8b669763c98de54b1f5de0d3a472080557d70e88196da563d22cd46b268c6553

Analysis

max time kernel
149s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe
Size

98KB
MD5

9e24b2a767bd2be6a51b77d18416dd60
SHA1

c381e536da419772da5ee692e198027e2eab33f8
SHA256

8b669763c98de54b1f5de0d3a472080557d70e88196da563d22cd46b268c6553
SHA512

120068f301a0988a3720907fbd8dff7f22c595424ebf9aac6f0ee4a56b0a07db602c941f31912106d3381fbaa29916701eca8e2f5f7a1d05b7e5f6f66d14f6ae
SSDEEP

768:5vw981sthKQLroH4/wQDNrfrunMxVFA3b7glws:lEGN0oHlounMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}	{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D6B68C7-2177-47bd-BBE5-79CAF4D4937C}\stubpath = "C:\\Windows\\{4D6B68C7-2177-47bd-BBE5-79CAF4D4937C}.exe"	{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46976E8A-0FCF-4ee8-8E41-B9D5B1B68EF7}\stubpath = "C:\\Windows\\{46976E8A-0FCF-4ee8-8E41-B9D5B1B68EF7}.exe"	{4D6B68C7-2177-47bd-BBE5-79CAF4D4937C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C074C413-61FD-4200-9921-379D6AD4D259}\stubpath = "C:\\Windows\\{C074C413-61FD-4200-9921-379D6AD4D259}.exe"	{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C074C413-61FD-4200-9921-379D6AD4D259}	{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37473FCD-2897-4db0-A15A-D21F50EA578A}	{C074C413-61FD-4200-9921-379D6AD4D259}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}	{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}\stubpath = "C:\\Windows\\{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe"	{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46976E8A-0FCF-4ee8-8E41-B9D5B1B68EF7}	{4D6B68C7-2177-47bd-BBE5-79CAF4D4937C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69E7C472-1B0A-4836-B195-76F8133CCBA8}	{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69E7C472-1B0A-4836-B195-76F8133CCBA8}\stubpath = "C:\\Windows\\{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe"	{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80C5305C-5F1D-42ff-A164-26006D6A70BE}\stubpath = "C:\\Windows\\{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe"	{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}	{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}\stubpath = "C:\\Windows\\{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe"	{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}\stubpath = "C:\\Windows\\{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe"	{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}\stubpath = "C:\\Windows\\{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe"	{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97E5D0E3-3E71-4346-920B-29754A3B911E}	{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6396DA5B-D0BA-4170-8464-77D067C0F110}\stubpath = "C:\\Windows\\{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe"	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D6B68C7-2177-47bd-BBE5-79CAF4D4937C}	{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80C5305C-5F1D-42ff-A164-26006D6A70BE}	{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37473FCD-2897-4db0-A15A-D21F50EA578A}\stubpath = "C:\\Windows\\{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe"	{C074C413-61FD-4200-9921-379D6AD4D259}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}	{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97E5D0E3-3E71-4346-920B-29754A3B911E}\stubpath = "C:\\Windows\\{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe"	{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6396DA5B-D0BA-4170-8464-77D067C0F110}	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe

Executes dropped EXE 12 IoCs

pid	Process
1396	{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe
228	{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe
4372	{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe
2176	{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe
4240	{C074C413-61FD-4200-9921-379D6AD4D259}.exe
5008	{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe
1628	{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe
3328	{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe
1008	{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe
4416	{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe
1256	{4D6B68C7-2177-47bd-BBE5-79CAF4D4937C}.exe
3124	{46976E8A-0FCF-4ee8-8E41-B9D5B1B68EF7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe	{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe
File created	C:\Windows\{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe	{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe
File created	C:\Windows\{C074C413-61FD-4200-9921-379D6AD4D259}.exe	{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe
File created	C:\Windows\{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe	{C074C413-61FD-4200-9921-379D6AD4D259}.exe
File created	C:\Windows\{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe	{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe
File created	C:\Windows\{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe	{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe
File created	C:\Windows\{4D6B68C7-2177-47bd-BBE5-79CAF4D4937C}.exe	{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe
File created	C:\Windows\{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe
File created	C:\Windows\{46976E8A-0FCF-4ee8-8E41-B9D5B1B68EF7}.exe	{4D6B68C7-2177-47bd-BBE5-79CAF4D4937C}.exe
File created	C:\Windows\{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe	{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe
File created	C:\Windows\{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe	{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe
File created	C:\Windows\{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe	{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5044	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1396	{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe
Token: SeIncBasePriorityPrivilege	228	{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe
Token: SeIncBasePriorityPrivilege	4372	{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe
Token: SeIncBasePriorityPrivilege	2176	{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe
Token: SeIncBasePriorityPrivilege	4240	{C074C413-61FD-4200-9921-379D6AD4D259}.exe
Token: SeIncBasePriorityPrivilege	5008	{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe
Token: SeIncBasePriorityPrivilege	1628	{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe
Token: SeIncBasePriorityPrivilege	3328	{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe
Token: SeIncBasePriorityPrivilege	1008	{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe
Token: SeIncBasePriorityPrivilege	4416	{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe
Token: SeIncBasePriorityPrivilege	1256	{4D6B68C7-2177-47bd-BBE5-79CAF4D4937C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 1396	5044	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	97
PID 5044 wrote to memory of 1396	5044	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	97
PID 5044 wrote to memory of 1396	5044	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	97
PID 5044 wrote to memory of 4824	5044	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	98
PID 5044 wrote to memory of 4824	5044	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	98
PID 5044 wrote to memory of 4824	5044	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	98
PID 1396 wrote to memory of 228	1396	{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe	99
PID 1396 wrote to memory of 228	1396	{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe	99
PID 1396 wrote to memory of 228	1396	{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe	99
PID 1396 wrote to memory of 3116	1396	{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe	100
PID 1396 wrote to memory of 3116	1396	{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe	100
PID 1396 wrote to memory of 3116	1396	{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe	100
PID 228 wrote to memory of 4372	228	{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe	103
PID 228 wrote to memory of 4372	228	{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe	103
PID 228 wrote to memory of 4372	228	{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe	103
PID 228 wrote to memory of 3096	228	{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe	104
PID 228 wrote to memory of 3096	228	{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe	104
PID 228 wrote to memory of 3096	228	{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe	104
PID 4372 wrote to memory of 2176	4372	{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe	105
PID 4372 wrote to memory of 2176	4372	{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe	105
PID 4372 wrote to memory of 2176	4372	{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe	105
PID 4372 wrote to memory of 1548	4372	{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe	106
PID 4372 wrote to memory of 1548	4372	{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe	106
PID 4372 wrote to memory of 1548	4372	{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe	106
PID 2176 wrote to memory of 4240	2176	{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe	108
PID 2176 wrote to memory of 4240	2176	{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe	108
PID 2176 wrote to memory of 4240	2176	{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe	108
PID 2176 wrote to memory of 3636	2176	{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe	109
PID 2176 wrote to memory of 3636	2176	{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe	109
PID 2176 wrote to memory of 3636	2176	{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe	109
PID 4240 wrote to memory of 5008	4240	{C074C413-61FD-4200-9921-379D6AD4D259}.exe	110
PID 4240 wrote to memory of 5008	4240	{C074C413-61FD-4200-9921-379D6AD4D259}.exe	110
PID 4240 wrote to memory of 5008	4240	{C074C413-61FD-4200-9921-379D6AD4D259}.exe	110
PID 4240 wrote to memory of 4328	4240	{C074C413-61FD-4200-9921-379D6AD4D259}.exe	111
PID 4240 wrote to memory of 4328	4240	{C074C413-61FD-4200-9921-379D6AD4D259}.exe	111
PID 4240 wrote to memory of 4328	4240	{C074C413-61FD-4200-9921-379D6AD4D259}.exe	111
PID 5008 wrote to memory of 1628	5008	{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe	112
PID 5008 wrote to memory of 1628	5008	{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe	112
PID 5008 wrote to memory of 1628	5008	{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe	112
PID 5008 wrote to memory of 4344	5008	{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe	113
PID 5008 wrote to memory of 4344	5008	{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe	113
PID 5008 wrote to memory of 4344	5008	{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe	113
PID 1628 wrote to memory of 3328	1628	{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe	120
PID 1628 wrote to memory of 3328	1628	{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe	120
PID 1628 wrote to memory of 3328	1628	{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe	120
PID 1628 wrote to memory of 2444	1628	{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe	121
PID 1628 wrote to memory of 2444	1628	{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe	121
PID 1628 wrote to memory of 2444	1628	{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe	121
PID 3328 wrote to memory of 1008	3328	{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe	122
PID 3328 wrote to memory of 1008	3328	{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe	122
PID 3328 wrote to memory of 1008	3328	{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe	122
PID 3328 wrote to memory of 3616	3328	{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe	123
PID 3328 wrote to memory of 3616	3328	{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe	123
PID 3328 wrote to memory of 3616	3328	{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe	123
PID 1008 wrote to memory of 4416	1008	{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe	124
PID 1008 wrote to memory of 4416	1008	{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe	124
PID 1008 wrote to memory of 4416	1008	{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe	124
PID 1008 wrote to memory of 772	1008	{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe	125
PID 1008 wrote to memory of 772	1008	{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe	125
PID 1008 wrote to memory of 772	1008	{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe	125
PID 4416 wrote to memory of 1256	4416	{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe	128
PID 4416 wrote to memory of 1256	4416	{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe	128
PID 4416 wrote to memory of 1256	4416	{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe	128
PID 4416 wrote to memory of 3924	4416	{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe	129

C:\Users\Admin\AppData\Local\Temp\9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe
  C:\Windows\{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe
    C:\Windows\{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe
      C:\Windows\{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4372
    - - C:\Windows\{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe
        
        C:\Windows\{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Windows\{C074C413-61FD-4200-9921-379D6AD4D259}.exe
        
        C:\Windows\{C074C413-61FD-4200-9921-379D6AD4D259}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe
        
        C:\Windows\{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe
        
        C:\Windows\{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe
        
        C:\Windows\{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe
        
        C:\Windows\{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe
        
        C:\Windows\{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\{4D6B68C7-2177-47bd-BBE5-79CAF4D4937C}.exe
        
        C:\Windows\{4D6B68C7-2177-47bd-BBE5-79CAF4D4937C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\{46976E8A-0FCF-4ee8-8E41-B9D5B1B68EF7}.exe
        
        C:\Windows\{46976E8A-0FCF-4ee8-8E41-B9D5B1B68EF7}.exe
        13⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D6B6~1.EXE > nul
        13⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADBE0~1.EXE > nul
        12⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97E5D~1.EXE > nul
        11⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B68B~1.EXE > nul
        10⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96ACF~1.EXE > nul
        9⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37473~1.EXE > nul
        8⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C074C~1.EXE > nul
        7⤵
        
        PID:4328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CE51~1.EXE > nul
        6⤵
        
        PID:3636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80C53~1.EXE > nul
        5⤵
        
        PID:1548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{69E7C~1.EXE > nul
      4⤵
      PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6396D~1.EXE > nul
    3⤵
    PID:3116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9E24B2~1.EXE > nul
  2⤵
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B68BDCF-A354-48e8-AA4A-A122AA0819E3}.exe

Filesize
98KB

MD5
8fb6d4e9d75157fb3e67b31596bc489f

SHA1
225bcb87015aa58581115df87c8e2d378ea10740

SHA256
beea6c2636fc8448e493bb74be032e05e129410904aa062f4817c9f5df47dc86

SHA512
c2c0638d1f2bcb97e55ff98c7dd74d162594a88f3d2ea7a90ff53af2cab59fc1642b00eeba2a20d7ef0b44aa85a8a9c2d74e152cb88c9433ce2271c3496a57fb

Download Submit
C:\Windows\{37473FCD-2897-4db0-A15A-D21F50EA578A}.exe

Filesize
98KB

MD5
aa7c2e70ebf7adde985d657f3491ae46

SHA1
c43e888551817128d585d518f1740f2dfdbd729d

SHA256
7b2051815e1eb4ae38250f8912a796bbc8cf05335712b8dc5e9e8fc767832d38

SHA512
2763e04b1bb48ffbb5b45d695cd70f00e5119f5fd3fb350248480ac5758559f1ffef2b4fc4f178e64e6471cc9d6ce787f23aba0ad9096b9796bcc25d5d19b78d

Download Submit
C:\Windows\{46976E8A-0FCF-4ee8-8E41-B9D5B1B68EF7}.exe

Filesize
98KB

MD5
b4ee41aad15531d91f2f61ac3d56b712

SHA1
5b26d06ab3ef2a6990be7a2edbde6fe618433eb4

SHA256
f70f1ba97bd2d72e7e7c25b762027e8cbebd73e8dc6739db65d38bdf28affd58

SHA512
496d3e02346a6e64dba69f42618f625fb134ba194c4ea443101d4fc730e5d8ed388f35608f3edeeec8fb0078f75286c5c6366d9cc2b712188b32c9080863fe71

Download Submit
C:\Windows\{4D6B68C7-2177-47bd-BBE5-79CAF4D4937C}.exe

Filesize
98KB

MD5
894f18e1168d5b7ae29da9db46c36cd4

SHA1
ab3dba518c93b2f325902540b1660d1887254cdf

SHA256
b9510f280eb1409c18829fca52601eb6403a3f6b9803415fedf77443ff94bfc9

SHA512
a022b43270a9c8284ff85e4cb0d2703b9d965370209e300dd5ac663aa85cf226170120e5d02d4c734df9ca9e840136360cd358162bba3533d30e13c105cf984d

Download Submit
C:\Windows\{6396DA5B-D0BA-4170-8464-77D067C0F110}.exe

Filesize
98KB

MD5
0edc3c010a2f4650162cbedb412dc397

SHA1
3a102584f1a0c52d7f963a3cc642983de0ff99fa

SHA256
d5884bb1c3a17a1d9262a08a04cbb447a535878047db1a4e9763c2371cb74056

SHA512
23780de05f8bddb1a36899b9076162476d950288a045e838ef5b641229c43563f99612ba7c770af0e6cd3715494ede001570f49d590fdc879834506af1e18b0d

Download Submit
C:\Windows\{69E7C472-1B0A-4836-B195-76F8133CCBA8}.exe

Filesize
98KB

MD5
0e4998b002b4090e505c0528247ac142

SHA1
f49bbee53e6818a3a4f673eb2800d35b5d387adc

SHA256
44a6c72166f2266f84466a03dfa9a8e8e8dba22954c398b783448216fd257937

SHA512
4210f373de068916230b7f7389be8908e4ced0ebdd8a99232da3be2a1880f06905f5b651932e59aad0a41cbc41833c49516afa534314316a40c62c3269093d31

Download Submit
C:\Windows\{80C5305C-5F1D-42ff-A164-26006D6A70BE}.exe

Filesize
98KB

MD5
5f047e4c2a96fa2a09986a9bf5db2b6a

SHA1
cbdca0c4189bda19722b8d39ad4e9a3e2a33f5ec

SHA256
951f8d6db2aad0e52f3950bf06ff5caa55208674db12221939e4e24aba1636de

SHA512
77dcc79200414fa62b465b4d54a4752ffa292a0504d3d52e1b1a9a6c836e96dde6af6525d0973a9f4529e97c98b7080244584deb1d7a338698c9e6d46dac9663

Download Submit
C:\Windows\{8CE511F9-79D7-4a0e-9E5B-E40BC9814C9C}.exe

Filesize
98KB

MD5
06959a90d0242b9c3ad6adeb3f102aa9

SHA1
ffa9c02fdb96ed989ba85593c5ec8593bc4fd227

SHA256
7a8949a64eaaef0804f8212e5e0f34824c5f9db5b992ab20f39a2b28a14b0c02

SHA512
652e5b9d477bcc8b2865f18ddc484775ab74e9bcc1be886a9efcb4747008ca6ed0d9b23ac0923b4237ef0c8d5e30879b3f2b9bdcb36273ff2eaa57ac6ebf7389

Download Submit
C:\Windows\{96ACF7BB-ACBA-45c1-B635-80BE51D8EF4A}.exe

Filesize
98KB

MD5
cb4b3d5000592beb0b5b73b604167e33

SHA1
8c56790f9a7f831ce1037fa5db48d70b41b49cd7

SHA256
0d91afcb91533fc16788f608514fcb7a9db3073f7c0f2bce8eae9faefddd55cb

SHA512
e24cc1e0b8bb281e45e646530fecbfbfd303443a94d3f89c369b470623dc3ed52ee2a89e2be0bc2b49b39fe0d4aaa56de68a316ceabf8a9c76a4c0f85c282ad7

Download Submit
C:\Windows\{97E5D0E3-3E71-4346-920B-29754A3B911E}.exe

Filesize
98KB

MD5
84abfd4223a28bb8f13a56cd26419db1

SHA1
3eca99eba740e4e7c289174ddf09f98b1e93c76a

SHA256
5a943040af4f0d0cde11b7bd2395bfb645195da370dd152b0ad80a6b30b0baa1

SHA512
060e346004b4dea08c0c3e8d824ae2ef9892736c568757755042c264a57ba6a34499e73cb1a30f78083872d86e50f376ffc61adc633d2c162c7f948f48ee9de2

Download Submit
C:\Windows\{ADBE0A7C-6125-4ecf-9887-57E0D7BFB1EA}.exe

Filesize
98KB

MD5
b3e509a94e0fd6d9f4f409f9c316f826

SHA1
22823e92a68c3ead2f72ccd6207642cce7ce054c

SHA256
003255c40b6d25f3314cd4c965aab6898a728176ba50a2c77ba01f7279c6ccfc

SHA512
92bf79f6377f7ce1c5a5593a9cdec42711958fe3a69f9dbd689adc6f2d038019f63510994a8bb5282411a64921848a66dc8d548487c2c6cb66a2cdd2fa2c2309

Download Submit
C:\Windows\{C074C413-61FD-4200-9921-379D6AD4D259}.exe

Filesize
98KB

MD5
9b891e2c0fe8ecd55d4cb6a25060e853

SHA1
53f829f0812cbe3767ff76578b74d96945346305

SHA256
137a3196a6716ea8079546fe915c09d0910fa203855887db66ed61fbfe0cbc79

SHA512
c5579f2dc8d7fd5f680ee4ee5091327882318b292b1d9d91de8708f56fb6b460923610125ecdf6b7669209f3c58b77d2f2196c996d52b5f8dc852a896868fc76

Download Submit
memory/228-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/228-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1008-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1008-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1256-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1256-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1396-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1396-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1628-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2176-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2176-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3124-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3328-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3328-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4240-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4240-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4372-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4372-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4416-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4416-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5008-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5008-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5044-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5044-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads