a9efb2696c3b9e6b6d745e4357808a47afe55131d817639828ef8781960a3472

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe
Size

60KB
MD5

89682278dc54afbb08e79c1ca955c450
SHA1

370acc4f7dadee425f2db96eda954ba2aad5cb38
SHA256

a9efb2696c3b9e6b6d745e4357808a47afe55131d817639828ef8781960a3472
SHA512

99f41db211a50c0bfda783649d9f1d075fa57d1ed9dfbe6d4bc60dad78b9bf03c211cd48379afe7cbea14b0c2e9701c081ff0180597c50713b0bf5bac8ab65b8
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwZh4/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLro74/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44C2E205-F46C-432c-BC68-288BE0489648}	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44C2E205-F46C-432c-BC68-288BE0489648}\stubpath = "C:\\Windows\\{44C2E205-F46C-432c-BC68-288BE0489648}.exe"	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}	{98690AF2-31B7-46b3-A24C-9567989739F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90F04B9F-9A69-4926-9BB2-5C84F3946869}	{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40CC433D-89B2-4b91-8235-97628508D6B7}	{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}	{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}\stubpath = "C:\\Windows\\{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe"	{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75EF19F6-2EC5-427c-AE1A-5D6AD6DDBFF4}	{90F04B9F-9A69-4926-9BB2-5C84F3946869}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E5B2B9B-90D5-400c-B476-43A57A1AD839}\stubpath = "C:\\Windows\\{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe"	{44C2E205-F46C-432c-BC68-288BE0489648}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98690AF2-31B7-46b3-A24C-9567989739F5}	{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7A8AE24-555B-4559-A8BE-32473640F8CD}	{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7A8AE24-555B-4559-A8BE-32473640F8CD}\stubpath = "C:\\Windows\\{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe"	{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75EF19F6-2EC5-427c-AE1A-5D6AD6DDBFF4}\stubpath = "C:\\Windows\\{75EF19F6-2EC5-427c-AE1A-5D6AD6DDBFF4}.exe"	{90F04B9F-9A69-4926-9BB2-5C84F3946869}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B87D058-44C0-4206-B118-36F1C7DB4246}\stubpath = "C:\\Windows\\{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe"	{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40CC433D-89B2-4b91-8235-97628508D6B7}\stubpath = "C:\\Windows\\{40CC433D-89B2-4b91-8235-97628508D6B7}.exe"	{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}	{40CC433D-89B2-4b91-8235-97628508D6B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}\stubpath = "C:\\Windows\\{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe"	{40CC433D-89B2-4b91-8235-97628508D6B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98690AF2-31B7-46b3-A24C-9567989739F5}\stubpath = "C:\\Windows\\{98690AF2-31B7-46b3-A24C-9567989739F5}.exe"	{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}\stubpath = "C:\\Windows\\{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe"	{98690AF2-31B7-46b3-A24C-9567989739F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}	{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B87D058-44C0-4206-B118-36F1C7DB4246}	{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E5B2B9B-90D5-400c-B476-43A57A1AD839}	{44C2E205-F46C-432c-BC68-288BE0489648}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}\stubpath = "C:\\Windows\\{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe"	{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90F04B9F-9A69-4926-9BB2-5C84F3946869}\stubpath = "C:\\Windows\\{90F04B9F-9A69-4926-9BB2-5C84F3946869}.exe"	{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe

Executes dropped EXE 12 IoCs

pid	Process
1580	{44C2E205-F46C-432c-BC68-288BE0489648}.exe
1932	{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe
1540	{98690AF2-31B7-46b3-A24C-9567989739F5}.exe
4388	{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe
2192	{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe
532	{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe
2456	{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe
4484	{40CC433D-89B2-4b91-8235-97628508D6B7}.exe
32	{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe
4600	{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe
1336	{90F04B9F-9A69-4926-9BB2-5C84F3946869}.exe
4812	{75EF19F6-2EC5-427c-AE1A-5D6AD6DDBFF4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe	{98690AF2-31B7-46b3-A24C-9567989739F5}.exe
File created	C:\Windows\{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe	{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe
File created	C:\Windows\{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe	{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe
File created	C:\Windows\{40CC433D-89B2-4b91-8235-97628508D6B7}.exe	{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe
File created	C:\Windows\{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe	{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe
File created	C:\Windows\{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe	{44C2E205-F46C-432c-BC68-288BE0489648}.exe
File created	C:\Windows\{98690AF2-31B7-46b3-A24C-9567989739F5}.exe	{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe
File created	C:\Windows\{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe	{40CC433D-89B2-4b91-8235-97628508D6B7}.exe
File created	C:\Windows\{90F04B9F-9A69-4926-9BB2-5C84F3946869}.exe	{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe
File created	C:\Windows\{75EF19F6-2EC5-427c-AE1A-5D6AD6DDBFF4}.exe	{90F04B9F-9A69-4926-9BB2-5C84F3946869}.exe
File created	C:\Windows\{44C2E205-F46C-432c-BC68-288BE0489648}.exe	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe
File created	C:\Windows\{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe	{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1204	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1580	{44C2E205-F46C-432c-BC68-288BE0489648}.exe
Token: SeIncBasePriorityPrivilege	1932	{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe
Token: SeIncBasePriorityPrivilege	1540	{98690AF2-31B7-46b3-A24C-9567989739F5}.exe
Token: SeIncBasePriorityPrivilege	4388	{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe
Token: SeIncBasePriorityPrivilege	2192	{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe
Token: SeIncBasePriorityPrivilege	532	{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe
Token: SeIncBasePriorityPrivilege	2456	{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe
Token: SeIncBasePriorityPrivilege	4484	{40CC433D-89B2-4b91-8235-97628508D6B7}.exe
Token: SeIncBasePriorityPrivilege	32	{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe
Token: SeIncBasePriorityPrivilege	4600	{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe
Token: SeIncBasePriorityPrivilege	1336	{90F04B9F-9A69-4926-9BB2-5C84F3946869}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1580	1204	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	96
PID 1204 wrote to memory of 1580	1204	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	96
PID 1204 wrote to memory of 1580	1204	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	96
PID 1204 wrote to memory of 1036	1204	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	97
PID 1204 wrote to memory of 1036	1204	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	97
PID 1204 wrote to memory of 1036	1204	89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe	97
PID 1580 wrote to memory of 1932	1580	{44C2E205-F46C-432c-BC68-288BE0489648}.exe	98
PID 1580 wrote to memory of 1932	1580	{44C2E205-F46C-432c-BC68-288BE0489648}.exe	98
PID 1580 wrote to memory of 1932	1580	{44C2E205-F46C-432c-BC68-288BE0489648}.exe	98
PID 1580 wrote to memory of 4484	1580	{44C2E205-F46C-432c-BC68-288BE0489648}.exe	99
PID 1580 wrote to memory of 4484	1580	{44C2E205-F46C-432c-BC68-288BE0489648}.exe	99
PID 1580 wrote to memory of 4484	1580	{44C2E205-F46C-432c-BC68-288BE0489648}.exe	99
PID 1932 wrote to memory of 1540	1932	{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe	103
PID 1932 wrote to memory of 1540	1932	{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe	103
PID 1932 wrote to memory of 1540	1932	{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe	103
PID 1932 wrote to memory of 3972	1932	{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe	104
PID 1932 wrote to memory of 3972	1932	{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe	104
PID 1932 wrote to memory of 3972	1932	{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe	104
PID 1540 wrote to memory of 4388	1540	{98690AF2-31B7-46b3-A24C-9567989739F5}.exe	105
PID 1540 wrote to memory of 4388	1540	{98690AF2-31B7-46b3-A24C-9567989739F5}.exe	105
PID 1540 wrote to memory of 4388	1540	{98690AF2-31B7-46b3-A24C-9567989739F5}.exe	105
PID 1540 wrote to memory of 452	1540	{98690AF2-31B7-46b3-A24C-9567989739F5}.exe	106
PID 1540 wrote to memory of 452	1540	{98690AF2-31B7-46b3-A24C-9567989739F5}.exe	106
PID 1540 wrote to memory of 452	1540	{98690AF2-31B7-46b3-A24C-9567989739F5}.exe	106
PID 4388 wrote to memory of 2192	4388	{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe	107
PID 4388 wrote to memory of 2192	4388	{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe	107
PID 4388 wrote to memory of 2192	4388	{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe	107
PID 4388 wrote to memory of 2632	4388	{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe	108
PID 4388 wrote to memory of 2632	4388	{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe	108
PID 4388 wrote to memory of 2632	4388	{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe	108
PID 2192 wrote to memory of 532	2192	{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe	110
PID 2192 wrote to memory of 532	2192	{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe	110
PID 2192 wrote to memory of 532	2192	{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe	110
PID 2192 wrote to memory of 4908	2192	{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe	111
PID 2192 wrote to memory of 4908	2192	{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe	111
PID 2192 wrote to memory of 4908	2192	{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe	111
PID 532 wrote to memory of 2456	532	{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe	112
PID 532 wrote to memory of 2456	532	{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe	112
PID 532 wrote to memory of 2456	532	{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe	112
PID 532 wrote to memory of 1044	532	{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe	113
PID 532 wrote to memory of 1044	532	{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe	113
PID 532 wrote to memory of 1044	532	{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe	113
PID 2456 wrote to memory of 4484	2456	{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe	116
PID 2456 wrote to memory of 4484	2456	{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe	116
PID 2456 wrote to memory of 4484	2456	{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe	116
PID 2456 wrote to memory of 3256	2456	{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe	117
PID 2456 wrote to memory of 3256	2456	{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe	117
PID 2456 wrote to memory of 3256	2456	{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe	117
PID 4484 wrote to memory of 32	4484	{40CC433D-89B2-4b91-8235-97628508D6B7}.exe	122
PID 4484 wrote to memory of 32	4484	{40CC433D-89B2-4b91-8235-97628508D6B7}.exe	122
PID 4484 wrote to memory of 32	4484	{40CC433D-89B2-4b91-8235-97628508D6B7}.exe	122
PID 4484 wrote to memory of 2236	4484	{40CC433D-89B2-4b91-8235-97628508D6B7}.exe	123
PID 4484 wrote to memory of 2236	4484	{40CC433D-89B2-4b91-8235-97628508D6B7}.exe	123
PID 4484 wrote to memory of 2236	4484	{40CC433D-89B2-4b91-8235-97628508D6B7}.exe	123
PID 32 wrote to memory of 4600	32	{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe	124
PID 32 wrote to memory of 4600	32	{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe	124
PID 32 wrote to memory of 4600	32	{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe	124
PID 32 wrote to memory of 4340	32	{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe	125
PID 32 wrote to memory of 4340	32	{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe	125
PID 32 wrote to memory of 4340	32	{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe	125
PID 4600 wrote to memory of 1336	4600	{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe	128
PID 4600 wrote to memory of 1336	4600	{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe	128
PID 4600 wrote to memory of 1336	4600	{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe	128
PID 4600 wrote to memory of 4144	4600	{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe	129

C:\Users\Admin\AppData\Local\Temp\89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89682278dc54afbb08e79c1ca955c450_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\{44C2E205-F46C-432c-BC68-288BE0489648}.exe
  C:\Windows\{44C2E205-F46C-432c-BC68-288BE0489648}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe
    C:\Windows\{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\{98690AF2-31B7-46b3-A24C-9567989739F5}.exe
      C:\Windows\{98690AF2-31B7-46b3-A24C-9567989739F5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Windows\{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe
        
        C:\Windows\{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Windows\{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe
        
        C:\Windows\{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe
        
        C:\Windows\{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe
        
        C:\Windows\{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\{40CC433D-89B2-4b91-8235-97628508D6B7}.exe
        
        C:\Windows\{40CC433D-89B2-4b91-8235-97628508D6B7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe
        
        C:\Windows\{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe
        
        C:\Windows\{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\{90F04B9F-9A69-4926-9BB2-5C84F3946869}.exe
        
        C:\Windows\{90F04B9F-9A69-4926-9BB2-5C84F3946869}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\{75EF19F6-2EC5-427c-AE1A-5D6AD6DDBFF4}.exe
        
        C:\Windows\{75EF19F6-2EC5-427c-AE1A-5D6AD6DDBFF4}.exe
        13⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90F04~1.EXE > nul
        13⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5BEB~1.EXE > nul
        12⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{315BF~1.EXE > nul
        11⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40CC4~1.EXE > nul
        10⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B87D~1.EXE > nul
        9⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7A8A~1.EXE > nul
        8⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D64D3~1.EXE > nul
        7⤵
        
        PID:4908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBD9C~1.EXE > nul
        6⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98690~1.EXE > nul
        5⤵
        
        PID:452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9E5B2~1.EXE > nul
      4⤵
      PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{44C2E~1.EXE > nul
    3⤵
    PID:4484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\896822~1.EXE > nul
  2⤵
  PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B87D058-44C0-4206-B118-36F1C7DB4246}.exe

Filesize
60KB

MD5
0ae1461db7b937f133570243321dae06

SHA1
364df4334a394d6cb0f5fc59fc6c8db93ac54f83

SHA256
c7dd06aa08750f2679cf384c87713694d97d0733111161860221fd3ed3f6ff58

SHA512
56eb9bb31b8be514d4b70f47deb54088fbd24c264c2ce5590cef589dccb0a31de49bda4ee0497b0532c1937ed8dbf2df9b183aa04ce03510947c3a7c49aca9b9

Download Submit
C:\Windows\{315BFD68-5AAB-4ed2-8142-B10A164FAE6B}.exe

Filesize
60KB

MD5
d4594502caaab2f01259b52dc34583f5

SHA1
d7c69c48a9dc3268e9f133ce8d52c31eadd7d05c

SHA256
4ef1cf9f69fcd9ee90b18b8bdb74cf5704366bf1e31e1cc848f3b5ee5accbd0e

SHA512
08004778b815d5c83545f5c1fac0d8254cff5764de47f5a5c92bf108168a7bc28eced2497d871999d426893f021c589158ae1fbc4b0d90639b8caf5bbb128bac

Download Submit
C:\Windows\{40CC433D-89B2-4b91-8235-97628508D6B7}.exe

Filesize
60KB

MD5
4f45f545691d9a4fba8410f44025a4be

SHA1
faaecf785b68ce80dd8a98947a6ff2a004f20b31

SHA256
ac8906d3df0b66160aea14fd4c8a51fac31340bbf3a47610784939a513863488

SHA512
269720802effa186eb71f4ec096b0fd341659cfab06fcdca6adacd7feb0cd31acd0df0a26780b09264947405067f02e308d5946d7d35f8f8f7813b21616ce08a

Download Submit
C:\Windows\{44C2E205-F46C-432c-BC68-288BE0489648}.exe

Filesize
60KB

MD5
cc865c9b10ca7a703de2373f623e1e3a

SHA1
2de123850b12c055e0e94ccf1878f82f640d27b1

SHA256
aff655b6fe5c9ec95d8bb87d66ac678bda2f76e411a49423d2d3b11aa57a0cc9

SHA512
05a6aff9e0b64f9a2ffd5c4b2b5cbda1ec12b2100d08739ce05e384fc71d5cde5477c1ba62c928628d5dcbced0d7f70f2cb3857cac58e721be9bc223e81fab84

Download Submit
C:\Windows\{75EF19F6-2EC5-427c-AE1A-5D6AD6DDBFF4}.exe

Filesize
60KB

MD5
af6c704c150ba5effeb6b6d519b36c73

SHA1
a525ba8dcfdad454a231d82c26c4652ad8d95dde

SHA256
07bd82f2ca88127f18b30e5ea3c021e79e7a78b3c2b43dde93984f552e2af81e

SHA512
a8ba9310731ac7b377d6be37818d7f7c3b84c929a27b427e2ecaa2d900893c6fa58d1f4d4e2ce32ce3a86ef42f2b480a957297cee363be2a9c85f072a8623fee

Download Submit
C:\Windows\{90F04B9F-9A69-4926-9BB2-5C84F3946869}.exe

Filesize
60KB

MD5
f23de301f95d38283259cd73ec38731d

SHA1
58aec3828e37d86764007b3a382e45bfa6550c5f

SHA256
ef5a5120411508b70350c8aff5f9e9cf8eeb0c0b778bd3d12727fbe0cb02926a

SHA512
ccb57a8b6c56fb14b04d5788762e29b96487dc22a28e75394556de6a5fa3f688ea2e067de39efe88ddb662e7ed368a64d4ec5bd10218e91be9549e68db2f491f

Download Submit
C:\Windows\{98690AF2-31B7-46b3-A24C-9567989739F5}.exe

Filesize
60KB

MD5
81df6672314c54d8f9dea07312cdfe81

SHA1
3b01fc3ae0744a048a1aed306d32f062da3ddc98

SHA256
e85c377c2763e8be48f815de6eb445ed5a535dd64751f2a089f15b7f64f453df

SHA512
4a1eaba55b0b90a22c913bb7cd89f6be3c2170a0cecedec764961f07a9777ab6d7de6672e12e5ad241c850c954945c237cbf19f131a7eedc68ad233a10336caa

Download Submit
C:\Windows\{9E5B2B9B-90D5-400c-B476-43A57A1AD839}.exe

Filesize
60KB

MD5
50b7da613760ab2653947d109b771126

SHA1
11c71b80c97ee9312385fa9b9c71b1185dbba6be

SHA256
13d5a9e719215df32cfce1d8be8c42c0d16416f3389a152e83e085e7e6dc85e5

SHA512
bdcdd9ea7ea3c1ff2dbd177cb77a42956f662f95da4dcfadeb9b2b2f09f215cec5f89b115023706396f044bddd1cf0fe7c12b2fefb2ec65e84c946077f6280c5

Download Submit
C:\Windows\{B7A8AE24-555B-4559-A8BE-32473640F8CD}.exe

Filesize
60KB

MD5
e04c21df26c227d8cdf2db4c968016a9

SHA1
dcae60ec23e2211c30e38b5e0c41835337c907e7

SHA256
be0da98fe4fc3de3a66199f7fb23183a8be913ca97fe84c5118d5022d2c4663e

SHA512
54d0de4027a4b14572234151c8369045bc2f83534f5fa3a4d2d83840a00c14c39594cf6f32862eb79d3963c7ffb33dab56ee4d6b6a6273bfe3c3c56d1fbe54cd

Download Submit
C:\Windows\{C5BEB7BC-E6A1-4904-A26D-ADE90EA76F31}.exe

Filesize
60KB

MD5
dec6308c3c4289da5b64d4e5679cdcb6

SHA1
40918436df859caede5910f8d79ea4d2d329a2e8

SHA256
ce50ff2551a80a3287d3ca22481614084b371c0cfe5e0ce1f25a200f2e217787

SHA512
64c371846888afe5ddc4a588cb87997c7be89013f0aaa0f0e970242bdf8d720f0133cf50b124c825b5c557dc62588f5e10347cea8f19d7fc6e298cf79ab7efba

Download Submit
C:\Windows\{D64D3FA1-CD45-4f5b-A1CD-CA659EB90575}.exe

Filesize
60KB

MD5
e1c384a9247aa26bbebefbb779fa7ace

SHA1
3c753d8b78d163de487272731369f634c86df3ff

SHA256
9d998e3b01f4903a98477c99e4597ccd0d818ba90df488faf86b04c26207227f

SHA512
e96f7091007d8b4c4a53a8439798708250f865b19c3e58f1ddc564b8f0b8c91b606da42c9898802bfc9524c2383e2bd4b01116d08171ce617a8e64c59204cad3

Download Submit
C:\Windows\{DBD9C6E5-BD27-4f7f-BBD6-8A9985D6D197}.exe

Filesize
60KB

MD5
c39a1acdfcfb2b241002a6b0ea7a23fc

SHA1
fc67d6e552dda8ed1ebb81d9b225b2e86f5b5f0d

SHA256
ea4f9e0c1c73e09279b9aaf5f56f53f1aab5ede322451dfd3789ac9a95f9711e

SHA512
626820fae9eb0bbdf7e46a3697c9ffbe8898ce82f98e96aafe64b38ebe7e62cc4b07a6fe693eeeb6730166e509c7100bb83c27369bcf69376aa8482220793301

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads