description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Services.url	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Services.url	Client.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe\" .."	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe\" .."	Client.exe

pid	Process
5060	schtasks.exe
3208	schtasks.exe
3420	schtasks.exe
4852	schtasks.exe
764	schtasks.exe
3920	schtasks.exe

pid	Process
1476	TASKKILL.exe
2520	TASKKILL.exe
4616	TASKKILL.exe
4188	TASKKILL.exe
368	TASKKILL.exe
3356	TASKKILL.exe

pid	Process
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe
4288	nagogy-Client.exe

description	pid	Process
Token: SeDebugPrivilege	4288	nagogy-Client.exe
Token: SeDebugPrivilege	3356	TASKKILL.exe
Token: SeDebugPrivilege	368	TASKKILL.exe
Token: SeDebugPrivilege	3252	Client.exe
Token: SeDebugPrivilege	2520	TASKKILL.exe
Token: SeDebugPrivilege	1476	TASKKILL.exe
Token: SeDebugPrivilege	4380	Client.exe
Token: SeDebugPrivilege	4188	TASKKILL.exe
Token: SeDebugPrivilege	4616	TASKKILL.exe
Token: 33	3252	Client.exe
Token: SeIncBasePriorityPrivilege	3252	Client.exe
Token: 33	3252	Client.exe
Token: SeIncBasePriorityPrivilege	3252	Client.exe
Token: 33	3252	Client.exe
Token: SeIncBasePriorityPrivilege	3252	Client.exe
Token: 33	3252	Client.exe
Token: SeIncBasePriorityPrivilege	3252	Client.exe

description	pid	Process	procid_target
PID 4288 wrote to memory of 4384	4288	nagogy-Client.exe	85
PID 4288 wrote to memory of 4384	4288	nagogy-Client.exe	85
PID 4288 wrote to memory of 4384	4288	nagogy-Client.exe	85
PID 4288 wrote to memory of 5060	4288	nagogy-Client.exe	87
PID 4288 wrote to memory of 5060	4288	nagogy-Client.exe	87
PID 4288 wrote to memory of 5060	4288	nagogy-Client.exe	87
PID 4288 wrote to memory of 368	4288	nagogy-Client.exe	89
PID 4288 wrote to memory of 368	4288	nagogy-Client.exe	89
PID 4288 wrote to memory of 368	4288	nagogy-Client.exe	89
PID 4288 wrote to memory of 3356	4288	nagogy-Client.exe	90
PID 4288 wrote to memory of 3356	4288	nagogy-Client.exe	90
PID 4288 wrote to memory of 3356	4288	nagogy-Client.exe	90
PID 4288 wrote to memory of 4876	4288	nagogy-Client.exe	99
PID 4288 wrote to memory of 4876	4288	nagogy-Client.exe	99
PID 4288 wrote to memory of 4876	4288	nagogy-Client.exe	99
PID 4288 wrote to memory of 3208	4288	nagogy-Client.exe	101
PID 4288 wrote to memory of 3208	4288	nagogy-Client.exe	101
PID 4288 wrote to memory of 3208	4288	nagogy-Client.exe	101
PID 4288 wrote to memory of 3252	4288	nagogy-Client.exe	103
PID 4288 wrote to memory of 3252	4288	nagogy-Client.exe	103
PID 4288 wrote to memory of 3252	4288	nagogy-Client.exe	103
PID 3252 wrote to memory of 700	3252	Client.exe	104
PID 3252 wrote to memory of 700	3252	Client.exe	104
PID 3252 wrote to memory of 700	3252	Client.exe	104
PID 3252 wrote to memory of 3420	3252	Client.exe	106
PID 3252 wrote to memory of 3420	3252	Client.exe	106
PID 3252 wrote to memory of 3420	3252	Client.exe	106
PID 3252 wrote to memory of 2520	3252	Client.exe	109
PID 3252 wrote to memory of 2520	3252	Client.exe	109
PID 3252 wrote to memory of 2520	3252	Client.exe	109
PID 3252 wrote to memory of 1476	3252	Client.exe	108
PID 3252 wrote to memory of 1476	3252	Client.exe	108
PID 3252 wrote to memory of 1476	3252	Client.exe	108
PID 3252 wrote to memory of 1852	3252	Client.exe	113
PID 3252 wrote to memory of 1852	3252	Client.exe	113
PID 3252 wrote to memory of 1852	3252	Client.exe	113
PID 3252 wrote to memory of 4852	3252	Client.exe	115
PID 3252 wrote to memory of 4852	3252	Client.exe	115
PID 3252 wrote to memory of 4852	3252	Client.exe	115
PID 4380 wrote to memory of 2084	4380	Client.exe	118
PID 4380 wrote to memory of 2084	4380	Client.exe	118
PID 4380 wrote to memory of 2084	4380	Client.exe	118
PID 4380 wrote to memory of 764	4380	Client.exe	120
PID 4380 wrote to memory of 764	4380	Client.exe	120
PID 4380 wrote to memory of 764	4380	Client.exe	120
PID 4380 wrote to memory of 4616	4380	Client.exe	121
PID 4380 wrote to memory of 4616	4380	Client.exe	121
PID 4380 wrote to memory of 4616	4380	Client.exe	121
PID 4380 wrote to memory of 4188	4380	Client.exe	124
PID 4380 wrote to memory of 4188	4380	Client.exe	124
PID 4380 wrote to memory of 4188	4380	Client.exe	124
PID 4380 wrote to memory of 3864	4380	Client.exe	126
PID 4380 wrote to memory of 3864	4380	Client.exe	126
PID 4380 wrote to memory of 3864	4380	Client.exe	126
PID 4380 wrote to memory of 3920	4380	Client.exe	128
PID 4380 wrote to memory of 3920	4380	Client.exe	128
PID 4380 wrote to memory of 3920	4380	Client.exe	128

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads