83c8ed621fdb4634a042aab4002b18c6bf7ddbe57fb07edf923a2e3a5b7c2f1a

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe
Size

64KB
MD5

b47adbbba7eda6e9b8eb04c12f6d86c0
SHA1

34792f7e9b9db434a75c60d1e1d8e46bac0bb5fd
SHA256

83c8ed621fdb4634a042aab4002b18c6bf7ddbe57fb07edf923a2e3a5b7c2f1a
SHA512

fc3c0bcdfbca2837fec634264aa56789915adfa570a86e7db711c1db59ad3095a3b939fd2041190fbd0454170cccef43a33332cdbfcde79b1b85e7f656e2bcfb
SSDEEP

768:Ovw9816vIKQLroC34/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdS:6EGq0oC3lwWMZQcpmgDagIyS1loL7WrS

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E628972-F092-4d18-9E48-2DD5E874DB0F}\stubpath = "C:\\Windows\\{2E628972-F092-4d18-9E48-2DD5E874DB0F}.exe"	{09885EA8-6E1C-4644-B07D-3AB7DF599047}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E3C946E-1B8F-4c07-9737-1C214AEB977D}	{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F294006B-99F6-45f3-A302-85632AABE852}\stubpath = "C:\\Windows\\{F294006B-99F6-45f3-A302-85632AABE852}.exe"	{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5D3187D-DFB0-47ce-8782-650FABB3C958}	{F294006B-99F6-45f3-A302-85632AABE852}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{720DABA9-77F5-4d0e-8E3D-2D8BF1D26161}\stubpath = "C:\\Windows\\{720DABA9-77F5-4d0e-8E3D-2D8BF1D26161}.exe"	{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09885EA8-6E1C-4644-B07D-3AB7DF599047}\stubpath = "C:\\Windows\\{09885EA8-6E1C-4644-B07D-3AB7DF599047}.exe"	{D5E742E8-570B-4167-A292-6DAB79CDF7CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D58DE5B4-A2F0-4504-A000-A23937953FBC}	b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D58DE5B4-A2F0-4504-A000-A23937953FBC}\stubpath = "C:\\Windows\\{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe"	b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{115909A8-BDA4-45ed-8D36-D21B064795BE}	{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{720DABA9-77F5-4d0e-8E3D-2D8BF1D26161}	{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5E742E8-570B-4167-A292-6DAB79CDF7CB}\stubpath = "C:\\Windows\\{D5E742E8-570B-4167-A292-6DAB79CDF7CB}.exe"	{720DABA9-77F5-4d0e-8E3D-2D8BF1D26161}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5E742E8-570B-4167-A292-6DAB79CDF7CB}	{720DABA9-77F5-4d0e-8E3D-2D8BF1D26161}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09885EA8-6E1C-4644-B07D-3AB7DF599047}	{D5E742E8-570B-4167-A292-6DAB79CDF7CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E3C946E-1B8F-4c07-9737-1C214AEB977D}\stubpath = "C:\\Windows\\{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe"	{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F294006B-99F6-45f3-A302-85632AABE852}	{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5D3187D-DFB0-47ce-8782-650FABB3C958}\stubpath = "C:\\Windows\\{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe"	{F294006B-99F6-45f3-A302-85632AABE852}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50A9D935-38A7-43b3-9369-615D25193834}\stubpath = "C:\\Windows\\{50A9D935-38A7-43b3-9369-615D25193834}.exe"	{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82991E33-4DF4-42f9-BEC0-45725EBDE794}\stubpath = "C:\\Windows\\{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe"	{50A9D935-38A7-43b3-9369-615D25193834}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50A9D935-38A7-43b3-9369-615D25193834}	{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82991E33-4DF4-42f9-BEC0-45725EBDE794}	{50A9D935-38A7-43b3-9369-615D25193834}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{115909A8-BDA4-45ed-8D36-D21B064795BE}\stubpath = "C:\\Windows\\{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe"	{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E628972-F092-4d18-9E48-2DD5E874DB0F}	{09885EA8-6E1C-4644-B07D-3AB7DF599047}.exe

Executes dropped EXE 11 IoCs

pid	Process
2996	{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe
2664	{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe
2840	{F294006B-99F6-45f3-A302-85632AABE852}.exe
2064	{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe
1332	{50A9D935-38A7-43b3-9369-615D25193834}.exe
2828	{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe
1788	{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe
1604	{720DABA9-77F5-4d0e-8E3D-2D8BF1D26161}.exe
324	{D5E742E8-570B-4167-A292-6DAB79CDF7CB}.exe
1476	{09885EA8-6E1C-4644-B07D-3AB7DF599047}.exe
2140	{2E628972-F092-4d18-9E48-2DD5E874DB0F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{50A9D935-38A7-43b3-9369-615D25193834}.exe	{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe
File created	C:\Windows\{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe	{50A9D935-38A7-43b3-9369-615D25193834}.exe
File created	C:\Windows\{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe	{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe
File created	C:\Windows\{720DABA9-77F5-4d0e-8E3D-2D8BF1D26161}.exe	{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe
File created	C:\Windows\{D5E742E8-570B-4167-A292-6DAB79CDF7CB}.exe	{720DABA9-77F5-4d0e-8E3D-2D8BF1D26161}.exe
File created	C:\Windows\{2E628972-F092-4d18-9E48-2DD5E874DB0F}.exe	{09885EA8-6E1C-4644-B07D-3AB7DF599047}.exe
File created	C:\Windows\{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe	b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe
File created	C:\Windows\{F294006B-99F6-45f3-A302-85632AABE852}.exe	{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe
File created	C:\Windows\{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe	{F294006B-99F6-45f3-A302-85632AABE852}.exe
File created	C:\Windows\{09885EA8-6E1C-4644-B07D-3AB7DF599047}.exe	{D5E742E8-570B-4167-A292-6DAB79CDF7CB}.exe
File created	C:\Windows\{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe	{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2968	b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2996	{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe
Token: SeIncBasePriorityPrivilege	2664	{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe
Token: SeIncBasePriorityPrivilege	2840	{F294006B-99F6-45f3-A302-85632AABE852}.exe
Token: SeIncBasePriorityPrivilege	2064	{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe
Token: SeIncBasePriorityPrivilege	1332	{50A9D935-38A7-43b3-9369-615D25193834}.exe
Token: SeIncBasePriorityPrivilege	2828	{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe
Token: SeIncBasePriorityPrivilege	1788	{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe
Token: SeIncBasePriorityPrivilege	1604	{720DABA9-77F5-4d0e-8E3D-2D8BF1D26161}.exe
Token: SeIncBasePriorityPrivilege	324	{D5E742E8-570B-4167-A292-6DAB79CDF7CB}.exe
Token: SeIncBasePriorityPrivilege	1476	{09885EA8-6E1C-4644-B07D-3AB7DF599047}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2996	2968	b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe	28
PID 2968 wrote to memory of 2996	2968	b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe	28
PID 2968 wrote to memory of 2996	2968	b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe	28
PID 2968 wrote to memory of 2996	2968	b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe	28
PID 2968 wrote to memory of 2028	2968	b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe	29
PID 2968 wrote to memory of 2028	2968	b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe	29
PID 2968 wrote to memory of 2028	2968	b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe	29
PID 2968 wrote to memory of 2028	2968	b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe	29
PID 2996 wrote to memory of 2664	2996	{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe	30
PID 2996 wrote to memory of 2664	2996	{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe	30
PID 2996 wrote to memory of 2664	2996	{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe	30
PID 2996 wrote to memory of 2664	2996	{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe	30
PID 2996 wrote to memory of 2476	2996	{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe	31
PID 2996 wrote to memory of 2476	2996	{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe	31
PID 2996 wrote to memory of 2476	2996	{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe	31
PID 2996 wrote to memory of 2476	2996	{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe	31
PID 2664 wrote to memory of 2840	2664	{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe	32
PID 2664 wrote to memory of 2840	2664	{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe	32
PID 2664 wrote to memory of 2840	2664	{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe	32
PID 2664 wrote to memory of 2840	2664	{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe	32
PID 2664 wrote to memory of 2780	2664	{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe	33
PID 2664 wrote to memory of 2780	2664	{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe	33
PID 2664 wrote to memory of 2780	2664	{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe	33
PID 2664 wrote to memory of 2780	2664	{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe	33
PID 2840 wrote to memory of 2064	2840	{F294006B-99F6-45f3-A302-85632AABE852}.exe	36
PID 2840 wrote to memory of 2064	2840	{F294006B-99F6-45f3-A302-85632AABE852}.exe	36
PID 2840 wrote to memory of 2064	2840	{F294006B-99F6-45f3-A302-85632AABE852}.exe	36
PID 2840 wrote to memory of 2064	2840	{F294006B-99F6-45f3-A302-85632AABE852}.exe	36
PID 2840 wrote to memory of 2528	2840	{F294006B-99F6-45f3-A302-85632AABE852}.exe	37
PID 2840 wrote to memory of 2528	2840	{F294006B-99F6-45f3-A302-85632AABE852}.exe	37
PID 2840 wrote to memory of 2528	2840	{F294006B-99F6-45f3-A302-85632AABE852}.exe	37
PID 2840 wrote to memory of 2528	2840	{F294006B-99F6-45f3-A302-85632AABE852}.exe	37
PID 2064 wrote to memory of 1332	2064	{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe	38
PID 2064 wrote to memory of 1332	2064	{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe	38
PID 2064 wrote to memory of 1332	2064	{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe	38
PID 2064 wrote to memory of 1332	2064	{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe	38
PID 2064 wrote to memory of 2340	2064	{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe	39
PID 2064 wrote to memory of 2340	2064	{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe	39
PID 2064 wrote to memory of 2340	2064	{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe	39
PID 2064 wrote to memory of 2340	2064	{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe	39
PID 1332 wrote to memory of 2828	1332	{50A9D935-38A7-43b3-9369-615D25193834}.exe	40
PID 1332 wrote to memory of 2828	1332	{50A9D935-38A7-43b3-9369-615D25193834}.exe	40
PID 1332 wrote to memory of 2828	1332	{50A9D935-38A7-43b3-9369-615D25193834}.exe	40
PID 1332 wrote to memory of 2828	1332	{50A9D935-38A7-43b3-9369-615D25193834}.exe	40
PID 1332 wrote to memory of 2864	1332	{50A9D935-38A7-43b3-9369-615D25193834}.exe	41
PID 1332 wrote to memory of 2864	1332	{50A9D935-38A7-43b3-9369-615D25193834}.exe	41
PID 1332 wrote to memory of 2864	1332	{50A9D935-38A7-43b3-9369-615D25193834}.exe	41
PID 1332 wrote to memory of 2864	1332	{50A9D935-38A7-43b3-9369-615D25193834}.exe	41
PID 2828 wrote to memory of 1788	2828	{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe	42
PID 2828 wrote to memory of 1788	2828	{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe	42
PID 2828 wrote to memory of 1788	2828	{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe	42
PID 2828 wrote to memory of 1788	2828	{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe	42
PID 2828 wrote to memory of 828	2828	{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe	43
PID 2828 wrote to memory of 828	2828	{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe	43
PID 2828 wrote to memory of 828	2828	{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe	43
PID 2828 wrote to memory of 828	2828	{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe	43
PID 1788 wrote to memory of 1604	1788	{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe	44
PID 1788 wrote to memory of 1604	1788	{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe	44
PID 1788 wrote to memory of 1604	1788	{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe	44
PID 1788 wrote to memory of 1604	1788	{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe	44
PID 1788 wrote to memory of 1644	1788	{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe	45
PID 1788 wrote to memory of 1644	1788	{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe	45
PID 1788 wrote to memory of 1644	1788	{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe	45
PID 1788 wrote to memory of 1644	1788	{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe	45

C:\Users\Admin\AppData\Local\Temp\b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe
  C:\Windows\{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe
    C:\Windows\{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\{F294006B-99F6-45f3-A302-85632AABE852}.exe
      C:\Windows\{F294006B-99F6-45f3-A302-85632AABE852}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe
        
        C:\Windows\{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Windows\{50A9D935-38A7-43b3-9369-615D25193834}.exe
        
        C:\Windows\{50A9D935-38A7-43b3-9369-615D25193834}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe
        
        C:\Windows\{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe
        
        C:\Windows\{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\{720DABA9-77F5-4d0e-8E3D-2D8BF1D26161}.exe
        
        C:\Windows\{720DABA9-77F5-4d0e-8E3D-2D8BF1D26161}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\{D5E742E8-570B-4167-A292-6DAB79CDF7CB}.exe
        
        C:\Windows\{D5E742E8-570B-4167-A292-6DAB79CDF7CB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\{09885EA8-6E1C-4644-B07D-3AB7DF599047}.exe
        
        C:\Windows\{09885EA8-6E1C-4644-B07D-3AB7DF599047}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\{2E628972-F092-4d18-9E48-2DD5E874DB0F}.exe
        
        C:\Windows\{2E628972-F092-4d18-9E48-2DD5E874DB0F}.exe
        12⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09885~1.EXE > nul
        12⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5E74~1.EXE > nul
        11⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{720DA~1.EXE > nul
        10⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11590~1.EXE > nul
        9⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82991~1.EXE > nul
        8⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50A9D~1.EXE > nul
        7⤵
        
        PID:2864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5D31~1.EXE > nul
        6⤵
        
        PID:2340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2940~1.EXE > nul
        5⤵
        
        PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4E3C9~1.EXE > nul
      4⤵
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D58DE~1.EXE > nul
    3⤵
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B47ADB~1.EXE > nul
  2⤵
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09885EA8-6E1C-4644-B07D-3AB7DF599047}.exe

Filesize
64KB

MD5
f913133e8914add4f1216b54dfa5090f

SHA1
43baa3e5553cbae81c35b44a71eff777a8aa9deb

SHA256
27383cbeef003c81e5c62a641e98f62b7bc5022d719d192223d5c60aed918883

SHA512
431f8763d8cfb42021206c42dca8463be2faac86eeed74b1e8bc350cf77e67e93a1ef0b181cfe375e4d87711082da5587d43c20cea4b4dc6ec3d851515ef23a4

Download Submit
C:\Windows\{115909A8-BDA4-45ed-8D36-D21B064795BE}.exe

Filesize
64KB

MD5
0c9355044c35485a469a40421f1a3986

SHA1
10e952f3e302044751295107bbd0e278d3d48896

SHA256
291e6fc66d9c7dce2498cdf5a057aa373418e5fd7e40b376e85e9916e3cc17fa

SHA512
54689367dd85499be4f129e65ca1035e4e6f6f535a68d73d74174717bae728995d2baa727d7054d87efdc4a85ce0a2a5c6b54bc397227efd643403da5473b5d7

Download Submit
C:\Windows\{2E628972-F092-4d18-9E48-2DD5E874DB0F}.exe

Filesize
64KB

MD5
e2c7f85acede9dc3d4a3c522aa70d152

SHA1
60224c9009e004ae713cde0df4e4192bd946c929

SHA256
65c0f4a59a908cb99c718fbaaf8491b2e964452847dc3819f001f12225abe663

SHA512
5e9316382db74f85a1866cddfae1f3ed74bce42911c7f779673135ccd3e631ece57905307b6a6eb60a59cc7449805401cecc2b4028fe498e87365ef872c92e56

Download Submit
C:\Windows\{4E3C946E-1B8F-4c07-9737-1C214AEB977D}.exe

Filesize
64KB

MD5
f37f04732a7a749cb1bee4605c64572f

SHA1
3be221a1565b5cc54cf2acd8572edbb5b8a33f9d

SHA256
95cc77d7d1436c48703f482a03a0e30ea026c56ae23bded43e6b4d6b5a034ec7

SHA512
4a1e89fa42db473bbbb29dd208e5f0fa0c014fed83ca6788f5d2983b127e8b17ac6879abe1cdfcfb0ef0e7b1d0d226d1c70e9fd02d376c3771eae0829bfd7a22

Download Submit
C:\Windows\{50A9D935-38A7-43b3-9369-615D25193834}.exe

Filesize
64KB

MD5
33465306b9041a4facf2cb2cdf7b705a

SHA1
262f3c9bbb97eef8faaf0c04c24561c9cb598580

SHA256
975c9b14fac830c00c9f9638a30b0cea55923981412aa8528f857525a8a42b76

SHA512
424644db7b73802c99cdcfdf47afe9b1411300a634c9cd48d1c613a850568a8f26c2d680069e686f8a61f139b00584ce55bed856b2986d71263358b07cbedf06

Download Submit
C:\Windows\{720DABA9-77F5-4d0e-8E3D-2D8BF1D26161}.exe

Filesize
64KB

MD5
5090c364eff28e7f4d51e366e7bb51e4

SHA1
dc0bd9af6c86d38fb6c900f70d1beb2183bcca83

SHA256
7837eaa4ef4c95ae4977d7ea6f9cc2bfb782094fdf7e5996858164dbc9b4fc59

SHA512
b88a17bf12e024c1c6623ca9b9514e34ed57e4b1896783d93cfaa56567f249bb00e690577813a7704e56c48226f7363ad60ee4aeac14fb8893c84fa344dc5779

Download Submit
C:\Windows\{82991E33-4DF4-42f9-BEC0-45725EBDE794}.exe

Filesize
64KB

MD5
36e06f49f2d9c7e77f1b030a26ace695

SHA1
e63ecdf85e21c52aa870198eb3dc44e9b0cf92b7

SHA256
aed5afa7aed88e4ded09d6e12be81614b29b30ead9d009c14c69b79173f9867e

SHA512
cb669a3b22a29127b6b4ca285f039249937d6fc67162fb443ebe54df1c96b0caed801660c4dcf58d5444413848289550fd40234d8da350057b193d277332ccd3

Download Submit
C:\Windows\{D58DE5B4-A2F0-4504-A000-A23937953FBC}.exe

Filesize
64KB

MD5
115438eeca2de04095cfe000b5599502

SHA1
a5abed097666a6dac2e45f8e58a6273b32598983

SHA256
676fe435b077a42b1f7df9742c62542e3abee1a2a80c9171b54c45cee98bf80a

SHA512
67a56d53a116b859bd22ab9ae34e29d64107df8e5b4f2aacc051ad739cedef605becb410756d966f23c6faff3016c1187f38df4b40d266079d3007d508ef168c

Download Submit
C:\Windows\{D5E742E8-570B-4167-A292-6DAB79CDF7CB}.exe

Filesize
64KB

MD5
060ac8c5248b2bdaaabd0ff8b77fd8fc

SHA1
944c4dcd703a526d7024a8784cae0e076f79d76d

SHA256
ddfc7a41cc3b081009dc1b59cb7a1ad9e6255ea44ce873c5d07b8dd20bc3a239

SHA512
a8aa6b5d9470763f26a35c5de3883ee6ff8ca35fbb85297312679129192491df0e03a5de16d0661605a2bce1a1865c4605b0ce29e63843f8a3a75cdb6e6a7f75

Download Submit
C:\Windows\{E5D3187D-DFB0-47ce-8782-650FABB3C958}.exe

Filesize
64KB

MD5
675cbac05406815b1513a282b8552db9

SHA1
7b1ac627708dc0de0389b7af4be654d06c0e3e87

SHA256
b8f2aead144e3af539e11f26ed45304263d04bcd3364ba9f9684d82240d475bd

SHA512
56e8fe6056523eb383fcca8d16c74463c5d7fdcb091487199d89e4bdf28dc357d8fe0f30b1fa9dfe5860e48427252e513a77cd62ff2ccc5d85344d32c1979547

Download Submit
C:\Windows\{F294006B-99F6-45f3-A302-85632AABE852}.exe

Filesize
64KB

MD5
f0a4999e7e3e28025282a6f91a93c39c

SHA1
8d3a0720e1e1dfbbf3b302e9b14d191f4828dd93

SHA256
cb1860a3cff8f734a9b04c0f1548f0dbf33456a5fe4f7fb9947fd8749005f287

SHA512
99360ba935c2ef3f16ab4682e988c6232300f6e7364e29c9a4469be198146fce960ee2912f44e733de5d5e4f4e7aea2e26facc5e2f4dbb435121f549f2326a21

Download Submit
memory/324-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/324-88-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1332-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1476-89-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1476-96-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1604-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1604-79-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1788-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2064-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2064-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2664-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2664-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2828-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2828-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2840-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2840-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2968-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2968-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2968-7-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2968-8-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2996-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2996-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads