a9efb2696c3b9e6b6d745e4357808a47afe55131d817639828ef8781960a3472

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe
Size

60KB
MD5

89682278dc54afbb08e79c1ca955c450
SHA1

370acc4f7dadee425f2db96eda954ba2aad5cb38
SHA256

a9efb2696c3b9e6b6d745e4357808a47afe55131d817639828ef8781960a3472
SHA512

99f41db211a50c0bfda783649d9f1d075fa57d1ed9dfbe6d4bc60dad78b9bf03c211cd48379afe7cbea14b0c2e9701c081ff0180597c50713b0bf5bac8ab65b8
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwZh4/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLro74/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47713A26-2C04-4efc-82B8-99F99E10CE5C}\stubpath = "C:\\Windows\\{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe"	{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}\stubpath = "C:\\Windows\\{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe"	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}\stubpath = "C:\\Windows\\{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe"	{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F55AD61E-0286-48df-9495-09A6A0684EE3}\stubpath = "C:\\Windows\\{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe"	{F507C42C-386F-424d-8318-4CE244F559F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F507C42C-386F-424d-8318-4CE244F559F0}\stubpath = "C:\\Windows\\{F507C42C-386F-424d-8318-4CE244F559F0}.exe"	{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}\stubpath = "C:\\Windows\\{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe"	{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E956F60-CAD6-4685-94C5-4771A1ED5C2E}	{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC2733BE-913D-45b6-BB93-0F6C682169CB}	{2B32B2CF-4C72-4f8d-A685-A3D80F732490}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E7660BE-A5C5-45ee-AA30-78F68C025A68}\stubpath = "C:\\Windows\\{0E7660BE-A5C5-45ee-AA30-78F68C025A68}.exe"	{CC2733BE-913D-45b6-BB93-0F6C682169CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}	{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}	{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B32B2CF-4C72-4f8d-A685-A3D80F732490}	{0E956F60-CAD6-4685-94C5-4771A1ED5C2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC2733BE-913D-45b6-BB93-0F6C682169CB}\stubpath = "C:\\Windows\\{CC2733BE-913D-45b6-BB93-0F6C682169CB}.exe"	{2B32B2CF-4C72-4f8d-A685-A3D80F732490}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}\stubpath = "C:\\Windows\\{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe"	{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F55AD61E-0286-48df-9495-09A6A0684EE3}	{F507C42C-386F-424d-8318-4CE244F559F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}	{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B32B2CF-4C72-4f8d-A685-A3D80F732490}\stubpath = "C:\\Windows\\{2B32B2CF-4C72-4f8d-A685-A3D80F732490}.exe"	{0E956F60-CAD6-4685-94C5-4771A1ED5C2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E7660BE-A5C5-45ee-AA30-78F68C025A68}	{CC2733BE-913D-45b6-BB93-0F6C682169CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F507C42C-386F-424d-8318-4CE244F559F0}	{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47713A26-2C04-4efc-82B8-99F99E10CE5C}	{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E956F60-CAD6-4685-94C5-4771A1ED5C2E}\stubpath = "C:\\Windows\\{0E956F60-CAD6-4685-94C5-4771A1ED5C2E}.exe"	{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe

Deletes itself 1 IoCs

pid	Process
1984	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2940	{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe
2648	{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe
1744	{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe
2060	{F507C42C-386F-424d-8318-4CE244F559F0}.exe
2876	{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe
1800	{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe
320	{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe
1544	{0E956F60-CAD6-4685-94C5-4771A1ED5C2E}.exe
1224	{2B32B2CF-4C72-4f8d-A685-A3D80F732490}.exe
2844	{CC2733BE-913D-45b6-BB93-0F6C682169CB}.exe
1064	{0E7660BE-A5C5-45ee-AA30-78F68C025A68}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2B32B2CF-4C72-4f8d-A685-A3D80F732490}.exe	{0E956F60-CAD6-4685-94C5-4771A1ED5C2E}.exe
File created	C:\Windows\{0E7660BE-A5C5-45ee-AA30-78F68C025A68}.exe	{CC2733BE-913D-45b6-BB93-0F6C682169CB}.exe
File created	C:\Windows\{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe
File created	C:\Windows\{F507C42C-386F-424d-8318-4CE244F559F0}.exe	{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe
File created	C:\Windows\{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe	{F507C42C-386F-424d-8318-4CE244F559F0}.exe
File created	C:\Windows\{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe	{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe
File created	C:\Windows\{0E956F60-CAD6-4685-94C5-4771A1ED5C2E}.exe	{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe
File created	C:\Windows\{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe	{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe
File created	C:\Windows\{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe	{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe
File created	C:\Windows\{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe	{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe
File created	C:\Windows\{CC2733BE-913D-45b6-BB93-0F6C682169CB}.exe	{2B32B2CF-4C72-4f8d-A685-A3D80F732490}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2868	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2940	{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe
Token: SeIncBasePriorityPrivilege	2648	{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe
Token: SeIncBasePriorityPrivilege	1744	{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe
Token: SeIncBasePriorityPrivilege	2060	{F507C42C-386F-424d-8318-4CE244F559F0}.exe
Token: SeIncBasePriorityPrivilege	2876	{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe
Token: SeIncBasePriorityPrivilege	1800	{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe
Token: SeIncBasePriorityPrivilege	320	{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe
Token: SeIncBasePriorityPrivilege	1544	{0E956F60-CAD6-4685-94C5-4771A1ED5C2E}.exe
Token: SeIncBasePriorityPrivilege	1224	{2B32B2CF-4C72-4f8d-A685-A3D80F732490}.exe
Token: SeIncBasePriorityPrivilege	2844	{CC2733BE-913D-45b6-BB93-0F6C682169CB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2940	2868	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2940	2868	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2940	2868	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2940	2868	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 1984	2868	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	29
PID 2868 wrote to memory of 1984	2868	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	29
PID 2868 wrote to memory of 1984	2868	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	29
PID 2868 wrote to memory of 1984	2868	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	29
PID 2940 wrote to memory of 2648	2940	{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe	30
PID 2940 wrote to memory of 2648	2940	{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe	30
PID 2940 wrote to memory of 2648	2940	{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe	30
PID 2940 wrote to memory of 2648	2940	{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe	30
PID 2940 wrote to memory of 2716	2940	{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe	31
PID 2940 wrote to memory of 2716	2940	{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe	31
PID 2940 wrote to memory of 2716	2940	{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe	31
PID 2940 wrote to memory of 2716	2940	{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe	31
PID 2648 wrote to memory of 1744	2648	{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe	32
PID 2648 wrote to memory of 1744	2648	{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe	32
PID 2648 wrote to memory of 1744	2648	{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe	32
PID 2648 wrote to memory of 1744	2648	{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe	32
PID 2648 wrote to memory of 2348	2648	{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe	33
PID 2648 wrote to memory of 2348	2648	{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe	33
PID 2648 wrote to memory of 2348	2648	{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe	33
PID 2648 wrote to memory of 2348	2648	{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe	33
PID 1744 wrote to memory of 2060	1744	{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe	36
PID 1744 wrote to memory of 2060	1744	{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe	36
PID 1744 wrote to memory of 2060	1744	{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe	36
PID 1744 wrote to memory of 2060	1744	{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe	36
PID 1744 wrote to memory of 1976	1744	{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe	37
PID 1744 wrote to memory of 1976	1744	{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe	37
PID 1744 wrote to memory of 1976	1744	{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe	37
PID 1744 wrote to memory of 1976	1744	{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe	37
PID 2060 wrote to memory of 2876	2060	{F507C42C-386F-424d-8318-4CE244F559F0}.exe	38
PID 2060 wrote to memory of 2876	2060	{F507C42C-386F-424d-8318-4CE244F559F0}.exe	38
PID 2060 wrote to memory of 2876	2060	{F507C42C-386F-424d-8318-4CE244F559F0}.exe	38
PID 2060 wrote to memory of 2876	2060	{F507C42C-386F-424d-8318-4CE244F559F0}.exe	38
PID 2060 wrote to memory of 2388	2060	{F507C42C-386F-424d-8318-4CE244F559F0}.exe	39
PID 2060 wrote to memory of 2388	2060	{F507C42C-386F-424d-8318-4CE244F559F0}.exe	39
PID 2060 wrote to memory of 2388	2060	{F507C42C-386F-424d-8318-4CE244F559F0}.exe	39
PID 2060 wrote to memory of 2388	2060	{F507C42C-386F-424d-8318-4CE244F559F0}.exe	39
PID 2876 wrote to memory of 1800	2876	{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe	40
PID 2876 wrote to memory of 1800	2876	{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe	40
PID 2876 wrote to memory of 1800	2876	{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe	40
PID 2876 wrote to memory of 1800	2876	{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe	40
PID 2876 wrote to memory of 2032	2876	{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe	41
PID 2876 wrote to memory of 2032	2876	{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe	41
PID 2876 wrote to memory of 2032	2876	{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe	41
PID 2876 wrote to memory of 2032	2876	{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe	41
PID 1800 wrote to memory of 320	1800	{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe	42
PID 1800 wrote to memory of 320	1800	{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe	42
PID 1800 wrote to memory of 320	1800	{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe	42
PID 1800 wrote to memory of 320	1800	{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe	42
PID 1800 wrote to memory of 376	1800	{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe	43
PID 1800 wrote to memory of 376	1800	{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe	43
PID 1800 wrote to memory of 376	1800	{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe	43
PID 1800 wrote to memory of 376	1800	{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe	43
PID 320 wrote to memory of 1544	320	{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe	44
PID 320 wrote to memory of 1544	320	{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe	44
PID 320 wrote to memory of 1544	320	{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe	44
PID 320 wrote to memory of 1544	320	{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe	44
PID 320 wrote to memory of 1432	320	{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe	45
PID 320 wrote to memory of 1432	320	{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe	45
PID 320 wrote to memory of 1432	320	{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe	45
PID 320 wrote to memory of 1432	320	{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe	45

C:\Users\Admin\AppData\Local\Temp\89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe
  C:\Windows\{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe
    C:\Windows\{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe
      C:\Windows\{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\{F507C42C-386F-424d-8318-4CE244F559F0}.exe
        
        C:\Windows\{F507C42C-386F-424d-8318-4CE244F559F0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - C:\Windows\{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe
        
        C:\Windows\{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe
        
        C:\Windows\{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe
        
        C:\Windows\{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\{0E956F60-CAD6-4685-94C5-4771A1ED5C2E}.exe
        
        C:\Windows\{0E956F60-CAD6-4685-94C5-4771A1ED5C2E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\{2B32B2CF-4C72-4f8d-A685-A3D80F732490}.exe
        
        C:\Windows\{2B32B2CF-4C72-4f8d-A685-A3D80F732490}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\{CC2733BE-913D-45b6-BB93-0F6C682169CB}.exe
        
        C:\Windows\{CC2733BE-913D-45b6-BB93-0F6C682169CB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{0E7660BE-A5C5-45ee-AA30-78F68C025A68}.exe
        
        C:\Windows\{0E7660BE-A5C5-45ee-AA30-78F68C025A68}.exe
        12⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC273~1.EXE > nul
        12⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B32B~1.EXE > nul
        11⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E956~1.EXE > nul
        10⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47713~1.EXE > nul
        9⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34F0D~1.EXE > nul
        8⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F55AD~1.EXE > nul
        7⤵
        
        PID:2032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F507C~1.EXE > nul
        6⤵
        
        PID:2388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7550B~1.EXE > nul
        5⤵
        
        PID:1976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FE516~1.EXE > nul
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E5BA3~1.EXE > nul
    3⤵
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\896822~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E7660BE-A5C5-45ee-AA30-78F68C025A68}.exe

Filesize
60KB

MD5
2fa25c751dfa3c4c5c5ddea2d4aa4f7b

SHA1
59776422042cc06a9b714616087e51a476bf5113

SHA256
8c23264f17db86c0b7247471a2bc2ec3cae078104f6ea931434c4b886826f39b

SHA512
cd61ce866924c8640c7c881c34e142b7bb9374caf7759b6c7d31aec9d29f7d1342319cb339d8effe812462c19a70d88d8c88ae3a9fbb18d5bf6ae9f724a8a6fd

Download Submit
C:\Windows\{0E956F60-CAD6-4685-94C5-4771A1ED5C2E}.exe

Filesize
60KB

MD5
4c5d4b7a688c974fb290940b7ab2817d

SHA1
677f6c4af7c0c04e3fc80219866fbf3334d38e1c

SHA256
3f60ef81135549ab9c4f6ce20b9e498d2c99f310f7afcb1f41046bdfd11e4cc3

SHA512
f2aa7041c3b9504578bfdc301e76859106341fa9017318d0c791b457935cdf34ac45aef806e48e22ea1cea1675ad05167547ccb0ce1717516f41aa8dca4724fe

Download Submit
C:\Windows\{2B32B2CF-4C72-4f8d-A685-A3D80F732490}.exe

Filesize
60KB

MD5
670c23ed9aa9204dc80028c75049a770

SHA1
c167b55f6879230692180da1cb8f39af43dd8c0b

SHA256
a25d878e0267186c53d0250e8267d65da8ab61686682cdc2fe1d8a04c10d765e

SHA512
748d2f7ddc55ae27f750097d16ddbd1fe1f0e0150a37751f0fba787d045d5bbd3fb509c9517c80a27732d17cd4be1b7c14dcdffa699d2dbf3db40cb68535c9f0

Download Submit
C:\Windows\{34F0D8F1-D756-4a85-B2DB-1ACF6C8AF9E9}.exe

Filesize
60KB

MD5
8341cc1ada6300e359df8c2011baf8cb

SHA1
f4c979061c23093fa14ff211f5ada9e91c21a9c8

SHA256
4dc2eda0f7aa72a5d2cbcd15f68cdd6bddc2c72e8057473deaf03350db8d5dcc

SHA512
03c418c80aded359540d7c759899762b973a58732c6eedb36b723220a51d3d2e9740609bbe0fe63a4420c72d0bea32170d6906776e7607f75aadd84aed479d6c

Download Submit
C:\Windows\{47713A26-2C04-4efc-82B8-99F99E10CE5C}.exe

Filesize
60KB

MD5
8042e65a19be9c8165637469421caf67

SHA1
c599c6ee4fa4dc3e9c9edf5f07150de3de423b1a

SHA256
5f065322b78b95d620c4b0d66cb09277c5e94351cd48e727752cfdbd1602fb08

SHA512
f30bbaa21f44b281277287b2f923a6f5dffbfc48dc040cea3fc2aed1f9dff6605c903d165f32117dd37dfe02ac8f537d109be70cee55d20e70a3f45dd97e13ba

Download Submit
C:\Windows\{7550BF99-A9E5-4e6e-84EA-D725CC4633E4}.exe

Filesize
60KB

MD5
441a983139133c4da5b725f80cb7a638

SHA1
d2843fd88d6c8bf81ee6681640b9d1f3f9378ef0

SHA256
840f0c72663dcbb971a1dea6adb85746cff428ba29f185a51b4984f528c7feb8

SHA512
9d6f402248cadb4b929b0998114239242442b44d41f6a65546950df2dd0bdcba49159aaf6e0f73fe0c2c1253c3d95e7c38120f5951befbc5fd2e0d04cf776162

Download Submit
C:\Windows\{CC2733BE-913D-45b6-BB93-0F6C682169CB}.exe

Filesize
60KB

MD5
9c9ffab1525b98477c1d2ac833acf152

SHA1
f221d21b154d0783ace741d5055491c26f1a507a

SHA256
e0db2dfc7b148d2df2179efeb8ecbd7a5eae680fdd16dbbff2f6ceb4aa052527

SHA512
435358c53717d07eac7ba500c1a646f3aac96f331a3a81a29b984b552c5fb0a35149601232d5a2554f90d6022043dc707b3af3eabd643a8989be7011ff260b7a

Download Submit
C:\Windows\{E5BA32D5-017C-480e-8D5A-49B4908C8AAD}.exe

Filesize
60KB

MD5
ceb4cb67a2d42c800206a9551f8c2f83

SHA1
45fce0b05c25601dd2ad898fba81e233df9257d2

SHA256
d469eb9a4fb3a26e433abb1081aabba649b55f59ceef86a61800608ac3a2445f

SHA512
5c1b166368ce39b208a09e383038b070ae2de6bd6bf49ea91b99a9fe38cc596ea0ce1fb7aa7df18e5862881a4a872874557e6b605bad0dfbe442a91de88deb44

Download Submit
C:\Windows\{F507C42C-386F-424d-8318-4CE244F559F0}.exe

Filesize
60KB

MD5
37b78c7cb3407c6b0db6b8a04aec6726

SHA1
3777c58853d3fc949793051decf63d0bdf053282

SHA256
544924fbd06b6307a127401a5229e3193064d438c85a34c8aa0d91f84242f867

SHA512
8ee2af7207e86d44889d2d134f89fed23be1c8c531b7e5b737854265a020790debefef8eb2a5919ed42260276543ed9b2352b87ce3586560ed84e8717550e460

Download Submit
C:\Windows\{F55AD61E-0286-48df-9495-09A6A0684EE3}.exe

Filesize
60KB

MD5
62c31f3690edf050e0d5a94cc64e7390

SHA1
0e592042d6895e69ca4874df1e1cef899378bfca

SHA256
4da9cd648fb5b081bb4cc434000ff649cf3a13fc58f7166ca829997cd0dad3aa

SHA512
eeb48484f9d4dd7798826c3fd6e038b37c75cb2a6d02e8b247e2fca6876fa704ff37cebb06b9eb5d10f626b478b2f6094cb933a35d6ab3d93e6d8e1699b2a904

Download Submit
C:\Windows\{FE51672A-124C-47e0-B5B1-63FD8EF46CDC}.exe

Filesize
60KB

MD5
1a593fc8d59fa963b35dbc73eedfffa6

SHA1
242c42b3e4121647d52c12beae5f316061bc9e59

SHA256
dcb83cc0e59db91ac31f0a8c221f75156bd0f9d4931db650a7f585213309c98a

SHA512
01450fc2355da3c52bc369c10f0527fd5abab9899a218557c5761f4f87424c8ef172769c33e5b088e2aed1db5192f60dece293965bdfc782222819a355d0dead

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads