696d62e69796c91a909ef32361aaf873ec09ec0a794e38239d05ca2f98343a27

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe
Size

92KB
MD5

4ee3d706f41d3798e33494b3a97d9be0
SHA1

e893bb6fc4994e59280631bc7bbcdc19707ad4d4
SHA256

696d62e69796c91a909ef32361aaf873ec09ec0a794e38239d05ca2f98343a27
SHA512

9a849d39ec61bc53db72598aaf88e8b61455ac381872e2c7695d44ce4f9d0e80938ab36ecc2343330e708839d19afdca436d7e4af22cbc327f42c716f542156e
SSDEEP

192:ubizawOs81elJHsc45sTcRZOgtShcWaOT2QLrCqwbY04/CFxyNhoy5tP:ubHwOs8AHsc4KMfwhKQLrod4/CFsrdP

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}	{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}\stubpath = "C:\\Windows\\{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe"	{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7E3BB50-A882-4fb9-8D5F-331157C8882F}	{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ADADF88-44CC-4766-90DA-84653CA5F17F}	{8632C09B-412A-4b78-A744-9FBE1006D939}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}	{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66AF24EB-500E-4b34-9B1F-203F70D57C5D}\stubpath = "C:\\Windows\\{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe"	{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0837DCFA-C48B-4989-8C0E-344872D08FCC}	{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}	{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}\stubpath = "C:\\Windows\\{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe"	{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}\stubpath = "C:\\Windows\\{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe"	{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8632C09B-412A-4b78-A744-9FBE1006D939}\stubpath = "C:\\Windows\\{8632C09B-412A-4b78-A744-9FBE1006D939}.exe"	{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}\stubpath = "C:\\Windows\\{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe"	{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66AF24EB-500E-4b34-9B1F-203F70D57C5D}	{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}\stubpath = "C:\\Windows\\{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe"	{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}	{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0837DCFA-C48B-4989-8C0E-344872D08FCC}\stubpath = "C:\\Windows\\{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe"	{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}	{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}	{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ADADF88-44CC-4766-90DA-84653CA5F17F}\stubpath = "C:\\Windows\\{6ADADF88-44CC-4766-90DA-84653CA5F17F}.exe"	{8632C09B-412A-4b78-A744-9FBE1006D939}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}\stubpath = "C:\\Windows\\{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe"	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7E3BB50-A882-4fb9-8D5F-331157C8882F}\stubpath = "C:\\Windows\\{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe"	{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}\stubpath = "C:\\Windows\\{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe"	{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8632C09B-412A-4b78-A744-9FBE1006D939}	{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe

Executes dropped EXE 12 IoCs

pid	Process
1988	{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe
2712	{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe
3232	{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe
4076	{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe
1612	{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe
4880	{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe
4760	{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe
1236	{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe
1164	{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe
4900	{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe
2056	{8632C09B-412A-4b78-A744-9FBE1006D939}.exe
1180	{6ADADF88-44CC-4766-90DA-84653CA5F17F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe	{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe
File created	C:\Windows\{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe	{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe
File created	C:\Windows\{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe	{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe
File created	C:\Windows\{6ADADF88-44CC-4766-90DA-84653CA5F17F}.exe	{8632C09B-412A-4b78-A744-9FBE1006D939}.exe
File created	C:\Windows\{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe
File created	C:\Windows\{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe	{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe
File created	C:\Windows\{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe	{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe
File created	C:\Windows\{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe	{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe
File created	C:\Windows\{8632C09B-412A-4b78-A744-9FBE1006D939}.exe	{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe
File created	C:\Windows\{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe	{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe
File created	C:\Windows\{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe	{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe
File created	C:\Windows\{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe	{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1384	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1988	{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe
Token: SeIncBasePriorityPrivilege	2712	{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe
Token: SeIncBasePriorityPrivilege	3232	{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe
Token: SeIncBasePriorityPrivilege	4076	{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe
Token: SeIncBasePriorityPrivilege	1612	{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe
Token: SeIncBasePriorityPrivilege	4880	{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe
Token: SeIncBasePriorityPrivilege	4760	{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe
Token: SeIncBasePriorityPrivilege	1236	{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe
Token: SeIncBasePriorityPrivilege	1164	{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe
Token: SeIncBasePriorityPrivilege	4900	{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe
Token: SeIncBasePriorityPrivilege	2056	{8632C09B-412A-4b78-A744-9FBE1006D939}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1988	1384	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	87
PID 1384 wrote to memory of 1988	1384	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	87
PID 1384 wrote to memory of 1988	1384	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	87
PID 1384 wrote to memory of 1032	1384	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	88
PID 1384 wrote to memory of 1032	1384	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	88
PID 1384 wrote to memory of 1032	1384	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	88
PID 1988 wrote to memory of 2712	1988	{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe	89
PID 1988 wrote to memory of 2712	1988	{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe	89
PID 1988 wrote to memory of 2712	1988	{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe	89
PID 1988 wrote to memory of 1548	1988	{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe	90
PID 1988 wrote to memory of 1548	1988	{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe	90
PID 1988 wrote to memory of 1548	1988	{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe	90
PID 2712 wrote to memory of 3232	2712	{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe	93
PID 2712 wrote to memory of 3232	2712	{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe	93
PID 2712 wrote to memory of 3232	2712	{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe	93
PID 2712 wrote to memory of 1380	2712	{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe	94
PID 2712 wrote to memory of 1380	2712	{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe	94
PID 2712 wrote to memory of 1380	2712	{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe	94
PID 3232 wrote to memory of 4076	3232	{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe	96
PID 3232 wrote to memory of 4076	3232	{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe	96
PID 3232 wrote to memory of 4076	3232	{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe	96
PID 3232 wrote to memory of 4400	3232	{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe	97
PID 3232 wrote to memory of 4400	3232	{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe	97
PID 3232 wrote to memory of 4400	3232	{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe	97
PID 4076 wrote to memory of 1612	4076	{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe	98
PID 4076 wrote to memory of 1612	4076	{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe	98
PID 4076 wrote to memory of 1612	4076	{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe	98
PID 4076 wrote to memory of 4504	4076	{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe	99
PID 4076 wrote to memory of 4504	4076	{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe	99
PID 4076 wrote to memory of 4504	4076	{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe	99
PID 1612 wrote to memory of 4880	1612	{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe	100
PID 1612 wrote to memory of 4880	1612	{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe	100
PID 1612 wrote to memory of 4880	1612	{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe	100
PID 1612 wrote to memory of 4896	1612	{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe	101
PID 1612 wrote to memory of 4896	1612	{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe	101
PID 1612 wrote to memory of 4896	1612	{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe	101
PID 4880 wrote to memory of 4760	4880	{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe	102
PID 4880 wrote to memory of 4760	4880	{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe	102
PID 4880 wrote to memory of 4760	4880	{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe	102
PID 4880 wrote to memory of 492	4880	{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe	103
PID 4880 wrote to memory of 492	4880	{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe	103
PID 4880 wrote to memory of 492	4880	{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe	103
PID 4760 wrote to memory of 1236	4760	{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe	104
PID 4760 wrote to memory of 1236	4760	{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe	104
PID 4760 wrote to memory of 1236	4760	{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe	104
PID 4760 wrote to memory of 1496	4760	{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe	105
PID 4760 wrote to memory of 1496	4760	{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe	105
PID 4760 wrote to memory of 1496	4760	{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe	105
PID 1236 wrote to memory of 1164	1236	{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe	106
PID 1236 wrote to memory of 1164	1236	{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe	106
PID 1236 wrote to memory of 1164	1236	{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe	106
PID 1236 wrote to memory of 4540	1236	{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe	107
PID 1236 wrote to memory of 4540	1236	{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe	107
PID 1236 wrote to memory of 4540	1236	{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe	107
PID 1164 wrote to memory of 4900	1164	{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe	108
PID 1164 wrote to memory of 4900	1164	{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe	108
PID 1164 wrote to memory of 4900	1164	{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe	108
PID 1164 wrote to memory of 3932	1164	{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe	109
PID 1164 wrote to memory of 3932	1164	{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe	109
PID 1164 wrote to memory of 3932	1164	{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe	109
PID 4900 wrote to memory of 2056	4900	{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe	110
PID 4900 wrote to memory of 2056	4900	{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe	110
PID 4900 wrote to memory of 2056	4900	{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe	110
PID 4900 wrote to memory of 2360	4900	{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe	111

C:\Users\Admin\AppData\Local\Temp\4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe
  C:\Windows\{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe
    C:\Windows\{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe
      C:\Windows\{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3232
    - - C:\Windows\{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe
        
        C:\Windows\{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
      - C:\Windows\{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe
        
        C:\Windows\{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe
        
        C:\Windows\{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe
        
        C:\Windows\{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe
        
        C:\Windows\{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe
        
        C:\Windows\{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe
        
        C:\Windows\{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{8632C09B-412A-4b78-A744-9FBE1006D939}.exe
        
        C:\Windows\{8632C09B-412A-4b78-A744-9FBE1006D939}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\{6ADADF88-44CC-4766-90DA-84653CA5F17F}.exe
        
        C:\Windows\{6ADADF88-44CC-4766-90DA-84653CA5F17F}.exe
        13⤵
        Executes dropped EXE
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8632C~1.EXE > nul
        13⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8CB5~1.EXE > nul
        12⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5348~1.EXE > nul
        11⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7E3B~1.EXE > nul
        10⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAE29~1.EXE > nul
        9⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0837D~1.EXE > nul
        8⤵
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BABFF~1.EXE > nul
        7⤵
        
        PID:4896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E2BC~1.EXE > nul
        6⤵
        
        PID:4504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66AF2~1.EXE > nul
        5⤵
        
        PID:4400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FAEC0~1.EXE > nul
      4⤵
      PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{73B5C~1.EXE > nul
    3⤵
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4EE3D7~1.EXE > nul
  2⤵
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0837DCFA-C48B-4989-8C0E-344872D08FCC}.exe

Filesize
92KB

MD5
a3e0538d54a86af120652bc3ef579fc9

SHA1
35dc18c5090f68fe17d1fd4a2395348abf9ea63f

SHA256
89a3d7f5a8b9861e87e0b9fdb3b6d3b56335883a44175c7e1366181ffcd02b23

SHA512
ba78e02c9a6d5ea4f553009744cfc734ae49a76839f037a0dd6222a9108d7db06a8396890da66815d4599a9715506bef5e3556e793162b7411d1f06f93c3284f

Download Submit
C:\Windows\{66AF24EB-500E-4b34-9B1F-203F70D57C5D}.exe

Filesize
92KB

MD5
8d719dbbdc4f463af0c44563e0ad502b

SHA1
3250d14b98d11bce3d35c91f983109b4684d7dd0

SHA256
53b8c26bb0c473c354b0683bca7efcb97234c633c26b99afec29de8aaf479042

SHA512
31f143b4a85d0445ba2e29a0be1313dfd371e0197e46206c0209272cff820ae281ff37ec8d753eea0240168ccf57ae1fb4e84afa0534e8c5011558f967facc8e

Download Submit
C:\Windows\{6ADADF88-44CC-4766-90DA-84653CA5F17F}.exe

Filesize
92KB

MD5
f16285e91b6cc89e5bfa236d0391b649

SHA1
036804e15e385d39c774188647e0b3da4a3b293b

SHA256
4f87446e2482a7155b786075bbcc8d8f3be12987111a5b7ef3adf3ef52ce7583

SHA512
4750ba33268f1465af1e28ae7c5bea9e4933cc26497b171ff9a8cfe19750730a150795fb17bc2c4df7f4cd528c05197aac3246f314fda7dad97c657a590306c2

Download Submit
C:\Windows\{6E2BCB30-C62F-4396-9483-EAA8E05B91D7}.exe

Filesize
92KB

MD5
e4f178a5aaa8572081324ae583d1d7ed

SHA1
3ae4732c04d70bb5ac46adc497781ddf58735d48

SHA256
163f8d5ade592553a3fe0e6036f1e9bd50c6ced9c706bd3797e9b55edfdb14c9

SHA512
c99bc61adc3607b2653285f91c6fbffbd1f947425fdc26f403d3516f3084a839251d33e61b420c04d4d2d2bed88b26d87fb5caaa8d06fc4ccbaf7f197d50f27c

Download Submit
C:\Windows\{73B5C96A-E493-4e6d-AA4C-27A7EF552E77}.exe

Filesize
92KB

MD5
95596d6cd61353097136d1dde9412ad2

SHA1
1b760589f5bf8d997ab089d343c7f1501295c914

SHA256
21580149cfe54c9aa2a7202d4d4b6efc190f734f98efd82c81f7a9d81b741ee6

SHA512
047cc52c72f95ca8ddfe00d7105d6e762b977300868408e8781a4c4da1b0df806cfff8e47528a87817e407c27683c1957a3107a0161264a5b168a3bbf8a552c8

Download Submit
C:\Windows\{8632C09B-412A-4b78-A744-9FBE1006D939}.exe

Filesize
92KB

MD5
9345abaab835de7a43aa68cba0261f77

SHA1
fd4468fbe7419ca882dbe1ea039ad316d54802f1

SHA256
544363500228f6955aa9bf9d1f55a7e49b0b25fdabbc4cf6dff1605920ee656d

SHA512
4f68bbb78c58a85794663716e29c4f5124ab58460c361f94bfc505fb6ecbb3335b22479dcf2fcdf0f3f0f6e4a1c73a440f3ee037e878f554b908af1b565f4adf

Download Submit
C:\Windows\{BABFF320-E269-47fe-9AA0-80EF1D3B6AF5}.exe

Filesize
92KB

MD5
cb057dfde7c05de74ffbc837c6ecc780

SHA1
338be0404444073059873b84354a610dcaff634f

SHA256
d8a71e7e840e6abde3f5774eedf0b10c1da8de452f49c613539c758c791af1d1

SHA512
65e025310a5afd30ddb9fbce1f418ccedcbbe94921fdc2c19a572b8ca2c1492b45b01d2ba27ba1d0911a687b04a08ddb8e073d6328910a3354132e04c483fd9a

Download Submit
C:\Windows\{C8CB5ADD-E446-4aea-92C9-23C01F9886BE}.exe

Filesize
92KB

MD5
e90e3828be953bb648b4253cc75dced9

SHA1
eff96933741dc5f03260ce0e3ced65c0ac147089

SHA256
91b03b6cd970a2fef2a228a68d2037d7a946656ada8f0cfeaca7dcf5f7a62599

SHA512
ed15a29a6902280d8929d32d9fd8b21f879d31769c3e60856c176f06a3a3adccf110f4c24d6bae432a8e7c8496a6d007fab8bd071e2cf642d0d702c6c3cb97a2

Download Submit
C:\Windows\{E534870E-23A0-4fa6-BF32-2AE6E0C346E8}.exe

Filesize
92KB

MD5
acb484c7070b9d03b3abd747b6ed5967

SHA1
1c36329b65980f18a019dc42d10e9dd2876aca92

SHA256
5bfb6dd8dce51f3b66b0e20a57882ae68bd35b6b3b7d54804b3f8ee385f724e8

SHA512
e54ede1da2b1273e3c37e45c3e0e49e0f82d14795044ccabef66c180044fd8c7589333dcc15578021abc5c79b89f05dc9234b4a46c71bcf63f158bacde797d38

Download Submit
C:\Windows\{E7E3BB50-A882-4fb9-8D5F-331157C8882F}.exe

Filesize
92KB

MD5
158aac4c89876c344de11499f8d16731

SHA1
0d3c8e34028221dd11c09ece4b1b8a0a021dbb7f

SHA256
e2c60740322e8c6202563a79d702d4e429ed3c50e0633e126aa721709f98b484

SHA512
1894dba03932da866a10d6a7a4dd7955a3819b895a16caf4d25cc462297000226ba34a34c9cdfe022a894e4edc4a736d6e7ae99898615f07f68df8c60bbaff94

Download Submit
C:\Windows\{FAE29FFE-539C-4acd-B1EF-C59A91DE8B34}.exe

Filesize
92KB

MD5
74294d97273759c9c48a03a482895c1c

SHA1
d1193bb65b7a6a94c1542e5393bb267bb0162dcf

SHA256
c342ea781b97d1bd427ce9defb85b5f9a51bbefb3e7a880b55ae1eb753a6ed0b

SHA512
ad49daae27f6f3826d875105732a921e4260fd012a609faf55156bf180f13b26b87657ccdff1c1f3ced8b5eceb4106bc56d8ed24a5274aa0fa5e1207701b36bf

Download Submit
C:\Windows\{FAEC08C3-02C0-4fa6-A639-425B5AD2B8E9}.exe

Filesize
92KB

MD5
0581b4651275ef84e45e88ca51a31422

SHA1
864d9465420b54ae2c6a386594e42ffc6db0e3eb

SHA256
6421dad902086f175538856cf8cefb943f9a1c41748dd4acf9425f093c7b1a61

SHA512
efcf601731c25138873ca3e2e186c749e83e0e4c00332c95c85cee7a374282c660b4244a54a94f577bdd12bbc50546f3e5c56b44513e41984d83aaac008ddf20

Download Submit
memory/1164-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1164-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1180-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1236-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1236-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-5-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1612-28-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1612-33-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1988-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1988-4-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2056-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-12-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3232-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3232-18-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4076-27-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4760-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4760-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4880-40-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4880-34-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4900-58-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4900-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads