2d0d1e28cb5365c0aef237c5356cd18b900898b999cbe0894712b6d2a8bf0eb4

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe
Size

90KB
MD5

d5832c0f7c7dbabb3e08e67ae81b37a0
SHA1

6eb8a9726b0182ae799b9b6338e9753789129634
SHA256

2d0d1e28cb5365c0aef237c5356cd18b900898b999cbe0894712b6d2a8bf0eb4
SHA512

2f36af1d7e0d9f7a8aa89446e229c688c05b64f01bd8a532cfa4c8eeb179794dd0166f29dc786baea4f682cbb3f91e9eecc902b17b02d673bd4ae29d99eec334
SSDEEP

768:50w981IshKQLro24/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzS:CEGI0o2lVunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D7D194F-026D-4968-BB06-9EC2D698AEA2}\stubpath = "C:\\Windows\\{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe"	{420041F9-6D83-434e-AC07-C86B7203A293}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF4D5125-CD74-4096-9418-93D1DF1B44DA}\stubpath = "C:\\Windows\\{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe"	{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45F683AA-A027-44ba-9DDC-E53AE7FE7434}\stubpath = "C:\\Windows\\{45F683AA-A027-44ba-9DDC-E53AE7FE7434}.exe"	{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}\stubpath = "C:\\Windows\\{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe"	{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40E73600-ED76-41a2-A6DF-ED94674F2782}	{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA1E2012-2173-4949-A58D-EB7641902BEC}	{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA1E2012-2173-4949-A58D-EB7641902BEC}\stubpath = "C:\\Windows\\{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe"	{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}	{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{420041F9-6D83-434e-AC07-C86B7203A293}\stubpath = "C:\\Windows\\{420041F9-6D83-434e-AC07-C86B7203A293}.exe"	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D7D194F-026D-4968-BB06-9EC2D698AEA2}	{420041F9-6D83-434e-AC07-C86B7203A293}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D64CFEB-DCCD-4a8e-94C0-024477B71002}\stubpath = "C:\\Windows\\{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe"	{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}\stubpath = "C:\\Windows\\{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe"	{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F3717FC-F071-4353-9737-FB94C53D4CBA}	{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3315893-2738-4012-B9F4-5FC0E1007A16}	{45F683AA-A027-44ba-9DDC-E53AE7FE7434}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F3717FC-F071-4353-9737-FB94C53D4CBA}\stubpath = "C:\\Windows\\{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe"	{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3315893-2738-4012-B9F4-5FC0E1007A16}\stubpath = "C:\\Windows\\{D3315893-2738-4012-B9F4-5FC0E1007A16}.exe"	{45F683AA-A027-44ba-9DDC-E53AE7FE7434}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D64CFEB-DCCD-4a8e-94C0-024477B71002}	{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40E73600-ED76-41a2-A6DF-ED94674F2782}\stubpath = "C:\\Windows\\{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe"	{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF4D5125-CD74-4096-9418-93D1DF1B44DA}	{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F68295FD-3A5B-402d-9AED-6B117DEC9803}\stubpath = "C:\\Windows\\{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe"	{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45F683AA-A027-44ba-9DDC-E53AE7FE7434}	{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{420041F9-6D83-434e-AC07-C86B7203A293}	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}	{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F68295FD-3A5B-402d-9AED-6B117DEC9803}	{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe

Executes dropped EXE 12 IoCs

pid	Process
3616	{420041F9-6D83-434e-AC07-C86B7203A293}.exe
4892	{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe
1616	{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe
2356	{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe
3084	{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe
1900	{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe
4252	{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe
3908	{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe
4656	{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe
4132	{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe
1996	{45F683AA-A027-44ba-9DDC-E53AE7FE7434}.exe
2244	{D3315893-2738-4012-B9F4-5FC0E1007A16}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe	{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe
File created	C:\Windows\{D3315893-2738-4012-B9F4-5FC0E1007A16}.exe	{45F683AA-A027-44ba-9DDC-E53AE7FE7434}.exe
File created	C:\Windows\{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe	{420041F9-6D83-434e-AC07-C86B7203A293}.exe
File created	C:\Windows\{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe	{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe
File created	C:\Windows\{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe	{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe
File created	C:\Windows\{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe	{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe
File created	C:\Windows\{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe	{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe
File created	C:\Windows\{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe	{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe
File created	C:\Windows\{420041F9-6D83-434e-AC07-C86B7203A293}.exe	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe
File created	C:\Windows\{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe	{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe
File created	C:\Windows\{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe	{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe
File created	C:\Windows\{45F683AA-A027-44ba-9DDC-E53AE7FE7434}.exe	{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3588	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3616	{420041F9-6D83-434e-AC07-C86B7203A293}.exe
Token: SeIncBasePriorityPrivilege	4892	{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe
Token: SeIncBasePriorityPrivilege	1616	{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe
Token: SeIncBasePriorityPrivilege	2356	{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe
Token: SeIncBasePriorityPrivilege	3084	{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe
Token: SeIncBasePriorityPrivilege	1900	{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe
Token: SeIncBasePriorityPrivilege	4252	{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe
Token: SeIncBasePriorityPrivilege	3908	{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe
Token: SeIncBasePriorityPrivilege	4656	{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe
Token: SeIncBasePriorityPrivilege	4132	{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe
Token: SeIncBasePriorityPrivilege	1996	{45F683AA-A027-44ba-9DDC-E53AE7FE7434}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 3616	3588	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	87
PID 3588 wrote to memory of 3616	3588	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	87
PID 3588 wrote to memory of 3616	3588	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	87
PID 3588 wrote to memory of 3224	3588	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	88
PID 3588 wrote to memory of 3224	3588	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	88
PID 3588 wrote to memory of 3224	3588	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	88
PID 3616 wrote to memory of 4892	3616	{420041F9-6D83-434e-AC07-C86B7203A293}.exe	89
PID 3616 wrote to memory of 4892	3616	{420041F9-6D83-434e-AC07-C86B7203A293}.exe	89
PID 3616 wrote to memory of 4892	3616	{420041F9-6D83-434e-AC07-C86B7203A293}.exe	89
PID 3616 wrote to memory of 2488	3616	{420041F9-6D83-434e-AC07-C86B7203A293}.exe	90
PID 3616 wrote to memory of 2488	3616	{420041F9-6D83-434e-AC07-C86B7203A293}.exe	90
PID 3616 wrote to memory of 2488	3616	{420041F9-6D83-434e-AC07-C86B7203A293}.exe	90
PID 4892 wrote to memory of 1616	4892	{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe	94
PID 4892 wrote to memory of 1616	4892	{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe	94
PID 4892 wrote to memory of 1616	4892	{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe	94
PID 4892 wrote to memory of 2316	4892	{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe	95
PID 4892 wrote to memory of 2316	4892	{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe	95
PID 4892 wrote to memory of 2316	4892	{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe	95
PID 1616 wrote to memory of 2356	1616	{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe	96
PID 1616 wrote to memory of 2356	1616	{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe	96
PID 1616 wrote to memory of 2356	1616	{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe	96
PID 1616 wrote to memory of 3536	1616	{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe	97
PID 1616 wrote to memory of 3536	1616	{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe	97
PID 1616 wrote to memory of 3536	1616	{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe	97
PID 2356 wrote to memory of 3084	2356	{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe	98
PID 2356 wrote to memory of 3084	2356	{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe	98
PID 2356 wrote to memory of 3084	2356	{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe	98
PID 2356 wrote to memory of 4584	2356	{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe	99
PID 2356 wrote to memory of 4584	2356	{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe	99
PID 2356 wrote to memory of 4584	2356	{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe	99
PID 3084 wrote to memory of 1900	3084	{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe	101
PID 3084 wrote to memory of 1900	3084	{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe	101
PID 3084 wrote to memory of 1900	3084	{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe	101
PID 3084 wrote to memory of 4716	3084	{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe	102
PID 3084 wrote to memory of 4716	3084	{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe	102
PID 3084 wrote to memory of 4716	3084	{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe	102
PID 1900 wrote to memory of 4252	1900	{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe	103
PID 1900 wrote to memory of 4252	1900	{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe	103
PID 1900 wrote to memory of 4252	1900	{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe	103
PID 1900 wrote to memory of 1672	1900	{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe	104
PID 1900 wrote to memory of 1672	1900	{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe	104
PID 1900 wrote to memory of 1672	1900	{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe	104
PID 4252 wrote to memory of 3908	4252	{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe	105
PID 4252 wrote to memory of 3908	4252	{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe	105
PID 4252 wrote to memory of 3908	4252	{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe	105
PID 4252 wrote to memory of 544	4252	{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe	106
PID 4252 wrote to memory of 544	4252	{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe	106
PID 4252 wrote to memory of 544	4252	{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe	106
PID 3908 wrote to memory of 4656	3908	{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe	112
PID 3908 wrote to memory of 4656	3908	{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe	112
PID 3908 wrote to memory of 4656	3908	{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe	112
PID 3908 wrote to memory of 3616	3908	{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe	113
PID 3908 wrote to memory of 3616	3908	{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe	113
PID 3908 wrote to memory of 3616	3908	{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe	113
PID 4656 wrote to memory of 4132	4656	{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe	114
PID 4656 wrote to memory of 4132	4656	{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe	114
PID 4656 wrote to memory of 4132	4656	{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe	114
PID 4656 wrote to memory of 1644	4656	{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe	115
PID 4656 wrote to memory of 1644	4656	{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe	115
PID 4656 wrote to memory of 1644	4656	{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe	115
PID 4132 wrote to memory of 1996	4132	{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe	116
PID 4132 wrote to memory of 1996	4132	{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe	116
PID 4132 wrote to memory of 1996	4132	{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe	116
PID 4132 wrote to memory of 932	4132	{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe	117

C:\Users\Admin\AppData\Local\Temp\d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\{420041F9-6D83-434e-AC07-C86B7203A293}.exe
  C:\Windows\{420041F9-6D83-434e-AC07-C86B7203A293}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe
    C:\Windows\{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe
      C:\Windows\{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe
        
        C:\Windows\{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe
        
        C:\Windows\{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe
        
        C:\Windows\{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe
        
        C:\Windows\{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe
        
        C:\Windows\{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe
        
        C:\Windows\{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe
        
        C:\Windows\{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\{45F683AA-A027-44ba-9DDC-E53AE7FE7434}.exe
        
        C:\Windows\{45F683AA-A027-44ba-9DDC-E53AE7FE7434}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\{D3315893-2738-4012-B9F4-5FC0E1007A16}.exe
        
        C:\Windows\{D3315893-2738-4012-B9F4-5FC0E1007A16}.exe
        13⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45F68~1.EXE > nul
        13⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F371~1.EXE > nul
        12⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C63B~1.EXE > nul
        11⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF4D5~1.EXE > nul
        10⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6829~1.EXE > nul
        9⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA1E2~1.EXE > nul
        8⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40E73~1.EXE > nul
        7⤵
        
        PID:4716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B8D9~1.EXE > nul
        6⤵
        
        PID:4584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D64C~1.EXE > nul
        5⤵
        
        PID:3536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D7D1~1.EXE > nul
      4⤵
      PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{42004~1.EXE > nul
    3⤵
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D5832C~1.EXE > nul
  2⤵
  PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3C63B74D-E64E-45c1-BB9E-0A4EDFECCB7D}.exe

Filesize
90KB

MD5
c420bd21f103307770dc35df6f1bc1df

SHA1
5b90c996ce95849dbcf09bbcbd227e824b1a79d5

SHA256
ac767eee2715f2fe37bad6cb09e1ba4891fdd9b1381fa1be889ad28378c3f8fe

SHA512
a7634eab9682dcaf3f5492a5aa9ce26bef860d89f76d314a3c2afa05ccc504eda32e3977cff2d7074615c7eb5c106ed1d0a2dfd3e6f8924606138dc78cfe1795

Download Submit
C:\Windows\{3D64CFEB-DCCD-4a8e-94C0-024477B71002}.exe

Filesize
90KB

MD5
9cb29637e2912563fa4716e0ecc73b4a

SHA1
a91d9c8e4a89b420edc75a214272bdb1dde5b8ff

SHA256
ab1942af4362688eebc223fbfeac0fa8a55fe75bf2aee8e43bb747da0cb64ec4

SHA512
fd40d3334834fa8ef49b01479c9d62d305d0f49eeecec5a675dd689122eec2eaf7f0360d4cf99d9c2677f81c3b8ce76e095aac448922cc617e28eb0a7c6a2a44

Download Submit
C:\Windows\{3F3717FC-F071-4353-9737-FB94C53D4CBA}.exe

Filesize
90KB

MD5
d3c0d6069e735b393937576433092684

SHA1
a1b9d041a93eccede44053ef60f0a0107d67804a

SHA256
1a05e2e221191ebddddd4b8199eeb645aa9f11001a3a1b48ebd07b599774ef0a

SHA512
2440de8618d5875716bd6d351e4fa4494294338057bc7b32775ddbcdcf165cb50be99b075655c4938c599fdd2baca561afb7330bf73633579ebfbfeae7b215f4

Download Submit
C:\Windows\{40E73600-ED76-41a2-A6DF-ED94674F2782}.exe

Filesize
90KB

MD5
de9449621df4e6ba503a1d85c20d3b71

SHA1
c5829a9fc67c2158f84d6aa584deeebdc5471a66

SHA256
974cab99617f1fe02dc57d549270a9ea427e7166efd5467eedbfb6248d4781eb

SHA512
425fdd30101a4830b5c7bada75a21f652c886a92de3d9d60ccb499389d2fc2607158c8ebe6bd97fd86d9b51bc02e1a6bf2c40c60d2683c14c7afb1bc4c128768

Download Submit
C:\Windows\{420041F9-6D83-434e-AC07-C86B7203A293}.exe

Filesize
90KB

MD5
af762f69acbe88c29bddf67105c49f0b

SHA1
a1af4478861875e81d5f52287f31b7eed3368c21

SHA256
118a281cdaf4f8bc446184acf1478a5d5aed3b15027a12d76c2fa98ae7e932e0

SHA512
1c956fb1d10f987d92f623f98c0210c7e80ccd47d13fc1a4e1c5eade0d4b555de6a81e24e8cbc149ce89d667aeb5ebe9d278f37faf9dbde297e687ee9a8a8b96

Download Submit
C:\Windows\{45F683AA-A027-44ba-9DDC-E53AE7FE7434}.exe

Filesize
90KB

MD5
b6f9180d146a629d67d0bdb69384dda6

SHA1
ba90c177945ba1151d71001c3bb18fc26cb5ae29

SHA256
35504a680930b70461cac620f5af8c168f818f935c81a9d0faec87840cad5055

SHA512
1ce3cf829b99215576a9edfc5e156561c29b898a0d2d994f88337dfa0542d97a1fbeeef81ad6db2fa15c23682cca9e5ee4bff9b19bfd5d443891b11bfdebeac9

Download Submit
C:\Windows\{4B8D956A-0DC2-45ba-9047-D2A6F11C2DFB}.exe

Filesize
90KB

MD5
7f50ad9e1d1fe486592b7e7a00d3c7b9

SHA1
3c124b7a40e367eae0ab1d8e6df72833b11c1b6c

SHA256
e360c4865f2794aaa9dc1ca01da287a565cde97427862169ee89ac67cc1f4047

SHA512
5a834d51c1765c78089fd5aeaf112d2d113d24a17f8a0ddb01321d5c37e4e52042cc9e107526e169cd5f3ebe8477aec485f5f96ab73f87a13e067fafb883e37b

Download Submit
C:\Windows\{8D7D194F-026D-4968-BB06-9EC2D698AEA2}.exe

Filesize
90KB

MD5
dbbdb1f6fa1e214a9a643e39874103f5

SHA1
9d4c4cb312ace8032da99f60b0a35265c6dc0fc6

SHA256
56034c3239be30a4e2008c8c00eec704b1c025acc3b6d14b10103c72ed4dc456

SHA512
450e6d63ba41c758ec4f62432eb14636c2dba515640762e8cc792bf14d215f053b016705ae56d8c5db0b19f735f63a8302dcea5ce52729487b9756bb37253129

Download Submit
C:\Windows\{CF4D5125-CD74-4096-9418-93D1DF1B44DA}.exe

Filesize
90KB

MD5
9bf83c98118fd378c4e7197ed763cb81

SHA1
df12098ecf6c10f1bc9670d6e1c2ef97b18bbe9c

SHA256
e3a79afc149ac7b195a6adaf0cb97b2a8cc1c8e9356d340e1cd4dbad92ce5b2b

SHA512
86b283b234384a8325400564d2b198303d27b3a1009c328d739b8abd64d00f9479f13ca5f3d243f09c4ab8599ad411b8f8b4bfb379e0c6a54f882d3d3265363a

Download Submit
C:\Windows\{D3315893-2738-4012-B9F4-5FC0E1007A16}.exe

Filesize
90KB

MD5
ef4d00ba8657b467752843b04de11829

SHA1
b9a4b9537d5b448a533ae112d944db90e75d42b3

SHA256
95e1b70b5554bae1e532e207c89ed2129f2200f49d6b988bc728b89f37235c2c

SHA512
950be71ed017c4569b8a6da35d4ad896d15a6969c4168bb840a5e93abeb2e500b50fbfe3e0eb93af18b14c5c255565fa593891e18f5cfe5ba2bbfe654a28c03b

Download Submit
C:\Windows\{DA1E2012-2173-4949-A58D-EB7641902BEC}.exe

Filesize
90KB

MD5
9dd76fd2b8ba799da66f64b3c3cc752d

SHA1
d802281796c27fafb4b207f919049367efee2810

SHA256
c7c85631de67af7590ecfe097c2d91641311b34ce87fa75367bbb8263302030e

SHA512
c263e86c2548c8d21fd578505e104eaf6ba15fd9975d0beb1130a796d6b0bcd8d07b847a573f5db91cad8da4844f251715a1526aa8944d1d1acc524dabd52d6f

Download Submit
C:\Windows\{F68295FD-3A5B-402d-9AED-6B117DEC9803}.exe

Filesize
90KB

MD5
6a705fefbc150f26ce7132ea9c9a2ca9

SHA1
ab7b67a664a021f2dd59db6e62875a680b31702e

SHA256
102445d969af0a9f27a7bd0702e9e48a08a321c745f31a4a99255d835e8878b8

SHA512
e37d835eeca85bff5a1b360f1e108082f8a2a519cb18739066796573e93ec520da33ceb9d6bb6f773a433e2da5fe44ba7432b4368059634427e92b3da05c97d7

Download Submit
memory/1616-21-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1900-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1900-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1996-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1996-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2244-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2356-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2356-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3084-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3588-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3588-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3616-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3616-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3908-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3908-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4132-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4252-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4656-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4656-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4892-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4892-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads