596d389882bdd8f3ef274864e8f71c7d0b3ad4e5811123b5142ee3e061d91700

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe
Size

88KB
MD5

6a3ad0414c30b9badbd1ec2871aa8e40
SHA1

9426b2b1ba8420d99f0bf2c5f33b2dcc7e9d804a
SHA256

596d389882bdd8f3ef274864e8f71c7d0b3ad4e5811123b5142ee3e061d91700
SHA512

8425571086f8cae8fccefb802df4e6f652e99903ba09ffc3ac75626a91a7e7525c7e0182c061f09963dea63bce28b5d0407a6ecd011b6a6e5b2c7eee0f24837f
SSDEEP

768:uvw981E9hKQLrojL4/wQDNrfrunMxVFA3r:aEGJ0ojLlYunMxVS3r

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2639CCDD-7290-460a-A4EA-F908E0D73107}	{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F50DC24B-6060-4087-B251-6CB80D806768}	{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18F60162-CC65-4c25-A942-5E28FDEFE324}\stubpath = "C:\\Windows\\{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe"	{F50DC24B-6060-4087-B251-6CB80D806768}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2762CFA3-5E10-4fbc-94D5-ACA9BF80069D}	{61A4B02F-FC54-4589-8581-2CAA5ABE1AA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D916E66-FCFC-4717-9110-C5CF29EDCE1B}\stubpath = "C:\\Windows\\{2D916E66-FCFC-4717-9110-C5CF29EDCE1B}.exe"	{094ED5DD-E3CB-4c28-B74C-684898E653BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71065153-A503-4404-9E69-492270C6FF7A}\stubpath = "C:\\Windows\\{71065153-A503-4404-9E69-492270C6FF7A}.exe"	6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23473F2F-9455-4cc6-A4CA-AFE887126C3A}\stubpath = "C:\\Windows\\{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe"	{71065153-A503-4404-9E69-492270C6FF7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2762CFA3-5E10-4fbc-94D5-ACA9BF80069D}\stubpath = "C:\\Windows\\{2762CFA3-5E10-4fbc-94D5-ACA9BF80069D}.exe"	{61A4B02F-FC54-4589-8581-2CAA5ABE1AA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61A4B02F-FC54-4589-8581-2CAA5ABE1AA1}	{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{094ED5DD-E3CB-4c28-B74C-684898E653BD}	{2762CFA3-5E10-4fbc-94D5-ACA9BF80069D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{094ED5DD-E3CB-4c28-B74C-684898E653BD}\stubpath = "C:\\Windows\\{094ED5DD-E3CB-4c28-B74C-684898E653BD}.exe"	{2762CFA3-5E10-4fbc-94D5-ACA9BF80069D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D916E66-FCFC-4717-9110-C5CF29EDCE1B}	{094ED5DD-E3CB-4c28-B74C-684898E653BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2639CCDD-7290-460a-A4EA-F908E0D73107}\stubpath = "C:\\Windows\\{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe"	{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F50DC24B-6060-4087-B251-6CB80D806768}\stubpath = "C:\\Windows\\{F50DC24B-6060-4087-B251-6CB80D806768}.exe"	{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}	{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}\stubpath = "C:\\Windows\\{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe"	{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}	{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}\stubpath = "C:\\Windows\\{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe"	{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18F60162-CC65-4c25-A942-5E28FDEFE324}	{F50DC24B-6060-4087-B251-6CB80D806768}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61A4B02F-FC54-4589-8581-2CAA5ABE1AA1}\stubpath = "C:\\Windows\\{61A4B02F-FC54-4589-8581-2CAA5ABE1AA1}.exe"	{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71065153-A503-4404-9E69-492270C6FF7A}	6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23473F2F-9455-4cc6-A4CA-AFE887126C3A}	{71065153-A503-4404-9E69-492270C6FF7A}.exe

Executes dropped EXE 11 IoCs

pid	Process
2524	{71065153-A503-4404-9E69-492270C6FF7A}.exe
376	{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe
2868	{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe
2472	{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe
1588	{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe
1936	{F50DC24B-6060-4087-B251-6CB80D806768}.exe
2620	{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe
1816	{61A4B02F-FC54-4589-8581-2CAA5ABE1AA1}.exe
1752	{2762CFA3-5E10-4fbc-94D5-ACA9BF80069D}.exe
704	{094ED5DD-E3CB-4c28-B74C-684898E653BD}.exe
832	{2D916E66-FCFC-4717-9110-C5CF29EDCE1B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe	{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe
File created	C:\Windows\{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe	{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe
File created	C:\Windows\{F50DC24B-6060-4087-B251-6CB80D806768}.exe	{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe
File created	C:\Windows\{2762CFA3-5E10-4fbc-94D5-ACA9BF80069D}.exe	{61A4B02F-FC54-4589-8581-2CAA5ABE1AA1}.exe
File created	C:\Windows\{71065153-A503-4404-9E69-492270C6FF7A}.exe	6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe
File created	C:\Windows\{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe	{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe
File created	C:\Windows\{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe	{F50DC24B-6060-4087-B251-6CB80D806768}.exe
File created	C:\Windows\{61A4B02F-FC54-4589-8581-2CAA5ABE1AA1}.exe	{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe
File created	C:\Windows\{094ED5DD-E3CB-4c28-B74C-684898E653BD}.exe	{2762CFA3-5E10-4fbc-94D5-ACA9BF80069D}.exe
File created	C:\Windows\{2D916E66-FCFC-4717-9110-C5CF29EDCE1B}.exe	{094ED5DD-E3CB-4c28-B74C-684898E653BD}.exe
File created	C:\Windows\{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe	{71065153-A503-4404-9E69-492270C6FF7A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2360	6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2524	{71065153-A503-4404-9E69-492270C6FF7A}.exe
Token: SeIncBasePriorityPrivilege	376	{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe
Token: SeIncBasePriorityPrivilege	2868	{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe
Token: SeIncBasePriorityPrivilege	2472	{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe
Token: SeIncBasePriorityPrivilege	1588	{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe
Token: SeIncBasePriorityPrivilege	1936	{F50DC24B-6060-4087-B251-6CB80D806768}.exe
Token: SeIncBasePriorityPrivilege	2620	{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe
Token: SeIncBasePriorityPrivilege	1816	{61A4B02F-FC54-4589-8581-2CAA5ABE1AA1}.exe
Token: SeIncBasePriorityPrivilege	1752	{2762CFA3-5E10-4fbc-94D5-ACA9BF80069D}.exe
Token: SeIncBasePriorityPrivilege	704	{094ED5DD-E3CB-4c28-B74C-684898E653BD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2524	2360	6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe	28
PID 2360 wrote to memory of 2524	2360	6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe	28
PID 2360 wrote to memory of 2524	2360	6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe	28
PID 2360 wrote to memory of 2524	2360	6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe	28
PID 2360 wrote to memory of 2988	2360	6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe	29
PID 2360 wrote to memory of 2988	2360	6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe	29
PID 2360 wrote to memory of 2988	2360	6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe	29
PID 2360 wrote to memory of 2988	2360	6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe	29
PID 2524 wrote to memory of 376	2524	{71065153-A503-4404-9E69-492270C6FF7A}.exe	30
PID 2524 wrote to memory of 376	2524	{71065153-A503-4404-9E69-492270C6FF7A}.exe	30
PID 2524 wrote to memory of 376	2524	{71065153-A503-4404-9E69-492270C6FF7A}.exe	30
PID 2524 wrote to memory of 376	2524	{71065153-A503-4404-9E69-492270C6FF7A}.exe	30
PID 2524 wrote to memory of 2580	2524	{71065153-A503-4404-9E69-492270C6FF7A}.exe	31
PID 2524 wrote to memory of 2580	2524	{71065153-A503-4404-9E69-492270C6FF7A}.exe	31
PID 2524 wrote to memory of 2580	2524	{71065153-A503-4404-9E69-492270C6FF7A}.exe	31
PID 2524 wrote to memory of 2580	2524	{71065153-A503-4404-9E69-492270C6FF7A}.exe	31
PID 376 wrote to memory of 2868	376	{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe	32
PID 376 wrote to memory of 2868	376	{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe	32
PID 376 wrote to memory of 2868	376	{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe	32
PID 376 wrote to memory of 2868	376	{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe	32
PID 376 wrote to memory of 2740	376	{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe	33
PID 376 wrote to memory of 2740	376	{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe	33
PID 376 wrote to memory of 2740	376	{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe	33
PID 376 wrote to memory of 2740	376	{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe	33
PID 2868 wrote to memory of 2472	2868	{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe	36
PID 2868 wrote to memory of 2472	2868	{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe	36
PID 2868 wrote to memory of 2472	2868	{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe	36
PID 2868 wrote to memory of 2472	2868	{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe	36
PID 2868 wrote to memory of 2560	2868	{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe	37
PID 2868 wrote to memory of 2560	2868	{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe	37
PID 2868 wrote to memory of 2560	2868	{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe	37
PID 2868 wrote to memory of 2560	2868	{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe	37
PID 2472 wrote to memory of 1588	2472	{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe	38
PID 2472 wrote to memory of 1588	2472	{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe	38
PID 2472 wrote to memory of 1588	2472	{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe	38
PID 2472 wrote to memory of 1588	2472	{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe	38
PID 2472 wrote to memory of 2688	2472	{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe	39
PID 2472 wrote to memory of 2688	2472	{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe	39
PID 2472 wrote to memory of 2688	2472	{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe	39
PID 2472 wrote to memory of 2688	2472	{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe	39
PID 1588 wrote to memory of 1936	1588	{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe	40
PID 1588 wrote to memory of 1936	1588	{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe	40
PID 1588 wrote to memory of 1936	1588	{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe	40
PID 1588 wrote to memory of 1936	1588	{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe	40
PID 1588 wrote to memory of 1944	1588	{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe	41
PID 1588 wrote to memory of 1944	1588	{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe	41
PID 1588 wrote to memory of 1944	1588	{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe	41
PID 1588 wrote to memory of 1944	1588	{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe	41
PID 1936 wrote to memory of 2620	1936	{F50DC24B-6060-4087-B251-6CB80D806768}.exe	42
PID 1936 wrote to memory of 2620	1936	{F50DC24B-6060-4087-B251-6CB80D806768}.exe	42
PID 1936 wrote to memory of 2620	1936	{F50DC24B-6060-4087-B251-6CB80D806768}.exe	42
PID 1936 wrote to memory of 2620	1936	{F50DC24B-6060-4087-B251-6CB80D806768}.exe	42
PID 1936 wrote to memory of 2684	1936	{F50DC24B-6060-4087-B251-6CB80D806768}.exe	43
PID 1936 wrote to memory of 2684	1936	{F50DC24B-6060-4087-B251-6CB80D806768}.exe	43
PID 1936 wrote to memory of 2684	1936	{F50DC24B-6060-4087-B251-6CB80D806768}.exe	43
PID 1936 wrote to memory of 2684	1936	{F50DC24B-6060-4087-B251-6CB80D806768}.exe	43
PID 2620 wrote to memory of 1816	2620	{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe	44
PID 2620 wrote to memory of 1816	2620	{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe	44
PID 2620 wrote to memory of 1816	2620	{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe	44
PID 2620 wrote to memory of 1816	2620	{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe	44
PID 2620 wrote to memory of 1652	2620	{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe	45
PID 2620 wrote to memory of 1652	2620	{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe	45
PID 2620 wrote to memory of 1652	2620	{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe	45
PID 2620 wrote to memory of 1652	2620	{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe	45

C:\Users\Admin\AppData\Local\Temp\6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6a3ad0414c30b9badbd1ec2871aa8e40_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\{71065153-A503-4404-9E69-492270C6FF7A}.exe
  C:\Windows\{71065153-A503-4404-9E69-492270C6FF7A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe
    C:\Windows\{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe
      C:\Windows\{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe
        
        C:\Windows\{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe
        
        C:\Windows\{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{F50DC24B-6060-4087-B251-6CB80D806768}.exe
        
        C:\Windows\{F50DC24B-6060-4087-B251-6CB80D806768}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe
        
        C:\Windows\{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\{61A4B02F-FC54-4589-8581-2CAA5ABE1AA1}.exe
        
        C:\Windows\{61A4B02F-FC54-4589-8581-2CAA5ABE1AA1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\{2762CFA3-5E10-4fbc-94D5-ACA9BF80069D}.exe
        
        C:\Windows\{2762CFA3-5E10-4fbc-94D5-ACA9BF80069D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\{094ED5DD-E3CB-4c28-B74C-684898E653BD}.exe
        
        C:\Windows\{094ED5DD-E3CB-4c28-B74C-684898E653BD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\{2D916E66-FCFC-4717-9110-C5CF29EDCE1B}.exe
        
        C:\Windows\{2D916E66-FCFC-4717-9110-C5CF29EDCE1B}.exe
        12⤵
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{094ED~1.EXE > nul
        12⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2762C~1.EXE > nul
        11⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61A4B~1.EXE > nul
        10⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18F60~1.EXE > nul
        9⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F50DC~1.EXE > nul
        8⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{778CF~1.EXE > nul
        7⤵
        
        PID:1944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2639C~1.EXE > nul
        6⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A06DB~1.EXE > nul
        5⤵
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{23473~1.EXE > nul
      4⤵
      PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{71065~1.EXE > nul
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6A3AD0~1.EXE > nul
  2⤵
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{094ED5DD-E3CB-4c28-B74C-684898E653BD}.exe

Filesize
88KB

MD5
a4136ccfa2146f9509a5db9cdab24b93

SHA1
d537183f4c86e02075a97541672690f125fcec9a

SHA256
7e4f5b53fed908767e832ce374c9b0914a07fe12da13f13eb3d77f9c2e4120f3

SHA512
9ebee63376804535b5fec70c470f593991f9b22b8db0c073179dbfd7c4b5fd5ba232b819d05052eae686b97ec14d0f5cc1ee0a33e39c5a0b74a0ec679fbd9206

Download Submit
C:\Windows\{18F60162-CC65-4c25-A942-5E28FDEFE324}.exe

Filesize
88KB

MD5
07c16b895c08f494c9ef2153d36d2144

SHA1
f19fd6434a11ab84c24a99ed78a6b5eafa70b5a3

SHA256
7c03b06a6bd4c7959366d1dea1640bdd554bc9dcb2f463f3755c3f9a47e7db27

SHA512
c8948bc1a01c6a5655552a27e104645b7a60411505faf277f8b56882e8640680d6d3631b9b744049f50ee1cbb7f6c7da8a217a975565725e187bd28489d3485e

Download Submit
C:\Windows\{23473F2F-9455-4cc6-A4CA-AFE887126C3A}.exe

Filesize
88KB

MD5
f1d3b6ec023841f2128ec3df7a7786ff

SHA1
98e0c31ed85947734ba25f151e3e756c23d44839

SHA256
4e58c557b20e70a54e381452bd5d66236dc52bd6a0be33e7dde45a949a7d5df8

SHA512
61fa8a0fa6782fc9a97f9fbe944b2ceb8cf1d72feafb8f35958c7d5f1e78910f3308bcb066c2a7e0ab38702f5c9f590efe57550f100aae33bfcba0592c812e1a

Download Submit
C:\Windows\{2639CCDD-7290-460a-A4EA-F908E0D73107}.exe

Filesize
88KB

MD5
36a0afc152fb0684c390fbd8b0957d1d

SHA1
0fb7678fc24654aad0b1dd8e9390491b3a50b8ff

SHA256
e8e9323790b5eae317c79599c5f2f258f4e58cd82531417f3e8038de3f98c225

SHA512
9457786dadc78d13bcf6032978df5b80c82983b7b55a38367f981309699a877bd9d440032a0aaeae917fce070ec48871e63705f05803dd57af08879052970832

Download Submit
C:\Windows\{2762CFA3-5E10-4fbc-94D5-ACA9BF80069D}.exe

Filesize
88KB

MD5
ac1d5755b6dda70bd5a704301e23030f

SHA1
3030076823d6ab5ae5f8c914c05c938d35f0c9e3

SHA256
08f01299bf145de3a03ecd39fc4fea32bfe9c4d0e7cc86dbee87c83d6c321f62

SHA512
efd5c4e17dd4a669dbabb62fd5a010d864947c0e9d5dc1cf9277a6f81c50b63f93b66a7ec7560facb607faae078d00ad14cad7967d71ca0f0554e11c084737c0

Download Submit
C:\Windows\{2D916E66-FCFC-4717-9110-C5CF29EDCE1B}.exe

Filesize
88KB

MD5
5c070c074cabafb3499ebd20796258f4

SHA1
7e45e409d6da99359a44bea5ae899c839bf8060f

SHA256
15b1e11fe577667eca8a913bef952f7d6ff7cdc7ecf803479fd611294e7ff23d

SHA512
82b6450f04d53f66403b1e711a49d7ef991b842fead76bf7e0bc0449518fc2c0c5e62c5131a0ee2acf2a22fb23ed96e52904f9ee5c8db65770b42a189908a304

Download Submit
C:\Windows\{61A4B02F-FC54-4589-8581-2CAA5ABE1AA1}.exe

Filesize
88KB

MD5
260a2be519ebfa2195a28be400343419

SHA1
c86a5fc14a70e0da9cfa6ad82e017db110e2ee3c

SHA256
634005ad2689ffe98848b6925c2300e1862440aba5ce6518d0db777b17013b66

SHA512
14e22a76ef46f19d6d2b2f1456362b25e1b3a7e7db5078706b5d1d7fe49f4db2f6658a82b60097ad4abf4d713106cdf1db0c8b99f8e61243a9827ef367f727b9

Download Submit
C:\Windows\{71065153-A503-4404-9E69-492270C6FF7A}.exe

Filesize
88KB

MD5
49713d652b590251b0f4facc80ef4504

SHA1
988c37c6ac315b99e77d53979db14392afbbe0cc

SHA256
813aaddead01ee34cdfca74fce7db229a351844e7a994fcdbaa7bc2d5d5c05e0

SHA512
001432e89ba18c3209cb1281230ba300184c87b65b464a7d61f98b70879ca110e88cfd3bc37a087d48cb5164b725bc61f54b065b4040d66795b2b2a9704ffb96

Download Submit
C:\Windows\{778CF15C-14E2-4e7c-B1FE-2B63C8BCD316}.exe

Filesize
88KB

MD5
db6ad833ca2dcebc73c9a2f247991f07

SHA1
23ab34a746caf0e62744555f5869cc7d7ce5a90d

SHA256
c5590956c80b8ae68a0d53d3f1dbfd2dd9189f6f71653c1a3614aedb911c0494

SHA512
3bbedc254e5e8cf8f1f84f6fb928eb0bdb52b1fbdb3fb52bb6b441ab6d1fd2b96cdd2a83dceb9babaf5b50e942e7969a964f0d6fd2ef9d97d92640eb21b55572

Download Submit
C:\Windows\{A06DBD1B-5B5E-43a8-9F7F-BD8B1A3C33D0}.exe

Filesize
88KB

MD5
452bad3f7ccae2e5456c0dbd4924b544

SHA1
02079c5e892561a2192c5acc3fd7bf16c396cd9e

SHA256
dbf178aa7e40500549fe2ae8d230ac087ac30f6a487d8f6ab663391cb67cfbae

SHA512
709587ac15173747fe59f1a6b44060944908083e37ca2454383a8272df1538c514b3fa1ba7a3e94735ddb4d2507deca3c6f552252daa8420aab8e18e2f578ca9

Download Submit
C:\Windows\{F50DC24B-6060-4087-B251-6CB80D806768}.exe

Filesize
88KB

MD5
d75078d5bbd35a986455c0656206b093

SHA1
eaa39f1f5b84a98408d51f33b3e1aaefed6898c0

SHA256
690e59b049a904859feddac0ccff0b2fd8661be2e0a3f0c73c91ac99a0cc69a3

SHA512
02284e44d5fcade1e16eb064e3f5580e9bd96605523bbb4f6e387497fec59d08fbcb0fb8d9f1de83cad9734324eef1b9f0869c3f06a5f70f17d89819ac2ab671

Download Submit
memory/376-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/376-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/704-93-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1588-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1588-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1752-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1816-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1816-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1936-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2360-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2360-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2360-7-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2472-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2472-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2524-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2620-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2620-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2868-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2868-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads