47f0a799d971820be72771946603ca1e87282732e38ba08452c0a984d356d973

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe
Size

116KB
MD5

8026b8038e153f514f7918d4823a59b0
SHA1

21872ffc47b71aeb03be413e6d008d925ef72e2b
SHA256

47f0a799d971820be72771946603ca1e87282732e38ba08452c0a984d356d973
SHA512

a099745034f7bfd979e6b6edf89e8de5153faa4d04554dd4f94f101c3ff11b4847f83d4728a737f566dc33ede0cd6a04c086a1933e35f4f09ed846cc4874bd65
SSDEEP

768:Qvw9816vhKQLro74/wQRNrfrunMxVFA3b7glwRjMlfwGxEI5nWAwxt6sDntNiLJN:YEGh0o7l2unMxVS3HgdoKjhLJhL

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9A3FA89-050D-47f5-BA58-7A1F8997609A}\stubpath = "C:\\Windows\\{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe"	{42A5922D-47F3-4564-81C5-285CC9A70142}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}	{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}	{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}\stubpath = "C:\\Windows\\{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe"	{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}\stubpath = "C:\\Windows\\{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe"	{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}\stubpath = "C:\\Windows\\{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe"	{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDD45101-F23E-4ddc-8B9F-22D2F2188955}\stubpath = "C:\\Windows\\{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe"	{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9A3FA89-050D-47f5-BA58-7A1F8997609A}	{42A5922D-47F3-4564-81C5-285CC9A70142}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}\stubpath = "C:\\Windows\\{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe"	{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45E3E545-EDD9-40be-924B-EC39F8A19224}\stubpath = "C:\\Windows\\{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe"	{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7809C31-8958-4d8a-85AD-6EFE03514F8E}\stubpath = "C:\\Windows\\{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe"	{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDD45101-F23E-4ddc-8B9F-22D2F2188955}	{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{793FA1EC-1822-4326-8219-5098B12C72FA}	{3B788DB9-7046-4b9f-88D5-80CC66A6FB42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42A5922D-47F3-4564-81C5-285CC9A70142}	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42A5922D-47F3-4564-81C5-285CC9A70142}\stubpath = "C:\\Windows\\{42A5922D-47F3-4564-81C5-285CC9A70142}.exe"	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}	{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}	{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}\stubpath = "C:\\Windows\\{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe"	{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45E3E545-EDD9-40be-924B-EC39F8A19224}	{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}	{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7809C31-8958-4d8a-85AD-6EFE03514F8E}	{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B788DB9-7046-4b9f-88D5-80CC66A6FB42}	{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B788DB9-7046-4b9f-88D5-80CC66A6FB42}\stubpath = "C:\\Windows\\{3B788DB9-7046-4b9f-88D5-80CC66A6FB42}.exe"	{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{793FA1EC-1822-4326-8219-5098B12C72FA}\stubpath = "C:\\Windows\\{793FA1EC-1822-4326-8219-5098B12C72FA}.exe"	{3B788DB9-7046-4b9f-88D5-80CC66A6FB42}.exe

Executes dropped EXE 12 IoCs

pid	Process
4780	{42A5922D-47F3-4564-81C5-285CC9A70142}.exe
848	{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe
4596	{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe
4428	{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe
4364	{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe
2548	{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe
4900	{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe
3528	{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe
1776	{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe
1064	{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe
4640	{3B788DB9-7046-4b9f-88D5-80CC66A6FB42}.exe
3268	{793FA1EC-1822-4326-8219-5098B12C72FA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe	{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe
File created	C:\Windows\{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe	{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe
File created	C:\Windows\{793FA1EC-1822-4326-8219-5098B12C72FA}.exe	{3B788DB9-7046-4b9f-88D5-80CC66A6FB42}.exe
File created	C:\Windows\{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe	{42A5922D-47F3-4564-81C5-285CC9A70142}.exe
File created	C:\Windows\{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe	{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe
File created	C:\Windows\{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe	{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe
File created	C:\Windows\{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe	{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe
File created	C:\Windows\{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe	{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe
File created	C:\Windows\{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe	{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe
File created	C:\Windows\{3B788DB9-7046-4b9f-88D5-80CC66A6FB42}.exe	{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe
File created	C:\Windows\{42A5922D-47F3-4564-81C5-285CC9A70142}.exe	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe
File created	C:\Windows\{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe	{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4844	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4780	{42A5922D-47F3-4564-81C5-285CC9A70142}.exe
Token: SeIncBasePriorityPrivilege	848	{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe
Token: SeIncBasePriorityPrivilege	4596	{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe
Token: SeIncBasePriorityPrivilege	4428	{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe
Token: SeIncBasePriorityPrivilege	4364	{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe
Token: SeIncBasePriorityPrivilege	2548	{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe
Token: SeIncBasePriorityPrivilege	4900	{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe
Token: SeIncBasePriorityPrivilege	3528	{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe
Token: SeIncBasePriorityPrivilege	1776	{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe
Token: SeIncBasePriorityPrivilege	1064	{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe
Token: SeIncBasePriorityPrivilege	4640	{3B788DB9-7046-4b9f-88D5-80CC66A6FB42}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4780	4844	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	92
PID 4844 wrote to memory of 4780	4844	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	92
PID 4844 wrote to memory of 4780	4844	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	92
PID 4844 wrote to memory of 4052	4844	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	93
PID 4844 wrote to memory of 4052	4844	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	93
PID 4844 wrote to memory of 4052	4844	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	93
PID 4780 wrote to memory of 848	4780	{42A5922D-47F3-4564-81C5-285CC9A70142}.exe	95
PID 4780 wrote to memory of 848	4780	{42A5922D-47F3-4564-81C5-285CC9A70142}.exe	95
PID 4780 wrote to memory of 848	4780	{42A5922D-47F3-4564-81C5-285CC9A70142}.exe	95
PID 4780 wrote to memory of 632	4780	{42A5922D-47F3-4564-81C5-285CC9A70142}.exe	96
PID 4780 wrote to memory of 632	4780	{42A5922D-47F3-4564-81C5-285CC9A70142}.exe	96
PID 4780 wrote to memory of 632	4780	{42A5922D-47F3-4564-81C5-285CC9A70142}.exe	96
PID 848 wrote to memory of 4596	848	{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe	99
PID 848 wrote to memory of 4596	848	{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe	99
PID 848 wrote to memory of 4596	848	{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe	99
PID 848 wrote to memory of 2276	848	{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe	100
PID 848 wrote to memory of 2276	848	{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe	100
PID 848 wrote to memory of 2276	848	{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe	100
PID 4596 wrote to memory of 4428	4596	{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe	101
PID 4596 wrote to memory of 4428	4596	{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe	101
PID 4596 wrote to memory of 4428	4596	{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe	101
PID 4596 wrote to memory of 4912	4596	{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe	102
PID 4596 wrote to memory of 4912	4596	{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe	102
PID 4596 wrote to memory of 4912	4596	{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe	102
PID 4428 wrote to memory of 4364	4428	{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe	103
PID 4428 wrote to memory of 4364	4428	{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe	103
PID 4428 wrote to memory of 4364	4428	{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe	103
PID 4428 wrote to memory of 2824	4428	{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe	104
PID 4428 wrote to memory of 2824	4428	{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe	104
PID 4428 wrote to memory of 2824	4428	{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe	104
PID 4364 wrote to memory of 2548	4364	{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe	106
PID 4364 wrote to memory of 2548	4364	{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe	106
PID 4364 wrote to memory of 2548	4364	{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe	106
PID 4364 wrote to memory of 820	4364	{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe	107
PID 4364 wrote to memory of 820	4364	{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe	107
PID 4364 wrote to memory of 820	4364	{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe	107
PID 2548 wrote to memory of 4900	2548	{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe	108
PID 2548 wrote to memory of 4900	2548	{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe	108
PID 2548 wrote to memory of 4900	2548	{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe	108
PID 2548 wrote to memory of 3624	2548	{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe	109
PID 2548 wrote to memory of 3624	2548	{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe	109
PID 2548 wrote to memory of 3624	2548	{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe	109
PID 4900 wrote to memory of 3528	4900	{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe	110
PID 4900 wrote to memory of 3528	4900	{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe	110
PID 4900 wrote to memory of 3528	4900	{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe	110
PID 4900 wrote to memory of 4380	4900	{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe	111
PID 4900 wrote to memory of 4380	4900	{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe	111
PID 4900 wrote to memory of 4380	4900	{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe	111
PID 3528 wrote to memory of 1776	3528	{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe	115
PID 3528 wrote to memory of 1776	3528	{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe	115
PID 3528 wrote to memory of 1776	3528	{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe	115
PID 3528 wrote to memory of 4744	3528	{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe	116
PID 3528 wrote to memory of 4744	3528	{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe	116
PID 3528 wrote to memory of 4744	3528	{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe	116
PID 1776 wrote to memory of 1064	1776	{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe	122
PID 1776 wrote to memory of 1064	1776	{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe	122
PID 1776 wrote to memory of 1064	1776	{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe	122
PID 1776 wrote to memory of 4188	1776	{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe	123
PID 1776 wrote to memory of 4188	1776	{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe	123
PID 1776 wrote to memory of 4188	1776	{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe	123
PID 1064 wrote to memory of 4640	1064	{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe	124
PID 1064 wrote to memory of 4640	1064	{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe	124
PID 1064 wrote to memory of 4640	1064	{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe	124
PID 1064 wrote to memory of 3524	1064	{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe	125

C:\Users\Admin\AppData\Local\Temp\8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\{42A5922D-47F3-4564-81C5-285CC9A70142}.exe
  C:\Windows\{42A5922D-47F3-4564-81C5-285CC9A70142}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe
    C:\Windows\{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe
      C:\Windows\{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe
        
        C:\Windows\{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Windows\{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe
        
        C:\Windows\{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe
        
        C:\Windows\{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe
        
        C:\Windows\{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe
        
        C:\Windows\{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe
        
        C:\Windows\{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe
        
        C:\Windows\{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\{3B788DB9-7046-4b9f-88D5-80CC66A6FB42}.exe
        
        C:\Windows\{3B788DB9-7046-4b9f-88D5-80CC66A6FB42}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Windows\{793FA1EC-1822-4326-8219-5098B12C72FA}.exe
        
        C:\Windows\{793FA1EC-1822-4326-8219-5098B12C72FA}.exe
        13⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B788~1.EXE > nul
        13⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDD45~1.EXE > nul
        12⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7809~1.EXE > nul
        11⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D439~1.EXE > nul
        10⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45E3E~1.EXE > nul
        9⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11E49~1.EXE > nul
        8⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E67A7~1.EXE > nul
        7⤵
        
        PID:820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94FC5~1.EXE > nul
        6⤵
        
        PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1CB6~1.EXE > nul
        5⤵
        
        PID:4912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F9A3F~1.EXE > nul
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{42A59~1.EXE > nul
    3⤵
    PID:632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8026B8~1.EXE > nul
  2⤵
  PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11E49E1B-0B3B-4d11-8DC4-8CD73B03FD17}.exe

Filesize
116KB

MD5
624c112804ee34e29a1b0e8c988b1b3d

SHA1
46c35bdf5e3ade6be5817309456b836562e66e4b

SHA256
8ce132faccead71bcd4af49d1f01d56b70592fa0ced8b3af191888fe6d84b0fb

SHA512
208f556202eec28189010bf7c052ec5c962ed39b30638a6f675faade5531497e26911f976f15683dc8ca4c6dae870555ea6d2eeea87a5349ef95b76a59b7c240

Download Submit
C:\Windows\{2D439C7C-1CCA-4225-B1DA-4998C953F2CA}.exe

Filesize
116KB

MD5
d546bb2466516894a5528e36b753e028

SHA1
683fcdb96dab1caaa5f100ff1b0df9b5c462e054

SHA256
647076d47f460bde2b48948ad3b67138927b4ce01c761cf92b8b6ad8a6729437

SHA512
81de0bd5f1cb5cae6836160ae187bf940e378b1342eef518677fd876b2c9d88343e01223da3e83bedfd85386f41a469689f3e5201dec2000392f9f6073c3a50e

Download Submit
C:\Windows\{3B788DB9-7046-4b9f-88D5-80CC66A6FB42}.exe

Filesize
116KB

MD5
877946b3f2659f7b2fa82884c1de0bdb

SHA1
861436c3734dc403b72ab6089dd9b163ba640acb

SHA256
c31a7f2073b9c53c1f5bb06fe2268796e4a227447a4e9a1f6c4255fabb8b005b

SHA512
04f7dc09b5d5547b576349f94b321a5c23ab13ad890fa5d06cdadf6ba2dc3c1bfdc1d58efc00ff0d0338238d2f07d41b8e50ce25eb629987c5a2c16c6f5c37a3

Download Submit
C:\Windows\{42A5922D-47F3-4564-81C5-285CC9A70142}.exe

Filesize
116KB

MD5
f5b7d8aa103bc75ec6a575127482e762

SHA1
4976d392a8595e2d26ecac0aa7f90a5d4dffe881

SHA256
7bb3dd8d14d35f56030f2e4eed56442f7d2321c9d627121a80f670b931070db1

SHA512
88a532cf7e294b7d2a7e09fe2943943b29bc1818db1fcfc4d4ee82b12d81dd8e16d2df56670a87a1924fc53d170b1be731654b570d8fb39251cc4f763bd05968

Download Submit
C:\Windows\{45E3E545-EDD9-40be-924B-EC39F8A19224}.exe

Filesize
116KB

MD5
49dcd0de76e2fd0b0802349dd6da7fb8

SHA1
07c26ea1696e2921faee5f08d78239fdf8dade8c

SHA256
cd3d33a979af78ac7d562b15859350060aadfba97d3c01519ceb5eec8c13b886

SHA512
014c9d0f9348a51c08c2ebbe2178e93dcb719e9b081ca74ca09979e3bce0de10a5d184b4785cb12619d63c57f9f20e275e6c608d7b9f4489ced3d99ccd4d51d9

Download Submit
C:\Windows\{793FA1EC-1822-4326-8219-5098B12C72FA}.exe

Filesize
116KB

MD5
25e9ad2ea629d71dcfbaa22a9438d4ed

SHA1
c472aecd3bae2daec59e50627c3dfaee28b2bb04

SHA256
adf6ab4a80f7d5f546eb6f569c4fc0aee6e055c93b7352f9a1e53a5679eb18c2

SHA512
94b1a23a10c7b9447d56163bf017f247db9b73d0aefc007ca75e4feda29eb7dacb4bc34126090c749e32eb21109fcbc146c9c230880787cefc5a88ab075a98d1

Download Submit
C:\Windows\{94FC5909-BC34-4aa0-AC7E-A5F4C1888340}.exe

Filesize
116KB

MD5
59ad5f68ed54b6c7f40c80d5fe0a13f9

SHA1
893a8d7d98ff190ee69e3fc91e49325323bed9e7

SHA256
20a752464236be400928caa138d934d5c0f8ccbc790083d09a593a1cb877cf96

SHA512
88d7b230fad3d21f1e1369618321b618285f1079a9a2f94b7b67afe08f8daf50dbcd7267d918ec6f96d0491c783f2409c226e101c151d84ec14fce73dd97c0ac

Download Submit
C:\Windows\{D1CB6AE6-EE04-4b7c-890C-443E9E3DFFF0}.exe

Filesize
116KB

MD5
1bfa46b344ca6da236b37edd4e2688d4

SHA1
54f7d559adeb55c5f55c7ee9e4cb0d149fc112d6

SHA256
2159f4c9e9c73ed285938e606ab3144cf78663586402c74c5d3fca97639dbb91

SHA512
2369ce17741cb857d7953d1ad1f8fe793b196ddeef16cab33e032aed36e2ca9bc92e206b77babd22c67bb4bab8333a0ed02c511d298a6661fb91c135d951905f

Download Submit
C:\Windows\{E67A75F6-7560-42a9-929B-59BFD2CA2AE4}.exe

Filesize
116KB

MD5
6ba9dff6ad16e9d5bd09b79520122db9

SHA1
080eead88816a4d041e7ee351c0cd6be63da37a5

SHA256
92592ca1e934eac92a17f991a401dd36d632c32157286d464963fb7b0c7e9667

SHA512
3f93dc769bf7b33c84829e7d7ffde225e14173f60a0ea6ba33828027c3ac127910c5bc1b15c73e5b1ccaebb5ed713784096247065cb5b7bc8892d34f8ac0ebf2

Download Submit
C:\Windows\{E7809C31-8958-4d8a-85AD-6EFE03514F8E}.exe

Filesize
116KB

MD5
8f2ecef5b6560d9a4fa9f7c59f352bb5

SHA1
442b11354b07b51b3f64e5250ea46a3638024e33

SHA256
70f2b29d64b568631fb4eb4d0388b9529cb1cf5ed80961d92dd0db1c8c0f6701

SHA512
ae94562c3379960b53ae455383a4e7ad5843d87a7e869c1db49599c32aa1865497e974994887422ab773535e997d04a5c63f678cdb89724dd51b8c7a87573f95

Download Submit
C:\Windows\{EDD45101-F23E-4ddc-8B9F-22D2F2188955}.exe

Filesize
116KB

MD5
246066a9ab8c87d72ce139e0bdbfdd92

SHA1
d5c1c2f493793efe8b329add7cfb425fc8960452

SHA256
177e589c965611f7a0a1486e6008bc562fea77062ae770e5bb66cc517d2d25d2

SHA512
58aa4ec39903eaf13b1fcd57479d7472602ee2f9f10d43cd37ec9113b2d73288fe5b145251f459a0385b138a7b935ffd86b98a6282342d0572d8ca43ef58d81f

Download Submit
C:\Windows\{F9A3FA89-050D-47f5-BA58-7A1F8997609A}.exe

Filesize
116KB

MD5
1d133ac8aafb24bb8cf79dad70970736

SHA1
b62e75a7a619d5541a37204b926d5e7c9f9eda93

SHA256
3d06b5ee68f9c3a7095647b979bbe931ca33c2e51472862167daff677487f1b4

SHA512
d7c626b7a68db383f43027e7df7432d505203dc3b5abf131224ef2fd2c65e20279eeeff6067e4365d7ad70371e21970b268a0adb2adb330681de6075abe1f945

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads