0b61ca48353a5b41e2901806beb0d6b6b7848fdd2d88b5b1947e43bacd1af577

Analysis

max time kernel
149s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 05:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7117ac28a889cc3dae39c0aacff5d5e0_NeikiAnalytics.exe
Size

64KB
MD5

7117ac28a889cc3dae39c0aacff5d5e0
SHA1

f1ab2a10a35f0f05c8b2bfa58afdd89343876083
SHA256

0b61ca48353a5b41e2901806beb0d6b6b7848fdd2d88b5b1947e43bacd1af577
SHA512

089198632764d97e7b324d61d18d2cee7a191763218f25f3b3b76bb2d264be15cf86a80b676166a023ff12d370295921df13d1a13c18db728b42ff1d698f3672
SSDEEP

768:Ovw981iqhKQLroCI4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdk:6EGs0oCIlwWMZQcpmgDagIyS1loL7Wrk

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F2D605B-2425-4c66-B77D-992401C33A35}	{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8548DAEE-532C-4efc-A5C7-7596CD92E463}	{5F2D605B-2425-4c66-B77D-992401C33A35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3AC2469-86A1-4609-895C-F99987DA599F}\stubpath = "C:\\Windows\\{F3AC2469-86A1-4609-895C-F99987DA599F}.exe"	{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9B9AEEB-3E3A-4958-A2F9-8C522B6E02DC}\stubpath = "C:\\Windows\\{C9B9AEEB-3E3A-4958-A2F9-8C522B6E02DC}.exe"	{38BF693B-78D2-42c1-8311-E39EE907DF0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25157BF4-BC83-42b2-836C-6870F862A5A8}	{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25157BF4-BC83-42b2-836C-6870F862A5A8}\stubpath = "C:\\Windows\\{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe"	{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}	7117ac28a889cc3dae39c0aacff5d5e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}\stubpath = "C:\\Windows\\{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe"	7117ac28a889cc3dae39c0aacff5d5e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}	{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3AC2469-86A1-4609-895C-F99987DA599F}	{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}	{F3AC2469-86A1-4609-895C-F99987DA599F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}\stubpath = "C:\\Windows\\{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe"	{F3AC2469-86A1-4609-895C-F99987DA599F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38BF693B-78D2-42c1-8311-E39EE907DF0B}	{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38BF693B-78D2-42c1-8311-E39EE907DF0B}\stubpath = "C:\\Windows\\{38BF693B-78D2-42c1-8311-E39EE907DF0B}.exe"	{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F2D605B-2425-4c66-B77D-992401C33A35}\stubpath = "C:\\Windows\\{5F2D605B-2425-4c66-B77D-992401C33A35}.exe"	{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}\stubpath = "C:\\Windows\\{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe"	{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BE3E090-7631-4246-905D-582D8D3005F0}\stubpath = "C:\\Windows\\{2BE3E090-7631-4246-905D-582D8D3005F0}.exe"	{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25A06E4A-BE1C-4338-B05C-A06498383DB2}	{2BE3E090-7631-4246-905D-582D8D3005F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25A06E4A-BE1C-4338-B05C-A06498383DB2}\stubpath = "C:\\Windows\\{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe"	{2BE3E090-7631-4246-905D-582D8D3005F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9B9AEEB-3E3A-4958-A2F9-8C522B6E02DC}	{38BF693B-78D2-42c1-8311-E39EE907DF0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4D916E4-BA6D-4ea4-8032-D0661F134832}	{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4D916E4-BA6D-4ea4-8032-D0661F134832}\stubpath = "C:\\Windows\\{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe"	{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8548DAEE-532C-4efc-A5C7-7596CD92E463}\stubpath = "C:\\Windows\\{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe"	{5F2D605B-2425-4c66-B77D-992401C33A35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BE3E090-7631-4246-905D-582D8D3005F0}	{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe

Executes dropped EXE 12 IoCs

pid	Process
1712	{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe
3056	{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe
3304	{5F2D605B-2425-4c66-B77D-992401C33A35}.exe
4152	{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe
4396	{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe
780	{2BE3E090-7631-4246-905D-582D8D3005F0}.exe
3000	{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe
1616	{F3AC2469-86A1-4609-895C-F99987DA599F}.exe
1576	{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe
1896	{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe
4420	{38BF693B-78D2-42c1-8311-E39EE907DF0B}.exe
5036	{C9B9AEEB-3E3A-4958-A2F9-8C522B6E02DC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe	{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe
File created	C:\Windows\{5F2D605B-2425-4c66-B77D-992401C33A35}.exe	{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe
File created	C:\Windows\{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe	{5F2D605B-2425-4c66-B77D-992401C33A35}.exe
File created	C:\Windows\{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe	{2BE3E090-7631-4246-905D-582D8D3005F0}.exe
File created	C:\Windows\{F3AC2469-86A1-4609-895C-F99987DA599F}.exe	{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe
File created	C:\Windows\{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe	{F3AC2469-86A1-4609-895C-F99987DA599F}.exe
File created	C:\Windows\{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe	{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe
File created	C:\Windows\{38BF693B-78D2-42c1-8311-E39EE907DF0B}.exe	{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe
File created	C:\Windows\{C9B9AEEB-3E3A-4958-A2F9-8C522B6E02DC}.exe	{38BF693B-78D2-42c1-8311-E39EE907DF0B}.exe
File created	C:\Windows\{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe	7117ac28a889cc3dae39c0aacff5d5e0_NeikiAnalytics.exe
File created	C:\Windows\{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe	{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe
File created	C:\Windows\{2BE3E090-7631-4246-905D-582D8D3005F0}.exe	{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3380	7117ac28a889cc3dae39c0aacff5d5e0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1712	{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe
Token: SeIncBasePriorityPrivilege	3056	{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe
Token: SeIncBasePriorityPrivilege	3304	{5F2D605B-2425-4c66-B77D-992401C33A35}.exe
Token: SeIncBasePriorityPrivilege	4152	{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe
Token: SeIncBasePriorityPrivilege	4396	{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe
Token: SeIncBasePriorityPrivilege	780	{2BE3E090-7631-4246-905D-582D8D3005F0}.exe
Token: SeIncBasePriorityPrivilege	3000	{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe
Token: SeIncBasePriorityPrivilege	1616	{F3AC2469-86A1-4609-895C-F99987DA599F}.exe
Token: SeIncBasePriorityPrivilege	1576	{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe
Token: SeIncBasePriorityPrivilege	1896	{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe
Token: SeIncBasePriorityPrivilege	4420	{38BF693B-78D2-42c1-8311-E39EE907DF0B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 1712	3380	7117ac28a889cc3dae39c0aacff5d5e0_NeikiAnalytics.exe	94
PID 3380 wrote to memory of 1712	3380	7117ac28a889cc3dae39c0aacff5d5e0_NeikiAnalytics.exe	94
PID 3380 wrote to memory of 1712	3380	7117ac28a889cc3dae39c0aacff5d5e0_NeikiAnalytics.exe	94
PID 3380 wrote to memory of 3476	3380	7117ac28a889cc3dae39c0aacff5d5e0_NeikiAnalytics.exe	95
PID 3380 wrote to memory of 3476	3380	7117ac28a889cc3dae39c0aacff5d5e0_NeikiAnalytics.exe	95
PID 3380 wrote to memory of 3476	3380	7117ac28a889cc3dae39c0aacff5d5e0_NeikiAnalytics.exe	95
PID 1712 wrote to memory of 3056	1712	{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe	96
PID 1712 wrote to memory of 3056	1712	{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe	96
PID 1712 wrote to memory of 3056	1712	{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe	96
PID 1712 wrote to memory of 1056	1712	{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe	97
PID 1712 wrote to memory of 1056	1712	{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe	97
PID 1712 wrote to memory of 1056	1712	{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe	97
PID 3056 wrote to memory of 3304	3056	{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe	100
PID 3056 wrote to memory of 3304	3056	{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe	100
PID 3056 wrote to memory of 3304	3056	{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe	100
PID 3056 wrote to memory of 4472	3056	{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe	101
PID 3056 wrote to memory of 4472	3056	{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe	101
PID 3056 wrote to memory of 4472	3056	{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe	101
PID 3304 wrote to memory of 4152	3304	{5F2D605B-2425-4c66-B77D-992401C33A35}.exe	102
PID 3304 wrote to memory of 4152	3304	{5F2D605B-2425-4c66-B77D-992401C33A35}.exe	102
PID 3304 wrote to memory of 4152	3304	{5F2D605B-2425-4c66-B77D-992401C33A35}.exe	102
PID 3304 wrote to memory of 1296	3304	{5F2D605B-2425-4c66-B77D-992401C33A35}.exe	103
PID 3304 wrote to memory of 1296	3304	{5F2D605B-2425-4c66-B77D-992401C33A35}.exe	103
PID 3304 wrote to memory of 1296	3304	{5F2D605B-2425-4c66-B77D-992401C33A35}.exe	103
PID 4152 wrote to memory of 4396	4152	{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe	104
PID 4152 wrote to memory of 4396	4152	{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe	104
PID 4152 wrote to memory of 4396	4152	{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe	104
PID 4152 wrote to memory of 4528	4152	{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe	105
PID 4152 wrote to memory of 4528	4152	{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe	105
PID 4152 wrote to memory of 4528	4152	{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe	105
PID 4396 wrote to memory of 780	4396	{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe	107
PID 4396 wrote to memory of 780	4396	{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe	107
PID 4396 wrote to memory of 780	4396	{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe	107
PID 4396 wrote to memory of 376	4396	{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe	108
PID 4396 wrote to memory of 376	4396	{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe	108
PID 4396 wrote to memory of 376	4396	{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe	108
PID 780 wrote to memory of 3000	780	{2BE3E090-7631-4246-905D-582D8D3005F0}.exe	109
PID 780 wrote to memory of 3000	780	{2BE3E090-7631-4246-905D-582D8D3005F0}.exe	109
PID 780 wrote to memory of 3000	780	{2BE3E090-7631-4246-905D-582D8D3005F0}.exe	109
PID 780 wrote to memory of 3184	780	{2BE3E090-7631-4246-905D-582D8D3005F0}.exe	110
PID 780 wrote to memory of 3184	780	{2BE3E090-7631-4246-905D-582D8D3005F0}.exe	110
PID 780 wrote to memory of 3184	780	{2BE3E090-7631-4246-905D-582D8D3005F0}.exe	110
PID 3000 wrote to memory of 1616	3000	{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe	113
PID 3000 wrote to memory of 1616	3000	{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe	113
PID 3000 wrote to memory of 1616	3000	{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe	113
PID 3000 wrote to memory of 4276	3000	{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe	114
PID 3000 wrote to memory of 4276	3000	{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe	114
PID 3000 wrote to memory of 4276	3000	{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe	114
PID 1616 wrote to memory of 1576	1616	{F3AC2469-86A1-4609-895C-F99987DA599F}.exe	119
PID 1616 wrote to memory of 1576	1616	{F3AC2469-86A1-4609-895C-F99987DA599F}.exe	119
PID 1616 wrote to memory of 1576	1616	{F3AC2469-86A1-4609-895C-F99987DA599F}.exe	119
PID 1616 wrote to memory of 2408	1616	{F3AC2469-86A1-4609-895C-F99987DA599F}.exe	120
PID 1616 wrote to memory of 2408	1616	{F3AC2469-86A1-4609-895C-F99987DA599F}.exe	120
PID 1616 wrote to memory of 2408	1616	{F3AC2469-86A1-4609-895C-F99987DA599F}.exe	120
PID 1576 wrote to memory of 1896	1576	{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe	121
PID 1576 wrote to memory of 1896	1576	{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe	121
PID 1576 wrote to memory of 1896	1576	{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe	121
PID 1576 wrote to memory of 3320	1576	{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe	122
PID 1576 wrote to memory of 3320	1576	{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe	122
PID 1576 wrote to memory of 3320	1576	{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe	122
PID 1896 wrote to memory of 4420	1896	{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe	125
PID 1896 wrote to memory of 4420	1896	{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe	125
PID 1896 wrote to memory of 4420	1896	{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe	125
PID 1896 wrote to memory of 3532	1896	{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe	126

C:\Users\Admin\AppData\Local\Temp\7117ac28a889cc3dae39c0aacff5d5e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7117ac28a889cc3dae39c0aacff5d5e0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe
  C:\Windows\{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe
    C:\Windows\{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\{5F2D605B-2425-4c66-B77D-992401C33A35}.exe
      C:\Windows\{5F2D605B-2425-4c66-B77D-992401C33A35}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Windows\{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe
        
        C:\Windows\{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4152
      - C:\Windows\{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe
        
        C:\Windows\{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\{2BE3E090-7631-4246-905D-582D8D3005F0}.exe
        
        C:\Windows\{2BE3E090-7631-4246-905D-582D8D3005F0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe
        
        C:\Windows\{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{F3AC2469-86A1-4609-895C-F99987DA599F}.exe
        
        C:\Windows\{F3AC2469-86A1-4609-895C-F99987DA599F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe
        
        C:\Windows\{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe
        
        C:\Windows\{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\{38BF693B-78D2-42c1-8311-E39EE907DF0B}.exe
        
        C:\Windows\{38BF693B-78D2-42c1-8311-E39EE907DF0B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\Windows\{C9B9AEEB-3E3A-4958-A2F9-8C522B6E02DC}.exe
        
        C:\Windows\{C9B9AEEB-3E3A-4958-A2F9-8C522B6E02DC}.exe
        13⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38BF6~1.EXE > nul
        13⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25157~1.EXE > nul
        12⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{534C5~1.EXE > nul
        11⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3AC2~1.EXE > nul
        10⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25A06~1.EXE > nul
        9⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE3E~1.EXE > nul
        8⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2397B~1.EXE > nul
        7⤵
        
        PID:376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8548D~1.EXE > nul
        6⤵
        
        PID:4528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F2D6~1.EXE > nul
        5⤵
        
        PID:1296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C4D91~1.EXE > nul
      4⤵
      PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3A7E3~1.EXE > nul
    3⤵
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7117AC~1.EXE > nul
  2⤵
  PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2397BBF5-CB5C-47d8-9E93-3870A3F13CB1}.exe

Filesize
64KB

MD5
66539987e4ceb3f91819445749f250f3

SHA1
aadd16df054ae17df36d6bac8fcc9b791f884bac

SHA256
12be2210b096d7d6284febffaa858109796c6ee305400e1f27719aed8ad9df85

SHA512
a6e7dc4c825e12f9740fd935e0f1197be68f87ed0ef6c6b4a04be76f006880a0fdc837ac0c04213875c4ba6f2aa521881372518e475eb7e0e3efd0c28a4ca6c3

Download Submit
C:\Windows\{25157BF4-BC83-42b2-836C-6870F862A5A8}.exe

Filesize
64KB

MD5
d7c770156084178b3a9e961376fd03ef

SHA1
3c9a9725d339b0ab8372d5b0bfed52b7c41b59b5

SHA256
ee33766062fa1ed17a5fdf547745d265f14a7751e39505437d67f7c1d86a4800

SHA512
db29eaee8889bc519822ea372b4f375bdb801d96b9c70dd59d666d57de82213305baada4d66a0caf8e35f11608e2b6750eb537e9bf1ff5221eb491f3bfd7b0a8

Download Submit
C:\Windows\{25A06E4A-BE1C-4338-B05C-A06498383DB2}.exe

Filesize
64KB

MD5
71fa7e29f4fa3c9a6da913f5cf19cc17

SHA1
aaf0032f9baec825cd3e0d827b760fb1620d3fad

SHA256
adb8f5482b5f134f844d0804d3647c1551f717343cd152308dd3eb5818771322

SHA512
45700f8a4ca2505941726f2fe7c60c3170d49d0c44271359bec3989a9289625a343b1c2e83837d095a989fb5b04212980273f84252a3e3dea8d100783116e00f

Download Submit
C:\Windows\{2BE3E090-7631-4246-905D-582D8D3005F0}.exe

Filesize
64KB

MD5
caef3d1866f15fc6d66e99163024ecb4

SHA1
9372d65ccc8d29dc461e18403695823a036dee5f

SHA256
1aae57f24d38bf2b6d8f79ae761f5470704dd2fb028216a55b58f2cb515af151

SHA512
10df5e9993513407a1256cdb76503d8fe5a9dc2c33a95f923cbdedb98e7363d79238c462bb2de06e216d2a63ff047a8d46cbcc8606c70897289f28bd1cbe733b

Download Submit
C:\Windows\{38BF693B-78D2-42c1-8311-E39EE907DF0B}.exe

Filesize
64KB

MD5
67239ab9e02f15bc3ffd2e68134502e0

SHA1
30ac2b706e57a0b963521ffa406a0341e76b5b7d

SHA256
4aa13742b5e80fa3c992787044e7b5d22626d6de43ecf938e365c6c03f9b4e4a

SHA512
fd5c01e6cccdd0f0e68e879632ad919a99cf299bc0fc8aa4d8ce9375bbc35ea4bd167d2bc1bc8285e6b04826ce78aebc4c706dda9daeed8352d73d448e983692

Download Submit
C:\Windows\{3A7E3518-4858-4fb1-B5EA-1A58008B12FD}.exe

Filesize
64KB

MD5
ccb26e530a9c45068f7338ffd92c8788

SHA1
c588737eeae972af23e3df29756ba1dbc825d0d6

SHA256
91e0ac5ccafe8932d4f1129c9acf79bfe16e62eb46cd411e82e99628776168c9

SHA512
aa43958ab253f419b975abf04038f2e54747f7c305b16839cd5d3f36c79052108caae27b4cefaa02255dd2eb5980d96e0519b9ede04b55490aff40af603ae0af

Download Submit
C:\Windows\{534C511E-B1A1-42b3-9BDE-EDC1EC4643B2}.exe

Filesize
64KB

MD5
2965344f27b32011fac1594307cf30da

SHA1
aee1a05feca5e073bb675138d3aa0ecc7800c174

SHA256
dcdc67907307c435488bb33a261bcd7c77472195c83db4aeac913f71f6c9e051

SHA512
e57fb23e52181fd7c4f7293bcfb4c259273b9bb4014d7d5b353945f879306d68fccfd8923de6c1ff118ad4e4a3adf74a2853d5c32c35e5f0542044732a676899

Download Submit
C:\Windows\{5F2D605B-2425-4c66-B77D-992401C33A35}.exe

Filesize
64KB

MD5
d9deda5425767071701e938a58aeaeaa

SHA1
ab1a15bc74614c0b5a0a0422669948eb661cf99c

SHA256
1137dacb22dfa1d2bbaa8e7d7cffb93d0ffd64bb78154f90ee11ffdc25912d25

SHA512
6ee8fbc3fe1b5c46fb1a89c04dfee0813bb83c26d116ec4a969c4a2900a3d3fbec31bc8e3d667aee171da9ee4304f0f5b40a0e59d1e4eb923a28b445185375cc

Download Submit
C:\Windows\{8548DAEE-532C-4efc-A5C7-7596CD92E463}.exe

Filesize
64KB

MD5
e4f7e96f483532b2d79618b19ac2b4b5

SHA1
ac460f9b164e5a0661ba5a272f8d466bbd465d34

SHA256
1b218de5674828e77fc1d503070169973c885df4e71c84eb2290bdea8b333557

SHA512
e889b240caeea907448a8f31d2e534fec44a32aa251d71e4e8e68ff617747c8cec469aa96d594b366a1e97c8a1a574d4bc002051a4a106a08b847346a69244eb

Download Submit
C:\Windows\{C4D916E4-BA6D-4ea4-8032-D0661F134832}.exe

Filesize
64KB

MD5
d32632700983c52b48a6e741bf57cf9b

SHA1
bd7014744cfa878bc963d1eadd724676d9582b0a

SHA256
15418895431e7fdfef99721d3231da349ae39ef0d3e3debe6e0c8ffa0dfbb558

SHA512
9e565c9900b30e9588cde21568bfa1c3d14df91b1edbcea2deaaf71ad19cb839a2edaa56c65bbbaeb249c5b0eccf69c4f04cade780e0052ba2ee60fda9131a5c

Download Submit
C:\Windows\{C9B9AEEB-3E3A-4958-A2F9-8C522B6E02DC}.exe

Filesize
64KB

MD5
c90962219b0a0da95ea27f51b15fe6be

SHA1
7ee39eb6b446204c19514a99438ad93750c0657d

SHA256
18d8bd00ee84ff85a459fc50e2a0974e0f17c57039f026502da9c064d576ac16

SHA512
299cf9ceafb5573ff03056f099ac43a3fec4e0d925050e461abfb0e89b389eb84b524aa2d40d5f4bf6a000dc20c6c7b06403d213395caa3c464dfa1bd5f1abe3

Download Submit
C:\Windows\{F3AC2469-86A1-4609-895C-F99987DA599F}.exe

Filesize
64KB

MD5
ab445184ae50430c2cd9603f02dbc8d5

SHA1
230d57697ffb504e514ae71a0d64c71bff4b29ae

SHA256
6660d57bd607b355a9f7b10c95fb4695cc79168bfce6fd2ae671002c55e7ab3e

SHA512
43f704f0708c6436086cfa1c01489c268dcaefb1c8a64a16af9eb15af66b003aa8887847fa6ddb90cd5b96d36a8bea177e5814a3289dfeac228110a9290ba77c

Download Submit
memory/780-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/780-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1576-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1576-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1616-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1616-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1712-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1712-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1896-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1896-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3000-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3000-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3056-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3056-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3304-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3304-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3380-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3380-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4152-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4152-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4396-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4396-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4420-66-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4420-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5036-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads