048a61ba5919eedd1130020a55a20edeba21a77a65f069964e553433cbdc99e4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 20:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04e74db233c7ccf95ef8e31eaead10d0_NeikiAnalytics.exe
Size

91KB
MD5

04e74db233c7ccf95ef8e31eaead10d0
SHA1

aa4dd2142b6b8233b90bfdc5209eacad4921f2dc
SHA256

048a61ba5919eedd1130020a55a20edeba21a77a65f069964e553433cbdc99e4
SHA512

41f544d7b45ca5bf5af3e94a3259e0ad7a8bf99fe982104b3df700ee847537de223d22e6ef745ee71959d5552cfcc05849bed48a169cf9d4e959e9138d1e5dcb
SSDEEP

768:5vw9816uhKiro14/wQNNrfrunMxVFA3b7t:lEGkmo1lCunMxVS3Ht

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1693AA29-1392-4e2d-AB95-7B45CF6985C0}\stubpath = "C:\\Windows\\{1693AA29-1392-4e2d-AB95-7B45CF6985C0}.exe"	{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C748EE6F-CB4C-4584-B04D-CB1468957FAF}	{2FD76F54-E002-4d5b-8040-3A386462F086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3501314F-0BEB-4f5c-A97F-264E738E7975}	{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3501314F-0BEB-4f5c-A97F-264E738E7975}\stubpath = "C:\\Windows\\{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe"	{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECCD6794-FDAA-476d-8F79-3EAE163371A1}	{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C7A03A6-774E-454d-BB31-BC478A37B23E}\stubpath = "C:\\Windows\\{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe"	{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F695119B-8529-464d-8DC3-C76A010A1540}	{1693AA29-1392-4e2d-AB95-7B45CF6985C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F695119B-8529-464d-8DC3-C76A010A1540}\stubpath = "C:\\Windows\\{F695119B-8529-464d-8DC3-C76A010A1540}.exe"	{1693AA29-1392-4e2d-AB95-7B45CF6985C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}	04e74db233c7ccf95ef8e31eaead10d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}\stubpath = "C:\\Windows\\{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe"	04e74db233c7ccf95ef8e31eaead10d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65299D78-B593-4455-83AF-15E39033E75E}\stubpath = "C:\\Windows\\{65299D78-B593-4455-83AF-15E39033E75E}.exe"	{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{088E026D-B04A-4c37-B31D-89B38873BBAC}	{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{088E026D-B04A-4c37-B31D-89B38873BBAC}\stubpath = "C:\\Windows\\{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe"	{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1693AA29-1392-4e2d-AB95-7B45CF6985C0}	{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FD76F54-E002-4d5b-8040-3A386462F086}\stubpath = "C:\\Windows\\{2FD76F54-E002-4d5b-8040-3A386462F086}.exe"	{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C748EE6F-CB4C-4584-B04D-CB1468957FAF}\stubpath = "C:\\Windows\\{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe"	{2FD76F54-E002-4d5b-8040-3A386462F086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC54318-2D81-4b39-A7AB-F21538AD140F}	{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC54318-2D81-4b39-A7AB-F21538AD140F}\stubpath = "C:\\Windows\\{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe"	{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C7A03A6-774E-454d-BB31-BC478A37B23E}	{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FD76F54-E002-4d5b-8040-3A386462F086}	{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65299D78-B593-4455-83AF-15E39033E75E}	{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}	{65299D78-B593-4455-83AF-15E39033E75E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}\stubpath = "C:\\Windows\\{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe"	{65299D78-B593-4455-83AF-15E39033E75E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECCD6794-FDAA-476d-8F79-3EAE163371A1}\stubpath = "C:\\Windows\\{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe"	{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe

Executes dropped EXE 12 IoCs

pid	Process
1152	{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe
4560	{2FD76F54-E002-4d5b-8040-3A386462F086}.exe
5116	{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe
4712	{65299D78-B593-4455-83AF-15E39033E75E}.exe
4380	{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe
440	{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe
388	{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe
2260	{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe
3236	{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe
2764	{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe
3884	{1693AA29-1392-4e2d-AB95-7B45CF6985C0}.exe
4460	{F695119B-8529-464d-8DC3-C76A010A1540}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe	{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe
File created	C:\Windows\{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe	{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe
File created	C:\Windows\{1693AA29-1392-4e2d-AB95-7B45CF6985C0}.exe	{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe
File created	C:\Windows\{65299D78-B593-4455-83AF-15E39033E75E}.exe	{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe
File created	C:\Windows\{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe	{65299D78-B593-4455-83AF-15E39033E75E}.exe
File created	C:\Windows\{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe	{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe
File created	C:\Windows\{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe	{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe
File created	C:\Windows\{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe	{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe
File created	C:\Windows\{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe	04e74db233c7ccf95ef8e31eaead10d0_NeikiAnalytics.exe
File created	C:\Windows\{2FD76F54-E002-4d5b-8040-3A386462F086}.exe	{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe
File created	C:\Windows\{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe	{2FD76F54-E002-4d5b-8040-3A386462F086}.exe
File created	C:\Windows\{F695119B-8529-464d-8DC3-C76A010A1540}.exe	{1693AA29-1392-4e2d-AB95-7B45CF6985C0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1920	04e74db233c7ccf95ef8e31eaead10d0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1152	{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe
Token: SeIncBasePriorityPrivilege	4560	{2FD76F54-E002-4d5b-8040-3A386462F086}.exe
Token: SeIncBasePriorityPrivilege	5116	{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe
Token: SeIncBasePriorityPrivilege	4712	{65299D78-B593-4455-83AF-15E39033E75E}.exe
Token: SeIncBasePriorityPrivilege	4380	{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe
Token: SeIncBasePriorityPrivilege	440	{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe
Token: SeIncBasePriorityPrivilege	388	{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe
Token: SeIncBasePriorityPrivilege	2260	{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe
Token: SeIncBasePriorityPrivilege	3236	{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe
Token: SeIncBasePriorityPrivilege	2764	{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe
Token: SeIncBasePriorityPrivilege	3884	{1693AA29-1392-4e2d-AB95-7B45CF6985C0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1152	1920	04e74db233c7ccf95ef8e31eaead10d0_NeikiAnalytics.exe	90
PID 1920 wrote to memory of 1152	1920	04e74db233c7ccf95ef8e31eaead10d0_NeikiAnalytics.exe	90
PID 1920 wrote to memory of 1152	1920	04e74db233c7ccf95ef8e31eaead10d0_NeikiAnalytics.exe	90
PID 1920 wrote to memory of 736	1920	04e74db233c7ccf95ef8e31eaead10d0_NeikiAnalytics.exe	91
PID 1920 wrote to memory of 736	1920	04e74db233c7ccf95ef8e31eaead10d0_NeikiAnalytics.exe	91
PID 1920 wrote to memory of 736	1920	04e74db233c7ccf95ef8e31eaead10d0_NeikiAnalytics.exe	91
PID 1152 wrote to memory of 4560	1152	{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe	94
PID 1152 wrote to memory of 4560	1152	{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe	94
PID 1152 wrote to memory of 4560	1152	{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe	94
PID 1152 wrote to memory of 2044	1152	{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe	95
PID 1152 wrote to memory of 2044	1152	{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe	95
PID 1152 wrote to memory of 2044	1152	{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe	95
PID 4560 wrote to memory of 5116	4560	{2FD76F54-E002-4d5b-8040-3A386462F086}.exe	97
PID 4560 wrote to memory of 5116	4560	{2FD76F54-E002-4d5b-8040-3A386462F086}.exe	97
PID 4560 wrote to memory of 5116	4560	{2FD76F54-E002-4d5b-8040-3A386462F086}.exe	97
PID 4560 wrote to memory of 1812	4560	{2FD76F54-E002-4d5b-8040-3A386462F086}.exe	98
PID 4560 wrote to memory of 1812	4560	{2FD76F54-E002-4d5b-8040-3A386462F086}.exe	98
PID 4560 wrote to memory of 1812	4560	{2FD76F54-E002-4d5b-8040-3A386462F086}.exe	98
PID 5116 wrote to memory of 4712	5116	{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe	99
PID 5116 wrote to memory of 4712	5116	{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe	99
PID 5116 wrote to memory of 4712	5116	{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe	99
PID 5116 wrote to memory of 456	5116	{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe	100
PID 5116 wrote to memory of 456	5116	{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe	100
PID 5116 wrote to memory of 456	5116	{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe	100
PID 4712 wrote to memory of 4380	4712	{65299D78-B593-4455-83AF-15E39033E75E}.exe	101
PID 4712 wrote to memory of 4380	4712	{65299D78-B593-4455-83AF-15E39033E75E}.exe	101
PID 4712 wrote to memory of 4380	4712	{65299D78-B593-4455-83AF-15E39033E75E}.exe	101
PID 4712 wrote to memory of 4584	4712	{65299D78-B593-4455-83AF-15E39033E75E}.exe	102
PID 4712 wrote to memory of 4584	4712	{65299D78-B593-4455-83AF-15E39033E75E}.exe	102
PID 4712 wrote to memory of 4584	4712	{65299D78-B593-4455-83AF-15E39033E75E}.exe	102
PID 4380 wrote to memory of 440	4380	{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe	103
PID 4380 wrote to memory of 440	4380	{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe	103
PID 4380 wrote to memory of 440	4380	{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe	103
PID 4380 wrote to memory of 1952	4380	{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe	104
PID 4380 wrote to memory of 1952	4380	{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe	104
PID 4380 wrote to memory of 1952	4380	{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe	104
PID 440 wrote to memory of 388	440	{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe	105
PID 440 wrote to memory of 388	440	{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe	105
PID 440 wrote to memory of 388	440	{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe	105
PID 440 wrote to memory of 3228	440	{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe	106
PID 440 wrote to memory of 3228	440	{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe	106
PID 440 wrote to memory of 3228	440	{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe	106
PID 388 wrote to memory of 2260	388	{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe	107
PID 388 wrote to memory of 2260	388	{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe	107
PID 388 wrote to memory of 2260	388	{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe	107
PID 388 wrote to memory of 320	388	{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe	108
PID 388 wrote to memory of 320	388	{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe	108
PID 388 wrote to memory of 320	388	{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe	108
PID 2260 wrote to memory of 3236	2260	{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe	109
PID 2260 wrote to memory of 3236	2260	{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe	109
PID 2260 wrote to memory of 3236	2260	{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe	109
PID 2260 wrote to memory of 2460	2260	{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe	110
PID 2260 wrote to memory of 2460	2260	{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe	110
PID 2260 wrote to memory of 2460	2260	{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe	110
PID 3236 wrote to memory of 2764	3236	{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe	111
PID 3236 wrote to memory of 2764	3236	{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe	111
PID 3236 wrote to memory of 2764	3236	{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe	111
PID 3236 wrote to memory of 4048	3236	{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe	112
PID 3236 wrote to memory of 4048	3236	{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe	112
PID 3236 wrote to memory of 4048	3236	{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe	112
PID 2764 wrote to memory of 3884	2764	{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe	113
PID 2764 wrote to memory of 3884	2764	{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe	113
PID 2764 wrote to memory of 3884	2764	{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe	113
PID 2764 wrote to memory of 2408	2764	{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe	114

C:\Users\Admin\AppData\Local\Temp\04e74db233c7ccf95ef8e31eaead10d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\04e74db233c7ccf95ef8e31eaead10d0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe
  C:\Windows\{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\{2FD76F54-E002-4d5b-8040-3A386462F086}.exe
    C:\Windows\{2FD76F54-E002-4d5b-8040-3A386462F086}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe
      C:\Windows\{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Windows\{65299D78-B593-4455-83AF-15E39033E75E}.exe
        
        C:\Windows\{65299D78-B593-4455-83AF-15E39033E75E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe
        
        C:\Windows\{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe
        
        C:\Windows\{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe
        
        C:\Windows\{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe
        
        C:\Windows\{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe
        
        C:\Windows\{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe
        
        C:\Windows\{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{1693AA29-1392-4e2d-AB95-7B45CF6985C0}.exe
        
        C:\Windows\{1693AA29-1392-4e2d-AB95-7B45CF6985C0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
        
        C:\Windows\{F695119B-8529-464d-8DC3-C76A010A1540}.exe
        
        C:\Windows\{F695119B-8529-464d-8DC3-C76A010A1540}.exe
        13⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1693A~1.EXE > nul
        13⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C7A0~1.EXE > nul
        12⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC54~1.EXE > nul
        11⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECCD6~1.EXE > nul
        10⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{088E0~1.EXE > nul
        9⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35013~1.EXE > nul
        8⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE026~1.EXE > nul
        7⤵
        
        PID:1952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65299~1.EXE > nul
        6⤵
        
        PID:4584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C748E~1.EXE > nul
        5⤵
        
        PID:456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2FD76~1.EXE > nul
      4⤵
      PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CB6C3~1.EXE > nul
    3⤵
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\04E74D~1.EXE > nul
  2⤵
  PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{088E026D-B04A-4c37-B31D-89B38873BBAC}.exe

Filesize
91KB

MD5
bd3dcc31d52b5ace77b39edfae0c90e5

SHA1
e9c3981beedf7afaaebd9cea867c8eb17c8df8f3

SHA256
455b9a75de329d63695d17e4a27875b5b9ff45e24fd62e1fefcf1b18dab86ad4

SHA512
e399f6d87b74384cc7701fd0d643b4ea8767386daaaf95d21bd4d80e15819511dafc98ac058ad2fa70c82738c480ef907033eb2042e07a66d086c03cb693c71c

Download Submit
C:\Windows\{1693AA29-1392-4e2d-AB95-7B45CF6985C0}.exe

Filesize
91KB

MD5
df9c954ccf16bca1a69636918fa72fb6

SHA1
34727484bb3855daeea81b97433999bec5af89b2

SHA256
6050e35b17a17acbd195b765ca4735c61148b50b267e754271a747c526417ce0

SHA512
7bfe03d78788148c47634100e03f8826e830497997a67f5dfa62348cc0594bab21ee4869b9c05cf7c5c4dbd0f189a934c7b50b6f9a913c3d8a0deca9a210ab5a

Download Submit
C:\Windows\{2FD76F54-E002-4d5b-8040-3A386462F086}.exe

Filesize
91KB

MD5
680789472e2173847524e68e2f99c5d5

SHA1
305d3196d43ef9f71bfa146fd495f39d169745b4

SHA256
070a076152bc5f070ad8d43c47826b64331d170b9fd6961e6d82b0bd59521bd6

SHA512
b366938e242eab61445ecd59f3e89c9451be20f8f03afd5b7f487ee7b2f0c3da872eb847144ad996d5f726ac650bd0ee62c2118192af092b4c13fb92b94c1a3c

Download Submit
C:\Windows\{3501314F-0BEB-4f5c-A97F-264E738E7975}.exe

Filesize
91KB

MD5
df58fdcf45a4dce37eaf6e96940f95ec

SHA1
98c331bc5c15f60a641e39e94dc3cfa5bb88844d

SHA256
61023af85aa4949b7a926d4a46de5ec7ac7f74d2d981fb2446f2667a518b8a71

SHA512
37977099c09668ad0728078b7b7fa00b805a04406790383a0e5189ee1cae3e80637a532c1ff239eb4a9e33aaf75c7cdd0a63c3fd8a573da6425bba7245e278fa

Download Submit
C:\Windows\{65299D78-B593-4455-83AF-15E39033E75E}.exe

Filesize
91KB

MD5
5f02da511506e4ef387ffb0b88c3d75d

SHA1
f90ff9145ed6997989615c130e3d580775234e53

SHA256
ff02436915990ce5ab6bc7135e18298eea881d94f3ef8a67ca3b86062308e3b0

SHA512
bdd517fa4b2116961b47220f5742603dc2be58c8e43a6ab676a1215e0a6d83c5c9936273e85ea5ee4542b9ee97c7e8fceeeb1ced4683f8100151451bffc5d4b2

Download Submit
C:\Windows\{9C7A03A6-774E-454d-BB31-BC478A37B23E}.exe

Filesize
91KB

MD5
64920dddbe7670cc29ba6f2b62b26a85

SHA1
34c05fff317621f64a3083038fb5e15d04a3a1a4

SHA256
632bab9c92ce26a72ff01f4ebe9cb2facf19d6672121621e11b2bd0fda299882

SHA512
5484793203c7d2083f89d828dfd2e815820a548cb14541d782f25a12a4f641ca84f9ce3c3466088d37d97aaa693c489397b19b9a168509370f1e63642ae1ac43

Download Submit
C:\Windows\{BCC54318-2D81-4b39-A7AB-F21538AD140F}.exe

Filesize
91KB

MD5
431d63400b5db79dfbbdc497b12c4caf

SHA1
17c0afbf5c15da5064e975483e1081d92ad5638d

SHA256
252cfbe05a151b1744cc014fdcdbe57a56f7997f0237d59d706052a9ed0c162d

SHA512
12b106d025a5747227c36987ff807e44957f7e342d3a2a67f11fec69ad20f6594d43413469c6626cdb524110d2be680e42b9598abdab81c34e7f8c44e4954be9

Download Submit
C:\Windows\{C748EE6F-CB4C-4584-B04D-CB1468957FAF}.exe

Filesize
91KB

MD5
64786f1e1c6abf8e2dcf0838778f2aab

SHA1
c7196019c8bf7e6ae9b64ec4ed85526fe96dacfb

SHA256
188317418facb8600ca89ea26dd9219dd16cdefd9cc28a0f9cae5a3bf3668537

SHA512
808c46035309c3aa49095a6b5ab8ec5c4c4b25bd40b155a0e6fde3a5cf4053881f5d14724533b6e2e57400704435dec8367dae57f14b1005b1fa88cecdba400c

Download Submit
C:\Windows\{CB6C36ED-81FA-4c62-9D3A-A1909A5EC0FF}.exe

Filesize
91KB

MD5
a1b0aebe457075437bc554015ed6e38e

SHA1
39f029fe839e33dd682ed21f2066e8d5ae9e5139

SHA256
1ab349161b56d54a97094f1aa5fd6911b58210a3cdb8181851e012a3d5f8a1a0

SHA512
0a5324799aad6b0bc14e2a23dd275bc1a7a576962616086653389aee479c38883275612e623e35973ac2a4f56fb06fa4e7fe7f7fb915dbd98c801a03cf8f4a03

Download Submit
C:\Windows\{ECCD6794-FDAA-476d-8F79-3EAE163371A1}.exe

Filesize
91KB

MD5
fe29f6f5bf3cd17ce261355ed4d6540a

SHA1
b5f0080cbe7323586ed9adf070c60e5fb6edffea

SHA256
a3539d9617fd48c1b21d0eb9527d400b0d4d629cacddc285d135e7a2a4a93a7a

SHA512
ca249cb73a57220c18c9bc45b812ff9207ef54602772b79718e5f2136f0d5117cd72461d12e3cbc247fd3bb1f33a84c70210bbf6ea4f31e613ff7205d1f69ccf

Download Submit
C:\Windows\{EE026B08-7D2C-4b8e-9DDC-FC39DA01870E}.exe

Filesize
91KB

MD5
92fc908b319c6565341075426f42ab83

SHA1
e19872f24020414debe377f7e8f34f354b7d7c7b

SHA256
0a560d866b75d4cbc930c7df521a7dc7979209c36fe6b4963ad4a517880fbfa9

SHA512
43530df50f0330744f1f6cc864ae64c1a96279a23a362acb48df9814fccdbff367a04a234130f81026ad811309a45eef9725dfb7523c7bb7695950f0abe4bccd

Download Submit
C:\Windows\{F695119B-8529-464d-8DC3-C76A010A1540}.exe

Filesize
91KB

MD5
91dc3ee39d5b2b04e6fc721ae011711b

SHA1
7497fa33faaabc1ba1a24f3d466f421dcc8f5f76

SHA256
8c12a1db8812858b65990811822dc1620a2376c058f0da250f6af21500dd33f4

SHA512
4779ed29abc2d3ddd511a8d7e122bef080fe77b1ba689a745c950c1ede8225cfd260be960e6a86b7edbbfaf0d58ae350e0a5c809d1ab96024eb7f7905026da89

Download Submit
memory/388-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/388-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/440-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/440-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1152-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1152-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1920-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1920-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2260-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2260-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2764-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2764-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3236-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3884-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3884-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4380-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4380-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4460-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4560-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4560-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4712-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4712-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5116-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5116-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads