69a54cbf289a6ae5b968fbe10a487419fc09543edf80afe95f05a601f18c897d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe
Size

98KB
MD5

0b95975f27f2ea9ac103f806a2815920
SHA1

9360c00f54c052b5fa5f773f1a6c5bead9f6e1cf
SHA256

69a54cbf289a6ae5b968fbe10a487419fc09543edf80afe95f05a601f18c897d
SHA512

75b102e121b99d1469c70d5012d662006a45d3564c7d8f710d01669292d86960c6d5f16a91f892916ddef242bdf77ad5e857bc025494284a2c9fda3714df7780
SSDEEP

768:5vw9816thKQLroz4/wQkNrfrunMxVFA3b7glws:lEG/0ozlbunMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}	{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{293531C2-E64C-4542-8600-67B21E2180D4}	{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}	{293531C2-E64C-4542-8600-67B21E2180D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}\stubpath = "C:\\Windows\\{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe"	{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9660616-62AF-4296-AE47-039BD0F23B28}\stubpath = "C:\\Windows\\{B9660616-62AF-4296-AE47-039BD0F23B28}.exe"	{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E43ED021-81F9-42be-80A8-CEB22AB677B0}\stubpath = "C:\\Windows\\{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe"	{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A54020D-B06E-409d-AF59-3ED44E8363D7}	{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C0EF3AE-92D2-43b6-A67D-E23ECB59CAB4}\stubpath = "C:\\Windows\\{9C0EF3AE-92D2-43b6-A67D-E23ECB59CAB4}.exe"	{B9660616-62AF-4296-AE47-039BD0F23B28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D20ED15-350D-41de-9CEB-11820E3C1102}	{9C0EF3AE-92D2-43b6-A67D-E23ECB59CAB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}\stubpath = "C:\\Windows\\{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe"	{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}\stubpath = "C:\\Windows\\{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe"	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{810E7926-2F51-44e7-92D5-AE1822B08A44}\stubpath = "C:\\Windows\\{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe"	{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}	{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}\stubpath = "C:\\Windows\\{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe"	{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{293531C2-E64C-4542-8600-67B21E2180D4}\stubpath = "C:\\Windows\\{293531C2-E64C-4542-8600-67B21E2180D4}.exe"	{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9660616-62AF-4296-AE47-039BD0F23B28}	{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D20ED15-350D-41de-9CEB-11820E3C1102}\stubpath = "C:\\Windows\\{8D20ED15-350D-41de-9CEB-11820E3C1102}.exe"	{9C0EF3AE-92D2-43b6-A67D-E23ECB59CAB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E43ED021-81F9-42be-80A8-CEB22AB677B0}	{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A54020D-B06E-409d-AF59-3ED44E8363D7}\stubpath = "C:\\Windows\\{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe"	{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}\stubpath = "C:\\Windows\\{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe"	{293531C2-E64C-4542-8600-67B21E2180D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}	{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C0EF3AE-92D2-43b6-A67D-E23ECB59CAB4}	{B9660616-62AF-4296-AE47-039BD0F23B28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{810E7926-2F51-44e7-92D5-AE1822B08A44}	{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe

Executes dropped EXE 12 IoCs

pid	Process
4964	{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe
4028	{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe
4216	{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe
5056	{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe
3940	{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe
2468	{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe
1404	{293531C2-E64C-4542-8600-67B21E2180D4}.exe
3720	{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe
2656	{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe
1072	{B9660616-62AF-4296-AE47-039BD0F23B28}.exe
1284	{9C0EF3AE-92D2-43b6-A67D-E23ECB59CAB4}.exe
2036	{8D20ED15-350D-41de-9CEB-11820E3C1102}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe	{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe
File created	C:\Windows\{293531C2-E64C-4542-8600-67B21E2180D4}.exe	{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe
File created	C:\Windows\{8D20ED15-350D-41de-9CEB-11820E3C1102}.exe	{9C0EF3AE-92D2-43b6-A67D-E23ECB59CAB4}.exe
File created	C:\Windows\{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe	{293531C2-E64C-4542-8600-67B21E2180D4}.exe
File created	C:\Windows\{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe	{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe
File created	C:\Windows\{B9660616-62AF-4296-AE47-039BD0F23B28}.exe	{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe
File created	C:\Windows\{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe
File created	C:\Windows\{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe	{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe
File created	C:\Windows\{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe	{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe
File created	C:\Windows\{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe	{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe
File created	C:\Windows\{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe	{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe
File created	C:\Windows\{9C0EF3AE-92D2-43b6-A67D-E23ECB59CAB4}.exe	{B9660616-62AF-4296-AE47-039BD0F23B28}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3460	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4964	{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe
Token: SeIncBasePriorityPrivilege	4028	{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe
Token: SeIncBasePriorityPrivilege	4216	{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe
Token: SeIncBasePriorityPrivilege	5056	{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe
Token: SeIncBasePriorityPrivilege	3940	{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe
Token: SeIncBasePriorityPrivilege	2468	{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe
Token: SeIncBasePriorityPrivilege	1404	{293531C2-E64C-4542-8600-67B21E2180D4}.exe
Token: SeIncBasePriorityPrivilege	3720	{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe
Token: SeIncBasePriorityPrivilege	2656	{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe
Token: SeIncBasePriorityPrivilege	1072	{B9660616-62AF-4296-AE47-039BD0F23B28}.exe
Token: SeIncBasePriorityPrivilege	1284	{9C0EF3AE-92D2-43b6-A67D-E23ECB59CAB4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 4964	3460	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	94
PID 3460 wrote to memory of 4964	3460	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	94
PID 3460 wrote to memory of 4964	3460	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	94
PID 3460 wrote to memory of 2996	3460	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	95
PID 3460 wrote to memory of 2996	3460	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	95
PID 3460 wrote to memory of 2996	3460	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	95
PID 4964 wrote to memory of 4028	4964	{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe	96
PID 4964 wrote to memory of 4028	4964	{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe	96
PID 4964 wrote to memory of 4028	4964	{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe	96
PID 4964 wrote to memory of 4932	4964	{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe	97
PID 4964 wrote to memory of 4932	4964	{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe	97
PID 4964 wrote to memory of 4932	4964	{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe	97
PID 4028 wrote to memory of 4216	4028	{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe	100
PID 4028 wrote to memory of 4216	4028	{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe	100
PID 4028 wrote to memory of 4216	4028	{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe	100
PID 4028 wrote to memory of 4496	4028	{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe	101
PID 4028 wrote to memory of 4496	4028	{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe	101
PID 4028 wrote to memory of 4496	4028	{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe	101
PID 4216 wrote to memory of 5056	4216	{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe	102
PID 4216 wrote to memory of 5056	4216	{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe	102
PID 4216 wrote to memory of 5056	4216	{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe	102
PID 4216 wrote to memory of 2644	4216	{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe	103
PID 4216 wrote to memory of 2644	4216	{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe	103
PID 4216 wrote to memory of 2644	4216	{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe	103
PID 5056 wrote to memory of 3940	5056	{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe	105
PID 5056 wrote to memory of 3940	5056	{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe	105
PID 5056 wrote to memory of 3940	5056	{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe	105
PID 5056 wrote to memory of 3236	5056	{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe	106
PID 5056 wrote to memory of 3236	5056	{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe	106
PID 5056 wrote to memory of 3236	5056	{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe	106
PID 3940 wrote to memory of 2468	3940	{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe	107
PID 3940 wrote to memory of 2468	3940	{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe	107
PID 3940 wrote to memory of 2468	3940	{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe	107
PID 3940 wrote to memory of 2592	3940	{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe	108
PID 3940 wrote to memory of 2592	3940	{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe	108
PID 3940 wrote to memory of 2592	3940	{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe	108
PID 2468 wrote to memory of 1404	2468	{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe	109
PID 2468 wrote to memory of 1404	2468	{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe	109
PID 2468 wrote to memory of 1404	2468	{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe	109
PID 2468 wrote to memory of 3472	2468	{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe	110
PID 2468 wrote to memory of 3472	2468	{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe	110
PID 2468 wrote to memory of 3472	2468	{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe	110
PID 1404 wrote to memory of 3720	1404	{293531C2-E64C-4542-8600-67B21E2180D4}.exe	116
PID 1404 wrote to memory of 3720	1404	{293531C2-E64C-4542-8600-67B21E2180D4}.exe	116
PID 1404 wrote to memory of 3720	1404	{293531C2-E64C-4542-8600-67B21E2180D4}.exe	116
PID 1404 wrote to memory of 1468	1404	{293531C2-E64C-4542-8600-67B21E2180D4}.exe	117
PID 1404 wrote to memory of 1468	1404	{293531C2-E64C-4542-8600-67B21E2180D4}.exe	117
PID 1404 wrote to memory of 1468	1404	{293531C2-E64C-4542-8600-67B21E2180D4}.exe	117
PID 3720 wrote to memory of 2656	3720	{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe	118
PID 3720 wrote to memory of 2656	3720	{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe	118
PID 3720 wrote to memory of 2656	3720	{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe	118
PID 3720 wrote to memory of 4180	3720	{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe	119
PID 3720 wrote to memory of 4180	3720	{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe	119
PID 3720 wrote to memory of 4180	3720	{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe	119
PID 2656 wrote to memory of 1072	2656	{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe	120
PID 2656 wrote to memory of 1072	2656	{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe	120
PID 2656 wrote to memory of 1072	2656	{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe	120
PID 2656 wrote to memory of 3224	2656	{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe	121
PID 2656 wrote to memory of 3224	2656	{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe	121
PID 2656 wrote to memory of 3224	2656	{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe	121
PID 1072 wrote to memory of 1284	1072	{B9660616-62AF-4296-AE47-039BD0F23B28}.exe	125
PID 1072 wrote to memory of 1284	1072	{B9660616-62AF-4296-AE47-039BD0F23B28}.exe	125
PID 1072 wrote to memory of 1284	1072	{B9660616-62AF-4296-AE47-039BD0F23B28}.exe	125
PID 1072 wrote to memory of 4460	1072	{B9660616-62AF-4296-AE47-039BD0F23B28}.exe	126

C:\Users\Admin\AppData\Local\Temp\0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe
  C:\Windows\{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe
    C:\Windows\{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe
      C:\Windows\{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4216
    - - C:\Windows\{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe
        
        C:\Windows\{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
      - C:\Windows\{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe
        
        C:\Windows\{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe
        
        C:\Windows\{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{293531C2-E64C-4542-8600-67B21E2180D4}.exe
        
        C:\Windows\{293531C2-E64C-4542-8600-67B21E2180D4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe
        
        C:\Windows\{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe
        
        C:\Windows\{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\{B9660616-62AF-4296-AE47-039BD0F23B28}.exe
        
        C:\Windows\{B9660616-62AF-4296-AE47-039BD0F23B28}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\{9C0EF3AE-92D2-43b6-A67D-E23ECB59CAB4}.exe
        
        C:\Windows\{9C0EF3AE-92D2-43b6-A67D-E23ECB59CAB4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\{8D20ED15-350D-41de-9CEB-11820E3C1102}.exe
        
        C:\Windows\{8D20ED15-350D-41de-9CEB-11820E3C1102}.exe
        13⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C0EF~1.EXE > nul
        13⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9660~1.EXE > nul
        12⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D93F~1.EXE > nul
        11⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F4E0~1.EXE > nul
        10⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29353~1.EXE > nul
        9⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8BFB~1.EXE > nul
        8⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A540~1.EXE > nul
        7⤵
        
        PID:2592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E43ED~1.EXE > nul
        6⤵
        
        PID:3236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CD69~1.EXE > nul
        5⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{810E7~1.EXE > nul
      4⤵
      PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{30FA2~1.EXE > nul
    3⤵
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0B9597~1.EXE > nul
  2⤵
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A54020D-B06E-409d-AF59-3ED44E8363D7}.exe

Filesize
98KB

MD5
7562b2bc6de2399f7de08b39e5c8b5d3

SHA1
b664385a6210147952359c632c8b2422dda0e634

SHA256
98a391560b310959844cba54c08292926fb682181ab33a35fbce58fadc310b3d

SHA512
5164941789510a4e35e45b9dbba1cd72a46d3fcae1b4be860a3081f11e3e369b31460c33320e0a2eb17637d3108a03af6176aa5f582d1eee3328120204236d23

Download Submit
C:\Windows\{293531C2-E64C-4542-8600-67B21E2180D4}.exe

Filesize
98KB

MD5
d8410eb9fa7e314f48894222ce5b1156

SHA1
046dcd4fbca2f7f7b9737b3913145a0ed6fd35c6

SHA256
e83d3e8e587796a9a23ad6223db8a8dabc437963f2adfe84f59d81855e05c4cf

SHA512
a368ec26f10dffb805267d7fcae376b8c22c9da8cb3e8d8c0acb06dd65f7d2c1752418178cf903f224fa3f07f47357acf534f8f6e8e60cf0087f28276f3acb82

Download Submit
C:\Windows\{30FA2153-6AD9-423d-BD1A-6CF2F620D41D}.exe

Filesize
98KB

MD5
0761c5bba7635a4804e4317a01c62677

SHA1
c6da101575305d472c2d8448ce3b87f502180be2

SHA256
4e283f08b7393cc36be5de887e3af9d0d07e4cc241345025a10b9f979ad76daf

SHA512
3aa2d376fdfc72267fe936f448f8faf9a0a329370bd66ed0dcba5e5f51da2b5d39a2ec32c662a88af2da9a48897c43cd62fcd35393026f7ec58a7d32dab55114

Download Submit
C:\Windows\{6D93F4B3-C6C7-4461-970D-C96E6CC84E2B}.exe

Filesize
98KB

MD5
36b19065e96af96bf592dd29613e0d7c

SHA1
3752b2d5ad920b30c94645bedbeeefad34e8402a

SHA256
bf5824ade1b4c6db551da09f0c05dd1379922d6953b9f0f99fbf2d571719d90a

SHA512
5479406684ec50975366193ca72b1ea109c4e54a953e4db3abf90ca17b9989a8aecc0e1c9f2b5646ab06701e0f5f014066719264484efa16b25ebc52bde063ad

Download Submit
C:\Windows\{7CD69914-CFE1-43b9-A3A9-576C8387C0B4}.exe

Filesize
98KB

MD5
3de5fc2d98fb8beb1e4820671093bb3d

SHA1
7fdffb6b566df5f9ef677a6792f2d0635f340942

SHA256
337c2c1e9b540a3023f7c72f4eb70e89ee889b05b48cc3d605fd06b7de32377c

SHA512
208a8e1cdd07767724e3c52b9c95e31ef4340c9eb27c9349c042c9d65302da2dcd3dfe9f0b06c49d25093247971791bb4e228b80ffbc33c6e61e075b1138c087

Download Submit
C:\Windows\{7F4E014A-F37D-4555-AD2E-D2566CB97EEF}.exe

Filesize
98KB

MD5
25b45258952d3752cd7c265cbe9fba25

SHA1
c85558e9864b3643248878ac5886161b5f0ba8cd

SHA256
cf446af043365aa4ba9a457bdd03ea613fd85790ce43b8c0681e6b2c706d0d80

SHA512
d982302e619bee8e067eea0b8941902cef2c426c31094012743aef0c64b39b55882f9baf5c4760cd074cebabfabaf03704ee87f03db40dc1e55c8e83c72b9f71

Download Submit
C:\Windows\{810E7926-2F51-44e7-92D5-AE1822B08A44}.exe

Filesize
98KB

MD5
2decfb005141e8a60cfcf117d5b32f24

SHA1
0447d50f3509fc10d231268e1958c9e8b30471f9

SHA256
dee0f459d656ca804562ad44677e6676e583d20b7a62f06620e59ed16f58b087

SHA512
d9b32ec2ffe6e439b73e94e2afe6e0a8a4ee48da992dd5a00de93973f3f494146c391af1c846809e8934050c317829b9274ba6e40cf20814760274640607e840

Download Submit
C:\Windows\{8D20ED15-350D-41de-9CEB-11820E3C1102}.exe

Filesize
98KB

MD5
a3a737dcdef20e90b6ae59923bfe8c00

SHA1
593ac1fc8680b29a438e7b1c5680571f6187618b

SHA256
0241bb6e95c9362051b9d43d71e1ba83f568826f08cf1311abcb7d487d7d082f

SHA512
4fc3996b528b720bb1817dd054e46a52a62b169c6f2c2fe45482943ad35e2ccf426504e8c54a87abe6a83d4c26782e667e64c9a4d2b202131890edeb260ec52a

Download Submit
C:\Windows\{9C0EF3AE-92D2-43b6-A67D-E23ECB59CAB4}.exe

Filesize
98KB

MD5
5d25b7008876c08424c16e4717be493d

SHA1
cfbda4a0022bbc64dd7f2328fa40f6bf1947229e

SHA256
b2e8948576493c58ce9dd1e68a01d6df8911c35517b1ff0901d49ba5dd13c523

SHA512
1005ee45640b1f17db4a17c4782ead4fee5a88f90e4e40dd7518cb37471ded12dc0fc2d6d6fdcf3c4c139b33094a8941566ac3e84aeeec7ad2fc70af673951cf

Download Submit
C:\Windows\{B9660616-62AF-4296-AE47-039BD0F23B28}.exe

Filesize
98KB

MD5
540a8ca4f022b9618db7413a0273425e

SHA1
6df901b1e0df4cd045b9633ee56418d4a36ce12c

SHA256
edc719fe144621fe21ca951e135761ff8aac2e4bcb27cc902181de1fde4163c3

SHA512
64aa1528cd00f276164f17042aa5e8442bfd7a4cef805c85581a5874e683e85dafc9eb4508280bd504bb0361a3cdea250a9ef373d749c44b1723d99fc6997b49

Download Submit
C:\Windows\{D8BFBD77-C1E6-4e9a-9FB3-C7CFD3DE3493}.exe

Filesize
98KB

MD5
36b6a3991a7dcf132ad6567d0a610d73

SHA1
e42c00723917701d31312c82934f533b2164e97c

SHA256
a8ed3e01cceb09e8430dc3e11b7b7dfc7189e4e4971c1a341e09be9a1d815ea6

SHA512
a74813435226200bb92efdc0e18e2857270b1b8da7e0be8e164c9aeca32ec374dd2df3a0e2e13abec91b117cbec8540b105c034a2402e53b623b1468a71f5737

Download Submit
C:\Windows\{E43ED021-81F9-42be-80A8-CEB22AB677B0}.exe

Filesize
98KB

MD5
9f709e9b3607bf48ab4d64b54a6acaa6

SHA1
d5ffcc377af74cfd12ef88a078b59320bb9e444c

SHA256
6905048abe4670267d02af13bee459614f18814d10b3cff5502cfe15ea7338fa

SHA512
fc836fd60227552e735495721a0c0a7aa5f725ac189f1f1d760ab132f05d566cd0976b9e3f6407ae292e1ac0895b1d190e3ba6bbb960c955fdcba969f6460eff

Download Submit
memory/1072-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1284-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1284-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1404-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1404-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2036-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2468-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2656-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2656-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3460-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3460-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3720-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3720-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3940-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3940-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4028-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4028-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4216-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4216-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4964-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4964-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5056-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5056-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads