ff66ea209a92bc02fff6e62ce0515a0dbaecd103983d6decddb377b4a5feeaaa

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe
Size

60KB
MD5

fdb89067b1ffa6ece1b8e9bcae4d1140
SHA1

668bb27b71d1ddfd36a6951634ff3867d7e10f82
SHA256

ff66ea209a92bc02fff6e62ce0515a0dbaecd103983d6decddb377b4a5feeaaa
SHA512

914b327f59ed7c61b1e3ea935af9f7170353d5b0e57e862fac743764527d6017fc04ede022838946cbbfda55fddf01892a5a931aa46506c0cf86fdef50ed41d3
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwnh4/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroh4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7979C9D-0937-4232-A3F2-5687DA0103FE}	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7979C9D-0937-4232-A3F2-5687DA0103FE}\stubpath = "C:\\Windows\\{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe"	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6310B58F-BA1A-402c-90F0-90E1B6E4E377}\stubpath = "C:\\Windows\\{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe"	{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}	{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE2502F6-1C49-4d94-ABD1-11C5388C5382}\stubpath = "C:\\Windows\\{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe"	{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}	{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31A06BF4-3846-4983-8E89-821B42EC2F97}\stubpath = "C:\\Windows\\{31A06BF4-3846-4983-8E89-821B42EC2F97}.exe"	{959FB7C1-9A96-4f37-8485-6203CE6AEC7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78CB4955-EBF2-4101-BABC-06CBA0B7212E}\stubpath = "C:\\Windows\\{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe"	{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}\stubpath = "C:\\Windows\\{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe"	{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AEA0019-6054-4a0b-8DD4-070D45751B96}	{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AEA0019-6054-4a0b-8DD4-070D45751B96}\stubpath = "C:\\Windows\\{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe"	{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}	{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE2502F6-1C49-4d94-ABD1-11C5388C5382}	{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}	{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6310B58F-BA1A-402c-90F0-90E1B6E4E377}	{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}\stubpath = "C:\\Windows\\{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe"	{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99783250-70D6-4009-8FB9-2B7A6828CC23}	{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99783250-70D6-4009-8FB9-2B7A6828CC23}\stubpath = "C:\\Windows\\{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe"	{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}\stubpath = "C:\\Windows\\{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe"	{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{959FB7C1-9A96-4f37-8485-6203CE6AEC7F}\stubpath = "C:\\Windows\\{959FB7C1-9A96-4f37-8485-6203CE6AEC7F}.exe"	{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78CB4955-EBF2-4101-BABC-06CBA0B7212E}	{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}\stubpath = "C:\\Windows\\{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe"	{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{959FB7C1-9A96-4f37-8485-6203CE6AEC7F}	{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31A06BF4-3846-4983-8E89-821B42EC2F97}	{959FB7C1-9A96-4f37-8485-6203CE6AEC7F}.exe

Executes dropped EXE 12 IoCs

pid	Process
4476	{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe
464	{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe
3692	{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe
2980	{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe
3052	{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe
1116	{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe
1988	{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe
1480	{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe
3516	{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe
3372	{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe
4392	{959FB7C1-9A96-4f37-8485-6203CE6AEC7F}.exe
4424	{31A06BF4-3846-4983-8E89-821B42EC2F97}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe
File created	C:\Windows\{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe	{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe
File created	C:\Windows\{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe	{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe
File created	C:\Windows\{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe	{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe
File created	C:\Windows\{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe	{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe
File created	C:\Windows\{959FB7C1-9A96-4f37-8485-6203CE6AEC7F}.exe	{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe
File created	C:\Windows\{31A06BF4-3846-4983-8E89-821B42EC2F97}.exe	{959FB7C1-9A96-4f37-8485-6203CE6AEC7F}.exe
File created	C:\Windows\{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe	{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe
File created	C:\Windows\{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe	{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe
File created	C:\Windows\{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe	{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe
File created	C:\Windows\{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe	{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe
File created	C:\Windows\{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe	{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2596	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4476	{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe
Token: SeIncBasePriorityPrivilege	464	{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe
Token: SeIncBasePriorityPrivilege	3692	{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe
Token: SeIncBasePriorityPrivilege	2980	{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe
Token: SeIncBasePriorityPrivilege	3052	{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe
Token: SeIncBasePriorityPrivilege	1116	{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe
Token: SeIncBasePriorityPrivilege	1988	{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe
Token: SeIncBasePriorityPrivilege	1480	{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe
Token: SeIncBasePriorityPrivilege	3516	{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe
Token: SeIncBasePriorityPrivilege	3372	{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe
Token: SeIncBasePriorityPrivilege	4392	{959FB7C1-9A96-4f37-8485-6203CE6AEC7F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 4476	2596	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	89
PID 2596 wrote to memory of 4476	2596	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	89
PID 2596 wrote to memory of 4476	2596	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	89
PID 2596 wrote to memory of 4180	2596	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	90
PID 2596 wrote to memory of 4180	2596	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	90
PID 2596 wrote to memory of 4180	2596	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	90
PID 4476 wrote to memory of 464	4476	{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe	91
PID 4476 wrote to memory of 464	4476	{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe	91
PID 4476 wrote to memory of 464	4476	{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe	91
PID 4476 wrote to memory of 2872	4476	{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe	92
PID 4476 wrote to memory of 2872	4476	{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe	92
PID 4476 wrote to memory of 2872	4476	{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe	92
PID 464 wrote to memory of 3692	464	{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe	94
PID 464 wrote to memory of 3692	464	{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe	94
PID 464 wrote to memory of 3692	464	{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe	94
PID 464 wrote to memory of 3068	464	{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe	95
PID 464 wrote to memory of 3068	464	{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe	95
PID 464 wrote to memory of 3068	464	{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe	95
PID 3692 wrote to memory of 2980	3692	{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe	96
PID 3692 wrote to memory of 2980	3692	{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe	96
PID 3692 wrote to memory of 2980	3692	{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe	96
PID 3692 wrote to memory of 2056	3692	{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe	97
PID 3692 wrote to memory of 2056	3692	{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe	97
PID 3692 wrote to memory of 2056	3692	{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe	97
PID 2980 wrote to memory of 3052	2980	{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe	98
PID 2980 wrote to memory of 3052	2980	{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe	98
PID 2980 wrote to memory of 3052	2980	{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe	98
PID 2980 wrote to memory of 3340	2980	{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe	99
PID 2980 wrote to memory of 3340	2980	{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe	99
PID 2980 wrote to memory of 3340	2980	{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe	99
PID 3052 wrote to memory of 1116	3052	{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe	100
PID 3052 wrote to memory of 1116	3052	{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe	100
PID 3052 wrote to memory of 1116	3052	{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe	100
PID 3052 wrote to memory of 2184	3052	{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe	101
PID 3052 wrote to memory of 2184	3052	{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe	101
PID 3052 wrote to memory of 2184	3052	{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe	101
PID 1116 wrote to memory of 1988	1116	{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe	102
PID 1116 wrote to memory of 1988	1116	{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe	102
PID 1116 wrote to memory of 1988	1116	{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe	102
PID 1116 wrote to memory of 792	1116	{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe	103
PID 1116 wrote to memory of 792	1116	{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe	103
PID 1116 wrote to memory of 792	1116	{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe	103
PID 1988 wrote to memory of 1480	1988	{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe	104
PID 1988 wrote to memory of 1480	1988	{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe	104
PID 1988 wrote to memory of 1480	1988	{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe	104
PID 1988 wrote to memory of 1672	1988	{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe	105
PID 1988 wrote to memory of 1672	1988	{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe	105
PID 1988 wrote to memory of 1672	1988	{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe	105
PID 1480 wrote to memory of 3516	1480	{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe	106
PID 1480 wrote to memory of 3516	1480	{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe	106
PID 1480 wrote to memory of 3516	1480	{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe	106
PID 1480 wrote to memory of 4148	1480	{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe	107
PID 1480 wrote to memory of 4148	1480	{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe	107
PID 1480 wrote to memory of 4148	1480	{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe	107
PID 3516 wrote to memory of 3372	3516	{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe	108
PID 3516 wrote to memory of 3372	3516	{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe	108
PID 3516 wrote to memory of 3372	3516	{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe	108
PID 3516 wrote to memory of 1220	3516	{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe	109
PID 3516 wrote to memory of 1220	3516	{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe	109
PID 3516 wrote to memory of 1220	3516	{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe	109
PID 3372 wrote to memory of 4392	3372	{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe	110
PID 3372 wrote to memory of 4392	3372	{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe	110
PID 3372 wrote to memory of 4392	3372	{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe	110
PID 3372 wrote to memory of 4380	3372	{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe	111

C:\Users\Admin\AppData\Local\Temp\fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe
  C:\Windows\{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe
    C:\Windows\{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Windows\{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe
      C:\Windows\{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe
        
        C:\Windows\{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe
        
        C:\Windows\{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe
        
        C:\Windows\{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe
        
        C:\Windows\{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe
        
        C:\Windows\{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe
        
        C:\Windows\{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe
        
        C:\Windows\{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\{959FB7C1-9A96-4f37-8485-6203CE6AEC7F}.exe
        
        C:\Windows\{959FB7C1-9A96-4f37-8485-6203CE6AEC7F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\{31A06BF4-3846-4983-8E89-821B42EC2F97}.exe
        
        C:\Windows\{31A06BF4-3846-4983-8E89-821B42EC2F97}.exe
        13⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{959FB~1.EXE > nul
        13⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC40E~1.EXE > nul
        12⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C89AD~1.EXE > nul
        11⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99783~1.EXE > nul
        10⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE250~1.EXE > nul
        9⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CCC0~1.EXE > nul
        8⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AEA0~1.EXE > nul
        7⤵
        
        PID:2184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0AA4~1.EXE > nul
        6⤵
        
        PID:3340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6310B~1.EXE > nul
        5⤵
        
        PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{78CB4~1.EXE > nul
      4⤵
      PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F7979~1.EXE > nul
    3⤵
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FDB890~1.EXE > nul
  2⤵
  PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{31A06BF4-3846-4983-8E89-821B42EC2F97}.exe

Filesize
60KB

MD5
5d7207f00ba08836a09b80571e2c47ea

SHA1
8ea8175baa05acfd36ee25e1261b430b21e9f7f6

SHA256
c4bc55ee9ff516c893dbcc8c368fa81bf1f7ceafa84c97030feb3373b8cee90d

SHA512
9be285e087c74b4a5dda210d2f6310aebdd3dec6bce3ceb3dd163079a45bb4de7ca89a1012bbf3f849cac29aef5492c02947f8a1ecb895353dfa9b2222fe9e18

Download Submit
C:\Windows\{4CCC0697-1B7E-4a0e-9E14-E7D2EE1BD482}.exe

Filesize
60KB

MD5
364ecc0d1b3e85d2f4d9e03958808324

SHA1
b582b5e4c2fa7317140425ece7e6c184c3e81b98

SHA256
2b49838df48dea6ba3390a162edddf72c9b5e00a0bc4853c764194f92e6e9d42

SHA512
44bcf462d707c658d213f114c75d24cda519670948a9d1c49355b882e59b2e57b8eb032d77eba3ac45d9ff141e17fdc82970763c03b8cb6546f7bd0c6dc4708b

Download Submit
C:\Windows\{6310B58F-BA1A-402c-90F0-90E1B6E4E377}.exe

Filesize
60KB

MD5
4989ecfa0b476436b215b4b283854b4e

SHA1
879a644b9ec29b2f693a43767cac228755e62dca

SHA256
2eab4b211b169cfbaf320190e3a80950c5d885eb32578f95a47c4227aeb346ef

SHA512
cf3ff0e0442280e18cd16f87d0e922cbd2b032ab0d7f90e92eadc7445d4a884bb3049d796b8dda4077a6ae3913ae1ffa529a3645ba6a2c205e824ec2d0f0ac3f

Download Submit
C:\Windows\{6AEA0019-6054-4a0b-8DD4-070D45751B96}.exe

Filesize
60KB

MD5
fb2288102c3fa635706e988cbe15c342

SHA1
620fcf9b26fa5c14002dda9101f7b12ad282737d

SHA256
6473d4622953cabef69c33fe9be467570c140cd8c826553181cc5aaaf4e23d65

SHA512
08a0182ab1774bb048ce2c25d8fbbdab81aa1e21a4d87acd1589095563939ba882b34cc0ecdac8ea22046ba34055061129a00b78fa874cc0c43d384a8e3f2816

Download Submit
C:\Windows\{78CB4955-EBF2-4101-BABC-06CBA0B7212E}.exe

Filesize
60KB

MD5
62ccbba29c4dcf798b167723c92fab20

SHA1
5f32d8c609d7f5bf76cf22c42bac05e6954a8dca

SHA256
6fb9ab74f3595425eba0f86f983622ea4260af7f9affe5ec5c01dedea0f0c6ca

SHA512
10dc567bc4c4eec49def2a6dd66fa5a8d848776eaaa4437139b121114599cacb3c68d6ea58a9c1a0606ab2af04dd6fece4252992f654bcf29513e70389ad8e27

Download Submit
C:\Windows\{959FB7C1-9A96-4f37-8485-6203CE6AEC7F}.exe

Filesize
60KB

MD5
8eef68db27f7330552b11ca7d4029966

SHA1
618775ebb06d085358862852ac06d5b6be1b60a7

SHA256
edd2558c3d0e467975e226f641b38354721f679fc662311563607cae19e11a39

SHA512
0fe04dde70cef0d452c95ebc6738747dac3e0a79455db642efdd9f903bce2672f96ca6f5343294af098ac2d42612be2413b65a6fc7921d688d82bba64dd9f319

Download Submit
C:\Windows\{99783250-70D6-4009-8FB9-2B7A6828CC23}.exe

Filesize
60KB

MD5
c20af2ee3a3a720ed3310f60a4305bd8

SHA1
ebee3d72e011510477da840792d09283ffd2d27d

SHA256
798c0c27a19ad6f57c4d0e5e0b81a5200e913e2378eab5d09f85312cb26fcb63

SHA512
5d46b1b129dc33e0b8ef9a0a44ae5afed501e488d3987b46ebf39544b02adad5118850a6f39d0b810b254e41dd066538da85203c8024b8cca54d083e0b2a97d3

Download Submit
C:\Windows\{C89ADC7E-79E6-4177-9A1F-3557AEBDD5B9}.exe

Filesize
60KB

MD5
346749aac0fcd801c5210cb2e4cdd27a

SHA1
f73e13e6ee1853832e44f03d1458327a1f13428f

SHA256
da18709e818b434be3032367453ccf6d2485f024c04068afd3dc345baf3a3600

SHA512
fd460fba81b532c535096e6370266237abfbc94d6dbf232ea09a5d4f099da1e7f65d493b657b7eb27fbe33950519d7ebecfb5db0b564df9a3f1deaf73b089011

Download Submit
C:\Windows\{DC40EFEC-C60F-4a95-902A-D06D0035EDC5}.exe

Filesize
60KB

MD5
4515c2b0776fce91af133e4c01388637

SHA1
bed9c1377cd48c642112055d937bfd8c0a964abe

SHA256
5cff337fb92c4742cddf83200212d12882574a53be2fbfb34d5c28b67437ed6c

SHA512
c1ddac20efff81c5835c569a23d5cd0109dcfb108618e8798cb55aa98795422e3455f9fdebb26cec4f4db985cb744645ac4b1abecdd3aae970de591617881356

Download Submit
C:\Windows\{F0AA46C6-2A6C-4bf9-8798-0646C6F6C065}.exe

Filesize
60KB

MD5
aacecb28c76440fd0b2b09cae3f7df48

SHA1
7b345e4dae3efcc19da8597f2c8e2e791e191fa4

SHA256
477cd747e52a2c3e5e03c87531f19c7f05f1a90a2dc39a64e72f5ad012499486

SHA512
36ea04fe49ba8b15d0aae208e8647b052356ad8b16f2345c61f46df099cf8acb63c489d3926bdeef60d8185f3336ba0d3df58f2e9534a0faba5bc108aec0498c

Download Submit
C:\Windows\{F7979C9D-0937-4232-A3F2-5687DA0103FE}.exe

Filesize
60KB

MD5
6338eac10947c0a2248b50decbfdec3e

SHA1
c6779c3a3795d6a9dac3cabde77f7f6a60b783de

SHA256
3dc8d4d0414dd6a6dff81149fc1bf30dae30e59e9cd8990494bcff9422037f0a

SHA512
1a8c8f3d36dc13e5297c6916a29cc8587e6fd3302b3eec1b6f8a971cbcea5487aa7abcf72a0555233390234600de298155f58c069805dea81c62d21bd2da69c1

Download Submit
C:\Windows\{FE2502F6-1C49-4d94-ABD1-11C5388C5382}.exe

Filesize
60KB

MD5
43272b1227cde7131ab7fa07c3bf2ddb

SHA1
f641d293abb4c91e3ed150f6b710aa079258aeeb

SHA256
687c6a9c6d17c4c7356dd7ae30d1808b0d7d998a68a2752f8e5fba3528f37a86

SHA512
8fb2ab2db58bf8d4a0e44c17224b0f398cf3fe8f347431a3ba057aab16040fc87b2132c3be59868bfaf5ac47fe4fc0e55e55b71612f3c1da3e3631afe6588471

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads