9f23b95f48ad634594f6377dd239285b3b73982a7a87ff36f79011c5354b7ed2

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe
Size

90KB
MD5

9d56365d37172a8ead58c786f168b810
SHA1

d48cece808604d2cc3e9a2450171e0c14b41a8f9
SHA256

9f23b95f48ad634594f6377dd239285b3b73982a7a87ff36f79011c5354b7ed2
SHA512

548ba546512bbc4b4925f5905ed372324f10f292d2697e52c65be5bfc1166ce1f2e8c715f95552d17593ab560c67888d8e52f905311f02d238ab69605d883eca
SSDEEP

768:5vw9816thKQLroX4/wQkNrfrunMxVFA3bA:lEG/0oXlbunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}\stubpath = "C:\\Windows\\{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe"	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}	{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}	{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}	{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4C2884B-FC91-44ec-B55C-A5635787DE65}	{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E82915F-6742-4305-AD4C-917DA2B0E966}\stubpath = "C:\\Windows\\{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe"	{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9776EBF-53B1-4be1-B26C-933D50313451}	{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{510C719E-413C-4925-8784-26B6C94CE446}\stubpath = "C:\\Windows\\{510C719E-413C-4925-8784-26B6C94CE446}.exe"	{3C6FAEAB-1325-47e4-B169-591B5958370A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}\stubpath = "C:\\Windows\\{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe"	{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9776EBF-53B1-4be1-B26C-933D50313451}\stubpath = "C:\\Windows\\{A9776EBF-53B1-4be1-B26C-933D50313451}.exe"	{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0E27056-E4F9-4ac8-B315-14DCB82A6972}	{A9776EBF-53B1-4be1-B26C-933D50313451}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C6FAEAB-1325-47e4-B169-591B5958370A}\stubpath = "C:\\Windows\\{3C6FAEAB-1325-47e4-B169-591B5958370A}.exe"	{D4C2884B-FC91-44ec-B55C-A5635787DE65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33389462-505E-41c8-BE8F-BACE9B532CB9}	{510C719E-413C-4925-8784-26B6C94CE446}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33389462-505E-41c8-BE8F-BACE9B532CB9}\stubpath = "C:\\Windows\\{33389462-505E-41c8-BE8F-BACE9B532CB9}.exe"	{510C719E-413C-4925-8784-26B6C94CE446}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E82915F-6742-4305-AD4C-917DA2B0E966}	{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}\stubpath = "C:\\Windows\\{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe"	{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0E27056-E4F9-4ac8-B315-14DCB82A6972}\stubpath = "C:\\Windows\\{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe"	{A9776EBF-53B1-4be1-B26C-933D50313451}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}\stubpath = "C:\\Windows\\{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe"	{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4C2884B-FC91-44ec-B55C-A5635787DE65}\stubpath = "C:\\Windows\\{D4C2884B-FC91-44ec-B55C-A5635787DE65}.exe"	{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C6FAEAB-1325-47e4-B169-591B5958370A}	{D4C2884B-FC91-44ec-B55C-A5635787DE65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{510C719E-413C-4925-8784-26B6C94CE446}	{3C6FAEAB-1325-47e4-B169-591B5958370A}.exe

Executes dropped EXE 11 IoCs

pid	Process
768	{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe
2664	{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe
2688	{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe
2288	{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe
2776	{A9776EBF-53B1-4be1-B26C-933D50313451}.exe
1956	{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe
2224	{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe
1516	{D4C2884B-FC91-44ec-B55C-A5635787DE65}.exe
2024	{3C6FAEAB-1325-47e4-B169-591B5958370A}.exe
784	{510C719E-413C-4925-8784-26B6C94CE446}.exe
572	{33389462-505E-41c8-BE8F-BACE9B532CB9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{33389462-505E-41c8-BE8F-BACE9B532CB9}.exe	{510C719E-413C-4925-8784-26B6C94CE446}.exe
File created	C:\Windows\{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe
File created	C:\Windows\{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe	{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe
File created	C:\Windows\{A9776EBF-53B1-4be1-B26C-933D50313451}.exe	{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe
File created	C:\Windows\{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe	{A9776EBF-53B1-4be1-B26C-933D50313451}.exe
File created	C:\Windows\{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe	{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe
File created	C:\Windows\{3C6FAEAB-1325-47e4-B169-591B5958370A}.exe	{D4C2884B-FC91-44ec-B55C-A5635787DE65}.exe
File created	C:\Windows\{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe	{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe
File created	C:\Windows\{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe	{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe
File created	C:\Windows\{D4C2884B-FC91-44ec-B55C-A5635787DE65}.exe	{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe
File created	C:\Windows\{510C719E-413C-4925-8784-26B6C94CE446}.exe	{3C6FAEAB-1325-47e4-B169-591B5958370A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2312	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	768	{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe
Token: SeIncBasePriorityPrivilege	2664	{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe
Token: SeIncBasePriorityPrivilege	2688	{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe
Token: SeIncBasePriorityPrivilege	2288	{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe
Token: SeIncBasePriorityPrivilege	2776	{A9776EBF-53B1-4be1-B26C-933D50313451}.exe
Token: SeIncBasePriorityPrivilege	1956	{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe
Token: SeIncBasePriorityPrivilege	2224	{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe
Token: SeIncBasePriorityPrivilege	1516	{D4C2884B-FC91-44ec-B55C-A5635787DE65}.exe
Token: SeIncBasePriorityPrivilege	2024	{3C6FAEAB-1325-47e4-B169-591B5958370A}.exe
Token: SeIncBasePriorityPrivilege	784	{510C719E-413C-4925-8784-26B6C94CE446}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 768	2312	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	28
PID 2312 wrote to memory of 768	2312	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	28
PID 2312 wrote to memory of 768	2312	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	28
PID 2312 wrote to memory of 768	2312	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	28
PID 2312 wrote to memory of 1712	2312	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	29
PID 2312 wrote to memory of 1712	2312	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	29
PID 2312 wrote to memory of 1712	2312	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	29
PID 2312 wrote to memory of 1712	2312	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	29
PID 768 wrote to memory of 2664	768	{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe	30
PID 768 wrote to memory of 2664	768	{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe	30
PID 768 wrote to memory of 2664	768	{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe	30
PID 768 wrote to memory of 2664	768	{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe	30
PID 768 wrote to memory of 2588	768	{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe	31
PID 768 wrote to memory of 2588	768	{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe	31
PID 768 wrote to memory of 2588	768	{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe	31
PID 768 wrote to memory of 2588	768	{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe	31
PID 2664 wrote to memory of 2688	2664	{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe	32
PID 2664 wrote to memory of 2688	2664	{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe	32
PID 2664 wrote to memory of 2688	2664	{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe	32
PID 2664 wrote to memory of 2688	2664	{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe	32
PID 2664 wrote to memory of 2528	2664	{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe	33
PID 2664 wrote to memory of 2528	2664	{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe	33
PID 2664 wrote to memory of 2528	2664	{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe	33
PID 2664 wrote to memory of 2528	2664	{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe	33
PID 2688 wrote to memory of 2288	2688	{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe	36
PID 2688 wrote to memory of 2288	2688	{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe	36
PID 2688 wrote to memory of 2288	2688	{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe	36
PID 2688 wrote to memory of 2288	2688	{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe	36
PID 2688 wrote to memory of 340	2688	{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe	37
PID 2688 wrote to memory of 340	2688	{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe	37
PID 2688 wrote to memory of 340	2688	{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe	37
PID 2688 wrote to memory of 340	2688	{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe	37
PID 2288 wrote to memory of 2776	2288	{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe	38
PID 2288 wrote to memory of 2776	2288	{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe	38
PID 2288 wrote to memory of 2776	2288	{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe	38
PID 2288 wrote to memory of 2776	2288	{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe	38
PID 2288 wrote to memory of 2772	2288	{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe	39
PID 2288 wrote to memory of 2772	2288	{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe	39
PID 2288 wrote to memory of 2772	2288	{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe	39
PID 2288 wrote to memory of 2772	2288	{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe	39
PID 2776 wrote to memory of 1956	2776	{A9776EBF-53B1-4be1-B26C-933D50313451}.exe	40
PID 2776 wrote to memory of 1956	2776	{A9776EBF-53B1-4be1-B26C-933D50313451}.exe	40
PID 2776 wrote to memory of 1956	2776	{A9776EBF-53B1-4be1-B26C-933D50313451}.exe	40
PID 2776 wrote to memory of 1956	2776	{A9776EBF-53B1-4be1-B26C-933D50313451}.exe	40
PID 2776 wrote to memory of 1980	2776	{A9776EBF-53B1-4be1-B26C-933D50313451}.exe	41
PID 2776 wrote to memory of 1980	2776	{A9776EBF-53B1-4be1-B26C-933D50313451}.exe	41
PID 2776 wrote to memory of 1980	2776	{A9776EBF-53B1-4be1-B26C-933D50313451}.exe	41
PID 2776 wrote to memory of 1980	2776	{A9776EBF-53B1-4be1-B26C-933D50313451}.exe	41
PID 1956 wrote to memory of 2224	1956	{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe	42
PID 1956 wrote to memory of 2224	1956	{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe	42
PID 1956 wrote to memory of 2224	1956	{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe	42
PID 1956 wrote to memory of 2224	1956	{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe	42
PID 1956 wrote to memory of 1676	1956	{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe	43
PID 1956 wrote to memory of 1676	1956	{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe	43
PID 1956 wrote to memory of 1676	1956	{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe	43
PID 1956 wrote to memory of 1676	1956	{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe	43
PID 2224 wrote to memory of 1516	2224	{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe	44
PID 2224 wrote to memory of 1516	2224	{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe	44
PID 2224 wrote to memory of 1516	2224	{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe	44
PID 2224 wrote to memory of 1516	2224	{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe	44
PID 2224 wrote to memory of 1436	2224	{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe	45
PID 2224 wrote to memory of 1436	2224	{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe	45
PID 2224 wrote to memory of 1436	2224	{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe	45
PID 2224 wrote to memory of 1436	2224	{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe	45

C:\Users\Admin\AppData\Local\Temp\9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe
  C:\Windows\{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe
    C:\Windows\{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe
      C:\Windows\{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe
        
        C:\Windows\{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Windows\{A9776EBF-53B1-4be1-B26C-933D50313451}.exe
        
        C:\Windows\{A9776EBF-53B1-4be1-B26C-933D50313451}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe
        
        C:\Windows\{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe
        
        C:\Windows\{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\{D4C2884B-FC91-44ec-B55C-A5635787DE65}.exe
        
        C:\Windows\{D4C2884B-FC91-44ec-B55C-A5635787DE65}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\{3C6FAEAB-1325-47e4-B169-591B5958370A}.exe
        
        C:\Windows\{3C6FAEAB-1325-47e4-B169-591B5958370A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{510C719E-413C-4925-8784-26B6C94CE446}.exe
        
        C:\Windows\{510C719E-413C-4925-8784-26B6C94CE446}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\{33389462-505E-41c8-BE8F-BACE9B532CB9}.exe
        
        C:\Windows\{33389462-505E-41c8-BE8F-BACE9B532CB9}.exe
        12⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{510C7~1.EXE > nul
        12⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C6FA~1.EXE > nul
        11⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4C28~1.EXE > nul
        10⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74DD0~1.EXE > nul
        9⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0E27~1.EXE > nul
        8⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9776~1.EXE > nul
        7⤵
        
        PID:1980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B575~1.EXE > nul
        6⤵
        
        PID:2772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E829~1.EXE > nul
        5⤵
        
        PID:340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E00F4~1.EXE > nul
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B81B6~1.EXE > nul
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9D5636~1.EXE > nul
  2⤵
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{33389462-505E-41c8-BE8F-BACE9B532CB9}.exe

Filesize
90KB

MD5
88c2c418afbaaf6a48350a49b9d9df44

SHA1
054a87fee126621e9e78f2a677f71b8cdeef3ccb

SHA256
111facf3f3bda97e005f5be2526bff3d9a14bcfdee48dd20f94c7b5026b351d0

SHA512
75bb189f5582aaa71892ef5d0fbf40845eaf16a12e6395b3ee4d929d9d54e49be17da5821af9dddee03fbd7682ffdfbacad5436067863e6ed62381590c45f29b

Download Submit
C:\Windows\{3B57540B-C31D-4c1f-A376-D08A7C6E02F1}.exe

Filesize
90KB

MD5
733f0243383667bcf9ac8d16357b35c3

SHA1
c3ed83a6ab3e2a0538259aaf257c506e17a34613

SHA256
d116a1a4408fe2b23bca54e53ed486dd7a69ba724315fbf17dddf21f3f37a678

SHA512
efb8d69eef02dd45dc49e1b7f62c6842d4125dd3d9ff2403e09dd36b560c8ebf4ddd6dfd0517cb8be12741247dc5466c454800496c6328d4525b8c2cf9957fe7

Download Submit
C:\Windows\{3C6FAEAB-1325-47e4-B169-591B5958370A}.exe

Filesize
90KB

MD5
0da369ae53c7698e8ea23d79c69617ab

SHA1
d0d0f9b9f914b58e7ec6590e3d089630891a68d8

SHA256
62e8accb293900596ee5f46eb7c1863484d8fb3f774cb25507cc7d56061c33cb

SHA512
97b363e6cc7d7bbd469327b0782f15dd724cdc49d04782bb21b3c12906d28cb7898fc60359a890687c598eba50b30940ec0233894729dd60121cc4b63490c08a

Download Submit
C:\Windows\{3E82915F-6742-4305-AD4C-917DA2B0E966}.exe

Filesize
90KB

MD5
00eec8d404597914c9d454f441afcc40

SHA1
87ca3756fbf1cd38d755ccb6523d073be6736bf5

SHA256
d9bb58a054a6ffdd57c206bd5f021a4ea1ba77fd9b316cb2e91789bbee7efcf2

SHA512
7acc984d6e6bc1cec206b854a57dcd8537edeb0cf44a8798ecc86afb5e71b6be3af32dcc69f02ea993bcecd7f20de586ba7e8c9f6c5b3d2a2ad991424c46ee24

Download Submit
C:\Windows\{510C719E-413C-4925-8784-26B6C94CE446}.exe

Filesize
90KB

MD5
bd07f725154fdc5371789a94a3667e26

SHA1
cd09ac9d61ddaeb1c25ab4d8c36dc35936a491eb

SHA256
f9a2f72b652c1a605d1aeb2d3f55c07ae785fce0f09753ba9c42c309d9b4e8ff

SHA512
76cf3a7989ef1a2a25874ef69ff3487fd08678d43d2ca2f8b009ce01f97deaa42a292f2ff8d78226dc99077157cd8fc7244c7f2636841183a5343a906d533fcf

Download Submit
C:\Windows\{74DD04C1-4A1A-4910-A03D-4BF95C86A5BE}.exe

Filesize
90KB

MD5
dd7212a47d7f39abb9bbe7ba95fa8e2d

SHA1
ca91f68df896d0e95b3c0e0771192a8f590627c8

SHA256
fcf13106200e56572188ee2a93ace0182fa57a746bf493033d70a8f5ef8c3802

SHA512
b642b06f0a010c557c3d2059597808c38cf1170b11686f6c3a5d662b50695d0cd9045f33a2a70b6d142ff333c02b28d0a9768beb46f3c18a513038877d02c979

Download Submit
C:\Windows\{A9776EBF-53B1-4be1-B26C-933D50313451}.exe

Filesize
90KB

MD5
7c176f8d60d02a0d57599161de54af7e

SHA1
d670d5287f164f26d0a7ad552934843b6b9cc6b4

SHA256
9b9992d624bb6ceade91f632f036796192794fdc3cad98d4c5259da2e893f7f5

SHA512
446312cf423a5e3925c1d7bcc87c6162be4fff59f4d3fd4b7f3aecbc40eebc8799a952f46f2882733e34c12c94e5f99dd89fd14e1e7ec5d2b5a747d89a356284

Download Submit
C:\Windows\{B81B6EFE-79B3-4b3d-B1ED-8AB3DB11A761}.exe

Filesize
90KB

MD5
70f074cad3395dd3140781f7df4b0c7f

SHA1
9289b92a64679aa3b4da259649715beddcb222d5

SHA256
715a273ba10ddab6ed793da4662da0468c2827ea28726165fa7429d523f39538

SHA512
be9a18dfdbf0857ebdb5d5ef8f2835e92788c461bcb899bef82cd6e04e4562796889c799db955de80137b2afa736bfaa6cccc93b939b152f747ad567f161243c

Download Submit
C:\Windows\{D4C2884B-FC91-44ec-B55C-A5635787DE65}.exe

Filesize
90KB

MD5
575a4078d94f1ce0c9169e083111162c

SHA1
55b480af32f71c6c68a69d0be16951c043e40e5e

SHA256
afb9f058f88008162a6c82f8db1db55098f475932a9d80a6f2d64ffbcf34c699

SHA512
a83108faf6b0deac4808fb77d5cfea2c731ea23bf7c21b2b7bb2fd490a48809714304701c70d5b28a22a07ccdf82dda1b0918899497a6e294584074a0168f556

Download Submit
C:\Windows\{E00F4A44-31B0-4f6a-A84A-7DE9FF6DECE6}.exe

Filesize
90KB

MD5
006729520035b9ba5bc5c64190806501

SHA1
5718b2523849636e87fe5d157b684801c5404004

SHA256
6de75c418ec2057fcbbfd808c72360702aee06fc0e485428973dfcddab6fbfbb

SHA512
90193e824a0458c2ea0ebecbf89b659ca2c07f04d7ae634c5489ab4d562aa9196dcb80dc48e8f1d5b99e0a3e2a712faf2e80ac7e0bec5602dfb83999b6553aed

Download Submit
C:\Windows\{F0E27056-E4F9-4ac8-B315-14DCB82A6972}.exe

Filesize
90KB

MD5
4ff23b55e6c7889d2ee7fead6843e7b0

SHA1
89e3099a1fa1e232b1472e4b13850a9ce5b63a83

SHA256
9d8dd099639883e15f6567282a2b0acb7e049d90587443a880534e4391f4c6cb

SHA512
b54ab60d422b1c80bd04cd0c5bb2ebe9dfc7ac1eed829916a9ec561270508bf9ef986f4cd5353ed495c67096dc84ca917482d03aabd14aa875e42d48df928e8b

Download Submit
memory/572-98-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/768-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/768-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/784-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/784-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1516-79-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1956-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2024-87-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2024-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2224-69-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/2224-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2224-66-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/2288-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2288-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2312-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2312-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2312-2-0x0000000001C20000-0x0000000001C31000-memory.dmp

Filesize
68KB

Download
memory/2664-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2664-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2688-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2688-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2776-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2776-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads