abf139494d21ed67996d0ddf1d0b2e1fc2e5e8c0ec973d941e2a50dc2120198c

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 02:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6168d949d195617e81781856b621b650_NeikiAnalytics.exe
Size

90KB
MD5

6168d949d195617e81781856b621b650
SHA1

54bc0ea51de5e4f3534e1504a203351e0879f450
SHA256

abf139494d21ed67996d0ddf1d0b2e1fc2e5e8c0ec973d941e2a50dc2120198c
SHA512

5de03cc1e3ae24546800778aa02b55666b744bec55c1f026c29519dca37bacad3b1177ac0cf733fc971200abcdf40bc7cb70025255919f9ccba91290b67048f2
SSDEEP

768:50w981IshKQLro34/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzv:CEGI0o3lVunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B89AFD39-0D9B-4599-8DF1-68BD186419C2}\stubpath = "C:\\Windows\\{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe"	{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}\stubpath = "C:\\Windows\\{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe"	{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEA5A636-A6E1-428c-82F9-4E8C149886B1}\stubpath = "C:\\Windows\\{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe"	{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9629FEAB-5C9E-4e53-BD1B-03724A708766}	{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9629FEAB-5C9E-4e53-BD1B-03724A708766}\stubpath = "C:\\Windows\\{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe"	{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{997C2B7B-0293-4b90-AB65-4AA501DA4C03}\stubpath = "C:\\Windows\\{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe"	{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}\stubpath = "C:\\Windows\\{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe"	{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B89AFD39-0D9B-4599-8DF1-68BD186419C2}	{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88978158-3223-423a-949C-F35CE3577D56}\stubpath = "C:\\Windows\\{88978158-3223-423a-949C-F35CE3577D56}.exe"	{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}\stubpath = "C:\\Windows\\{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe"	{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3BE53A2-AC4E-440b-9776-C79F89CDD79B}	{E90DA87D-7D51-42c8-81F5-1C45174863A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E90DA87D-7D51-42c8-81F5-1C45174863A8}\stubpath = "C:\\Windows\\{E90DA87D-7D51-42c8-81F5-1C45174863A8}.exe"	{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{997C2B7B-0293-4b90-AB65-4AA501DA4C03}	{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEA5A636-A6E1-428c-82F9-4E8C149886B1}	{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88978158-3223-423a-949C-F35CE3577D56}	{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}	{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E90DA87D-7D51-42c8-81F5-1C45174863A8}	{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3BE53A2-AC4E-440b-9776-C79F89CDD79B}\stubpath = "C:\\Windows\\{D3BE53A2-AC4E-440b-9776-C79F89CDD79B}.exe"	{E90DA87D-7D51-42c8-81F5-1C45174863A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAD4F24C-624A-4dd3-BC34-33489431CBDD}	{88978158-3223-423a-949C-F35CE3577D56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAD4F24C-624A-4dd3-BC34-33489431CBDD}\stubpath = "C:\\Windows\\{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe"	{88978158-3223-423a-949C-F35CE3577D56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}	{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A0C50E0-B676-4376-8671-F88C1989A0FA}	6168d949d195617e81781856b621b650_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A0C50E0-B676-4376-8671-F88C1989A0FA}\stubpath = "C:\\Windows\\{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe"	6168d949d195617e81781856b621b650_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}	{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe

Executes dropped EXE 12 IoCs

pid	Process
1644	{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe
3676	{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe
3856	{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe
1320	{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe
4348	{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe
2524	{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe
1360	{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe
4068	{88978158-3223-423a-949C-F35CE3577D56}.exe
4428	{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe
4052	{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe
4004	{E90DA87D-7D51-42c8-81F5-1C45174863A8}.exe
2028	{D3BE53A2-AC4E-440b-9776-C79F89CDD79B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe	6168d949d195617e81781856b621b650_NeikiAnalytics.exe
File created	C:\Windows\{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe	{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe
File created	C:\Windows\{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe	{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe
File created	C:\Windows\{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe	{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe
File created	C:\Windows\{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe	{88978158-3223-423a-949C-F35CE3577D56}.exe
File created	C:\Windows\{E90DA87D-7D51-42c8-81F5-1C45174863A8}.exe	{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe
File created	C:\Windows\{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe	{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe
File created	C:\Windows\{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe	{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe
File created	C:\Windows\{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe	{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe
File created	C:\Windows\{88978158-3223-423a-949C-F35CE3577D56}.exe	{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe
File created	C:\Windows\{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe	{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe
File created	C:\Windows\{D3BE53A2-AC4E-440b-9776-C79F89CDD79B}.exe	{E90DA87D-7D51-42c8-81F5-1C45174863A8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2836	6168d949d195617e81781856b621b650_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1644	{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe
Token: SeIncBasePriorityPrivilege	3676	{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe
Token: SeIncBasePriorityPrivilege	3856	{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe
Token: SeIncBasePriorityPrivilege	1320	{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe
Token: SeIncBasePriorityPrivilege	4348	{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe
Token: SeIncBasePriorityPrivilege	2524	{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe
Token: SeIncBasePriorityPrivilege	1360	{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe
Token: SeIncBasePriorityPrivilege	4068	{88978158-3223-423a-949C-F35CE3577D56}.exe
Token: SeIncBasePriorityPrivilege	4428	{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe
Token: SeIncBasePriorityPrivilege	4052	{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe
Token: SeIncBasePriorityPrivilege	4004	{E90DA87D-7D51-42c8-81F5-1C45174863A8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 1644	2836	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	87
PID 2836 wrote to memory of 1644	2836	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	87
PID 2836 wrote to memory of 1644	2836	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	87
PID 2836 wrote to memory of 3236	2836	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	88
PID 2836 wrote to memory of 3236	2836	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	88
PID 2836 wrote to memory of 3236	2836	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	88
PID 1644 wrote to memory of 3676	1644	{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe	89
PID 1644 wrote to memory of 3676	1644	{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe	89
PID 1644 wrote to memory of 3676	1644	{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe	89
PID 1644 wrote to memory of 1384	1644	{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe	90
PID 1644 wrote to memory of 1384	1644	{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe	90
PID 1644 wrote to memory of 1384	1644	{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe	90
PID 3676 wrote to memory of 3856	3676	{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe	93
PID 3676 wrote to memory of 3856	3676	{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe	93
PID 3676 wrote to memory of 3856	3676	{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe	93
PID 3676 wrote to memory of 444	3676	{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe	94
PID 3676 wrote to memory of 444	3676	{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe	94
PID 3676 wrote to memory of 444	3676	{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe	94
PID 3856 wrote to memory of 1320	3856	{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe	96
PID 3856 wrote to memory of 1320	3856	{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe	96
PID 3856 wrote to memory of 1320	3856	{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe	96
PID 3856 wrote to memory of 380	3856	{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe	97
PID 3856 wrote to memory of 380	3856	{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe	97
PID 3856 wrote to memory of 380	3856	{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe	97
PID 1320 wrote to memory of 4348	1320	{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe	98
PID 1320 wrote to memory of 4348	1320	{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe	98
PID 1320 wrote to memory of 4348	1320	{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe	98
PID 1320 wrote to memory of 4904	1320	{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe	99
PID 1320 wrote to memory of 4904	1320	{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe	99
PID 1320 wrote to memory of 4904	1320	{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe	99
PID 4348 wrote to memory of 2524	4348	{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe	100
PID 4348 wrote to memory of 2524	4348	{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe	100
PID 4348 wrote to memory of 2524	4348	{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe	100
PID 4348 wrote to memory of 3820	4348	{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe	101
PID 4348 wrote to memory of 3820	4348	{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe	101
PID 4348 wrote to memory of 3820	4348	{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe	101
PID 2524 wrote to memory of 1360	2524	{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe	102
PID 2524 wrote to memory of 1360	2524	{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe	102
PID 2524 wrote to memory of 1360	2524	{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe	102
PID 2524 wrote to memory of 4824	2524	{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe	103
PID 2524 wrote to memory of 4824	2524	{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe	103
PID 2524 wrote to memory of 4824	2524	{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe	103
PID 1360 wrote to memory of 4068	1360	{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe	104
PID 1360 wrote to memory of 4068	1360	{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe	104
PID 1360 wrote to memory of 4068	1360	{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe	104
PID 1360 wrote to memory of 3652	1360	{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe	105
PID 1360 wrote to memory of 3652	1360	{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe	105
PID 1360 wrote to memory of 3652	1360	{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe	105
PID 4068 wrote to memory of 4428	4068	{88978158-3223-423a-949C-F35CE3577D56}.exe	106
PID 4068 wrote to memory of 4428	4068	{88978158-3223-423a-949C-F35CE3577D56}.exe	106
PID 4068 wrote to memory of 4428	4068	{88978158-3223-423a-949C-F35CE3577D56}.exe	106
PID 4068 wrote to memory of 4412	4068	{88978158-3223-423a-949C-F35CE3577D56}.exe	107
PID 4068 wrote to memory of 4412	4068	{88978158-3223-423a-949C-F35CE3577D56}.exe	107
PID 4068 wrote to memory of 4412	4068	{88978158-3223-423a-949C-F35CE3577D56}.exe	107
PID 4428 wrote to memory of 4052	4428	{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe	108
PID 4428 wrote to memory of 4052	4428	{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe	108
PID 4428 wrote to memory of 4052	4428	{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe	108
PID 4428 wrote to memory of 2520	4428	{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe	109
PID 4428 wrote to memory of 2520	4428	{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe	109
PID 4428 wrote to memory of 2520	4428	{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe	109
PID 4052 wrote to memory of 4004	4052	{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe	110
PID 4052 wrote to memory of 4004	4052	{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe	110
PID 4052 wrote to memory of 4004	4052	{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe	110
PID 4052 wrote to memory of 4656	4052	{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe	111

C:\Users\Admin\AppData\Local\Temp\6168d949d195617e81781856b621b650_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6168d949d195617e81781856b621b650_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe
  C:\Windows\{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe
    C:\Windows\{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe
      C:\Windows\{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3856
    - - C:\Windows\{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe
        
        C:\Windows\{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Windows\{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe
        
        C:\Windows\{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe
        
        C:\Windows\{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe
        
        C:\Windows\{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\{88978158-3223-423a-949C-F35CE3577D56}.exe
        
        C:\Windows\{88978158-3223-423a-949C-F35CE3577D56}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe
        
        C:\Windows\{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe
        
        C:\Windows\{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\{E90DA87D-7D51-42c8-81F5-1C45174863A8}.exe
        
        C:\Windows\{E90DA87D-7D51-42c8-81F5-1C45174863A8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
        
        C:\Windows\{D3BE53A2-AC4E-440b-9776-C79F89CDD79B}.exe
        
        C:\Windows\{D3BE53A2-AC4E-440b-9776-C79F89CDD79B}.exe
        13⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E90DA~1.EXE > nul
        13⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F62E8~1.EXE > nul
        12⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAD4F~1.EXE > nul
        11⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88978~1.EXE > nul
        10⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9629F~1.EXE > nul
        9⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEA5A~1.EXE > nul
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5430C~1.EXE > nul
        7⤵
        
        PID:3820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B89AF~1.EXE > nul
        6⤵
        
        PID:4904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEC23~1.EXE > nul
        5⤵
        
        PID:380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{997C2~1.EXE > nul
      4⤵
      PID:444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A0C5~1.EXE > nul
    3⤵
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6168D9~1.EXE > nul
  2⤵
  PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5430C1E1-AFDD-4861-9E86-A5250D4F6D01}.exe

Filesize
90KB

MD5
c3f1d899c2228996fcb8f68c6e5f8d03

SHA1
a7e5472041bf844dffea789a02bc9ad4f2d4b6db

SHA256
325648c6cbc39c509dc1d1c5a3bed991f0e616ec08616191a6cad6285f90ee3d

SHA512
904ffa8c661b96ed248777ed9f6b728c7c50e9e96170a499eb75cc0649f55e7cedd63231ed2278c6aef7e6131e5cb411b62c497800ff2ca3bb8301a9c6e0b768

Download Submit
C:\Windows\{7A0C50E0-B676-4376-8671-F88C1989A0FA}.exe

Filesize
90KB

MD5
75def3d1bd30981e0f8eaeb502720f4c

SHA1
cd54ee0843181bd86fbce5f5d0752240e9c6c8ab

SHA256
3d2fba3a87041de2d8dcc22a4c1dd98eba0803fa89a2529279cf73cba4841465

SHA512
2fac5ed9d65a7a94713604c7e93f3f13b7e063a7f2de537a3f81cf6c7ce4e4dc77bba4e217d2669a8629ae044e3e6d4096904f65dfd494f5b45b0d6e311452ec

Download Submit
C:\Windows\{88978158-3223-423a-949C-F35CE3577D56}.exe

Filesize
90KB

MD5
d7d711dfb69e844d97abe968b2676213

SHA1
1dfb949c2cf3aa7e1cd17d59e81140d5524dca2d

SHA256
f3a69851cd3efcc29c800cc76140a86249da8cd09907565d464dfa3b9ec6242c

SHA512
e0b3af50745d8ab75f5a180aeaee33cda87207c49a5728d8233f284825d15a545819d323bd3c6c884f8b1c364929075b5c8fedd780c08677125efab334e62577

Download Submit
C:\Windows\{9629FEAB-5C9E-4e53-BD1B-03724A708766}.exe

Filesize
90KB

MD5
d21d736e572a2da1460e06b99737171e

SHA1
f399d147f4b8c8e34b25799f572a6a46d91e7c7d

SHA256
540ccdc282ee84975cd661c675a0a8d5ea976f94a7d56a0db96f83aafd204adf

SHA512
6e017aab63a2eb180a7097c708f4fa38e40890cbbafdc22dcc043ce2dcf581f2dc98cc3a657f8a83e44d43b3cb854ffe608e00f8555f4d8f6ef4ef77aeb5b2dc

Download Submit
C:\Windows\{997C2B7B-0293-4b90-AB65-4AA501DA4C03}.exe

Filesize
90KB

MD5
bd27cfe31da57960638555c8121ece79

SHA1
0f54331a8eb25f8ebdb3d10070e2e90d110e306a

SHA256
07749f07ad37c2770d22d5dada44d721833aefe7f354999860d947dbf25d7399

SHA512
973280f0c8b30278120cd5bd184cb09a08e4366d395b3ad5c428bdacf3a86023fd467a992c4ed209e4ce37baa9b2598ec5970735c3aca8749ceabae7a2829d87

Download Submit
C:\Windows\{AEA5A636-A6E1-428c-82F9-4E8C149886B1}.exe

Filesize
90KB

MD5
431a1e548a60339ec4ba394607c2d8d9

SHA1
ac7b8c7255bf6b0b5c5a65ca715f934c827517eb

SHA256
f64507e6020e7b5ef36efb015b364d1316379789335d9e8ae6ea40043c34a3f1

SHA512
fb2662601675e319a3846d16d36816d590c1ea49a5efec3d4edaae1cba40207f5e28e27eb68b76871cd9ffc5914783f542ee5f2e03cf078ab7846edacc9cb090

Download Submit
C:\Windows\{B89AFD39-0D9B-4599-8DF1-68BD186419C2}.exe

Filesize
90KB

MD5
fd5f93d7007ab633693deaa124f0ea3d

SHA1
1411301d8792d5e5785b317b0bd5312385a7ba87

SHA256
78a65bc85b99e2a4b48c5b9f34e9baa77ae56f12bba2bffc797bc629891169ed

SHA512
5142a4fdb17460ac1aa6f63d83da21eb8a37e102d440f00cd5020b41f694387cc19c7dfe0b86b631ca9c8e041376d1b19416a40045a24fc0de4196b47538c72c

Download Submit
C:\Windows\{CEC2323B-7148-4fe7-90D4-BB554E72AE3C}.exe

Filesize
90KB

MD5
e9504051743af9db12d681a975283754

SHA1
fb6e8dcd66ed2a61f6ba439e0fb8a246aaa3ff47

SHA256
26abf64c2551a2b7f9449a72bc665a472fd108f08aba74ef0ced8f21ea2cd76f

SHA512
364ef764d6139440da39c033d8f8e274639f0c4e3e0bd1eb63e4908044da1f728f434023af6090d66c2b7000913df85dcd1e34f7815e35f98cdd5d8b96eae063

Download Submit
C:\Windows\{D3BE53A2-AC4E-440b-9776-C79F89CDD79B}.exe

Filesize
90KB

MD5
4474e2228030435c893e2147e78ad9ae

SHA1
c7e369ee1039448afef4c64356f9ec2f7ce73b49

SHA256
67221cdfbabe2c747736a2a37d73aa6dd46fc6cc51ec3d30ffe4be5a44e3b49f

SHA512
9e2abb86907c132e61c0c371bccd0997409dc1d3778aa23c2795e50ca7ea6a0fb13ce27dbdf173a2033d332f0e7c40097e5a63968793772417aedc9f8815188a

Download Submit
C:\Windows\{E90DA87D-7D51-42c8-81F5-1C45174863A8}.exe

Filesize
90KB

MD5
34558884166c592db7ff04632c253852

SHA1
1f5daa532ff40daedd7cd817ec9dc96520c309ad

SHA256
e2a921d8fdb6f0c809b7ca4c963e78b4f18f9bd955c57d49d30b382c788d1cf7

SHA512
ac8ce335d8593575c35df56fe010a74a0006f7b25361b9efa77fcf2e2c5f81b0c7fb26fb5d28a979d5cfdcb2bc3b8db452549b3d0cc99535bc3a157b4fb18f73

Download Submit
C:\Windows\{EAD4F24C-624A-4dd3-BC34-33489431CBDD}.exe

Filesize
90KB

MD5
0ac189ea016b8dbb0d5aa87240235ba1

SHA1
caf5866e3504fcc532ef7034cf1c579475e76891

SHA256
89588b51e283806dffbf70dbde8b385e95a6bba06e6bea9b78a00ff8239a0d32

SHA512
d542160561fb22b15308cdf228441ba1d17443e61a8d1ee52f0ce3203b4e41fe4d6ef6293fc67b2d699122499eaf52323a2c27dc79adc972d4e87b0a0c582558

Download Submit
C:\Windows\{F62E8717-1E2C-47da-A45E-A0C6763CE6B5}.exe

Filesize
90KB

MD5
00567dbff846a5634c18f7cd1ca61693

SHA1
36a4f6d17ee385d0120d164ea43c7ec5b066717f

SHA256
fe16b634ffd3b9b0015f74d415938dc30784cec0c9d3d95ff29ab799a45b56ae

SHA512
b3b49bef2e5a61b8ff2c31cb3b6881da25363541194a227ded5d9b5368f4a0c80483d7832278391472502e53942fb3beb49d0ba3a2f1d5aebd70f2121bad44da

Download Submit
memory/1320-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1320-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1360-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1360-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1644-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1644-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2524-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2524-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2836-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2836-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3676-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3676-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3856-21-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3856-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4004-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4052-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4052-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4068-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4068-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4348-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4348-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4428-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads