9f23b95f48ad634594f6377dd239285b3b73982a7a87ff36f79011c5354b7ed2

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe
Size

90KB
MD5

9d56365d37172a8ead58c786f168b810
SHA1

d48cece808604d2cc3e9a2450171e0c14b41a8f9
SHA256

9f23b95f48ad634594f6377dd239285b3b73982a7a87ff36f79011c5354b7ed2
SHA512

548ba546512bbc4b4925f5905ed372324f10f292d2697e52c65be5bfc1166ce1f2e8c715f95552d17593ab560c67888d8e52f905311f02d238ab69605d883eca
SSDEEP

768:5vw9816thKQLroX4/wQkNrfrunMxVFA3bA:lEG/0oXlbunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E022324A-5BBD-464c-9681-F1A8AEE05080}	{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}	{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13528206-0732-46f3-98D8-85FA60D3698B}	{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}	{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D522EB08-E2E9-45f1-9356-514D39F6F4E2}	{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}\stubpath = "C:\\Windows\\{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe"	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4C2570E-DF15-443d-8400-6E6BBF57D81E}\stubpath = "C:\\Windows\\{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe"	{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A25EB2C-0A09-4669-979E-44FB43E5C028}\stubpath = "C:\\Windows\\{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe"	{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0423DD96-8C2B-4c73-B919-FE594982976E}\stubpath = "C:\\Windows\\{0423DD96-8C2B-4c73-B919-FE594982976E}.exe"	{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49C831AB-9482-4a13-B89A-3998D1E1516F}\stubpath = "C:\\Windows\\{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe"	{13528206-0732-46f3-98D8-85FA60D3698B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4C2570E-DF15-443d-8400-6E6BBF57D81E}	{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}\stubpath = "C:\\Windows\\{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe"	{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0423DD96-8C2B-4c73-B919-FE594982976E}	{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E022324A-5BBD-464c-9681-F1A8AEE05080}\stubpath = "C:\\Windows\\{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe"	{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}\stubpath = "C:\\Windows\\{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe"	{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB24ACD0-9E05-442d-9E20-2A68AC365D77}	{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB24ACD0-9E05-442d-9E20-2A68AC365D77}\stubpath = "C:\\Windows\\{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe"	{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13528206-0732-46f3-98D8-85FA60D3698B}\stubpath = "C:\\Windows\\{13528206-0732-46f3-98D8-85FA60D3698B}.exe"	{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49C831AB-9482-4a13-B89A-3998D1E1516F}	{13528206-0732-46f3-98D8-85FA60D3698B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D522EB08-E2E9-45f1-9356-514D39F6F4E2}\stubpath = "C:\\Windows\\{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe"	{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A25EB2C-0A09-4669-979E-44FB43E5C028}	{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC486B04-B909-4134-88E8-A7021F67F34D}	{0423DD96-8C2B-4c73-B919-FE594982976E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC486B04-B909-4134-88E8-A7021F67F34D}\stubpath = "C:\\Windows\\{EC486B04-B909-4134-88E8-A7021F67F34D}.exe"	{0423DD96-8C2B-4c73-B919-FE594982976E}.exe

Executes dropped EXE 12 IoCs

pid	Process
3516	{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe
1080	{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe
4800	{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe
3476	{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe
2668	{13528206-0732-46f3-98D8-85FA60D3698B}.exe
1312	{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe
2768	{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe
1020	{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe
1832	{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe
4160	{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe
4196	{0423DD96-8C2B-4c73-B919-FE594982976E}.exe
2568	{EC486B04-B909-4134-88E8-A7021F67F34D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{13528206-0732-46f3-98D8-85FA60D3698B}.exe	{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe
File created	C:\Windows\{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe	{13528206-0732-46f3-98D8-85FA60D3698B}.exe
File created	C:\Windows\{0423DD96-8C2B-4c73-B919-FE594982976E}.exe	{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe
File created	C:\Windows\{EC486B04-B909-4134-88E8-A7021F67F34D}.exe	{0423DD96-8C2B-4c73-B919-FE594982976E}.exe
File created	C:\Windows\{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe
File created	C:\Windows\{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe	{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe
File created	C:\Windows\{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe	{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe
File created	C:\Windows\{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe	{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe
File created	C:\Windows\{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe	{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe
File created	C:\Windows\{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe	{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe
File created	C:\Windows\{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe	{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe
File created	C:\Windows\{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe	{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4560	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3516	{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe
Token: SeIncBasePriorityPrivilege	1080	{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe
Token: SeIncBasePriorityPrivilege	4800	{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe
Token: SeIncBasePriorityPrivilege	3476	{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe
Token: SeIncBasePriorityPrivilege	2668	{13528206-0732-46f3-98D8-85FA60D3698B}.exe
Token: SeIncBasePriorityPrivilege	1312	{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe
Token: SeIncBasePriorityPrivilege	2768	{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe
Token: SeIncBasePriorityPrivilege	1020	{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe
Token: SeIncBasePriorityPrivilege	1832	{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe
Token: SeIncBasePriorityPrivilege	4160	{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe
Token: SeIncBasePriorityPrivilege	4196	{0423DD96-8C2B-4c73-B919-FE594982976E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 3516	4560	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	95
PID 4560 wrote to memory of 3516	4560	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	95
PID 4560 wrote to memory of 3516	4560	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	95
PID 4560 wrote to memory of 4576	4560	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	96
PID 4560 wrote to memory of 4576	4560	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	96
PID 4560 wrote to memory of 4576	4560	9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe	96
PID 3516 wrote to memory of 1080	3516	{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe	97
PID 3516 wrote to memory of 1080	3516	{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe	97
PID 3516 wrote to memory of 1080	3516	{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe	97
PID 3516 wrote to memory of 4632	3516	{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe	98
PID 3516 wrote to memory of 4632	3516	{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe	98
PID 3516 wrote to memory of 4632	3516	{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe	98
PID 1080 wrote to memory of 4800	1080	{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe	101
PID 1080 wrote to memory of 4800	1080	{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe	101
PID 1080 wrote to memory of 4800	1080	{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe	101
PID 1080 wrote to memory of 1856	1080	{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe	102
PID 1080 wrote to memory of 1856	1080	{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe	102
PID 1080 wrote to memory of 1856	1080	{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe	102
PID 4800 wrote to memory of 3476	4800	{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe	103
PID 4800 wrote to memory of 3476	4800	{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe	103
PID 4800 wrote to memory of 3476	4800	{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe	103
PID 4800 wrote to memory of 220	4800	{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe	104
PID 4800 wrote to memory of 220	4800	{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe	104
PID 4800 wrote to memory of 220	4800	{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe	104
PID 3476 wrote to memory of 2668	3476	{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe	105
PID 3476 wrote to memory of 2668	3476	{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe	105
PID 3476 wrote to memory of 2668	3476	{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe	105
PID 3476 wrote to memory of 4804	3476	{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe	106
PID 3476 wrote to memory of 4804	3476	{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe	106
PID 3476 wrote to memory of 4804	3476	{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe	106
PID 2668 wrote to memory of 1312	2668	{13528206-0732-46f3-98D8-85FA60D3698B}.exe	108
PID 2668 wrote to memory of 1312	2668	{13528206-0732-46f3-98D8-85FA60D3698B}.exe	108
PID 2668 wrote to memory of 1312	2668	{13528206-0732-46f3-98D8-85FA60D3698B}.exe	108
PID 2668 wrote to memory of 3660	2668	{13528206-0732-46f3-98D8-85FA60D3698B}.exe	109
PID 2668 wrote to memory of 3660	2668	{13528206-0732-46f3-98D8-85FA60D3698B}.exe	109
PID 2668 wrote to memory of 3660	2668	{13528206-0732-46f3-98D8-85FA60D3698B}.exe	109
PID 1312 wrote to memory of 2768	1312	{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe	110
PID 1312 wrote to memory of 2768	1312	{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe	110
PID 1312 wrote to memory of 2768	1312	{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe	110
PID 1312 wrote to memory of 3972	1312	{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe	111
PID 1312 wrote to memory of 3972	1312	{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe	111
PID 1312 wrote to memory of 3972	1312	{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe	111
PID 2768 wrote to memory of 1020	2768	{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe	112
PID 2768 wrote to memory of 1020	2768	{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe	112
PID 2768 wrote to memory of 1020	2768	{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe	112
PID 2768 wrote to memory of 2388	2768	{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe	113
PID 2768 wrote to memory of 2388	2768	{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe	113
PID 2768 wrote to memory of 2388	2768	{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe	113
PID 1020 wrote to memory of 1832	1020	{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe	120
PID 1020 wrote to memory of 1832	1020	{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe	120
PID 1020 wrote to memory of 1832	1020	{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe	120
PID 1020 wrote to memory of 2336	1020	{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe	121
PID 1020 wrote to memory of 2336	1020	{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe	121
PID 1020 wrote to memory of 2336	1020	{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe	121
PID 1832 wrote to memory of 4160	1832	{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe	122
PID 1832 wrote to memory of 4160	1832	{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe	122
PID 1832 wrote to memory of 4160	1832	{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe	122
PID 1832 wrote to memory of 800	1832	{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe	123
PID 1832 wrote to memory of 800	1832	{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe	123
PID 1832 wrote to memory of 800	1832	{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe	123
PID 4160 wrote to memory of 4196	4160	{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe	126
PID 4160 wrote to memory of 4196	4160	{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe	126
PID 4160 wrote to memory of 4196	4160	{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe	126
PID 4160 wrote to memory of 1732	4160	{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe	127

C:\Users\Admin\AppData\Local\Temp\9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d56365d37172a8ead58c786f168b810_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe
  C:\Windows\{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe
    C:\Windows\{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe
      C:\Windows\{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe
        
        C:\Windows\{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3476
      - C:\Windows\{13528206-0732-46f3-98D8-85FA60D3698B}.exe
        
        C:\Windows\{13528206-0732-46f3-98D8-85FA60D3698B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe
        
        C:\Windows\{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe
        
        C:\Windows\{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe
        
        C:\Windows\{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe
        
        C:\Windows\{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe
        
        C:\Windows\{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\{0423DD96-8C2B-4c73-B919-FE594982976E}.exe
        
        C:\Windows\{0423DD96-8C2B-4c73-B919-FE594982976E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
        
        C:\Windows\{EC486B04-B909-4134-88E8-A7021F67F34D}.exe
        
        C:\Windows\{EC486B04-B909-4134-88E8-A7021F67F34D}.exe
        13⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0423D~1.EXE > nul
        13⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A25E~1.EXE > nul
        12⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D522E~1.EXE > nul
        11⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{022F5~1.EXE > nul
        10⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4C25~1.EXE > nul
        9⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49C83~1.EXE > nul
        8⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13528~1.EXE > nul
        7⤵
        
        PID:3660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB24A~1.EXE > nul
        6⤵
        
        PID:4804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5BA1~1.EXE > nul
        5⤵
        
        PID:220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E0223~1.EXE > nul
      4⤵
      PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CBAF5~1.EXE > nul
    3⤵
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9D5636~1.EXE > nul
  2⤵
  PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{022F5C28-2D24-4f7b-9EDD-58E8EAEA4B7A}.exe

Filesize
90KB

MD5
d3c06f5399be39f2494403c4e647c077

SHA1
faad9021650767c59bccbeba3296157c188dacc1

SHA256
d1ae86b60cab0f78f90d9b5c0b855f904a84549e44a7d90669e1eaa9b66893fd

SHA512
6c6ac00c73ec2f2eaf2bed3e7b9b96d38c5ae146b1f1d66d4f76ec53546d549716b00f4e05f748366890f4b0938eaf843766366c4f20b128a9a0354d4ef934ea

Download Submit
C:\Windows\{0423DD96-8C2B-4c73-B919-FE594982976E}.exe

Filesize
90KB

MD5
c312478066927a4e707e23f9c479b549

SHA1
96fa5cc5cf564dea158926c7a64c71fe684d63a7

SHA256
a9a85f0e26edc11789c3284585a90d9134e3f93fe2c3c1ae00b5e8525003db2c

SHA512
b22a54442f5e0c84fdb9529e33a11d4ac193880935f28e44626d102730d3172ad80ba0817ead467ee3e223b34744c333afc354d34c3a3a24426fdc32942f1b9d

Download Submit
C:\Windows\{13528206-0732-46f3-98D8-85FA60D3698B}.exe

Filesize
90KB

MD5
f0b465f4731e371eee599242d63648a8

SHA1
b7b39984ea222244171a417fc1bb09433c7ee808

SHA256
7b154a29f2cc573e13c8fea92a088e8f5c018a103d6b1463f6feb99edbae6c12

SHA512
39b43f5d3ae3ddeaea6eda3f7eed8c01117e27756ec838f142d1653ea6878a14d782d44a98bd55249dc532c9c1efb1f22a05507e0a1aa6f8579325368d30b16c

Download Submit
C:\Windows\{49C831AB-9482-4a13-B89A-3998D1E1516F}.exe

Filesize
90KB

MD5
4b752dd4ece6c4eb360adb1609fc35f4

SHA1
3c28ab75bcb725813f1368491ecad399774330ab

SHA256
c6d524df4cb6de831cefff0451240a03490a9096c6b0ba4f97812f0754355f32

SHA512
1a20f41fb16aaf040b242655bf2bc6ef045093eae6febf1a9d32dbbfb1769ed5d575d8476f33b9763a6918c7134f0e95ee65f0fd603db186a887bb62d0396cb6

Download Submit
C:\Windows\{4A25EB2C-0A09-4669-979E-44FB43E5C028}.exe

Filesize
90KB

MD5
1a05fc0052f459dfae00082cc6d0cdb9

SHA1
75b031c939d80a4b759d63401d3dd158a160fb09

SHA256
43167cf5c655ff28b0dd05f4fefb89201303ab6ac86e995d8efa40e784215144

SHA512
8d005318057ef47293135e214887345a23a334c09923dd378cc6435128e661bec6f2d472d6cbf6d66cf692e80e3f8f1fce68aa0fa688bf4db3a855f1bc63a517

Download Submit
C:\Windows\{B5BA10E9-263B-4b89-AA7A-E75A1E4D8ACF}.exe

Filesize
90KB

MD5
8b613bd3dea2b1dc64b7d0a9cbc614ba

SHA1
c2c89113407ad1ec06b2c4d4e6203be26144c0ba

SHA256
45f9ecf507395a0aaf865c4bcd98db8bf3aa1525ca52f92cc99c81fcd83130e7

SHA512
adc8948cbe27cf38a4188379d41b8e0cd3cab0856421e9e8ccff460290d7d64cec1ea0522a4ed085481e5c2ef0d455dd6e23b5bdfdd3fe453cb26bf982fe8178

Download Submit
C:\Windows\{CBAF58E3-6D5A-4745-ADFF-71D0626C55BE}.exe

Filesize
90KB

MD5
be010f3fae2c56198d070372afe43b2f

SHA1
770b5186c112ea4e356ba891b7c30ce92126bfbb

SHA256
70ead8d3d412ef205e4188e04411400c88f011419f5ecb5f09fccf9df5111c69

SHA512
be7b1e10ec30e1cd477ce234637acdde1d9be40cf64a66ff41d91fcd59b9098886a63fc616e4491f89939d1f999968ebb15ac7930d9e7672dcee3f7f6f80b594

Download Submit
C:\Windows\{D522EB08-E2E9-45f1-9356-514D39F6F4E2}.exe

Filesize
90KB

MD5
c31ebb2c508ea8396889ac82735ee1d7

SHA1
0a2e073ee454096f9a5931b78e53b1d8b3a4e10a

SHA256
2df6a6cdc1d4bef10a4f5c2ce5824f304ac61e0bd8debc74d39d984184b19918

SHA512
6d9ee498acfaf9c6b88a90204b7333a5b94303eab7f9b3b6f3704900ac9c0e2fde60f849dcdcfc0342debb22fe01f8946c3f577304ed8567d8eb397e6d4d9751

Download Submit
C:\Windows\{DB24ACD0-9E05-442d-9E20-2A68AC365D77}.exe

Filesize
90KB

MD5
6a92e8933eb87fad8a176db48bdd0540

SHA1
f96bb5c91221549895b7fd95c6e8bbae8c100eaa

SHA256
1c1266e4aa212cdff0065e188beaf3ba04d0f42408a16e762d2161605699e1e7

SHA512
95df24cf6c1c67b7e5ef25af1caefb1c50fa25471c94e8f3e31fa9f36df88a52e92ead5a64a2fd26ef19f55454c72e6e60658505b44c44a97ac9dcc071ff6534

Download Submit
C:\Windows\{E022324A-5BBD-464c-9681-F1A8AEE05080}.exe

Filesize
90KB

MD5
49d74366d1c04053e204169ff78e1686

SHA1
2e5552e613812021592d93ca8a70b58b3f03fc7f

SHA256
c742c6f9ff0eba3f22d9063ec3594b97700bc4b2e7a728c7ffbbd12c94518179

SHA512
91c73de3b5c0c7e74000c6208c2c3f2dcaa84c5dd038b06e55c75ce46069846dccde02d26416d1fdf5c9322c099e7dbda38bbd19c206db1a78232bef64ff861d

Download Submit
C:\Windows\{EC486B04-B909-4134-88E8-A7021F67F34D}.exe

Filesize
90KB

MD5
25ee6607fcc2a551ddff00e140c14737

SHA1
5e4a17e91290080b24c069b73909321069b2b66d

SHA256
ec5ac87c7f764fa2272c8da2f55ce5af43895558821a60d8951756092b063b96

SHA512
2df762d6bc59e13a3547e3fedd73313e554cc865cdf5e8f4b742117887ae5907800dff4367970a11205c9d4c8a195fa040a24506985e7a95643ef2823382f01e

Download Submit
C:\Windows\{F4C2570E-DF15-443d-8400-6E6BBF57D81E}.exe

Filesize
90KB

MD5
d75d59813cab819309bf59e59d2d0c7d

SHA1
56c4b98356c1914bbe1c8073ef4f07f01ff9eb3d

SHA256
2d53ca64fad0d3dc1383a4884c3d410a6d7be6c0583c394d9927767ce5767c05

SHA512
47c523a8fa5d165c96f793b29623f639cdde50e51284a2563e00ab54b70b73e76b5d22208cf81b3e4e50977b12c668660169801834b6fdd6b5532f773594f029

Download Submit
memory/1020-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1080-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1080-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1312-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1832-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2568-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2668-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2668-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2768-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2768-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3476-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3476-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3516-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3516-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4160-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4160-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4196-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4560-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4560-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4800-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4800-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads