2991ce4779ccd992f9fa8ac881a902e55aa83881f4bf27acb65888ab608e24d2

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 06:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

95d82a76bcf6d3a43a26a7632b376790_NeikiAnalytics.exe
Size

64KB
MD5

95d82a76bcf6d3a43a26a7632b376790
SHA1

3a0f45e0b63b404b04076b3b199dbfcfa6575fca
SHA256

2991ce4779ccd992f9fa8ac881a902e55aa83881f4bf27acb65888ab608e24d2
SHA512

e5270506c5df8894402655567e762768b7b06521c31477139251b449bf8a791ac4444fbdb80c5f450bfee774fb2619afefc8e5800afd946f6ebfaae1d82009ac
SSDEEP

768:O0w9816vhKQLroCu4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdi:pEGh0oCulwWMZQcpmgDagIyS1loL7Wri

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4178653-E74C-423f-BC27-A4AB4386B089}\stubpath = "C:\\Windows\\{F4178653-E74C-423f-BC27-A4AB4386B089}.exe"	95d82a76bcf6d3a43a26a7632b376790_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DE572E3-3485-47f1-A806-4BEB58B90524}\stubpath = "C:\\Windows\\{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe"	{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F74DFE7-464F-4193-AE6E-A84773D248B9}	{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F74DFE7-464F-4193-AE6E-A84773D248B9}\stubpath = "C:\\Windows\\{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe"	{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{957AB7E5-C128-408c-8D77-8E44AF0F9E71}	{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{957AB7E5-C128-408c-8D77-8E44AF0F9E71}\stubpath = "C:\\Windows\\{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe"	{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}	{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4178653-E74C-423f-BC27-A4AB4386B089}	95d82a76bcf6d3a43a26a7632b376790_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD46A30D-2D5F-401d-A339-76FFF1203E59}	{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{691B03AC-2839-4e7e-BD99-7F7487780EC8}	{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39295F25-E741-4f77-9CB4-B72C01DC2169}	{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{101B3728-0E60-4d16-BBED-82E16460A417}	{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{859DDA48-054B-4452-90D3-2898BB8DF0ED}\stubpath = "C:\\Windows\\{859DDA48-054B-4452-90D3-2898BB8DF0ED}.exe"	{101B3728-0E60-4d16-BBED-82E16460A417}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}\stubpath = "C:\\Windows\\{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe"	{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD46A30D-2D5F-401d-A339-76FFF1203E59}\stubpath = "C:\\Windows\\{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe"	{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF99BC0E-730D-4029-BD71-98E5E0433280}\stubpath = "C:\\Windows\\{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe"	{F4178653-E74C-423f-BC27-A4AB4386B089}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DE572E3-3485-47f1-A806-4BEB58B90524}	{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F844630-6730-4f1f-A9D5-6704740F57EC}\stubpath = "C:\\Windows\\{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe"	{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{691B03AC-2839-4e7e-BD99-7F7487780EC8}\stubpath = "C:\\Windows\\{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe"	{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{101B3728-0E60-4d16-BBED-82E16460A417}\stubpath = "C:\\Windows\\{101B3728-0E60-4d16-BBED-82E16460A417}.exe"	{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF99BC0E-730D-4029-BD71-98E5E0433280}	{F4178653-E74C-423f-BC27-A4AB4386B089}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39295F25-E741-4f77-9CB4-B72C01DC2169}\stubpath = "C:\\Windows\\{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe"	{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{859DDA48-054B-4452-90D3-2898BB8DF0ED}	{101B3728-0E60-4d16-BBED-82E16460A417}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F844630-6730-4f1f-A9D5-6704740F57EC}	{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe

Executes dropped EXE 12 IoCs

pid	Process
1336	{F4178653-E74C-423f-BC27-A4AB4386B089}.exe
2352	{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe
3012	{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe
2056	{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe
2928	{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe
4948	{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe
3284	{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe
4580	{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe
1080	{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe
1264	{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe
4992	{101B3728-0E60-4d16-BBED-82E16460A417}.exe
3372	{859DDA48-054B-4452-90D3-2898BB8DF0ED}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe	{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe
File created	C:\Windows\{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe	{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe
File created	C:\Windows\{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe	{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe
File created	C:\Windows\{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe	{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe
File created	C:\Windows\{101B3728-0E60-4d16-BBED-82E16460A417}.exe	{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe
File created	C:\Windows\{859DDA48-054B-4452-90D3-2898BB8DF0ED}.exe	{101B3728-0E60-4d16-BBED-82E16460A417}.exe
File created	C:\Windows\{F4178653-E74C-423f-BC27-A4AB4386B089}.exe	95d82a76bcf6d3a43a26a7632b376790_NeikiAnalytics.exe
File created	C:\Windows\{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe	{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe
File created	C:\Windows\{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe	{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe
File created	C:\Windows\{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe	{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe
File created	C:\Windows\{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe	{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe
File created	C:\Windows\{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe	{F4178653-E74C-423f-BC27-A4AB4386B089}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4712	95d82a76bcf6d3a43a26a7632b376790_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1336	{F4178653-E74C-423f-BC27-A4AB4386B089}.exe
Token: SeIncBasePriorityPrivilege	2352	{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe
Token: SeIncBasePriorityPrivilege	3012	{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe
Token: SeIncBasePriorityPrivilege	2056	{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe
Token: SeIncBasePriorityPrivilege	2928	{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe
Token: SeIncBasePriorityPrivilege	4948	{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe
Token: SeIncBasePriorityPrivilege	3284	{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe
Token: SeIncBasePriorityPrivilege	4580	{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe
Token: SeIncBasePriorityPrivilege	1080	{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe
Token: SeIncBasePriorityPrivilege	1264	{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe
Token: SeIncBasePriorityPrivilege	4992	{101B3728-0E60-4d16-BBED-82E16460A417}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 1336	4712	95d82a76bcf6d3a43a26a7632b376790_NeikiAnalytics.exe	88
PID 4712 wrote to memory of 1336	4712	95d82a76bcf6d3a43a26a7632b376790_NeikiAnalytics.exe	88
PID 4712 wrote to memory of 1336	4712	95d82a76bcf6d3a43a26a7632b376790_NeikiAnalytics.exe	88
PID 4712 wrote to memory of 1296	4712	95d82a76bcf6d3a43a26a7632b376790_NeikiAnalytics.exe	89
PID 4712 wrote to memory of 1296	4712	95d82a76bcf6d3a43a26a7632b376790_NeikiAnalytics.exe	89
PID 4712 wrote to memory of 1296	4712	95d82a76bcf6d3a43a26a7632b376790_NeikiAnalytics.exe	89
PID 1336 wrote to memory of 2352	1336	{F4178653-E74C-423f-BC27-A4AB4386B089}.exe	90
PID 1336 wrote to memory of 2352	1336	{F4178653-E74C-423f-BC27-A4AB4386B089}.exe	90
PID 1336 wrote to memory of 2352	1336	{F4178653-E74C-423f-BC27-A4AB4386B089}.exe	90
PID 1336 wrote to memory of 4884	1336	{F4178653-E74C-423f-BC27-A4AB4386B089}.exe	91
PID 1336 wrote to memory of 4884	1336	{F4178653-E74C-423f-BC27-A4AB4386B089}.exe	91
PID 1336 wrote to memory of 4884	1336	{F4178653-E74C-423f-BC27-A4AB4386B089}.exe	91
PID 2352 wrote to memory of 3012	2352	{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe	95
PID 2352 wrote to memory of 3012	2352	{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe	95
PID 2352 wrote to memory of 3012	2352	{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe	95
PID 2352 wrote to memory of 1544	2352	{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe	96
PID 2352 wrote to memory of 1544	2352	{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe	96
PID 2352 wrote to memory of 1544	2352	{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe	96
PID 3012 wrote to memory of 2056	3012	{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe	97
PID 3012 wrote to memory of 2056	3012	{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe	97
PID 3012 wrote to memory of 2056	3012	{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe	97
PID 3012 wrote to memory of 1728	3012	{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe	98
PID 3012 wrote to memory of 1728	3012	{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe	98
PID 3012 wrote to memory of 1728	3012	{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe	98
PID 2056 wrote to memory of 2928	2056	{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe	99
PID 2056 wrote to memory of 2928	2056	{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe	99
PID 2056 wrote to memory of 2928	2056	{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe	99
PID 2056 wrote to memory of 3552	2056	{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe	100
PID 2056 wrote to memory of 3552	2056	{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe	100
PID 2056 wrote to memory of 3552	2056	{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe	100
PID 2928 wrote to memory of 4948	2928	{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe	101
PID 2928 wrote to memory of 4948	2928	{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe	101
PID 2928 wrote to memory of 4948	2928	{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe	101
PID 2928 wrote to memory of 1476	2928	{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe	102
PID 2928 wrote to memory of 1476	2928	{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe	102
PID 2928 wrote to memory of 1476	2928	{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe	102
PID 4948 wrote to memory of 3284	4948	{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe	103
PID 4948 wrote to memory of 3284	4948	{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe	103
PID 4948 wrote to memory of 3284	4948	{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe	103
PID 4948 wrote to memory of 2220	4948	{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe	104
PID 4948 wrote to memory of 2220	4948	{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe	104
PID 4948 wrote to memory of 2220	4948	{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe	104
PID 3284 wrote to memory of 4580	3284	{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe	105
PID 3284 wrote to memory of 4580	3284	{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe	105
PID 3284 wrote to memory of 4580	3284	{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe	105
PID 3284 wrote to memory of 1752	3284	{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe	106
PID 3284 wrote to memory of 1752	3284	{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe	106
PID 3284 wrote to memory of 1752	3284	{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe	106
PID 4580 wrote to memory of 1080	4580	{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe	107
PID 4580 wrote to memory of 1080	4580	{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe	107
PID 4580 wrote to memory of 1080	4580	{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe	107
PID 4580 wrote to memory of 4344	4580	{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe	108
PID 4580 wrote to memory of 4344	4580	{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe	108
PID 4580 wrote to memory of 4344	4580	{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe	108
PID 1080 wrote to memory of 1264	1080	{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe	109
PID 1080 wrote to memory of 1264	1080	{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe	109
PID 1080 wrote to memory of 1264	1080	{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe	109
PID 1080 wrote to memory of 4624	1080	{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe	110
PID 1080 wrote to memory of 4624	1080	{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe	110
PID 1080 wrote to memory of 4624	1080	{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe	110
PID 1264 wrote to memory of 4992	1264	{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe	111
PID 1264 wrote to memory of 4992	1264	{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe	111
PID 1264 wrote to memory of 4992	1264	{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe	111
PID 1264 wrote to memory of 1616	1264	{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe	112

C:\Users\Admin\AppData\Local\Temp\95d82a76bcf6d3a43a26a7632b376790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\95d82a76bcf6d3a43a26a7632b376790_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\{F4178653-E74C-423f-BC27-A4AB4386B089}.exe
  C:\Windows\{F4178653-E74C-423f-BC27-A4AB4386B089}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe
    C:\Windows\{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe
      C:\Windows\{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe
        
        C:\Windows\{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Windows\{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe
        
        C:\Windows\{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe
        
        C:\Windows\{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe
        
        C:\Windows\{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe
        
        C:\Windows\{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe
        
        C:\Windows\{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe
        
        C:\Windows\{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\{101B3728-0E60-4d16-BBED-82E16460A417}.exe
        
        C:\Windows\{101B3728-0E60-4d16-BBED-82E16460A417}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Windows\{859DDA48-054B-4452-90D3-2898BB8DF0ED}.exe
        
        C:\Windows\{859DDA48-054B-4452-90D3-2898BB8DF0ED}.exe
        13⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{101B3~1.EXE > nul
        13⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39295~1.EXE > nul
        12⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{691B0~1.EXE > nul
        11⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD46A~1.EXE > nul
        10⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF58A~1.EXE > nul
        9⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{957AB~1.EXE > nul
        8⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F844~1.EXE > nul
        7⤵
        
        PID:1476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F74D~1.EXE > nul
        6⤵
        
        PID:3552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DE57~1.EXE > nul
        5⤵
        
        PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AF99B~1.EXE > nul
      4⤵
      PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F4178~1.EXE > nul
    3⤵
    PID:4884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\95D82A~1.EXE > nul
  2⤵
  PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{101B3728-0E60-4d16-BBED-82E16460A417}.exe

Filesize
64KB

MD5
5b19f6a36291fab02cf0cc2ada66a1da

SHA1
6633fbde4a9eb57eed1a2dfcfad4507d74ed962b

SHA256
5d81cdf04249a20aad52d185a462a1fa87c993f679d9c1fc3e1543f7057ec6ae

SHA512
86f23677266db24039df1123c99a3d2a6c972a957a49a1bdbd53f56749ecbb002751a732a531e8d88b1cd5ec878f0123abbce0b6b10c5bad1bcf0ad7ebb68345

Download Submit
C:\Windows\{39295F25-E741-4f77-9CB4-B72C01DC2169}.exe

Filesize
64KB

MD5
84f9316b1b82ad8560055307b8fcf9f2

SHA1
9a723554d3e06f3b3b4636652655ca0323017819

SHA256
9150cec18f8992ea25d11395002ad9bb9374b3e5e3c93e695365a7b6010d363d

SHA512
a6887fbbc1baead63873cd47432ea4364c4ed514d87172e05210c94ce2e09af367be96825754ebb2b8ae8f8a6d14057175b19b60318adb5bc09681fdd7189ff0

Download Submit
C:\Windows\{4DE572E3-3485-47f1-A806-4BEB58B90524}.exe

Filesize
64KB

MD5
624b368c1421765c8c7eeef915cde891

SHA1
0f38b16de24b75eeb3e876468f9c561854aa6895

SHA256
d9d7d9c17a8d3b6531a632fabe49d95285f9359c911870ced87ea19c6bff2188

SHA512
d7317602e969ae7a4cf5f0b948c75f55ae6a5f70c18ed3302f6883e0df03c73608adadb0b43458a598fece9bd307355727091a11edabf0179ee3fb1096a466f1

Download Submit
C:\Windows\{691B03AC-2839-4e7e-BD99-7F7487780EC8}.exe

Filesize
64KB

MD5
c3354a098e35d593d33a7266390a9241

SHA1
c416e036f2dc071eee451394d1338f1e07a6360f

SHA256
6ce30b2c16d9383bf54f36b6b406a38085f29ca3ba2f859fedad59f18ba93255

SHA512
91865563e4d09191995392a35000bf5a77a8296435c5c2d49662c57087d889f1747c1c8edef27153ae53754b49c8350ce60e27d99d6ebda7e213dc660902233a

Download Submit
C:\Windows\{7F74DFE7-464F-4193-AE6E-A84773D248B9}.exe

Filesize
64KB

MD5
3d00f59027598b6ef6a603af6934bb37

SHA1
8f1b0a0dd919a349b38fbc3b421db1f397d31d5b

SHA256
16056f54bce07cdbe308617703b81a8795b9393aff9aea06933743199ef68e2a

SHA512
9d33db22c63ecaad29973a641a73f58436dfcb1d7632225eb182cbd8455e042ccce2d8f154285e22f0bfde3d55ffd95f9f8c4623a7eaf7045521a2ea1f471fb5

Download Submit
C:\Windows\{7F844630-6730-4f1f-A9D5-6704740F57EC}.exe

Filesize
64KB

MD5
3f6fcea5e3711b0f991465d0c98f7ef4

SHA1
f4685e3a80ecaf752bbd35184ca10c1e5d12ad1f

SHA256
9f98eb029386f530ff7d9a1284754b3fabc0d59a3c1689e2c0efd810a6353599

SHA512
a8597449f157ceb9c2769d5757059fd27d18f4cafc80b700cb3d2c23a6d4b126eca970af3fc36053a9edb40b5fac089ea59b48af06cef1d7f2192d418be1c00f

Download Submit
C:\Windows\{859DDA48-054B-4452-90D3-2898BB8DF0ED}.exe

Filesize
64KB

MD5
903a2d07781ea05f477c844a7928da4b

SHA1
10aee79a51040e3cb073d6a092c5230d155c5d07

SHA256
7ce480603c277f036b9c44c64ff7b0bd4e4f557455934d34daaecbaae9cf7b1d

SHA512
4245cdb1698a5b26048d2c9c4d8f8ab0d1a98297070306ce64083bf6bcc76740aa5e331062e92c4441e375207a4a7a44fd8b5b69d45665aa632f5315a36f90ea

Download Submit
C:\Windows\{957AB7E5-C128-408c-8D77-8E44AF0F9E71}.exe

Filesize
64KB

MD5
325817c79b22a139f09ea0b2d7e8d921

SHA1
154579c920f1a2723f4f037e757cf2726baa2745

SHA256
90128f004633b389dbc948d9763c65c9101b670e4952089f463c51ffb2eb7801

SHA512
88f09aee8f55f740a17c61d98f9f0bdcc987001287aaaefcc8282b61bbd7ad4d70ddbbe73cc28473e33344a3e98929de1e1949d707ad19665cc0abee9afbe9c1

Download Submit
C:\Windows\{AD46A30D-2D5F-401d-A339-76FFF1203E59}.exe

Filesize
64KB

MD5
19a169571b392dc0215f72c01ef23a40

SHA1
622eab021be5a3db91b719c3adf90a573cd7b2a4

SHA256
52ba2ad680630da2e4c8b4bed585f9896f41cc3e4c008bb82a076a8a926ae56f

SHA512
427c83a8116499d6a667a4fbbc2b6ead2e5197974f706b88945c819de8ab5a367885c50878c6296e85f3a2d1e66484968ad00e680666e0eaafca14106349d948

Download Submit
C:\Windows\{AF99BC0E-730D-4029-BD71-98E5E0433280}.exe

Filesize
64KB

MD5
66371cf0dd9e5f455b7d781c7bbb6b64

SHA1
152df5a15d2660dae34a42b69c013a2fc5808d8c

SHA256
0f2de38b78f927e7db75e2927a7b60b0fb1dabaaf780e927d773a2c54c7fdb6d

SHA512
68bac6bd4a53178429c0bd4c6952781a36a7e7d4dc9706c9883eb44ef812f4e0d6fbee668476675efdcab0b7aa5b3fd72a2f3eb9db32b3f97b8bb3fdabc8268a

Download Submit
C:\Windows\{EF58AD85-31CB-4ed6-A530-4F781D9A14E3}.exe

Filesize
64KB

MD5
2675d6a96ad542729b5ac136cb87f74a

SHA1
704fb4eda4dce09953eb46906246dee275ae2d94

SHA256
acd678249e136cf2f488e709f14cc203f343b4ac0e44541df047e50b407c377a

SHA512
c14ccf935d1a57e5ee5f5c81273a17f620c59df6e8ba6d9d03a581a009a1035c4546287d72a80cf6a61638670fef8f70721f69a89061ec0f9aa0287d454562bd

Download Submit
C:\Windows\{F4178653-E74C-423f-BC27-A4AB4386B089}.exe

Filesize
64KB

MD5
dd70f9c2f5f8b70d06bc21eb4e993ef3

SHA1
f21f16f6066778766847d63807bb69d3da660d4c

SHA256
706216e1b97dd4bf105f3272d9a9b2e2123eeb284eb5f5259e445773af993ef3

SHA512
cb8b4c6de13f5aed67a520be1fb1d5f2c3a75e169eeb6cdf24a83ab6bfff5a0968f55ea4debb23e33e14fe67ad09c8e73c436e755f2de99f270dc7142cb70aa7

Download Submit
memory/1080-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1080-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1264-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1264-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1336-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1336-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2056-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2056-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2352-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2352-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2928-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2928-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3012-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3284-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3284-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3372-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4580-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4580-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4712-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4712-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4948-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4948-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4992-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4992-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads