	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{263C66FD-2E8D-4df0-B49F-BF100F2BC867}\stubpath = "C:\\Windows\\{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe"	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{263C66FD-2E8D-4df0-B49F-BF100F2BC867}	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7514D008-E918-4cea-B9E9-E30721843337}\stubpath = "C:\\Windows\\{7514D008-E918-4cea-B9E9-E30721843337}.exe"	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A950F69-8525-431d-B20A-6841507AD3CF}	{7514D008-E918-4cea-B9E9-E30721843337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A950F69-8525-431d-B20A-6841507AD3CF}\stubpath = "C:\\Windows\\{9A950F69-8525-431d-B20A-6841507AD3CF}.exe"	{7514D008-E918-4cea-B9E9-E30721843337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CEEDB8A-3219-418a-B298-4ED308824BE4}\stubpath = "C:\\Windows\\{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe"	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}\stubpath = "C:\\Windows\\{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe"	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82B785B8-7B93-490b-9A88-980F7B950448}	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}\stubpath = "C:\\Windows\\{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe"	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7514D008-E918-4cea-B9E9-E30721843337}	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe

Executes dropped EXE 9 IoCs

Processes:

{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe{7514D008-E918-4cea-B9E9-E30721843337}.exe{9A950F69-8525-431d-B20A-6841507AD3CF}.exe{82B785B8-7B93-490b-9A88-980F7B950448}.exe

pid	process
3176	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe
5088	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe
4444	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe
4800	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe
1032	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe
4476	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe
4804	{7514D008-E918-4cea-B9E9-E30721843337}.exe
2624	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe
220	{82B785B8-7B93-490b-9A88-980F7B950448}.exe

Drops file in Windows directory 9 IoCs

Processes:

{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe{7514D008-E918-4cea-B9E9-E30721843337}.exe337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe{9A950F69-8525-431d-B20A-6841507AD3CF}.exe

description	ioc	process
File created	C:\Windows\{7514D008-E918-4cea-B9E9-E30721843337}.exe	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe
File created	C:\Windows\{9A950F69-8525-431d-B20A-6841507AD3CF}.exe	{7514D008-E918-4cea-B9E9-E30721843337}.exe
File created	C:\Windows\{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe
File created	C:\Windows\{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe
File created	C:\Windows\{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe
File created	C:\Windows\{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe
File created	C:\Windows\{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe
File created	C:\Windows\{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe
File created	C:\Windows\{82B785B8-7B93-490b-9A88-980F7B950448}.exe	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe{7514D008-E918-4cea-B9E9-E30721843337}.exe{9A950F69-8525-431d-B20A-6841507AD3CF}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1224	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3176	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe
Token: SeIncBasePriorityPrivilege	5088	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe
Token: SeIncBasePriorityPrivilege	4444	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe
Token: SeIncBasePriorityPrivilege	4800	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe
Token: SeIncBasePriorityPrivilege	1032	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe
Token: SeIncBasePriorityPrivilege	4476	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe
Token: SeIncBasePriorityPrivilege	4804	{7514D008-E918-4cea-B9E9-E30721843337}.exe
Token: SeIncBasePriorityPrivilege	2624	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

description	pid	process	target process
PID 1224 wrote to memory of 3176	1224	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe
PID 1224 wrote to memory of 3176	1224	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe
PID 1224 wrote to memory of 3176	1224	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe
PID 1224 wrote to memory of 3520	1224	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	cmd.exe
PID 1224 wrote to memory of 3520	1224	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	cmd.exe
PID 1224 wrote to memory of 3520	1224	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	cmd.exe
PID 3176 wrote to memory of 5088	3176	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe
PID 3176 wrote to memory of 5088	3176	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe
PID 3176 wrote to memory of 5088	3176	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe
PID 3176 wrote to memory of 5072	3176	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe	cmd.exe
PID 3176 wrote to memory of 5072	3176	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe	cmd.exe
PID 3176 wrote to memory of 5072	3176	{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe	cmd.exe
PID 5088 wrote to memory of 4444	5088	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe
PID 5088 wrote to memory of 4444	5088	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe
PID 5088 wrote to memory of 4444	5088	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe
PID 5088 wrote to memory of 3764	5088	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe	cmd.exe
PID 5088 wrote to memory of 3764	5088	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe	cmd.exe
PID 5088 wrote to memory of 3764	5088	{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe	cmd.exe
PID 4444 wrote to memory of 4800	4444	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe
PID 4444 wrote to memory of 4800	4444	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe
PID 4444 wrote to memory of 4800	4444	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe
PID 4444 wrote to memory of 2464	4444	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe	cmd.exe
PID 4444 wrote to memory of 2464	4444	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe	cmd.exe
PID 4444 wrote to memory of 2464	4444	{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe	cmd.exe
PID 4800 wrote to memory of 1032	4800	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe
PID 4800 wrote to memory of 1032	4800	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe
PID 4800 wrote to memory of 1032	4800	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe
PID 4800 wrote to memory of 2220	4800	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe	cmd.exe
PID 4800 wrote to memory of 2220	4800	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe	cmd.exe
PID 4800 wrote to memory of 2220	4800	{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe	cmd.exe
PID 1032 wrote to memory of 4476	1032	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe
PID 1032 wrote to memory of 4476	1032	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe
PID 1032 wrote to memory of 4476	1032	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe
PID 1032 wrote to memory of 5100	1032	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe	cmd.exe
PID 1032 wrote to memory of 5100	1032	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe	cmd.exe
PID 1032 wrote to memory of 5100	1032	{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe	cmd.exe
PID 4476 wrote to memory of 4804	4476	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe	{7514D008-E918-4cea-B9E9-E30721843337}.exe
PID 4476 wrote to memory of 4804	4476	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe	{7514D008-E918-4cea-B9E9-E30721843337}.exe
PID 4476 wrote to memory of 4804	4476	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe	{7514D008-E918-4cea-B9E9-E30721843337}.exe
PID 4476 wrote to memory of 3640	4476	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe	cmd.exe
PID 4476 wrote to memory of 3640	4476	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe	cmd.exe
PID 4476 wrote to memory of 3640	4476	{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe	cmd.exe
PID 4804 wrote to memory of 2624	4804	{7514D008-E918-4cea-B9E9-E30721843337}.exe	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe
PID 4804 wrote to memory of 2624	4804	{7514D008-E918-4cea-B9E9-E30721843337}.exe	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe
PID 4804 wrote to memory of 2624	4804	{7514D008-E918-4cea-B9E9-E30721843337}.exe	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe
PID 4804 wrote to memory of 3348	4804	{7514D008-E918-4cea-B9E9-E30721843337}.exe	cmd.exe
PID 4804 wrote to memory of 3348	4804	{7514D008-E918-4cea-B9E9-E30721843337}.exe	cmd.exe
PID 4804 wrote to memory of 3348	4804	{7514D008-E918-4cea-B9E9-E30721843337}.exe	cmd.exe
PID 2624 wrote to memory of 220	2624	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe	{82B785B8-7B93-490b-9A88-980F7B950448}.exe
PID 2624 wrote to memory of 220	2624	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe	{82B785B8-7B93-490b-9A88-980F7B950448}.exe
PID 2624 wrote to memory of 220	2624	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe	{82B785B8-7B93-490b-9A88-980F7B950448}.exe
PID 2624 wrote to memory of 4436	2624	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe	cmd.exe
PID 2624 wrote to memory of 4436	2624	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe	cmd.exe
PID 2624 wrote to memory of 4436	2624	{9A950F69-8525-431d-B20A-6841507AD3CF}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe
C:\Windows\{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe
2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe
C:\Windows\{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe
C:\Windows\{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe
4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe
C:\Windows\{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe
5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe
C:\Windows\{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe
6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe
C:\Windows\{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe
7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\{7514D008-E918-4cea-B9E9-E30721843337}.exe
C:\Windows\{7514D008-E918-4cea-B9E9-E30721843337}.exe
8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\{9A950F69-8525-431d-B20A-6841507AD3CF}.exe
C:\Windows\{9A950F69-8525-431d-B20A-6841507AD3CF}.exe
9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\{82B785B8-7B93-490b-9A88-980F7B950448}.exe
C:\Windows\{82B785B8-7B93-490b-9A88-980F7B950448}.exe
10⤵
- Executes dropped EXE
PID:220

C:\Windows\{CFAF2CFD-748A-4f12-9EA0-D351CEBFE5CB}.exe
C:\Windows\{CFAF2CFD-748A-4f12-9EA0-D351CEBFE5CB}.exe
11⤵
PID:828

C:\Windows\{4B3096A7-759B-48ad-932C-4DCA5AEA7EE9}.exe
C:\Windows\{4B3096A7-759B-48ad-932C-4DCA5AEA7EE9}.exe
12⤵
PID:740

C:\Windows\{11F1298A-56C4-490a-BC28-62B2FAE68602}.exe
C:\Windows\{11F1298A-56C4-490a-BC28-62B2FAE68602}.exe
13⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4B309~1.EXE > nul
13⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CFAF2~1.EXE > nul
12⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{82B78~1.EXE > nul
11⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9A950~1.EXE > nul
10⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7514D~1.EXE > nul
9⤵
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7FEA4~1.EXE > nul
8⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F1ED2~1.EXE > nul
7⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{263C6~1.EXE > nul
6⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FB8AD~1.EXE > nul
5⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DC520~1.EXE > nul
4⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9CEED~1.EXE > nul
3⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\337FB0~1.EXE > nul
2⤵
PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11F1298A-56C4-490a-BC28-62B2FAE68602}.exe
Filesize
91KB

MD5
2d3f22b7c5149f2695d68ac1a70dc13d

SHA1
e0873cd64e3c6192b4b1f4f364c6bf290de5786d

SHA256
53339e6e42b7c5eb101e1e1f91f9169a449699e601be9f60a0e7a5b4481ac2f0

SHA512
e01575ebc836912017b07c6517ec4c40d0835e742b403efa1530fce33c946cd90570abcd1dfadaa4380b60885440bd6e7a938f9ac2d372a4dd5b92030749c227

Download Submit
C:\Windows\{263C66FD-2E8D-4df0-B49F-BF100F2BC867}.exe
Filesize
91KB

MD5
70588fe8b11949f4be9f8136fd6b3f9d

SHA1
d2daad30b738c45ab92fbabacffed6c44949e688

SHA256
26d540e836f35473af9d290baddd5913bddfddfb109855042dd17a550ae27069

SHA512
301eeb714ec31e498e0383d4ae4505b0df10b0d4e143626483025d36e8b1c9c4e65d3a7bfb03cf3fcbed9d1c7d18e074998340c9548bc5a85107b70f936a7ea4

Download Submit
C:\Windows\{4B3096A7-759B-48ad-932C-4DCA5AEA7EE9}.exe
Filesize
91KB

MD5
acdaa68927c4c0dfca387f79ac805aa9

SHA1
6cd5f84f1186926dc180ff15df106ba3d49381c1

SHA256
3d38627bd7fede8db698556a7f804e4d6ec33181baaec25bb2cf925bd5d8360d

SHA512
40269bede1c4865aa69dd14d574de8bec3f900fe62990a6827e60ae218ca09ca88df66b08ab6ae2f4b9fe00e5edb1c1ba6c2307d00cf1f9bab3bd1cc0905d616

Download Submit
C:\Windows\{7514D008-E918-4cea-B9E9-E30721843337}.exe
Filesize
91KB

MD5
049e16879bcfea640cff95927eccc887

SHA1
d90114f04d3a378cffd66eea5dac24f0fb185e50

SHA256
0ba08c9e309024283dbe0148e8bbd7e8860679833b3ed1b920535220e59dcb14

SHA512
5362e40e36291f1fb14ab69e77a7ddf50fbef3735d48c818416ace7f644f9b9ad13f0aa7c610963eedc63343f97dfd1bc8f6d9bb2a249394cc35d6788ed01736

Download Submit
C:\Windows\{7FEA4802-C499-46bf-8EFA-05E47BCE4D41}.exe
Filesize
91KB

MD5
6f3cfc6483b513166cf67268bea95016

SHA1
f7dd1b0ee921ff51bfc63b41022933201634d3e6

SHA256
8a73ff689988a1cd07bb0993d7510f0ce28a8af8831de61e8b3d6ef9d1d35e3b

SHA512
611e21d8f1cfd1004f69e729770d5d8b57f8499b257684b4dc77a3a6f183e3c65e5f30c8723148ec6f4c80f762e25cbaaa87d1ca5e72d1305c8315ff48bcbb20

Download Submit
C:\Windows\{82B785B8-7B93-490b-9A88-980F7B950448}.exe
Filesize
91KB

MD5
706aa49ec449639723d0bb03d8791f0b

SHA1
d058a0f18c492c65928176bdde31ffe0572fe3d5

SHA256
9e736bb1ea487c5c500c9abd963550b97b6cbc2d4c2dc5da3d72102c1dfc95a2

SHA512
59cb12380bf2f03aa2376cc4ae3738d8c5eb3f5310932a9eea8b58cd97a688cd4dbaf32e91932e3cada9f3e08fe11537faa31a6b781379f57880c45a6e6099e2

Download Submit
C:\Windows\{9A950F69-8525-431d-B20A-6841507AD3CF}.exe
Filesize
91KB

MD5
cea0fe928a1eba072fe60960e586c0bc

SHA1
451422c83131a362d9ed113e43e7cf3577457ea6

SHA256
fe83de6001d8566dc79e2d6691d6a5f1bc820719fa5b4a96706be661caff7ea8

SHA512
d81be1dfcc929bbf5703735c9ec513456e0fb1ad90b76a93819914f29ad715107fec5283a4418adec61cc7d1c48f6856e9a75b0bc382f6294d20599da79cd7a9

Download Submit
C:\Windows\{9CEEDB8A-3219-418a-B298-4ED308824BE4}.exe
Filesize
91KB

MD5
828397d3ac91ae95b33ce2fd4f4eab98

SHA1
5cd1825b84333813b7a8d2860a913ac0a12c4d34

SHA256
a35c1b77d2e4f8984583f46e1c04c9744c99f26fc232791f1d8a22253f7ec3eb

SHA512
3b4384580a67abe1daeb7a73be5dda76e2d9c9718d7793d42311e45f93f54b71a3a6825b89a351c2947343ab247002611cb43ebcb21fe348488ffdd084d93dd1

Download Submit
C:\Windows\{CFAF2CFD-748A-4f12-9EA0-D351CEBFE5CB}.exe
Filesize
91KB

MD5
32dcc0d61be3e7b84516fc6f92e4d7f4

SHA1
17363f666e04abddd955a4a67a7d8b4852175ee5

SHA256
53f00b4fedffa24253d5aff3584a9e55b1e528f4b35f817e53a90706a52f6557

SHA512
a22e62b5972c04f405ce1d63630ec1b5fdf446e5a012ee71331198222bd1deb1e593fcf493c64dc7f7f269c943fd2cf8bbfde42b8406245f5458b235b64f4504

Download Submit
C:\Windows\{DC5200AA-F331-4d4f-BA1D-FAAFC93EC0AE}.exe
Filesize
91KB

MD5
2745884e54852961a5619e1ef47370dd

SHA1
d3bedf378a506ccef453ca899c0fb79a75d788c3

SHA256
0d494e92fab455405f34bb481ef0705740b4380d4bee3fc0f535f055aadb6666

SHA512
9de52b9c82cd8d8fd40f237f6f05cd0a319c08716c0593408ce91e82ca363aedf23ae1861491f85263ce6d646970fd2f4af3cabf2b71b12b2990537ecd0a144c

Download Submit
C:\Windows\{F1ED23A4-3BAC-4453-8DFB-F70E4AD6AA48}.exe
Filesize
91KB

MD5
efde686774d6e41c1a21b07127c09419

SHA1
a9fcdd8a0a7a176fbe3a1de578c1a22b3be009d4

SHA256
4c681971631c9a5b905cf3f03875af2effd6ca5048b97d5e9bf4972b8560c054

SHA512
89cd4c6eb5c6bae43e98e9e4eafd7485a19b60bbeedd551ac4ccd88a776a6896df820cb412ea8ab087ff73a0b8638cce192b31e19fd5efdd9a0943323fd9e9a6

Download Submit
C:\Windows\{FB8ADBBD-6F83-48f6-8057-22E78FE1F57A}.exe
Filesize
91KB

MD5
7b547fc6170f8bbb41e16991f6b26b1a

SHA1
001b56d670a2f4a05c7e44ace3f30e50f0c54b7f

SHA256
96877c90e402e937c2c75059a295914b2d93cf26a4e57396b67817443d93132c

SHA512
cee4797c276c4c260e8112ad6d6b7343d84a8429c5df6630beef68072d8b26f2304ccecce77b97cb4f98541e023671e3fbca5c7af1826adc80f961d0a474e794

Download Submit
memory/220-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/740-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/740-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/828-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1032-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1032-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1224-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1224-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2516-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2624-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2624-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3176-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3176-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4444-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4444-21-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4476-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4476-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4800-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4800-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4804-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4804-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5088-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5088-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download