07d8e1f10ec94f2e40807b25aa3b81474c0c3baf1a22a6d5a88a857d914c48a6

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe
Size

64KB
MD5

60c1107bb3d6d8f930111de5bf4ca410
SHA1

0d0abb32d66494bc73475eb8fdc699f96e1f3bad
SHA256

07d8e1f10ec94f2e40807b25aa3b81474c0c3baf1a22a6d5a88a857d914c48a6
SHA512

337c49054f6c0d2ade55379ffbd099ef418cfdb7b0436f5cf1262db8f76f162a7ed49dd7577dda0983bba52ed7480e18b22b3ac4be3eb776e59eebe43324e6af
SSDEEP

768:O0w981AvhKQLroCn4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdB:pEG70oCnlwWMZQcpmgDagIyS1loL7WrB

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7316278A-B511-4bae-A521-D00B46EA5178}	{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}\stubpath = "C:\\Windows\\{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe"	{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{086EA3C6-0F97-4319-9AFA-311891C07578}	{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF5B99D6-357A-43f8-A652-08E0B7C7315C}	{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF5B99D6-357A-43f8-A652-08E0B7C7315C}\stubpath = "C:\\Windows\\{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe"	{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{086EA3C6-0F97-4319-9AFA-311891C07578}\stubpath = "C:\\Windows\\{086EA3C6-0F97-4319-9AFA-311891C07578}.exe"	{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}\stubpath = "C:\\Windows\\{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe"	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDAB7678-CD36-4353-A053-3FDB891E0408}	{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}	{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{246A41DB-91E5-49ce-BCE1-0B7174E83EA7}	{F142DF0A-418C-4561-A475-396505E01C62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{246A41DB-91E5-49ce-BCE1-0B7174E83EA7}\stubpath = "C:\\Windows\\{246A41DB-91E5-49ce-BCE1-0B7174E83EA7}.exe"	{F142DF0A-418C-4561-A475-396505E01C62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}	{7316278A-B511-4bae-A521-D00B46EA5178}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4706A9C1-2E41-4871-A79E-ABAF00B247DB}	{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF76DF7F-204C-4a39-BD69-FA58D88B915E}\stubpath = "C:\\Windows\\{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe"	{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69977DC1-5A89-4996-94FE-4DA1F54186A2}	{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69977DC1-5A89-4996-94FE-4DA1F54186A2}\stubpath = "C:\\Windows\\{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe"	{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDAB7678-CD36-4353-A053-3FDB891E0408}\stubpath = "C:\\Windows\\{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe"	{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4706A9C1-2E41-4871-A79E-ABAF00B247DB}\stubpath = "C:\\Windows\\{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe"	{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF76DF7F-204C-4a39-BD69-FA58D88B915E}	{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7316278A-B511-4bae-A521-D00B46EA5178}\stubpath = "C:\\Windows\\{7316278A-B511-4bae-A521-D00B46EA5178}.exe"	{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}\stubpath = "C:\\Windows\\{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe"	{7316278A-B511-4bae-A521-D00B46EA5178}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F142DF0A-418C-4561-A475-396505E01C62}	{086EA3C6-0F97-4319-9AFA-311891C07578}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F142DF0A-418C-4561-A475-396505E01C62}\stubpath = "C:\\Windows\\{F142DF0A-418C-4561-A475-396505E01C62}.exe"	{086EA3C6-0F97-4319-9AFA-311891C07578}.exe

Executes dropped EXE 12 IoCs

pid	Process
2184	{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe
4360	{7316278A-B511-4bae-A521-D00B46EA5178}.exe
4384	{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe
1220	{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe
3436	{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe
2872	{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe
4268	{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe
4344	{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe
4372	{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe
544	{086EA3C6-0F97-4319-9AFA-311891C07578}.exe
2356	{F142DF0A-418C-4561-A475-396505E01C62}.exe
3888	{246A41DB-91E5-49ce-BCE1-0B7174E83EA7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe	{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe
File created	C:\Windows\{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe	{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe
File created	C:\Windows\{086EA3C6-0F97-4319-9AFA-311891C07578}.exe	{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe
File created	C:\Windows\{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe
File created	C:\Windows\{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe	{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe
File created	C:\Windows\{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe	{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe
File created	C:\Windows\{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe	{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe
File created	C:\Windows\{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe	{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe
File created	C:\Windows\{F142DF0A-418C-4561-A475-396505E01C62}.exe	{086EA3C6-0F97-4319-9AFA-311891C07578}.exe
File created	C:\Windows\{246A41DB-91E5-49ce-BCE1-0B7174E83EA7}.exe	{F142DF0A-418C-4561-A475-396505E01C62}.exe
File created	C:\Windows\{7316278A-B511-4bae-A521-D00B46EA5178}.exe	{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe
File created	C:\Windows\{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe	{7316278A-B511-4bae-A521-D00B46EA5178}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	868	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2184	{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe
Token: SeIncBasePriorityPrivilege	4360	{7316278A-B511-4bae-A521-D00B46EA5178}.exe
Token: SeIncBasePriorityPrivilege	4384	{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe
Token: SeIncBasePriorityPrivilege	1220	{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe
Token: SeIncBasePriorityPrivilege	3436	{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe
Token: SeIncBasePriorityPrivilege	2872	{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe
Token: SeIncBasePriorityPrivilege	4268	{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe
Token: SeIncBasePriorityPrivilege	4344	{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe
Token: SeIncBasePriorityPrivilege	4372	{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe
Token: SeIncBasePriorityPrivilege	544	{086EA3C6-0F97-4319-9AFA-311891C07578}.exe
Token: SeIncBasePriorityPrivilege	2356	{F142DF0A-418C-4561-A475-396505E01C62}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 2184	868	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	91
PID 868 wrote to memory of 2184	868	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	91
PID 868 wrote to memory of 2184	868	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	91
PID 868 wrote to memory of 1924	868	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	92
PID 868 wrote to memory of 1924	868	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	92
PID 868 wrote to memory of 1924	868	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	92
PID 2184 wrote to memory of 4360	2184	{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe	93
PID 2184 wrote to memory of 4360	2184	{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe	93
PID 2184 wrote to memory of 4360	2184	{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe	93
PID 2184 wrote to memory of 2520	2184	{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe	94
PID 2184 wrote to memory of 2520	2184	{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe	94
PID 2184 wrote to memory of 2520	2184	{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe	94
PID 4360 wrote to memory of 4384	4360	{7316278A-B511-4bae-A521-D00B46EA5178}.exe	96
PID 4360 wrote to memory of 4384	4360	{7316278A-B511-4bae-A521-D00B46EA5178}.exe	96
PID 4360 wrote to memory of 4384	4360	{7316278A-B511-4bae-A521-D00B46EA5178}.exe	96
PID 4360 wrote to memory of 4940	4360	{7316278A-B511-4bae-A521-D00B46EA5178}.exe	97
PID 4360 wrote to memory of 4940	4360	{7316278A-B511-4bae-A521-D00B46EA5178}.exe	97
PID 4360 wrote to memory of 4940	4360	{7316278A-B511-4bae-A521-D00B46EA5178}.exe	97
PID 4384 wrote to memory of 1220	4384	{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe	98
PID 4384 wrote to memory of 1220	4384	{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe	98
PID 4384 wrote to memory of 1220	4384	{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe	98
PID 4384 wrote to memory of 4720	4384	{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe	99
PID 4384 wrote to memory of 4720	4384	{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe	99
PID 4384 wrote to memory of 4720	4384	{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe	99
PID 1220 wrote to memory of 3436	1220	{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe	100
PID 1220 wrote to memory of 3436	1220	{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe	100
PID 1220 wrote to memory of 3436	1220	{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe	100
PID 1220 wrote to memory of 3992	1220	{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe	101
PID 1220 wrote to memory of 3992	1220	{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe	101
PID 1220 wrote to memory of 3992	1220	{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe	101
PID 3436 wrote to memory of 2872	3436	{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe	102
PID 3436 wrote to memory of 2872	3436	{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe	102
PID 3436 wrote to memory of 2872	3436	{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe	102
PID 3436 wrote to memory of 3584	3436	{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe	103
PID 3436 wrote to memory of 3584	3436	{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe	103
PID 3436 wrote to memory of 3584	3436	{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe	103
PID 2872 wrote to memory of 4268	2872	{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe	104
PID 2872 wrote to memory of 4268	2872	{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe	104
PID 2872 wrote to memory of 4268	2872	{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe	104
PID 2872 wrote to memory of 4928	2872	{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe	105
PID 2872 wrote to memory of 4928	2872	{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe	105
PID 2872 wrote to memory of 4928	2872	{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe	105
PID 4268 wrote to memory of 4344	4268	{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe	106
PID 4268 wrote to memory of 4344	4268	{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe	106
PID 4268 wrote to memory of 4344	4268	{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe	106
PID 4268 wrote to memory of 628	4268	{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe	107
PID 4268 wrote to memory of 628	4268	{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe	107
PID 4268 wrote to memory of 628	4268	{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe	107
PID 4344 wrote to memory of 4372	4344	{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe	108
PID 4344 wrote to memory of 4372	4344	{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe	108
PID 4344 wrote to memory of 4372	4344	{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe	108
PID 4344 wrote to memory of 3884	4344	{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe	109
PID 4344 wrote to memory of 3884	4344	{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe	109
PID 4344 wrote to memory of 3884	4344	{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe	109
PID 4372 wrote to memory of 544	4372	{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe	110
PID 4372 wrote to memory of 544	4372	{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe	110
PID 4372 wrote to memory of 544	4372	{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe	110
PID 4372 wrote to memory of 3796	4372	{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe	111
PID 4372 wrote to memory of 3796	4372	{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe	111
PID 4372 wrote to memory of 3796	4372	{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe	111
PID 544 wrote to memory of 2356	544	{086EA3C6-0F97-4319-9AFA-311891C07578}.exe	112
PID 544 wrote to memory of 2356	544	{086EA3C6-0F97-4319-9AFA-311891C07578}.exe	112
PID 544 wrote to memory of 2356	544	{086EA3C6-0F97-4319-9AFA-311891C07578}.exe	112
PID 544 wrote to memory of 1604	544	{086EA3C6-0F97-4319-9AFA-311891C07578}.exe	113

C:\Users\Admin\AppData\Local\Temp\60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe
  C:\Windows\{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\{7316278A-B511-4bae-A521-D00B46EA5178}.exe
    C:\Windows\{7316278A-B511-4bae-A521-D00B46EA5178}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe
      C:\Windows\{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Windows\{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe
        
        C:\Windows\{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1220
      - C:\Windows\{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe
        
        C:\Windows\{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe
        
        C:\Windows\{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe
        
        C:\Windows\{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe
        
        C:\Windows\{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe
        
        C:\Windows\{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{086EA3C6-0F97-4319-9AFA-311891C07578}.exe
        
        C:\Windows\{086EA3C6-0F97-4319-9AFA-311891C07578}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{F142DF0A-418C-4561-A475-396505E01C62}.exe
        
        C:\Windows\{F142DF0A-418C-4561-A475-396505E01C62}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\{246A41DB-91E5-49ce-BCE1-0B7174E83EA7}.exe
        
        C:\Windows\{246A41DB-91E5-49ce-BCE1-0B7174E83EA7}.exe
        13⤵
        Executes dropped EXE
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F142D~1.EXE > nul
        13⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{086EA~1.EXE > nul
        12⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF5B9~1.EXE > nul
        11⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBE71~1.EXE > nul
        10⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF76D~1.EXE > nul
        9⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4706A~1.EXE > nul
        8⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDAB7~1.EXE > nul
        7⤵
        
        PID:3584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69977~1.EXE > nul
        6⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5352~1.EXE > nul
        5⤵
        
        PID:4720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{73162~1.EXE > nul
      4⤵
      PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{94E2C~1.EXE > nul
    3⤵
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\60C110~1.EXE > nul
  2⤵
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{086EA3C6-0F97-4319-9AFA-311891C07578}.exe

Filesize
64KB

MD5
748f96c7178e3c502df0c1fb88a26bf0

SHA1
d9a1779b4680857acaf3c01dcb395b1b40e7b0e4

SHA256
3627bd6cbeb371eb27e12e2d7c593fd59057bed3c2ecddd1f8e04df77bb4b586

SHA512
e16d9da337d134eff176855ccff3d34c5b0a6bb6dccc3b403011d0398349e8b65ef01c0a1781a32688f1be6d5fc0172c043021f56c80183deb200804de94b2d1

Download Submit
C:\Windows\{246A41DB-91E5-49ce-BCE1-0B7174E83EA7}.exe

Filesize
64KB

MD5
57c855c4b96133904b050e5e9df3b0a0

SHA1
38b8685066de1a4b341cc79f156e144c49fc42b0

SHA256
6759b5f8f05f48f43b8acaa066cfb0173917acb3e48897337c4929fb60b7d872

SHA512
b3093da6038f94ff203df8c0de736d7d359e12580e0f38c21a08b69b01708a3ec9dfda4c9b4fe35866a7f49073080ed62c278ba6580b6f396b1eb1dbdecddb13

Download Submit
C:\Windows\{4706A9C1-2E41-4871-A79E-ABAF00B247DB}.exe

Filesize
64KB

MD5
1adfcde05b01fb1ea07ad326189ff392

SHA1
faf4f34b9f145c8d726ef6bdbe7f6e58e2807e9e

SHA256
77f2899f3ab8f05d71df6ae960abb8b24deb39c270b40018219dc63c1ac1fba2

SHA512
788d0b792ade97771d2fece026c3550cd1e280b7842a97b73c09d1db5ce65d5a9d8bb2709aa0999fe064b07ebc4e11543a94e1a4e55a440e375c47d0d4430546

Download Submit
C:\Windows\{69977DC1-5A89-4996-94FE-4DA1F54186A2}.exe

Filesize
64KB

MD5
2a55950b92e313b46ffdc3f63bc07dda

SHA1
d4fdb5b0ddff6ec4d20aa053ccc889e8626d0b22

SHA256
572ba901b9636da1afe9edf433efb3bc10feda9a59cc86edd5fe47f357ce1e10

SHA512
f2ccf7eb8c19701c00cf60d613aa374ca6e5dafd1af93241903862f970a8a2fd0c45be728575d5feed2a9cf70786cd7bca6f18212e7d4ea42dc2bc935beafca6

Download Submit
C:\Windows\{7316278A-B511-4bae-A521-D00B46EA5178}.exe

Filesize
64KB

MD5
f09fd4e71cd99b41366cc0486a1dece9

SHA1
2faaa6c5d52862ebe612ae7b9246282486cbe394

SHA256
c13a5af763ce846a4aab1aebebcd422f0ee70ab09ba9acb131acc1130f324401

SHA512
7f79e9cb3afdd74eb4e697176301dd7b3ad6cf422e7ca6df94fb948125be464df9a552fe0812a0bdd358bf7e3629cf136ab27891072d8c434783ecdc3e352336

Download Submit
C:\Windows\{94E2CAE6-423E-4f13-96A1-FD1DA52D5842}.exe

Filesize
64KB

MD5
d3f3552fae8542680ddbf8b8cc094eab

SHA1
5915a5ee0be0ba6f7808382599959e42fa2b54e3

SHA256
77101d72df2936bf2d70b6c6f1b719e11925ef5ce0addb6009549e71bc15e68b

SHA512
8ffb2081dbee80cf5e93eb3722a0d3126d807127b8e0ee2db7a7a3b066e334fdbff0e38ec08db7f6064ed7fa064e7dd58ec1c26a697882f132605ce9dcff72df

Download Submit
C:\Windows\{BDAB7678-CD36-4353-A053-3FDB891E0408}.exe

Filesize
64KB

MD5
4518fddcb050d27f92859175007cefeb

SHA1
6675aa0057694a6efc74ab1581267c496ace317e

SHA256
2962f082afe4646339981432b4976c05b49b20fe711b0dee92f7cba15d571ed2

SHA512
c6d69628a8fd117c3c6795a24540f46220751be6f0824ab93ddab13776ec4bc8d3139cfd5c004177d0b9be03038d90b81395eb275e4088b28467646e29c4b34a

Download Submit
C:\Windows\{DBE7109F-2AD6-4ff8-A401-8D203CF607BF}.exe

Filesize
64KB

MD5
316ac58c5a1ad63d2afb0ae49cb5027a

SHA1
e38d7767795e601e4860890824e64e8ed151aa24

SHA256
3067ebec21563111a56e1ab649719bad41504acf5182ae618563e9856ed16c0b

SHA512
94e101e017a8b4fde7035ec8222dc36b62f84c54f09b7473c355c44fc72cbacb1f4b0e2bde0e08f60e148f95ea9cb327765b9100b7d7a8ee07add11b80b2d46d

Download Submit
C:\Windows\{EF5B99D6-357A-43f8-A652-08E0B7C7315C}.exe

Filesize
64KB

MD5
e50b0f069d55b43f579909f32c4ec5eb

SHA1
85b51a2e04e115b05625225c02f4f8e4a553b4bf

SHA256
7376da9d8b50cfe4dab29288f14654a128ad826a10dec949dc13bf081932c1e1

SHA512
a2ed7e3d8e09c892eea2dbe7ba1b539837f420bb4524724079391175ace246151215ca68812c565fd5696866a8b79f50ef96ed55f327e8f8625e8da4fc31a18a

Download Submit
C:\Windows\{EF76DF7F-204C-4a39-BD69-FA58D88B915E}.exe

Filesize
64KB

MD5
1c092508af66f0c5784ebeac56827062

SHA1
c61896254676c6eac02e4e66c304a86ad3e6b6fe

SHA256
ab10496e874c444f1abefdb8d89703f2362cd147f3d46a7d978dce63d449e273

SHA512
ee6669c23fffaa9b05c552e46057277e7a9d2c50100a229f620199f3716b9af21cf5c21b010fcb797ce6f71f650da61fa69f74cd7789b30ed906b9f0aa005472

Download Submit
C:\Windows\{F142DF0A-418C-4561-A475-396505E01C62}.exe

Filesize
64KB

MD5
b52071d92f27ef0804230e2303fd1fb4

SHA1
6e95950243e7e2f463f52fa3f116c30cb56b648b

SHA256
d258bf8ac539cccfa9d3d020cb97b058d5baf94522f57d30fad6fd71f345b8a8

SHA512
6ec703467c4a49fbc581e793b6fa560a142ba9d43a395ff3d7cdff98b8b0c97defd93333cffc27f670faa0fe0e1bf28b170d570e95e27913ff14ec0cf1806597

Download Submit
C:\Windows\{F5352BE6-2CC3-4ac8-9BB8-67CE1D4E2766}.exe

Filesize
64KB

MD5
58a34c20c0b143503ee92eadc2689904

SHA1
92c5ecead1bf65ca14724fd1110069ec8ce94c43

SHA256
91c6fbc2ba0e31851f8367dc153b9e6f69c24dc16907accbf0c5a5843c18c0eb

SHA512
385cc02a735f069a4d025b6d1dfa21b69e0f1ad8c87264d648de4569568651b1aa0fad9ecea61c9d285d7d3eaa7c5eeb81ca19cbd73224377f7ea8f3134d3d9e

Download Submit
memory/544-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/544-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/868-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/868-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1220-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1220-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2184-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2184-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2356-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2872-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2872-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3436-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3436-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3888-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4268-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4268-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4344-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4344-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4360-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4360-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4372-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4372-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4384-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4384-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads