72e6a762621c3c0ffd76007c3573685cb17af210df4644b9e0b8d5aa6e16dbeb

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d366a12b7833232a80e992152414040_NeikiAnalytics.exe
Size

80KB
MD5

5d366a12b7833232a80e992152414040
SHA1

f4b7865c462f14619fcddcc946a4a0e80b436ab6
SHA256

72e6a762621c3c0ffd76007c3573685cb17af210df4644b9e0b8d5aa6e16dbeb
SHA512

a28e048239d2690e3f772a92937a3403b32fad2480a143d869f583d50c67568820ccbdbf4ef714202b3718eb591515113b8b0250472187be61989a305457a6f4
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroH4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOV:vvw9816vhKQLroH4/wQRNrfrunMxVFAi

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FDF4D04-CFFF-4c51-A018-B65271588971}	{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}\stubpath = "C:\\Windows\\{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe"	{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4820A49B-8C21-4d1e-A50C-1F6F98A7E1CA}\stubpath = "C:\\Windows\\{4820A49B-8C21-4d1e-A50C-1F6F98A7E1CA}.exe"	{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}	{65372EE6-6D48-467b-9671-1843136244A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}\stubpath = "C:\\Windows\\{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe"	{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}\stubpath = "C:\\Windows\\{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe"	{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE6F8FED-4E40-485b-A317-D244D6599131}	{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE6F8FED-4E40-485b-A317-D244D6599131}\stubpath = "C:\\Windows\\{BE6F8FED-4E40-485b-A317-D244D6599131}.exe"	{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2FCA46B-AF99-4585-857C-55D6046DD6AF}	{4820A49B-8C21-4d1e-A50C-1F6F98A7E1CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2FCA46B-AF99-4585-857C-55D6046DD6AF}\stubpath = "C:\\Windows\\{D2FCA46B-AF99-4585-857C-55D6046DD6AF}.exe"	{4820A49B-8C21-4d1e-A50C-1F6F98A7E1CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65372EE6-6D48-467b-9671-1843136244A8}\stubpath = "C:\\Windows\\{65372EE6-6D48-467b-9671-1843136244A8}.exe"	5d366a12b7833232a80e992152414040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{468CE365-76C7-48c7-AA8A-6C32B8F7979A}	{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D98CC70-9D6F-46da-87F0-3C0647F2E200}\stubpath = "C:\\Windows\\{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe"	{BE6F8FED-4E40-485b-A317-D244D6599131}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}\stubpath = "C:\\Windows\\{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe"	{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4820A49B-8C21-4d1e-A50C-1F6F98A7E1CA}	{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{468CE365-76C7-48c7-AA8A-6C32B8F7979A}\stubpath = "C:\\Windows\\{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe"	{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}	{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D98CC70-9D6F-46da-87F0-3C0647F2E200}	{BE6F8FED-4E40-485b-A317-D244D6599131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}	{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FDF4D04-CFFF-4c51-A018-B65271588971}\stubpath = "C:\\Windows\\{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe"	{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65372EE6-6D48-467b-9671-1843136244A8}	5d366a12b7833232a80e992152414040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}\stubpath = "C:\\Windows\\{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe"	{65372EE6-6D48-467b-9671-1843136244A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}	{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}	{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe

Executes dropped EXE 12 IoCs

pid	Process
1568	{65372EE6-6D48-467b-9671-1843136244A8}.exe
3212	{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe
4880	{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe
1564	{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe
4056	{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe
5012	{BE6F8FED-4E40-485b-A317-D244D6599131}.exe
912	{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe
1252	{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe
948	{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe
1320	{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe
380	{4820A49B-8C21-4d1e-A50C-1F6F98A7E1CA}.exe
1388	{D2FCA46B-AF99-4585-857C-55D6046DD6AF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BE6F8FED-4E40-485b-A317-D244D6599131}.exe	{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe
File created	C:\Windows\{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe	{BE6F8FED-4E40-485b-A317-D244D6599131}.exe
File created	C:\Windows\{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe	{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe
File created	C:\Windows\{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe	{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe
File created	C:\Windows\{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe	{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe
File created	C:\Windows\{D2FCA46B-AF99-4585-857C-55D6046DD6AF}.exe	{4820A49B-8C21-4d1e-A50C-1F6F98A7E1CA}.exe
File created	C:\Windows\{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe	{65372EE6-6D48-467b-9671-1843136244A8}.exe
File created	C:\Windows\{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe	{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe
File created	C:\Windows\{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe	{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe
File created	C:\Windows\{4820A49B-8C21-4d1e-A50C-1F6F98A7E1CA}.exe	{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe
File created	C:\Windows\{65372EE6-6D48-467b-9671-1843136244A8}.exe	5d366a12b7833232a80e992152414040_NeikiAnalytics.exe
File created	C:\Windows\{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe	{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2620	5d366a12b7833232a80e992152414040_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1568	{65372EE6-6D48-467b-9671-1843136244A8}.exe
Token: SeIncBasePriorityPrivilege	3212	{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe
Token: SeIncBasePriorityPrivilege	4880	{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe
Token: SeIncBasePriorityPrivilege	1564	{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe
Token: SeIncBasePriorityPrivilege	4056	{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe
Token: SeIncBasePriorityPrivilege	5012	{BE6F8FED-4E40-485b-A317-D244D6599131}.exe
Token: SeIncBasePriorityPrivilege	912	{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe
Token: SeIncBasePriorityPrivilege	1252	{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe
Token: SeIncBasePriorityPrivilege	948	{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe
Token: SeIncBasePriorityPrivilege	1320	{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe
Token: SeIncBasePriorityPrivilege	380	{4820A49B-8C21-4d1e-A50C-1F6F98A7E1CA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 1568	2620	5d366a12b7833232a80e992152414040_NeikiAnalytics.exe	95
PID 2620 wrote to memory of 1568	2620	5d366a12b7833232a80e992152414040_NeikiAnalytics.exe	95
PID 2620 wrote to memory of 1568	2620	5d366a12b7833232a80e992152414040_NeikiAnalytics.exe	95
PID 2620 wrote to memory of 756	2620	5d366a12b7833232a80e992152414040_NeikiAnalytics.exe	96
PID 2620 wrote to memory of 756	2620	5d366a12b7833232a80e992152414040_NeikiAnalytics.exe	96
PID 2620 wrote to memory of 756	2620	5d366a12b7833232a80e992152414040_NeikiAnalytics.exe	96
PID 1568 wrote to memory of 3212	1568	{65372EE6-6D48-467b-9671-1843136244A8}.exe	97
PID 1568 wrote to memory of 3212	1568	{65372EE6-6D48-467b-9671-1843136244A8}.exe	97
PID 1568 wrote to memory of 3212	1568	{65372EE6-6D48-467b-9671-1843136244A8}.exe	97
PID 1568 wrote to memory of 2468	1568	{65372EE6-6D48-467b-9671-1843136244A8}.exe	98
PID 1568 wrote to memory of 2468	1568	{65372EE6-6D48-467b-9671-1843136244A8}.exe	98
PID 1568 wrote to memory of 2468	1568	{65372EE6-6D48-467b-9671-1843136244A8}.exe	98
PID 3212 wrote to memory of 4880	3212	{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe	101
PID 3212 wrote to memory of 4880	3212	{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe	101
PID 3212 wrote to memory of 4880	3212	{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe	101
PID 3212 wrote to memory of 1572	3212	{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe	102
PID 3212 wrote to memory of 1572	3212	{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe	102
PID 3212 wrote to memory of 1572	3212	{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe	102
PID 4880 wrote to memory of 1564	4880	{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe	103
PID 4880 wrote to memory of 1564	4880	{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe	103
PID 4880 wrote to memory of 1564	4880	{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe	103
PID 4880 wrote to memory of 4652	4880	{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe	104
PID 4880 wrote to memory of 4652	4880	{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe	104
PID 4880 wrote to memory of 4652	4880	{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe	104
PID 1564 wrote to memory of 4056	1564	{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe	105
PID 1564 wrote to memory of 4056	1564	{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe	105
PID 1564 wrote to memory of 4056	1564	{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe	105
PID 1564 wrote to memory of 1912	1564	{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe	106
PID 1564 wrote to memory of 1912	1564	{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe	106
PID 1564 wrote to memory of 1912	1564	{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe	106
PID 4056 wrote to memory of 5012	4056	{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe	108
PID 4056 wrote to memory of 5012	4056	{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe	108
PID 4056 wrote to memory of 5012	4056	{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe	108
PID 4056 wrote to memory of 1380	4056	{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe	109
PID 4056 wrote to memory of 1380	4056	{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe	109
PID 4056 wrote to memory of 1380	4056	{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe	109
PID 5012 wrote to memory of 912	5012	{BE6F8FED-4E40-485b-A317-D244D6599131}.exe	110
PID 5012 wrote to memory of 912	5012	{BE6F8FED-4E40-485b-A317-D244D6599131}.exe	110
PID 5012 wrote to memory of 912	5012	{BE6F8FED-4E40-485b-A317-D244D6599131}.exe	110
PID 5012 wrote to memory of 4044	5012	{BE6F8FED-4E40-485b-A317-D244D6599131}.exe	111
PID 5012 wrote to memory of 4044	5012	{BE6F8FED-4E40-485b-A317-D244D6599131}.exe	111
PID 5012 wrote to memory of 4044	5012	{BE6F8FED-4E40-485b-A317-D244D6599131}.exe	111
PID 912 wrote to memory of 1252	912	{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe	113
PID 912 wrote to memory of 1252	912	{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe	113
PID 912 wrote to memory of 1252	912	{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe	113
PID 912 wrote to memory of 2016	912	{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe	114
PID 912 wrote to memory of 2016	912	{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe	114
PID 912 wrote to memory of 2016	912	{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe	114
PID 1252 wrote to memory of 948	1252	{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe	120
PID 1252 wrote to memory of 948	1252	{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe	120
PID 1252 wrote to memory of 948	1252	{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe	120
PID 1252 wrote to memory of 1572	1252	{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe	121
PID 1252 wrote to memory of 1572	1252	{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe	121
PID 1252 wrote to memory of 1572	1252	{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe	121
PID 948 wrote to memory of 1320	948	{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe	122
PID 948 wrote to memory of 1320	948	{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe	122
PID 948 wrote to memory of 1320	948	{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe	122
PID 948 wrote to memory of 4828	948	{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe	123
PID 948 wrote to memory of 4828	948	{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe	123
PID 948 wrote to memory of 4828	948	{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe	123
PID 1320 wrote to memory of 380	1320	{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe	124
PID 1320 wrote to memory of 380	1320	{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe	124
PID 1320 wrote to memory of 380	1320	{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe	124
PID 1320 wrote to memory of 1060	1320	{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe	125

C:\Users\Admin\AppData\Local\Temp\5d366a12b7833232a80e992152414040_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d366a12b7833232a80e992152414040_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\{65372EE6-6D48-467b-9671-1843136244A8}.exe
  C:\Windows\{65372EE6-6D48-467b-9671-1843136244A8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe
    C:\Windows\{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Windows\{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe
      C:\Windows\{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Windows\{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe
        
        C:\Windows\{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
      - C:\Windows\{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe
        
        C:\Windows\{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\{BE6F8FED-4E40-485b-A317-D244D6599131}.exe
        
        C:\Windows\{BE6F8FED-4E40-485b-A317-D244D6599131}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe
        
        C:\Windows\{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe
        
        C:\Windows\{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe
        
        C:\Windows\{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe
        
        C:\Windows\{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\{4820A49B-8C21-4d1e-A50C-1F6F98A7E1CA}.exe
        
        C:\Windows\{4820A49B-8C21-4d1e-A50C-1F6F98A7E1CA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\{D2FCA46B-AF99-4585-857C-55D6046DD6AF}.exe
        
        C:\Windows\{D2FCA46B-AF99-4585-857C-55D6046DD6AF}.exe
        13⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4820A~1.EXE > nul
        13⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7935~1.EXE > nul
        12⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FDF4~1.EXE > nul
        11⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6F25~1.EXE > nul
        10⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D98C~1.EXE > nul
        9⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE6F8~1.EXE > nul
        8⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6A71~1.EXE > nul
        7⤵
        
        PID:1380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{468CE~1.EXE > nul
        6⤵
        
        PID:1912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AE54~1.EXE > nul
        5⤵
        
        PID:4652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3A34D~1.EXE > nul
      4⤵
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{65372~1.EXE > nul
    3⤵
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5D366A~1.EXE > nul
  2⤵
  PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AE54C7A-C6EC-43cf-A770-387BA1B270DC}.exe

Filesize
80KB

MD5
43bbe83fb4a571142d71ff9e3e1a6eba

SHA1
a835bc8fbd3ab5bb3facc0dda2ae6de071a80b42

SHA256
98b484e243065caea68a0e58f0b002455bb592a2aca1862e5bac4f97c17153b3

SHA512
4f76ec6eac9515196ce034a4bd9cb815b69068c6ac13211007a990708964eabf5144d630897bc51b333801d70bd31f6f4441b1dadff811fab9dc14210df10a53

Download Submit
C:\Windows\{3A34D2D3-885D-48e6-9F13-D69AFB4E3547}.exe

Filesize
80KB

MD5
cfa61d0aaf89601d96fd580b436e3024

SHA1
3f36c7e1035b514a0c02a404e6235a28013e1906

SHA256
807342d7a536edc4a957e305ae7062f7ffdb16231484401cfd8ffe6b8625e5a6

SHA512
7ae743ff848ea4d39f3cce1849add34be23571bc0d06263205412b7a04379e295afd59ae23679be937af3cc85750e1087d4096ffcb5bd054f5a6d4bb40556e22

Download Submit
C:\Windows\{468CE365-76C7-48c7-AA8A-6C32B8F7979A}.exe

Filesize
80KB

MD5
0fbcc65d526db748628f1024d8135fef

SHA1
ce1f6f36080763c5dff0cc6ef38c5b279bbe923f

SHA256
91e6a76bf550971a4ed3c33ea284632897b7334a0f139576dc42a4c1b1ad8446

SHA512
de3013fe8549e279a16f79d3072fd90a61faa3143e2d6725e2ec1b0b93d041b518c184cd76f498a1c3147c94fa7b9eba71be18d64acc0db93987e88e59449afd

Download Submit
C:\Windows\{4820A49B-8C21-4d1e-A50C-1F6F98A7E1CA}.exe

Filesize
80KB

MD5
9503b5ff493d0dd378447ea4169b6a42

SHA1
d0bbfecc50f60a42d952193824bee58bb941b8b2

SHA256
5a837183cde3200cd04da2910bf0bf79a56ff4f57e02368195513f31d3b90689

SHA512
2080efad7fb549c69dc137e18725bddb5cd2886d26a3168c1630c4c46219186a7ad215299b41ba18efc7b9f48cfcdd2681959b3852abaa2c2c2175d3ce4741fa

Download Submit
C:\Windows\{4FDF4D04-CFFF-4c51-A018-B65271588971}.exe

Filesize
80KB

MD5
52e729ac60d64c11d28aa72094dc8a28

SHA1
67f76e1ffa1f4ae04c9a456a875891785faebf1b

SHA256
a04d020da43edb9c80cc89fc67e6946ce95665d07ae7de44cd50ab8b99b22eff

SHA512
607a60ed43772c12d3277affc4fc3efa725a2996c8c80605b2534a4d4866e140ef43fbe27693b334e6cb46cab0cb6d68a6db6e18242ecaaf6636f3b0e24c823d

Download Submit
C:\Windows\{65372EE6-6D48-467b-9671-1843136244A8}.exe

Filesize
80KB

MD5
f2296e1d868f43782f20d6510156d5bd

SHA1
1f261197b80d7a6f76deb06de87238dbd5c58b37

SHA256
be3ca43db70dfd6e4b04b7adc744a8be680c69ec2b794bc0ab6cfab6b6e17a26

SHA512
10be2e39f69f4092c7cf51f83ac0bbdc8f668ffc24e66a027d969c66102f039b141cf0e8091a0008ef0428bff1bd027edf27c77c468f8599bd2f5ce68ccf5a88

Download Submit
C:\Windows\{7D98CC70-9D6F-46da-87F0-3C0647F2E200}.exe

Filesize
80KB

MD5
064ee409caf22b3eaf0c906b050b033b

SHA1
8a3f24b94585e0119161b57f307f024dd1fc2461

SHA256
d7557fc5a1fe6f3cdf0d19e65830db6038d3fb03581fa1d75ceb8e90e963a0ab

SHA512
fd33cfc2addd13a5020c45fdd41fed5cb8be87881651b9ca760cd51e6880a5eabdc135187560db170359d0d54343a725ee6bca00bc0f6ef3762e3082f3fbb7ac

Download Submit
C:\Windows\{B6A71BBC-E276-4fe5-89E9-F50550BDDD3D}.exe

Filesize
80KB

MD5
acc00fbe1dd6c02f51dd144b9d88e459

SHA1
77e25ea0ead7ea67aac1d7bd4b10e595e4640bd1

SHA256
ef255b1b4a508929eb73cfc89d0f30ef7a99554049c63a6df394401a324ee867

SHA512
f462472c7dcf39ab45daf0e681582c532f848af1650547e7f2cb6636748924db3d85a4760e52ba25aee8b0f02ababea76f7d2c248facd804c3b396dbfc265b27

Download Submit
C:\Windows\{B6F25D19-5991-4c5e-A4F9-57A94AAF87C1}.exe

Filesize
80KB

MD5
64693ea7281cb6c708912157d75cb5e2

SHA1
0880ac5a2e0b95bbbe4fca9d83b8f60a51dfa114

SHA256
1d97b68cb2e7b028b0ac1e00db4a0593a40d616f70ba39cd73a6fc76222643eb

SHA512
aec6addd23dde464950179df9352c5bc317df4eb0f34616c7a9f1c50054bd4b66b658a53072782bd2428c6870bf2dcd2b3b03a028ed3aa3d4e275ebc4dc49e61

Download Submit
C:\Windows\{BE6F8FED-4E40-485b-A317-D244D6599131}.exe

Filesize
80KB

MD5
328005053d397e2816341502d2dafc42

SHA1
66f26c7630285ac29454c8d0bc4463114416f23f

SHA256
af534c8cd8de5c5d6a8b40853969e6492f26309b660fce77277c6e2190eb1fdb

SHA512
85b3dbdfa8032ec4f92b4815bff5b4b63400b01db0f7e0336dfbe02d582e58b2ec2c7a5e9ebb3ffd946205ca028dfccc264a1bac42022bbf3654d27cd3c1a3ef

Download Submit
C:\Windows\{D2FCA46B-AF99-4585-857C-55D6046DD6AF}.exe

Filesize
80KB

MD5
78813826b37499dbbf4d0d23d11820f8

SHA1
71bb33247de02a7b51852165923eee1595d2c2ac

SHA256
c9b75e4177f2e0f67a087adf1eb461e26373d8c3a87b2eb9c336fe7a9d7e7390

SHA512
79cb5fb3e25954d2c58594f1b1ce74eefd1530e550f44ddccef03a3f80748061586b02c03727ea18e75b13fa6b7e06da0e961d8d0f5b9d1e099b62531eaa7a06

Download Submit
C:\Windows\{E793586F-DFA8-4de8-A3FD-2767FF65CBCA}.exe

Filesize
80KB

MD5
e4c1d9895a38cbe0dbd51fa90fc7b178

SHA1
7b07acabea35afad7d15ec3c165605327a2d7ace

SHA256
db1dbad9d37a22e491f7cf834ebc28e3640eab2162a45edccde9a6b4ce7da41c

SHA512
332e3021f5b6ce1fdb46a5024765b264122261bffe0f31a8a91d88c9368060f79f98b43503db7c3a43eaa98975774fab63aeda02eb137a81d6d32df80970a6f0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads