3e6147f279e58e144adc38350aea3ba7c45ed37ee40877aca2e7a02975f5c956

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 16:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

18c7475396a2db3cc5bd8f47c1626670_NeikiAnalytics.exe
Size

64KB
MD5

18c7475396a2db3cc5bd8f47c1626670
SHA1

d44bdb7e0fadf4f301471ad4a4c3010153777de7
SHA256

3e6147f279e58e144adc38350aea3ba7c45ed37ee40877aca2e7a02975f5c956
SHA512

deaa1bebabdbb4025d322552db40bc11d9398012aee2eeae177cf89d22f56a4d13b75a464b669a2a1624266654bed65a71ab5e1e52cda59dee75a4607134ed95
SSDEEP

384:ObLwOs8AHsc4HMPwhKQLror4/CFsrdHWMZw:Ovw981xvhKQLror4/wQpWMZw

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}	{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}\stubpath = "C:\\Windows\\{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe"	{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA98C6D-B472-4a01-9709-CD734CF440FD}	{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37E07335-ED10-464c-AAA1-7ED5858C5B7E}	{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1211E25B-ECC5-42bf-B62C-6C9CCAF5D8F2}\stubpath = "C:\\Windows\\{1211E25B-ECC5-42bf-B62C-6C9CCAF5D8F2}.exe"	{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61851A57-C6AB-4275-A652-B5F9AE84F32C}	18c7475396a2db3cc5bd8f47c1626670_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61851A57-C6AB-4275-A652-B5F9AE84F32C}\stubpath = "C:\\Windows\\{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe"	18c7475396a2db3cc5bd8f47c1626670_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F487A832-01CB-4bf0-9186-28C9AB1E526E}	{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}\stubpath = "C:\\Windows\\{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe"	{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28C72A64-B1FD-4930-BBF4-674828BAB8EF}\stubpath = "C:\\Windows\\{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe"	{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84D143C2-3BC2-4008-8D4C-BB9543A6C557}	{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84D143C2-3BC2-4008-8D4C-BB9543A6C557}\stubpath = "C:\\Windows\\{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe"	{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA98C6D-B472-4a01-9709-CD734CF440FD}\stubpath = "C:\\Windows\\{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe"	{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F487A832-01CB-4bf0-9186-28C9AB1E526E}\stubpath = "C:\\Windows\\{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe"	{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}	{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28C72A64-B1FD-4930-BBF4-674828BAB8EF}	{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FBD4E67-3C1C-402a-A8CB-329E3A9BE2AA}	{1211E25B-ECC5-42bf-B62C-6C9CCAF5D8F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37E07335-ED10-464c-AAA1-7ED5858C5B7E}\stubpath = "C:\\Windows\\{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe"	{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E525959-CA01-47bf-9779-095E0C8D9C3E}	{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E525959-CA01-47bf-9779-095E0C8D9C3E}\stubpath = "C:\\Windows\\{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe"	{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}	{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}\stubpath = "C:\\Windows\\{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe"	{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1211E25B-ECC5-42bf-B62C-6C9CCAF5D8F2}	{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FBD4E67-3C1C-402a-A8CB-329E3A9BE2AA}\stubpath = "C:\\Windows\\{7FBD4E67-3C1C-402a-A8CB-329E3A9BE2AA}.exe"	{1211E25B-ECC5-42bf-B62C-6C9CCAF5D8F2}.exe

Executes dropped EXE 12 IoCs

pid	Process
4636	{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe
2872	{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe
4040	{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe
8	{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe
1584	{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe
1672	{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe
4756	{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe
2564	{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe
4260	{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe
316	{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe
2908	{1211E25B-ECC5-42bf-B62C-6C9CCAF5D8F2}.exe
3948	{7FBD4E67-3C1C-402a-A8CB-329E3A9BE2AA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe	{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe
File created	C:\Windows\{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe	{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe
File created	C:\Windows\{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe	{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe
File created	C:\Windows\{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe	{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe
File created	C:\Windows\{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe	18c7475396a2db3cc5bd8f47c1626670_NeikiAnalytics.exe
File created	C:\Windows\{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe	{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe
File created	C:\Windows\{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe	{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe
File created	C:\Windows\{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe	{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe
File created	C:\Windows\{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe	{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe
File created	C:\Windows\{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe	{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe
File created	C:\Windows\{1211E25B-ECC5-42bf-B62C-6C9CCAF5D8F2}.exe	{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe
File created	C:\Windows\{7FBD4E67-3C1C-402a-A8CB-329E3A9BE2AA}.exe	{1211E25B-ECC5-42bf-B62C-6C9CCAF5D8F2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3708	18c7475396a2db3cc5bd8f47c1626670_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4636	{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe
Token: SeIncBasePriorityPrivilege	2872	{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe
Token: SeIncBasePriorityPrivilege	4040	{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe
Token: SeIncBasePriorityPrivilege	8	{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe
Token: SeIncBasePriorityPrivilege	1584	{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe
Token: SeIncBasePriorityPrivilege	1672	{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe
Token: SeIncBasePriorityPrivilege	4756	{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe
Token: SeIncBasePriorityPrivilege	2564	{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe
Token: SeIncBasePriorityPrivilege	4260	{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe
Token: SeIncBasePriorityPrivilege	316	{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe
Token: SeIncBasePriorityPrivilege	2908	{1211E25B-ECC5-42bf-B62C-6C9CCAF5D8F2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 4636	3708	18c7475396a2db3cc5bd8f47c1626670_NeikiAnalytics.exe	99
PID 3708 wrote to memory of 4636	3708	18c7475396a2db3cc5bd8f47c1626670_NeikiAnalytics.exe	99
PID 3708 wrote to memory of 4636	3708	18c7475396a2db3cc5bd8f47c1626670_NeikiAnalytics.exe	99
PID 3708 wrote to memory of 3716	3708	18c7475396a2db3cc5bd8f47c1626670_NeikiAnalytics.exe	100
PID 3708 wrote to memory of 3716	3708	18c7475396a2db3cc5bd8f47c1626670_NeikiAnalytics.exe	100
PID 3708 wrote to memory of 3716	3708	18c7475396a2db3cc5bd8f47c1626670_NeikiAnalytics.exe	100
PID 4636 wrote to memory of 2872	4636	{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe	101
PID 4636 wrote to memory of 2872	4636	{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe	101
PID 4636 wrote to memory of 2872	4636	{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe	101
PID 4636 wrote to memory of 768	4636	{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe	102
PID 4636 wrote to memory of 768	4636	{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe	102
PID 4636 wrote to memory of 768	4636	{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe	102
PID 2872 wrote to memory of 4040	2872	{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe	105
PID 2872 wrote to memory of 4040	2872	{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe	105
PID 2872 wrote to memory of 4040	2872	{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe	105
PID 2872 wrote to memory of 3408	2872	{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe	106
PID 2872 wrote to memory of 3408	2872	{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe	106
PID 2872 wrote to memory of 3408	2872	{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe	106
PID 4040 wrote to memory of 8	4040	{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe	107
PID 4040 wrote to memory of 8	4040	{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe	107
PID 4040 wrote to memory of 8	4040	{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe	107
PID 4040 wrote to memory of 1448	4040	{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe	108
PID 4040 wrote to memory of 1448	4040	{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe	108
PID 4040 wrote to memory of 1448	4040	{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe	108
PID 8 wrote to memory of 1584	8	{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe	109
PID 8 wrote to memory of 1584	8	{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe	109
PID 8 wrote to memory of 1584	8	{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe	109
PID 8 wrote to memory of 1748	8	{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe	110
PID 8 wrote to memory of 1748	8	{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe	110
PID 8 wrote to memory of 1748	8	{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe	110
PID 1584 wrote to memory of 1672	1584	{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe	112
PID 1584 wrote to memory of 1672	1584	{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe	112
PID 1584 wrote to memory of 1672	1584	{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe	112
PID 1584 wrote to memory of 872	1584	{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe	113
PID 1584 wrote to memory of 872	1584	{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe	113
PID 1584 wrote to memory of 872	1584	{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe	113
PID 1672 wrote to memory of 4756	1672	{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe	114
PID 1672 wrote to memory of 4756	1672	{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe	114
PID 1672 wrote to memory of 4756	1672	{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe	114
PID 1672 wrote to memory of 1056	1672	{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe	115
PID 1672 wrote to memory of 1056	1672	{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe	115
PID 1672 wrote to memory of 1056	1672	{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe	115
PID 4756 wrote to memory of 2564	4756	{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe	118
PID 4756 wrote to memory of 2564	4756	{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe	118
PID 4756 wrote to memory of 2564	4756	{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe	118
PID 4756 wrote to memory of 1544	4756	{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe	119
PID 4756 wrote to memory of 1544	4756	{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe	119
PID 4756 wrote to memory of 1544	4756	{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe	119
PID 2564 wrote to memory of 4260	2564	{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe	124
PID 2564 wrote to memory of 4260	2564	{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe	124
PID 2564 wrote to memory of 4260	2564	{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe	124
PID 2564 wrote to memory of 4676	2564	{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe	125
PID 2564 wrote to memory of 4676	2564	{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe	125
PID 2564 wrote to memory of 4676	2564	{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe	125
PID 4260 wrote to memory of 316	4260	{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe	126
PID 4260 wrote to memory of 316	4260	{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe	126
PID 4260 wrote to memory of 316	4260	{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe	126
PID 4260 wrote to memory of 3824	4260	{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe	127
PID 4260 wrote to memory of 3824	4260	{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe	127
PID 4260 wrote to memory of 3824	4260	{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe	127
PID 316 wrote to memory of 2908	316	{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe	130
PID 316 wrote to memory of 2908	316	{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe	130
PID 316 wrote to memory of 2908	316	{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe	130
PID 316 wrote to memory of 4924	316	{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe	131

C:\Users\Admin\AppData\Local\Temp\18c7475396a2db3cc5bd8f47c1626670_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\18c7475396a2db3cc5bd8f47c1626670_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe
  C:\Windows\{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe
    C:\Windows\{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe
      C:\Windows\{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\Windows\{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe
        
        C:\Windows\{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe
        
        C:\Windows\{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe
        
        C:\Windows\{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe
        
        C:\Windows\{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe
        
        C:\Windows\{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe
        
        C:\Windows\{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe
        
        C:\Windows\{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\{1211E25B-ECC5-42bf-B62C-6C9CCAF5D8F2}.exe
        
        C:\Windows\{1211E25B-ECC5-42bf-B62C-6C9CCAF5D8F2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\{7FBD4E67-3C1C-402a-A8CB-329E3A9BE2AA}.exe
        
        C:\Windows\{7FBD4E67-3C1C-402a-A8CB-329E3A9BE2AA}.exe
        13⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1211E~1.EXE > nul
        13⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1334B~1.EXE > nul
        12⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E525~1.EXE > nul
        11⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84D14~1.EXE > nul
        10⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28C72~1.EXE > nul
        9⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6763F~1.EXE > nul
        8⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37E07~1.EXE > nul
        7⤵
        
        PID:872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F487A~1.EXE > nul
        6⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DA98~1.EXE > nul
        5⤵
        
        PID:1448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4E5A1~1.EXE > nul
      4⤵
      PID:3408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{61851~1.EXE > nul
    3⤵
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\18C747~1.EXE > nul
  2⤵
  PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E525959-CA01-47bf-9779-095E0C8D9C3E}.exe

Filesize
64KB

MD5
12c338217600b158e0f8e3faf7b3350f

SHA1
478207dd13eee4cf2beb82b644a22350d491572b

SHA256
b5a88ef5aa7d23596e24c6c8df2f20483069da43d59865ba67878847b8dab9dd

SHA512
221bb2dd15c8c2e66c8e880aaf396ffd779bec831b46a737e39f4c912c83ffaf86c44f7ce8fe1d931e5e2b78813f583545b17b635b698586b6146c5140d1792f

Download Submit
C:\Windows\{1211E25B-ECC5-42bf-B62C-6C9CCAF5D8F2}.exe

Filesize
64KB

MD5
eec48dd14c974fb9a33589c567049213

SHA1
48d24e017b729e5a1b5b7c6988635f8bdefba9cf

SHA256
2d31f355a633e7d82520cf6e613b21d308ee72626dfb42191c97602182c8b246

SHA512
c9c4de18f01ebccb5f6fea18fcaa54d32130262784758c7da964c5836a38da20f1f0a0175f4f30fbd5fdfedc1f49f42632ba43309a6a9b914fa059d9462fb978

Download Submit
C:\Windows\{1334BFA0-B833-4ef5-A180-FD7C8F00A32B}.exe

Filesize
64KB

MD5
6f28b141b68d794ecb19c44ad12f0223

SHA1
085df5e03297887c9ab509ca0bb48a48b7b0b6cf

SHA256
7e29cf88e7a1771ed28772c95a6a588d2544adac09f9363de7f16843c02f9afa

SHA512
727aa4483973da7d50aec7713bd9ea08d9be066ff270c80621b1a318d31c62f63453a92b7c9ac49463482b8a100f2e629adf13ea27195055f01b37aad668cee1

Download Submit
C:\Windows\{1DA98C6D-B472-4a01-9709-CD734CF440FD}.exe

Filesize
64KB

MD5
91c3427a5d936f76880004e10aa9206c

SHA1
140902212fb6e3b6684a08b0e037d421230fbb9d

SHA256
a280527e63c08466a5da812c85e73c80c762969e19e39e19e9aecd05bc91741a

SHA512
a2c20d5e8df6a08694906d57e0fe41dbfb2d9c89b74d76d05a2b01dd49892baf0724c99f977aafc8bff088b3095307f6d5823784559dcbabe667836d10266585

Download Submit
C:\Windows\{28C72A64-B1FD-4930-BBF4-674828BAB8EF}.exe

Filesize
64KB

MD5
463e9af51ccd506152e877ad840b6b2c

SHA1
1703abc82cfa02e8cf753fc27ad5c42321fd64ce

SHA256
e558dd569222dd38821b23652e58a548476e6ff01e914316e85b00e81e18d42a

SHA512
82da3a1aa56e635a1e1aaef9dc3830f6c0cb7e2b89e474092db824c8134162baf9f5fe88cd0cd582a8af368e8d8f8bdd6ffe3b371c009404772b3c2297d2092b

Download Submit
C:\Windows\{37E07335-ED10-464c-AAA1-7ED5858C5B7E}.exe

Filesize
64KB

MD5
bec8c11a8200ada19d3f5e8c6330db96

SHA1
0bfaef4538489e647d38fdd4c3209268e5a74f43

SHA256
e0001588ca72300e3353466b21843f2c7e8d2a80d0a33ba9240415b4fcf0d841

SHA512
fda4a1f6e70e17888160e95aff8f10f972ee0ea6749c9dd8f9426e994b22720e6b65aafa2179d53ae0f6e0ad904718e3281ab8c4ff5e4585b9e96baa2a61271a

Download Submit
C:\Windows\{4E5A1F1F-7C8D-4ef8-BA40-3F9F54B7DDE7}.exe

Filesize
64KB

MD5
af2fecea945c74ce16231fafc6d4973a

SHA1
1fe0a56bc803a86acf8d13f9a37319e706c7254b

SHA256
b480fabf4a06a35d76bbb26e736bcb8a96e7104a792954b257e101b8865682b0

SHA512
b3716c74d5388319c63706e6d17a4e1c13a35112e303aeb6cb9eaea2fb876dbf913d31cc3a22a3a4a901ae0f8dcaa6e38214c81e6d25dbcdc24812f603db80b6

Download Submit
C:\Windows\{61851A57-C6AB-4275-A652-B5F9AE84F32C}.exe

Filesize
64KB

MD5
f84ad786dea802df040fed2e0fd6a2b6

SHA1
f232a85661fbca48c1ffe5e8b5c3af55dd4c7b6a

SHA256
8362cc7d57f60d3424f1d26548113a481760a0983afc3183dcb2505bfe5ee14d

SHA512
f19aef51ceb6759b076b66f97213114456a07d9ed81436d51570bd135467b9a67b728caaf2d456ab550d76d7a9d174945a7addd653587c1475b1dc9f08bf38d8

Download Submit
C:\Windows\{6763FE62-0A7E-4ac3-84ED-CDFD2AC52B3A}.exe

Filesize
64KB

MD5
e36bad6d64d16ecd19186b3e98f791a6

SHA1
7d8492daca1057f10f660b18e99f3148785a5acb

SHA256
1cbba94d699479bf91c34c1ae921c99662875124fa10f8fc193856197e152359

SHA512
a02c5d92308d16365399a9b3a12de651f1ac8944a7513540334e28e5786f91bcd199a3e25dce0983c4b75e3566a4558f5a725d549ee74782e8eda036389565a0

Download Submit
C:\Windows\{7FBD4E67-3C1C-402a-A8CB-329E3A9BE2AA}.exe

Filesize
64KB

MD5
221471e6ece7bcb399c7bba9c5c2eb81

SHA1
e915d471724d56a03d906ad9502cd7c397534679

SHA256
6fb22491866bb9b020aeda3c24de29416954d97e3a1b42cb378962af2c3e6bca

SHA512
b2014e01192dc9c2237320361003c97005f93303907a25fc764a5718465da190a0880795157fab36d0418a427b9857b08e7219a1c0172cfc50a64af283d06217

Download Submit
C:\Windows\{84D143C2-3BC2-4008-8D4C-BB9543A6C557}.exe

Filesize
64KB

MD5
cc703dd1895c2091c72360c77af451f8

SHA1
43437f6f90f1d73e72bcd7955f3168eb60a5a20c

SHA256
a39eb6d2bdd76522e069520b6fd26caafc41f5eb6229ca3f563c74d562e7ec9e

SHA512
cf6d406e947b7f53899386548cf0570194c7689cb5af7a01c8e82cc1dbed2441d497d2f8d453a32cff91d1d5aabd84078619d0ecd16ff074811730f398ec579e

Download Submit
C:\Windows\{F487A832-01CB-4bf0-9186-28C9AB1E526E}.exe

Filesize
64KB

MD5
756ca7c0d52baeaf8d8cac8ff55825d9

SHA1
f54cae52b3ae41f15f079193aab6fbc0c43deb60

SHA256
fd332267c833f7ac2b9e8c23b1e5a66aaa0b07f5cdd3c038604df480b2256959

SHA512
7c533dfa9b1d2b87a1cb250b4e7a13c1a95892ad4bd2bb53a561b481505f025d8270ab93d06039d58fd0338a27eb5d029444b1475b2207df95a3e37143713d20

Download Submit
memory/8-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/316-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/316-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1584-32-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1584-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1672-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1672-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2564-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2564-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2872-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2872-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2908-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2908-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3708-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3708-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4040-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4260-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4260-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4636-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4636-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4756-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads