203189b420a0513926fc2871c203b8e39e0ae439fd45dbd460b2ce3617543099

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe
Size

90KB
MD5

64bab253ab95a039e7e44d52fcfb2930
SHA1

a822b7dd93a33e4c5933bc41da2ccc770709573c
SHA256

203189b420a0513926fc2871c203b8e39e0ae439fd45dbd460b2ce3617543099
SHA512

f146d108e72ac826579d001bed25b3e0477a098c26cdcbc19c6b20f12e04e833fddc16e16ce07a7b07090d7ccd78fe0a341012064698774043764af19b166eeb
SSDEEP

768:Qvw9816vhKQLro74/wQRNrfrunMxVFA3b7gl/:YEGh0o7l2unMxVS3HgR

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85F49507-C2D6-4a0a-8568-49DDEFA53800}\stubpath = "C:\\Windows\\{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe"	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{095C58BD-BAF9-4586-AED3-90E566BAB686}	{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EF62377-E32A-4d55-A91B-8A1FC0835164}\stubpath = "C:\\Windows\\{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe"	{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{880CB5FB-5270-4ae5-89A9-0C79B31DE5EC}\stubpath = "C:\\Windows\\{880CB5FB-5270-4ae5-89A9-0C79B31DE5EC}.exe"	{543DCF56-1189-4473-8F85-146C10513806}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85F49507-C2D6-4a0a-8568-49DDEFA53800}	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}\stubpath = "C:\\Windows\\{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe"	{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{891A70D6-0B77-45f6-9699-0CB643144127}\stubpath = "C:\\Windows\\{891A70D6-0B77-45f6-9699-0CB643144127}.exe"	{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{543DCF56-1189-4473-8F85-146C10513806}	{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1C3ECA7-0F1B-43a6-B7E1-A5F2D4C6D488}\stubpath = "C:\\Windows\\{F1C3ECA7-0F1B-43a6-B7E1-A5F2D4C6D488}.exe"	{880CB5FB-5270-4ae5-89A9-0C79B31DE5EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F90FDA-2A64-4c46-9A82-F2C6909E3F13}	{F1C3ECA7-0F1B-43a6-B7E1-A5F2D4C6D488}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{095C58BD-BAF9-4586-AED3-90E566BAB686}\stubpath = "C:\\Windows\\{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe"	{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EF62377-E32A-4d55-A91B-8A1FC0835164}	{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}	{891A70D6-0B77-45f6-9699-0CB643144127}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}\stubpath = "C:\\Windows\\{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe"	{891A70D6-0B77-45f6-9699-0CB643144127}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{543DCF56-1189-4473-8F85-146C10513806}\stubpath = "C:\\Windows\\{543DCF56-1189-4473-8F85-146C10513806}.exe"	{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F90FDA-2A64-4c46-9A82-F2C6909E3F13}\stubpath = "C:\\Windows\\{91F90FDA-2A64-4c46-9A82-F2C6909E3F13}.exe"	{F1C3ECA7-0F1B-43a6-B7E1-A5F2D4C6D488}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{337CB30D-67DE-402e-A0BD-BDD83B633EAC}	{91F90FDA-2A64-4c46-9A82-F2C6909E3F13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}	{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{891A70D6-0B77-45f6-9699-0CB643144127}	{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{880CB5FB-5270-4ae5-89A9-0C79B31DE5EC}	{543DCF56-1189-4473-8F85-146C10513806}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1C3ECA7-0F1B-43a6-B7E1-A5F2D4C6D488}	{880CB5FB-5270-4ae5-89A9-0C79B31DE5EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{337CB30D-67DE-402e-A0BD-BDD83B633EAC}\stubpath = "C:\\Windows\\{337CB30D-67DE-402e-A0BD-BDD83B633EAC}.exe"	{91F90FDA-2A64-4c46-9A82-F2C6909E3F13}.exe

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2480	{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe
2672	{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe
2800	{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe
2340	{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe
2828	{891A70D6-0B77-45f6-9699-0CB643144127}.exe
3020	{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe
2332	{543DCF56-1189-4473-8F85-146C10513806}.exe
1420	{880CB5FB-5270-4ae5-89A9-0C79B31DE5EC}.exe
2056	{F1C3ECA7-0F1B-43a6-B7E1-A5F2D4C6D488}.exe
2932	{91F90FDA-2A64-4c46-9A82-F2C6909E3F13}.exe
448	{337CB30D-67DE-402e-A0BD-BDD83B633EAC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe	{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe
File created	C:\Windows\{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe	{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe
File created	C:\Windows\{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe	{891A70D6-0B77-45f6-9699-0CB643144127}.exe
File created	C:\Windows\{880CB5FB-5270-4ae5-89A9-0C79B31DE5EC}.exe	{543DCF56-1189-4473-8F85-146C10513806}.exe
File created	C:\Windows\{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe
File created	C:\Windows\{891A70D6-0B77-45f6-9699-0CB643144127}.exe	{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe
File created	C:\Windows\{543DCF56-1189-4473-8F85-146C10513806}.exe	{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe
File created	C:\Windows\{F1C3ECA7-0F1B-43a6-B7E1-A5F2D4C6D488}.exe	{880CB5FB-5270-4ae5-89A9-0C79B31DE5EC}.exe
File created	C:\Windows\{91F90FDA-2A64-4c46-9A82-F2C6909E3F13}.exe	{F1C3ECA7-0F1B-43a6-B7E1-A5F2D4C6D488}.exe
File created	C:\Windows\{337CB30D-67DE-402e-A0BD-BDD83B633EAC}.exe	{91F90FDA-2A64-4c46-9A82-F2C6909E3F13}.exe
File created	C:\Windows\{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe	{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1680	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2480	{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe
Token: SeIncBasePriorityPrivilege	2672	{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe
Token: SeIncBasePriorityPrivilege	2800	{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe
Token: SeIncBasePriorityPrivilege	2340	{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe
Token: SeIncBasePriorityPrivilege	2828	{891A70D6-0B77-45f6-9699-0CB643144127}.exe
Token: SeIncBasePriorityPrivilege	3020	{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe
Token: SeIncBasePriorityPrivilege	2332	{543DCF56-1189-4473-8F85-146C10513806}.exe
Token: SeIncBasePriorityPrivilege	1420	{880CB5FB-5270-4ae5-89A9-0C79B31DE5EC}.exe
Token: SeIncBasePriorityPrivilege	2056	{F1C3ECA7-0F1B-43a6-B7E1-A5F2D4C6D488}.exe
Token: SeIncBasePriorityPrivilege	2932	{91F90FDA-2A64-4c46-9A82-F2C6909E3F13}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2480	1680	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	28
PID 1680 wrote to memory of 2480	1680	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	28
PID 1680 wrote to memory of 2480	1680	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	28
PID 1680 wrote to memory of 2480	1680	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	28
PID 1680 wrote to memory of 2808	1680	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	29
PID 1680 wrote to memory of 2808	1680	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	29
PID 1680 wrote to memory of 2808	1680	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	29
PID 1680 wrote to memory of 2808	1680	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	29
PID 2480 wrote to memory of 2672	2480	{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe	30
PID 2480 wrote to memory of 2672	2480	{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe	30
PID 2480 wrote to memory of 2672	2480	{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe	30
PID 2480 wrote to memory of 2672	2480	{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe	30
PID 2480 wrote to memory of 2644	2480	{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe	31
PID 2480 wrote to memory of 2644	2480	{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe	31
PID 2480 wrote to memory of 2644	2480	{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe	31
PID 2480 wrote to memory of 2644	2480	{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe	31
PID 2672 wrote to memory of 2800	2672	{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe	32
PID 2672 wrote to memory of 2800	2672	{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe	32
PID 2672 wrote to memory of 2800	2672	{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe	32
PID 2672 wrote to memory of 2800	2672	{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe	32
PID 2672 wrote to memory of 2748	2672	{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe	33
PID 2672 wrote to memory of 2748	2672	{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe	33
PID 2672 wrote to memory of 2748	2672	{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe	33
PID 2672 wrote to memory of 2748	2672	{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe	33
PID 2800 wrote to memory of 2340	2800	{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe	36
PID 2800 wrote to memory of 2340	2800	{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe	36
PID 2800 wrote to memory of 2340	2800	{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe	36
PID 2800 wrote to memory of 2340	2800	{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe	36
PID 2800 wrote to memory of 1840	2800	{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe	37
PID 2800 wrote to memory of 1840	2800	{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe	37
PID 2800 wrote to memory of 1840	2800	{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe	37
PID 2800 wrote to memory of 1840	2800	{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe	37
PID 2340 wrote to memory of 2828	2340	{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe	38
PID 2340 wrote to memory of 2828	2340	{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe	38
PID 2340 wrote to memory of 2828	2340	{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe	38
PID 2340 wrote to memory of 2828	2340	{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe	38
PID 2340 wrote to memory of 2696	2340	{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe	39
PID 2340 wrote to memory of 2696	2340	{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe	39
PID 2340 wrote to memory of 2696	2340	{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe	39
PID 2340 wrote to memory of 2696	2340	{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe	39
PID 2828 wrote to memory of 3020	2828	{891A70D6-0B77-45f6-9699-0CB643144127}.exe	40
PID 2828 wrote to memory of 3020	2828	{891A70D6-0B77-45f6-9699-0CB643144127}.exe	40
PID 2828 wrote to memory of 3020	2828	{891A70D6-0B77-45f6-9699-0CB643144127}.exe	40
PID 2828 wrote to memory of 3020	2828	{891A70D6-0B77-45f6-9699-0CB643144127}.exe	40
PID 2828 wrote to memory of 1808	2828	{891A70D6-0B77-45f6-9699-0CB643144127}.exe	41
PID 2828 wrote to memory of 1808	2828	{891A70D6-0B77-45f6-9699-0CB643144127}.exe	41
PID 2828 wrote to memory of 1808	2828	{891A70D6-0B77-45f6-9699-0CB643144127}.exe	41
PID 2828 wrote to memory of 1808	2828	{891A70D6-0B77-45f6-9699-0CB643144127}.exe	41
PID 3020 wrote to memory of 2332	3020	{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe	42
PID 3020 wrote to memory of 2332	3020	{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe	42
PID 3020 wrote to memory of 2332	3020	{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe	42
PID 3020 wrote to memory of 2332	3020	{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe	42
PID 3020 wrote to memory of 1660	3020	{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe	43
PID 3020 wrote to memory of 1660	3020	{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe	43
PID 3020 wrote to memory of 1660	3020	{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe	43
PID 3020 wrote to memory of 1660	3020	{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe	43
PID 2332 wrote to memory of 1420	2332	{543DCF56-1189-4473-8F85-146C10513806}.exe	44
PID 2332 wrote to memory of 1420	2332	{543DCF56-1189-4473-8F85-146C10513806}.exe	44
PID 2332 wrote to memory of 1420	2332	{543DCF56-1189-4473-8F85-146C10513806}.exe	44
PID 2332 wrote to memory of 1420	2332	{543DCF56-1189-4473-8F85-146C10513806}.exe	44
PID 2332 wrote to memory of 1860	2332	{543DCF56-1189-4473-8F85-146C10513806}.exe	45
PID 2332 wrote to memory of 1860	2332	{543DCF56-1189-4473-8F85-146C10513806}.exe	45
PID 2332 wrote to memory of 1860	2332	{543DCF56-1189-4473-8F85-146C10513806}.exe	45
PID 2332 wrote to memory of 1860	2332	{543DCF56-1189-4473-8F85-146C10513806}.exe	45

C:\Users\Admin\AppData\Local\Temp\64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe
  C:\Windows\{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe
    C:\Windows\{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe
      C:\Windows\{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe
        
        C:\Windows\{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\{891A70D6-0B77-45f6-9699-0CB643144127}.exe
        
        C:\Windows\{891A70D6-0B77-45f6-9699-0CB643144127}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe
        
        C:\Windows\{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\{543DCF56-1189-4473-8F85-146C10513806}.exe
        
        C:\Windows\{543DCF56-1189-4473-8F85-146C10513806}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{880CB5FB-5270-4ae5-89A9-0C79B31DE5EC}.exe
        
        C:\Windows\{880CB5FB-5270-4ae5-89A9-0C79B31DE5EC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\{F1C3ECA7-0F1B-43a6-B7E1-A5F2D4C6D488}.exe
        
        C:\Windows\{F1C3ECA7-0F1B-43a6-B7E1-A5F2D4C6D488}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\{91F90FDA-2A64-4c46-9A82-F2C6909E3F13}.exe
        
        C:\Windows\{91F90FDA-2A64-4c46-9A82-F2C6909E3F13}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\{337CB30D-67DE-402e-A0BD-BDD83B633EAC}.exe
        
        C:\Windows\{337CB30D-67DE-402e-A0BD-BDD83B633EAC}.exe
        12⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91F90~1.EXE > nul
        12⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1C3E~1.EXE > nul
        11⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{880CB~1.EXE > nul
        10⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{543DC~1.EXE > nul
        9⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCDE2~1.EXE > nul
        8⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{891A7~1.EXE > nul
        7⤵
        
        PID:1808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EF62~1.EXE > nul
        6⤵
        
        PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{715BE~1.EXE > nul
        5⤵
        
        PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{095C5~1.EXE > nul
      4⤵
      PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{85F49~1.EXE > nul
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\64BAB2~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{095C58BD-BAF9-4586-AED3-90E566BAB686}.exe

Filesize
90KB

MD5
fc63d9b550d0f424a99abb548bd2bf1b

SHA1
43577118cca99205db7b1d80bf24c7975a5086ed

SHA256
fb22f6252c92751fdb6a72881eb71e9bfb942a7717bb7a4b2be6dd69a6a16717

SHA512
07798b012f9695dd64436d295cb4744d31c27a74d803fdad6c847f8dd1be09a8ca9049c837338a552b57f36f8ace04b9a4d6c7a46328ca20c0d86d52022018d5

Download Submit
C:\Windows\{337CB30D-67DE-402e-A0BD-BDD83B633EAC}.exe

Filesize
90KB

MD5
681e6c48a74116e589e839c9cf396110

SHA1
d4060cb71340bff90a508239aaf8faa36eaabb7e

SHA256
c45c566e57c99a942b34f0e9c0c9da45796f3f8bfd4ca60a150862151cd21608

SHA512
92c45977073a10d5f130d61ea0eea5a7a9f2f8a0934bd4ebaeb227e51cfa0fb7e22d91f0d14e06db5874559a8250ea38bc8f7e0f35de3e4cc1bfee385470482f

Download Submit
C:\Windows\{543DCF56-1189-4473-8F85-146C10513806}.exe

Filesize
90KB

MD5
20ba9d73d5a5c122f44fe04d938fe658

SHA1
fe9e445c4a57470a590294f4c13c5765557f0a23

SHA256
9103a89c2b61ab093b236f7a1ccaf8048622faac22640bc855338fc72a33081d

SHA512
b0b049b52ee769a68ae5d37113d2954d8da32afc5109d43ebc3f294cdf14785c21564be338db0b156f2576867a332ddd2338db8c29621e1e311ce4b0fb445170

Download Submit
C:\Windows\{715BE8A7-ECB5-4bbd-8B6A-4F29CE264258}.exe

Filesize
90KB

MD5
66e226dc0f5d136c4218a9e852c54022

SHA1
4c36a3baa1fe400bd9fbbede596bc9819b016ce8

SHA256
ad7dbed176e92e6f39731d16ac31b554a1388c125c30b16a67cb19d99985e68c

SHA512
d6e4d6aed479839ec1cfad7d4e8d17247639c31e6848ab31fd3556105b785f41e0affc7ba0ea12befe1b82b1180b08ce4da92650880eb2ee7cc5a92dfbe02616

Download Submit
C:\Windows\{7EF62377-E32A-4d55-A91B-8A1FC0835164}.exe

Filesize
90KB

MD5
9c43f369414775d94371f48e957bd6d3

SHA1
506128f30f3944be9f64385c3628771120e6df50

SHA256
7546fe96192fd4ba117f132d4ad10fc06e388ead1126cba0f08109667b05d39f

SHA512
146b92fa47752d28dc09be201650a5f194c1e70a089a3cf1ce7a3c43d599184adfc318de0798933d19a5bfecbd5b1e6e2e90e6d259bfaef5ea68fa007e9956fa

Download Submit
C:\Windows\{85F49507-C2D6-4a0a-8568-49DDEFA53800}.exe

Filesize
90KB

MD5
f4684f9c18075c24c8fb5e5e2e205b1e

SHA1
177d3bcbc0762203b606683f57d40f5bc3a28366

SHA256
aaaaf68c26664cdfda249c085739f341a94145cbc22c5708a204f9e35dfd505f

SHA512
9f2d57763f5da26938a68ccb18500c10af769b0fb829c55039492c3a2ff31343bb587d1ce45d32c4d4b096d75f95d16fbb35194628d2f47e2b2fe2edac9fc450

Download Submit
C:\Windows\{880CB5FB-5270-4ae5-89A9-0C79B31DE5EC}.exe

Filesize
90KB

MD5
7f16a4645c83654a0a9390d535837227

SHA1
7b4161584dfdb1a611379b401a3e41b9829bf5ba

SHA256
0557dafabbc53706c704c7605a7e7b4c5352b98a0209ec3065f6961b4194f50c

SHA512
6bdac59faa94d92dfff6fd24e86ca807d7da02fbcba33e1344f9b2e7600198c9f79194783676cf4cb789e3edaf7e90f6c5f5c0ffa095c9ab0ff02cf29a5eb57a

Download Submit
C:\Windows\{891A70D6-0B77-45f6-9699-0CB643144127}.exe

Filesize
90KB

MD5
caca5370397e57e1b4c1cc5b64de4234

SHA1
cc2150ec9bed8ba5a2e3f7d2b8013a123b57378b

SHA256
0467b243fbec5e0acbef531be4ed1ee98e215286b8ae65a74bced8fbb02c8533

SHA512
37a122e8e6b41ca8a2e9487aad0b3ea7b1b8db614f746cdf8644f71d763be68c423419b33994dc12b7a4743273c09569e8830574811a65d4b7165e76aa360798

Download Submit
C:\Windows\{91F90FDA-2A64-4c46-9A82-F2C6909E3F13}.exe

Filesize
90KB

MD5
94be58ff4f7ff01370e1aa55f6591e4d

SHA1
1022b4205d6690f551299b4e7211706ec2f4e2eb

SHA256
3951008f61c01ef9356c7cf9dc6075c8d172d485ec731d8cf8491398faff318f

SHA512
05c1db058bed56a73e3cc17813a241700b93c04d1264a30cf67b620534660c3bad3a776d2be5aa127efc5d0fe57e5b9f64d8f3ae6e1c1488df3a73682622509f

Download Submit
C:\Windows\{BCDE2F9B-E53B-4d8e-8AE3-E8EC290D6740}.exe

Filesize
90KB

MD5
f605b84fe8a1a46aaf02e413a01e2656

SHA1
7ec35bedf442b9c985be8e732417ac087aac7119

SHA256
0318378fc8b5a0efc86e74749e37edb42f0a37959383e91a9bf0cd776bbba788

SHA512
d6dac7cf988453a982eb8f0b1e61f02f4dc82939db85b434fb359b817526ed08545c49b85368371edce0ce9dc24e8c45dc5e41aaae0910bcce909f46d1efc77d

Download Submit
C:\Windows\{F1C3ECA7-0F1B-43a6-B7E1-A5F2D4C6D488}.exe

Filesize
90KB

MD5
6ee558bfe46436bdfce37d760e43ca3d

SHA1
d421ee4c7f54fe8dab66a48cc04885d0a0618091

SHA256
33450ebde20a760f157ffd6ae2012fc755a7c5124e2ab1a68dac20d536daf985

SHA512
3473489b55c2d11f4d7a99ff9ccf9f78cc2ea9f18db956614406adcb101bbe37c15a8f6f3b7e15e9334bc62a19bc5451d6fddc8d441234a28b0dbdbd1c70f4fe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads