220a3e41da75327c03a554dce99936da7bc6ee906ab79e0372a6b728b18e319c

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe
Size

64KB
MD5

32629ce1f77416657b7a279dd5d50790
SHA1

e1c7943e2ae5f6502fdd16cab61f606e605befe3
SHA256

220a3e41da75327c03a554dce99936da7bc6ee906ab79e0372a6b728b18e319c
SHA512

ce1d663e5fa1fdb35b2ad975c46d55a1bf10bea717fe2608475ca5fc6199950407a28fbefedaac29a390bfd240eaae682e80ab7e741ebeccf0deec0c54a0a364
SSDEEP

384:ObLwOs8AHsc4HMPwhKQLrof4/CFsrdHWMZw:Ovw981xvhKQLrof4/wQpWMZw

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E8FF0D9-9096-4fa9-94F1-F053FB940770}\stubpath = "C:\\Windows\\{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe"	{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78FAB492-967A-4cff-AC0B-9C9862E07CC3}\stubpath = "C:\\Windows\\{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe"	{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}\stubpath = "C:\\Windows\\{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe"	{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}	{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}\stubpath = "C:\\Windows\\{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe"	{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1727807B-15E3-4d07-8362-2A5E78D06C83}\stubpath = "C:\\Windows\\{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe"	{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97DD04EE-68AA-4891-8B26-522A4753AE78}	{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}	{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDE30093-489C-419d-A90C-9B68D77FA68E}\stubpath = "C:\\Windows\\{FDE30093-489C-419d-A90C-9B68D77FA68E}.exe"	{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97DD04EE-68AA-4891-8B26-522A4753AE78}\stubpath = "C:\\Windows\\{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe"	{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}	{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{579B7B01-51FA-4ef8-B884-810BEFABE165}\stubpath = "C:\\Windows\\{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe"	{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1727807B-15E3-4d07-8362-2A5E78D06C83}	{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDE30093-489C-419d-A90C-9B68D77FA68E}	{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67899FC4-E076-4888-89E7-E9F4C4BFB2DC}	{FDE30093-489C-419d-A90C-9B68D77FA68E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}\stubpath = "C:\\Windows\\{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe"	{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{579B7B01-51FA-4ef8-B884-810BEFABE165}	{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E8FF0D9-9096-4fa9-94F1-F053FB940770}	{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78FAB492-967A-4cff-AC0B-9C9862E07CC3}	{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}\stubpath = "C:\\Windows\\{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe"	{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67899FC4-E076-4888-89E7-E9F4C4BFB2DC}\stubpath = "C:\\Windows\\{67899FC4-E076-4888-89E7-E9F4C4BFB2DC}.exe"	{FDE30093-489C-419d-A90C-9B68D77FA68E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}\stubpath = "C:\\Windows\\{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe"	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}	{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe

Executes dropped EXE 12 IoCs

pid	Process
3468	{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe
1996	{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe
3272	{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe
2436	{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe
4028	{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe
1580	{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe
1256	{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe
4708	{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe
2148	{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe
1664	{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe
796	{FDE30093-489C-419d-A90C-9B68D77FA68E}.exe
2172	{67899FC4-E076-4888-89E7-E9F4C4BFB2DC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe	{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe
File created	C:\Windows\{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe	{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe
File created	C:\Windows\{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe	{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe
File created	C:\Windows\{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe	{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe
File created	C:\Windows\{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe	{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe
File created	C:\Windows\{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe	{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe
File created	C:\Windows\{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe	{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe
File created	C:\Windows\{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe
File created	C:\Windows\{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe	{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe
File created	C:\Windows\{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe	{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe
File created	C:\Windows\{FDE30093-489C-419d-A90C-9B68D77FA68E}.exe	{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe
File created	C:\Windows\{67899FC4-E076-4888-89E7-E9F4C4BFB2DC}.exe	{FDE30093-489C-419d-A90C-9B68D77FA68E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4152	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3468	{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe
Token: SeIncBasePriorityPrivilege	1996	{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe
Token: SeIncBasePriorityPrivilege	3272	{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe
Token: SeIncBasePriorityPrivilege	2436	{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe
Token: SeIncBasePriorityPrivilege	4028	{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe
Token: SeIncBasePriorityPrivilege	1580	{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe
Token: SeIncBasePriorityPrivilege	1256	{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe
Token: SeIncBasePriorityPrivilege	4708	{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe
Token: SeIncBasePriorityPrivilege	2148	{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe
Token: SeIncBasePriorityPrivilege	1664	{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe
Token: SeIncBasePriorityPrivilege	796	{FDE30093-489C-419d-A90C-9B68D77FA68E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 3468	4152	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	95
PID 4152 wrote to memory of 3468	4152	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	95
PID 4152 wrote to memory of 3468	4152	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	95
PID 4152 wrote to memory of 4760	4152	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	96
PID 4152 wrote to memory of 4760	4152	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	96
PID 4152 wrote to memory of 4760	4152	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	96
PID 3468 wrote to memory of 1996	3468	{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe	97
PID 3468 wrote to memory of 1996	3468	{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe	97
PID 3468 wrote to memory of 1996	3468	{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe	97
PID 3468 wrote to memory of 4828	3468	{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe	98
PID 3468 wrote to memory of 4828	3468	{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe	98
PID 3468 wrote to memory of 4828	3468	{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe	98
PID 1996 wrote to memory of 3272	1996	{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe	102
PID 1996 wrote to memory of 3272	1996	{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe	102
PID 1996 wrote to memory of 3272	1996	{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe	102
PID 1996 wrote to memory of 5096	1996	{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe	103
PID 1996 wrote to memory of 5096	1996	{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe	103
PID 1996 wrote to memory of 5096	1996	{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe	103
PID 3272 wrote to memory of 2436	3272	{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe	104
PID 3272 wrote to memory of 2436	3272	{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe	104
PID 3272 wrote to memory of 2436	3272	{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe	104
PID 3272 wrote to memory of 2452	3272	{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe	105
PID 3272 wrote to memory of 2452	3272	{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe	105
PID 3272 wrote to memory of 2452	3272	{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe	105
PID 2436 wrote to memory of 4028	2436	{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe	106
PID 2436 wrote to memory of 4028	2436	{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe	106
PID 2436 wrote to memory of 4028	2436	{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe	106
PID 2436 wrote to memory of 2384	2436	{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe	107
PID 2436 wrote to memory of 2384	2436	{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe	107
PID 2436 wrote to memory of 2384	2436	{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe	107
PID 4028 wrote to memory of 1580	4028	{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe	109
PID 4028 wrote to memory of 1580	4028	{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe	109
PID 4028 wrote to memory of 1580	4028	{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe	109
PID 4028 wrote to memory of 2172	4028	{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe	110
PID 4028 wrote to memory of 2172	4028	{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe	110
PID 4028 wrote to memory of 2172	4028	{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe	110
PID 1580 wrote to memory of 1256	1580	{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe	111
PID 1580 wrote to memory of 1256	1580	{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe	111
PID 1580 wrote to memory of 1256	1580	{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe	111
PID 1580 wrote to memory of 4900	1580	{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe	112
PID 1580 wrote to memory of 4900	1580	{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe	112
PID 1580 wrote to memory of 4900	1580	{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe	112
PID 1256 wrote to memory of 4708	1256	{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe	116
PID 1256 wrote to memory of 4708	1256	{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe	116
PID 1256 wrote to memory of 4708	1256	{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe	116
PID 1256 wrote to memory of 3276	1256	{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe	117
PID 1256 wrote to memory of 3276	1256	{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe	117
PID 1256 wrote to memory of 3276	1256	{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe	117
PID 4708 wrote to memory of 2148	4708	{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe	121
PID 4708 wrote to memory of 2148	4708	{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe	121
PID 4708 wrote to memory of 2148	4708	{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe	121
PID 4708 wrote to memory of 2988	4708	{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe	122
PID 4708 wrote to memory of 2988	4708	{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe	122
PID 4708 wrote to memory of 2988	4708	{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe	122
PID 2148 wrote to memory of 1664	2148	{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe	123
PID 2148 wrote to memory of 1664	2148	{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe	123
PID 2148 wrote to memory of 1664	2148	{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe	123
PID 2148 wrote to memory of 2868	2148	{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe	124
PID 2148 wrote to memory of 2868	2148	{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe	124
PID 2148 wrote to memory of 2868	2148	{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe	124
PID 1664 wrote to memory of 796	1664	{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe	125
PID 1664 wrote to memory of 796	1664	{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe	125
PID 1664 wrote to memory of 796	1664	{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe	125
PID 1664 wrote to memory of 2384	1664	{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe	126

C:\Users\Admin\AppData\Local\Temp\32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe
  C:\Windows\{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe
    C:\Windows\{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe
      C:\Windows\{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3272
    - - C:\Windows\{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe
        
        C:\Windows\{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe
        
        C:\Windows\{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe
        
        C:\Windows\{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe
        
        C:\Windows\{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe
        
        C:\Windows\{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe
        
        C:\Windows\{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe
        
        C:\Windows\{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{FDE30093-489C-419d-A90C-9B68D77FA68E}.exe
        
        C:\Windows\{FDE30093-489C-419d-A90C-9B68D77FA68E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
        
        C:\Windows\{67899FC4-E076-4888-89E7-E9F4C4BFB2DC}.exe
        
        C:\Windows\{67899FC4-E076-4888-89E7-E9F4C4BFB2DC}.exe
        13⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDE30~1.EXE > nul
        13⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17278~1.EXE > nul
        12⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4AA6~1.EXE > nul
        11⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C93CD~1.EXE > nul
        10⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{579B7~1.EXE > nul
        9⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AC38~1.EXE > nul
        8⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78FAB~1.EXE > nul
        7⤵
        
        PID:2172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E8FF~1.EXE > nul
        6⤵
        
        PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97DD0~1.EXE > nul
        5⤵
        
        PID:2452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D438~1.EXE > nul
      4⤵
      PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D4C0B~1.EXE > nul
    3⤵
    PID:4828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\32629C~1.EXE > nul
  2⤵
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1727807B-15E3-4d07-8362-2A5E78D06C83}.exe

Filesize
64KB

MD5
187bfc8df892b6a0f9dce2d3ee6db5ad

SHA1
6e3840bd8f07cb41e8e17d290dad2846a53f3de8

SHA256
c366e84f567a7e56d0b25fda824ebbdc042929fcfe58a1f819df332efb0e374d

SHA512
6d951a6a5d644d199cc279cb67968cb7f7705c3ef5a69a468df03b3d9545b10cb6c6634855303c31db83ecca59173f558555a716364e94fad192f0fab1a44199

Download Submit
C:\Windows\{2AC38A2D-62A3-4076-9FE8-A5996F4D1CBD}.exe

Filesize
64KB

MD5
48195a4d92b810bbb3106931ab4348bd

SHA1
b07ffe7ec7d923e20e9b4888c53939f16429d978

SHA256
409dfe3ef9749afd78d2eef882994338112fd380d81885e55853994acf0e0938

SHA512
769c17da67feaa5e6c7faabff918eabe7157880719b419142b43cc8c07e483d237d5ec17899b97ee57e804bb5482be855935a4b29467aae237df134dff8c688c

Download Submit
C:\Windows\{579B7B01-51FA-4ef8-B884-810BEFABE165}.exe

Filesize
64KB

MD5
7629908804dd785016b14fac5bdc078d

SHA1
cb66d879a4bd6d3940f839f4935982858179590c

SHA256
296b7e4038ca589b48f3b1baa7ab3b9c37b63a3508f3ace1f956e75f1f8c8875

SHA512
3e26fa957a80cbd020cac4008bd67166f036627e990e48a4a33f12dbbe395f0ab66552f8b125379d9aa2522454bd3a2e4b5188fdeca4aaaa295ff608d80d2a33

Download Submit
C:\Windows\{5E8FF0D9-9096-4fa9-94F1-F053FB940770}.exe

Filesize
64KB

MD5
9eca591aa0a0f6ab5ab3d811892bdc40

SHA1
a96ce3e4ab08db44200704862395b2d6ccbb12c8

SHA256
b8ebef051e937e11cc742dab530f4d0476c9a5f793dd38e28502065914df4f8d

SHA512
6897f66c893beaa4cd479ec8fa43c17bb4652d34d1c4a600e0593ca28dda562d07c9f1d3343f5c5ceaa2461850c244d7ab73b0387be21a8932799bdbdd879e1a

Download Submit
C:\Windows\{67899FC4-E076-4888-89E7-E9F4C4BFB2DC}.exe

Filesize
64KB

MD5
c7f422d74d9e74c941d16431b6802775

SHA1
118fc5271001862f078393cd4d8125fe3d241f0b

SHA256
7060b06426a1c65cd17f49617dfd709183f867c233787da6c3fc48b9f6954036

SHA512
58e4350da5da989404c4302bed76937fe8fdf126d8b00ebcc8073093f63e629b6a50a18240a5afbbf26a694c6fb10eefbbe9d498fb57b7948ae08f80415ab442

Download Submit
C:\Windows\{78FAB492-967A-4cff-AC0B-9C9862E07CC3}.exe

Filesize
64KB

MD5
eff4bda00175042a2e558a93860fec3c

SHA1
acf0a06ba461c8b8f6c8dc99cf19c459520305a5

SHA256
c6cdcc83ab3c74b18042e2eed2e0e8e5ccb40fea8525967fe016553f038ab29d

SHA512
e63e64205b6c5af59e8679a6727d61fb96b84015008c5f314677645778d91885f7e00a38b312c3171c3311f3e15b6b3db5be5913c3408917023c0bebdb0ac143

Download Submit
C:\Windows\{8D43886B-73F9-4f6e-9FD2-CAC041B0BEEC}.exe

Filesize
64KB

MD5
22c1863ce31a475fa4c33129a40dd673

SHA1
918060d547d4a4ca12dbcaa09e14adb76501e33f

SHA256
e4fc93d162b8d591a6cf8f26db639ae7f65b1d0be0626c71d2a82b4bf0d49111

SHA512
f3750b86cf7dffe5cd5d6bd25698a41a596480067d991a989337f10211386142b594d48378990f3f9ca7622c7f44667436db80e634284ebf7026fdf7f6d1228a

Download Submit
C:\Windows\{97DD04EE-68AA-4891-8B26-522A4753AE78}.exe

Filesize
64KB

MD5
8282f1638f5dcb6fb1dc207c115ffc82

SHA1
3c83a4bfeb5c812d41b8eb99776336396507973e

SHA256
ce3db1c6b2439778600f701a23493640b70bd3fa5c1cf94af95411c6a5e8b71a

SHA512
2fbd895422eb0e1a55af7e5282a9cc537adb0707c05807235a1176c64d0ad4838580ef6484a552944029765605787cf206a5cb889b9a66388a14ee376cdfdc38

Download Submit
C:\Windows\{A4AA698A-EC91-4fef-B3B6-EB976E7DD358}.exe

Filesize
64KB

MD5
a30bbf5e7ba58d34c3482f354b461d8e

SHA1
77e6b67957eb0f44e4b88909f2f7b6457e311a7c

SHA256
7cbde04b903b546351656fc6ab20c1a6872179cb039c2442f66e20e4ba5a5961

SHA512
74c0670cfae432dd7715a0356833004a240eae128c7119af4bdd7d8c7d436f806cf18aa48edd0d7cf9e639435f8f6410f9f6c63b635cd3de9309afdcfc28305c

Download Submit
C:\Windows\{C93CDA31-83DD-4a5f-9DBA-9E6FF85DF31E}.exe

Filesize
64KB

MD5
8b48c243b242a3a4de12643ae97adb91

SHA1
c4125be42d20fb3caa5a93f5654666581d86699d

SHA256
dc8c2ec834f6d8da266f4b6d36e32af3333d2487a5642de4c171200167ee730e

SHA512
5601ff2013182a10ebe2affeeb911d21ca4cbb47f49919e768fa8f22f0de43dd30dfa7aa291864973a547d9b29f6e1555c250d4512c0fb3dd941e5ebb3c6cfd3

Download Submit
C:\Windows\{D4C0B4B0-63D7-4ed4-9163-DAF2425B2DBD}.exe

Filesize
64KB

MD5
bf99f086af57c039bb975a4c193ed9ce

SHA1
46dbd02fb4a43a7580efb3d51aa02b975b48ee18

SHA256
865806f95ad5f4934c84e550aef98901ed69ebde450d5ac68e552c1d900408d5

SHA512
80b560e20d529f61330910edbf0f40348fdb12b523b473555fa5100ab37eda4c3deb95e6505d4553be2ca001b2dd2a21023e36cca00ad0df7cb382fda3df78e3

Download Submit
C:\Windows\{FDE30093-489C-419d-A90C-9B68D77FA68E}.exe

Filesize
64KB

MD5
ee30363dcf0c984144d70eca5d456fb0

SHA1
e36b3e5582b97bd861b2bce58397badc13c7106b

SHA256
6d46812ac71fec2e6ffa38c25050765bdc422078053c6155080955318b73e467

SHA512
e275666233879415973b59362f3dadfee709a0effeb15e63afbaaad644853960ad42cc9c4789c6b0a1d023e6700604c532871d2babb5b03109f40ddf717b7a87

Download Submit
memory/796-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/796-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1256-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1580-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1580-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1664-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1664-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1996-14-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2148-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2148-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2172-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2436-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2436-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3272-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3272-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3468-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3468-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4028-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4028-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4152-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4152-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4708-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4708-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads