87f8a22974e975c8ed000ac8a319c0730603886baf7b8d3c2479c980d5591985

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d8668e1c6d378a209621e26eb11c340_NeikiAnalytics.exe
Size

90KB
MD5

5d8668e1c6d378a209621e26eb11c340
SHA1

40bfa88ac799e2195e1bbbb6528470ff2d703f0f
SHA256

87f8a22974e975c8ed000ac8a319c0730603886baf7b8d3c2479c980d5591985
SHA512

dd30ed91b7fc6e6951f21bab824a75e73697c484095acddbbb2e3d7d1e69f3d46122d86f690da32dc081658d74147895684acd7a821baa654c06ed4a49524a71
SSDEEP

768:Qvw9816vhKQLroh4/wQRNrfrunMxVFA3b7glws:YEGh0ohl2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}	{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3917FABB-C4DF-4d13-865E-BFC267AFE3D7}\stubpath = "C:\\Windows\\{3917FABB-C4DF-4d13-865E-BFC267AFE3D7}.exe"	{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BB37917-14B2-420e-A924-8C965E4648F1}	{3917FABB-C4DF-4d13-865E-BFC267AFE3D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BB37917-14B2-420e-A924-8C965E4648F1}\stubpath = "C:\\Windows\\{3BB37917-14B2-420e-A924-8C965E4648F1}.exe"	{3917FABB-C4DF-4d13-865E-BFC267AFE3D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01B16D85-7E62-469b-B024-2AE132B8A873}\stubpath = "C:\\Windows\\{01B16D85-7E62-469b-B024-2AE132B8A873}.exe"	{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94568DE3-DC87-4524-98FF-C926B1B8F681}\stubpath = "C:\\Windows\\{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe"	{547BCCD4-7102-4717-BC15-F08017211FED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E59471B-13DA-4e5d-8E5A-4FE281239711}	{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1561014-B477-4f37-A460-D97C8C9EAAF2}\stubpath = "C:\\Windows\\{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe"	{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}	{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94568DE3-DC87-4524-98FF-C926B1B8F681}	{547BCCD4-7102-4717-BC15-F08017211FED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B48FAB1-4831-4d57-9FE1-3A2178F77158}	{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B48FAB1-4831-4d57-9FE1-3A2178F77158}\stubpath = "C:\\Windows\\{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe"	{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3917FABB-C4DF-4d13-865E-BFC267AFE3D7}	{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}	5d8668e1c6d378a209621e26eb11c340_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}\stubpath = "C:\\Windows\\{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe"	{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{547BCCD4-7102-4717-BC15-F08017211FED}\stubpath = "C:\\Windows\\{547BCCD4-7102-4717-BC15-F08017211FED}.exe"	{01B16D85-7E62-469b-B024-2AE132B8A873}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{547BCCD4-7102-4717-BC15-F08017211FED}	{01B16D85-7E62-469b-B024-2AE132B8A873}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}	{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}\stubpath = "C:\\Windows\\{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe"	{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E59471B-13DA-4e5d-8E5A-4FE281239711}\stubpath = "C:\\Windows\\{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe"	{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}\stubpath = "C:\\Windows\\{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe"	{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}\stubpath = "C:\\Windows\\{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe"	5d8668e1c6d378a209621e26eb11c340_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1561014-B477-4f37-A460-D97C8C9EAAF2}	{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01B16D85-7E62-469b-B024-2AE132B8A873}	{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe

Executes dropped EXE 12 IoCs

pid	Process
560	{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe
1648	{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe
564	{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe
4452	{01B16D85-7E62-469b-B024-2AE132B8A873}.exe
2296	{547BCCD4-7102-4717-BC15-F08017211FED}.exe
4172	{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe
5032	{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe
3584	{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe
560	{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe
2180	{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe
3832	{3917FABB-C4DF-4d13-865E-BFC267AFE3D7}.exe
4620	{3BB37917-14B2-420e-A924-8C965E4648F1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe	{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe
File created	C:\Windows\{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe	{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe
File created	C:\Windows\{01B16D85-7E62-469b-B024-2AE132B8A873}.exe	{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe
File created	C:\Windows\{547BCCD4-7102-4717-BC15-F08017211FED}.exe	{01B16D85-7E62-469b-B024-2AE132B8A873}.exe
File created	C:\Windows\{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe	{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe
File created	C:\Windows\{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe	{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe
File created	C:\Windows\{3BB37917-14B2-420e-A924-8C965E4648F1}.exe	{3917FABB-C4DF-4d13-865E-BFC267AFE3D7}.exe
File created	C:\Windows\{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe	5d8668e1c6d378a209621e26eb11c340_NeikiAnalytics.exe
File created	C:\Windows\{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe	{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe
File created	C:\Windows\{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe	{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe
File created	C:\Windows\{3917FABB-C4DF-4d13-865E-BFC267AFE3D7}.exe	{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe
File created	C:\Windows\{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe	{547BCCD4-7102-4717-BC15-F08017211FED}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4332	5d8668e1c6d378a209621e26eb11c340_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	560	{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe
Token: SeIncBasePriorityPrivilege	1648	{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe
Token: SeIncBasePriorityPrivilege	564	{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe
Token: SeIncBasePriorityPrivilege	4452	{01B16D85-7E62-469b-B024-2AE132B8A873}.exe
Token: SeIncBasePriorityPrivilege	2296	{547BCCD4-7102-4717-BC15-F08017211FED}.exe
Token: SeIncBasePriorityPrivilege	4172	{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe
Token: SeIncBasePriorityPrivilege	5032	{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe
Token: SeIncBasePriorityPrivilege	3584	{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe
Token: SeIncBasePriorityPrivilege	560	{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe
Token: SeIncBasePriorityPrivilege	2180	{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe
Token: SeIncBasePriorityPrivilege	3832	{3917FABB-C4DF-4d13-865E-BFC267AFE3D7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 560	4332	5d8668e1c6d378a209621e26eb11c340_NeikiAnalytics.exe	95
PID 4332 wrote to memory of 560	4332	5d8668e1c6d378a209621e26eb11c340_NeikiAnalytics.exe	95
PID 4332 wrote to memory of 560	4332	5d8668e1c6d378a209621e26eb11c340_NeikiAnalytics.exe	95
PID 4332 wrote to memory of 3800	4332	5d8668e1c6d378a209621e26eb11c340_NeikiAnalytics.exe	96
PID 4332 wrote to memory of 3800	4332	5d8668e1c6d378a209621e26eb11c340_NeikiAnalytics.exe	96
PID 4332 wrote to memory of 3800	4332	5d8668e1c6d378a209621e26eb11c340_NeikiAnalytics.exe	96
PID 560 wrote to memory of 1648	560	{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe	97
PID 560 wrote to memory of 1648	560	{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe	97
PID 560 wrote to memory of 1648	560	{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe	97
PID 560 wrote to memory of 4636	560	{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe	98
PID 560 wrote to memory of 4636	560	{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe	98
PID 560 wrote to memory of 4636	560	{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe	98
PID 1648 wrote to memory of 564	1648	{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe	102
PID 1648 wrote to memory of 564	1648	{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe	102
PID 1648 wrote to memory of 564	1648	{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe	102
PID 1648 wrote to memory of 1028	1648	{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe	103
PID 1648 wrote to memory of 1028	1648	{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe	103
PID 1648 wrote to memory of 1028	1648	{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe	103
PID 564 wrote to memory of 4452	564	{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe	104
PID 564 wrote to memory of 4452	564	{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe	104
PID 564 wrote to memory of 4452	564	{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe	104
PID 564 wrote to memory of 2364	564	{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe	105
PID 564 wrote to memory of 2364	564	{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe	105
PID 564 wrote to memory of 2364	564	{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe	105
PID 4452 wrote to memory of 2296	4452	{01B16D85-7E62-469b-B024-2AE132B8A873}.exe	106
PID 4452 wrote to memory of 2296	4452	{01B16D85-7E62-469b-B024-2AE132B8A873}.exe	106
PID 4452 wrote to memory of 2296	4452	{01B16D85-7E62-469b-B024-2AE132B8A873}.exe	106
PID 4452 wrote to memory of 232	4452	{01B16D85-7E62-469b-B024-2AE132B8A873}.exe	107
PID 4452 wrote to memory of 232	4452	{01B16D85-7E62-469b-B024-2AE132B8A873}.exe	107
PID 4452 wrote to memory of 232	4452	{01B16D85-7E62-469b-B024-2AE132B8A873}.exe	107
PID 2296 wrote to memory of 4172	2296	{547BCCD4-7102-4717-BC15-F08017211FED}.exe	109
PID 2296 wrote to memory of 4172	2296	{547BCCD4-7102-4717-BC15-F08017211FED}.exe	109
PID 2296 wrote to memory of 4172	2296	{547BCCD4-7102-4717-BC15-F08017211FED}.exe	109
PID 2296 wrote to memory of 1680	2296	{547BCCD4-7102-4717-BC15-F08017211FED}.exe	110
PID 2296 wrote to memory of 1680	2296	{547BCCD4-7102-4717-BC15-F08017211FED}.exe	110
PID 2296 wrote to memory of 1680	2296	{547BCCD4-7102-4717-BC15-F08017211FED}.exe	110
PID 4172 wrote to memory of 5032	4172	{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe	111
PID 4172 wrote to memory of 5032	4172	{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe	111
PID 4172 wrote to memory of 5032	4172	{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe	111
PID 4172 wrote to memory of 4148	4172	{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe	112
PID 4172 wrote to memory of 4148	4172	{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe	112
PID 4172 wrote to memory of 4148	4172	{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe	112
PID 5032 wrote to memory of 3584	5032	{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe	115
PID 5032 wrote to memory of 3584	5032	{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe	115
PID 5032 wrote to memory of 3584	5032	{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe	115
PID 5032 wrote to memory of 4296	5032	{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe	116
PID 5032 wrote to memory of 4296	5032	{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe	116
PID 5032 wrote to memory of 4296	5032	{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe	116
PID 3584 wrote to memory of 560	3584	{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe	117
PID 3584 wrote to memory of 560	3584	{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe	117
PID 3584 wrote to memory of 560	3584	{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe	117
PID 3584 wrote to memory of 4264	3584	{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe	118
PID 3584 wrote to memory of 4264	3584	{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe	118
PID 3584 wrote to memory of 4264	3584	{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe	118
PID 560 wrote to memory of 2180	560	{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe	119
PID 560 wrote to memory of 2180	560	{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe	119
PID 560 wrote to memory of 2180	560	{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe	119
PID 560 wrote to memory of 1568	560	{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe	120
PID 560 wrote to memory of 1568	560	{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe	120
PID 560 wrote to memory of 1568	560	{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe	120
PID 2180 wrote to memory of 3832	2180	{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe	121
PID 2180 wrote to memory of 3832	2180	{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe	121
PID 2180 wrote to memory of 3832	2180	{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe	121
PID 2180 wrote to memory of 2476	2180	{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe	122

C:\Users\Admin\AppData\Local\Temp\5d8668e1c6d378a209621e26eb11c340_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d8668e1c6d378a209621e26eb11c340_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe
  C:\Windows\{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe
    C:\Windows\{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe
      C:\Windows\{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:564
    - - C:\Windows\{01B16D85-7E62-469b-B024-2AE132B8A873}.exe
        
        C:\Windows\{01B16D85-7E62-469b-B024-2AE132B8A873}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Windows\{547BCCD4-7102-4717-BC15-F08017211FED}.exe
        
        C:\Windows\{547BCCD4-7102-4717-BC15-F08017211FED}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe
        
        C:\Windows\{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe
        
        C:\Windows\{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe
        
        C:\Windows\{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe
        
        C:\Windows\{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe
        
        C:\Windows\{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{3917FABB-C4DF-4d13-865E-BFC267AFE3D7}.exe
        
        C:\Windows\{3917FABB-C4DF-4d13-865E-BFC267AFE3D7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
        
        C:\Windows\{3BB37917-14B2-420e-A924-8C965E4648F1}.exe
        
        C:\Windows\{3BB37917-14B2-420e-A924-8C965E4648F1}.exe
        13⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3917F~1.EXE > nul
        13⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5663B~1.EXE > nul
        12⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B48F~1.EXE > nul
        11⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E594~1.EXE > nul
        10⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F7E3~1.EXE > nul
        9⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94568~1.EXE > nul
        8⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{547BC~1.EXE > nul
        7⤵
        
        PID:1680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01B16~1.EXE > nul
        6⤵
        
        PID:232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D6CB~1.EXE > nul
        5⤵
        
        PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F1561~1.EXE > nul
      4⤵
      PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CD29A~1.EXE > nul
    3⤵
    PID:4636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5D8668~1.EXE > nul
  2⤵
  PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01B16D85-7E62-469b-B024-2AE132B8A873}.exe

Filesize
90KB

MD5
ad4d0a60c41195051b1c449b6a0b7430

SHA1
0a4fe4208bf906690aae0885598857d213c15553

SHA256
bdfbbb48566eba0665a31539379e71a61e8ef44c646576eb012b570025a47653

SHA512
c2f1e71c465dee13ccf7b12f6f4808151525a0543de7f0fd2079b8ceab02e9a5b0856fa85d807c9d1b5e0765988fbcc3858eca29a515d76cad9c563460e8f850

Download Submit
C:\Windows\{0B48FAB1-4831-4d57-9FE1-3A2178F77158}.exe

Filesize
90KB

MD5
16f7fbb99d6a92d14e75910608e3ca97

SHA1
96a3f2c1938874eca2a0604afb02bb558fd07277

SHA256
1a9e6c4e1a21cd4e59e6b3ad1ea1b10479e53cb0fa7ab49706be5218f71d255b

SHA512
5c54d987150cddf9f86d28e8754be3dab238e445cb705928b486829f07acd3b7655e692298428d57de897accb3ca470fc612a5c1a7f9fe34987cf0c42330c312

Download Submit
C:\Windows\{1D6CB2AF-746D-4cd6-BFAC-2C0E2578DD78}.exe

Filesize
90KB

MD5
ddc5fd8bfb8255dd5ecf797ac4b67c0a

SHA1
efb25720227599bea9b6f7a88c0cab3e37e69499

SHA256
15c71fc24dd6ddb05e201b5fb6573296bdbeff3e1c31bb3c0c14b798b7964648

SHA512
703f71834d54ff0456a86acc752357b081b393cfaed52790d9d670259b0370bced2668a32d4b5225ea9720b7274036acfc0b2153681b2cc687b408cd572b73dc

Download Submit
C:\Windows\{2E59471B-13DA-4e5d-8E5A-4FE281239711}.exe

Filesize
90KB

MD5
9602f806b2f01e0c33839b59ae045c3e

SHA1
78a07dca52611e6282ffef7f5d2105f4a1ea8318

SHA256
09b56894047de4f882884666147f99b41de807c0615d97fc34a1da57b923b1ef

SHA512
7dd7c8a7fc0e2150c2eb90ec5ed9b771d32c2504a9a82bf2f9b8afd2c5a73ce925d05fd0c2fff6899223f33628ec97acee20511142a157753902d658d0eea98f

Download Submit
C:\Windows\{3917FABB-C4DF-4d13-865E-BFC267AFE3D7}.exe

Filesize
90KB

MD5
8727bcb1d8ba488263c32b3d2168183c

SHA1
424c1c56fc50be18ce73b30dda8ba81e73bb4e98

SHA256
d90d98debeb28d2840db05f8215a7daa29964d0d2cd51e5c34a2da71555b0d99

SHA512
3b5ad632f0d358071a1d3d35a18786beb75f1d81f412a7e474a21a97e92ca2e1541d05a6bdb45f80311a12701f0d1f36b685ea4183b9cce599bfe778d259556d

Download Submit
C:\Windows\{3BB37917-14B2-420e-A924-8C965E4648F1}.exe

Filesize
90KB

MD5
f3a3dd9d5169fa242eb22cb87432cb9d

SHA1
f6b0c6dd8f36c2780ba5c3a75765ee96f56ba27e

SHA256
a8167f41ff553aa0361d0cd646fcfba57b2433eb51c21f768ee7478f48382732

SHA512
d48785d2e77ad14596f30bbb6307a02c3c29b17b370fc0e8de57444a1d189e3748730c61cc700a4c3db15b2646033df5003e8e4091ae84e04ca0287ebbb80444

Download Submit
C:\Windows\{4F7E3CBB-D6B0-4394-AE94-C544F2604A6B}.exe

Filesize
90KB

MD5
5db8fc1338621d2a895305973105dff3

SHA1
8b76a7ff02dcb7ac17258ccfe3eaadcfa67456ec

SHA256
92ce1b5fd45c0a94ca5ecc56e63a2a27dd9cc0aeabc0e0b486243290ded1a707

SHA512
c73b39352909f3f258c629431be1e4f8d8f6b6a95128415ca7a385d7d3191a6c766247c3c335289f43b34c514ca2e4778457546ed09e4f2dc6924703506a05b4

Download Submit
C:\Windows\{547BCCD4-7102-4717-BC15-F08017211FED}.exe

Filesize
90KB

MD5
6ca58bb5e7a54d33895c7ea1a8ba731f

SHA1
762d732872b2c1aa5625e05ad76571b96f4bd80e

SHA256
76421a1574959918a403ff5cbadd8491f1ecbc0217235f3c13f99b6a0baf712a

SHA512
117be0dcb6536641f85b640ecdb79c9a35253b2d2a83c9679d4bc936773d0b37394a2dc545cef7f16a751360064891bee6e439b96710f075f2efb3dd26152f49

Download Submit
C:\Windows\{5663B3DF-DF49-4f57-99AF-4B1AEA02C738}.exe

Filesize
90KB

MD5
93a18c8a4151cd6353952a0cd371e201

SHA1
3aa4a45c717421011168788460b20f638cef735c

SHA256
686a541552c3209de1046d64728144f29bba1df4fc831c2074fa4722bddb15b6

SHA512
f563b85bdf3e9588b0dda6b2541a07028449190b05d3cc6e445c14ca3d0eb13fe70bb34f2d57ebdc947e08cb674a4bd874c788844bdbe12a3bc1967e5fbbe00b

Download Submit
C:\Windows\{94568DE3-DC87-4524-98FF-C926B1B8F681}.exe

Filesize
90KB

MD5
a47c68d6b22c37fb003c2245bddf763f

SHA1
29675eab9d3e77103e4c6118ceb0e872961237ad

SHA256
0aa83ab65e2584c5f0d2e9658064c82fc384d368affcd83ce734a589f4c02d66

SHA512
c272360f586693be5abe8616823bc1c895ea766f366f89746512d70b64dce2ead698d1667cd7e051c535c825b5bee8c4eb9be3391122ef4c4122b49079a2ee93

Download Submit
C:\Windows\{CD29A280-F8FD-48ba-BE94-6D254D0F32CD}.exe

Filesize
90KB

MD5
d16a477ff67bb53b1f910466c63db518

SHA1
67f377417438869feb54cab5315f1ceb6c715419

SHA256
1ae57f79c933962d60d990a696d10774a4c36d35680b9184a42b817e06e5c788

SHA512
f4b4aa81ff5fdbc80ea393f94ca609e426d1ea6935398c7175d980487e49fced12dd8aebf20db2828c51e348de5243affc988a8d12cc031e464b02eb404f8caa

Download Submit
C:\Windows\{F1561014-B477-4f37-A460-D97C8C9EAAF2}.exe

Filesize
90KB

MD5
d41579dace85c1d5d37c242f894dcac0

SHA1
4494896885bbc39dfacab6eec8574f3600c29e25

SHA256
2827048f37f60791211ce7641103098917391c98312d0c9fedb62a3bd53a1fac

SHA512
593685c5ccfcb36b243b890203fe11189985b5b5c08bb7a69309fded6244a1be50059d9f9779fde272400e479b14e55e104f53f44b70bdee1f1029c864c11f45

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads