73d3875e491b4dfd9521ea50d6334f7214e6e0e973689f1d484dcbdb2bb68ed7

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 13:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a1b8365bcc04d4acea139bc6b51e2ee0_NeikiAnalytics.exe
Size

64KB
MD5

a1b8365bcc04d4acea139bc6b51e2ee0
SHA1

33c0919d9cdb2cd490b0052290e76eccd875aeb0
SHA256

73d3875e491b4dfd9521ea50d6334f7214e6e0e973689f1d484dcbdb2bb68ed7
SHA512

98a1afc4ad57d7a382b9dc6929eb8b8f44cd6894976b29febaef5d24f7b63494fb9577b3e05b40b3a5eb313cbcd89de5b548ce31b16238192637c3580d27a647
SSDEEP

384:ObLwOs8AHsc4sMf9hKQLroK4/CFsrdHWMZr:Ovw9816mhKQLroK4/wQpWMZr

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DFECE3E-9209-4271-9BA4-F98333F64650}	a1b8365bcc04d4acea139bc6b51e2ee0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DFECE3E-9209-4271-9BA4-F98333F64650}\stubpath = "C:\\Windows\\{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe"	a1b8365bcc04d4acea139bc6b51e2ee0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4A26590-548C-428e-A8D5-8C0685FA78D7}\stubpath = "C:\\Windows\\{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe"	{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2962E88-0C58-48d8-B5CE-4F8C1D43D34D}\stubpath = "C:\\Windows\\{C2962E88-0C58-48d8-B5CE-4F8C1D43D34D}.exe"	{C8C9743B-7190-4bc5-9430-FB2FE6685CAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4A26590-548C-428e-A8D5-8C0685FA78D7}	{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5E6DB3C-03D8-422e-A606-6C45BA45696A}	{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5E6DB3C-03D8-422e-A606-6C45BA45696A}\stubpath = "C:\\Windows\\{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe"	{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}	{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2D9D441-77D8-45fb-B594-734D89B77CD6}	{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AFCA36C-7CF4-42fc-B524-F01708EC5866}	{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07B9E146-95B5-479e-BA37-F4FA8B07F82D}	{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07B9E146-95B5-479e-BA37-F4FA8B07F82D}\stubpath = "C:\\Windows\\{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe"	{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}	{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8C9743B-7190-4bc5-9430-FB2FE6685CAB}\stubpath = "C:\\Windows\\{C8C9743B-7190-4bc5-9430-FB2FE6685CAB}.exe"	{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}	{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}\stubpath = "C:\\Windows\\{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe"	{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}\stubpath = "C:\\Windows\\{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe"	{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2962E88-0C58-48d8-B5CE-4F8C1D43D34D}	{C8C9743B-7190-4bc5-9430-FB2FE6685CAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2D9D441-77D8-45fb-B594-734D89B77CD6}\stubpath = "C:\\Windows\\{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe"	{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AFCA36C-7CF4-42fc-B524-F01708EC5866}\stubpath = "C:\\Windows\\{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe"	{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79F854D9-5C8A-4156-8213-12FCCD3D6393}	{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79F854D9-5C8A-4156-8213-12FCCD3D6393}\stubpath = "C:\\Windows\\{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe"	{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}\stubpath = "C:\\Windows\\{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe"	{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8C9743B-7190-4bc5-9430-FB2FE6685CAB}	{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe

Executes dropped EXE 12 IoCs

pid	Process
1688	{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe
3188	{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe
436	{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe
1172	{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe
1532	{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe
3908	{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe
2824	{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe
2644	{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe
4064	{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe
564	{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe
2008	{C8C9743B-7190-4bc5-9430-FB2FE6685CAB}.exe
1580	{C2962E88-0C58-48d8-B5CE-4F8C1D43D34D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe	{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe
File created	C:\Windows\{C8C9743B-7190-4bc5-9430-FB2FE6685CAB}.exe	{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe
File created	C:\Windows\{C2962E88-0C58-48d8-B5CE-4F8C1D43D34D}.exe	{C8C9743B-7190-4bc5-9430-FB2FE6685CAB}.exe
File created	C:\Windows\{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe	a1b8365bcc04d4acea139bc6b51e2ee0_NeikiAnalytics.exe
File created	C:\Windows\{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe	{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe
File created	C:\Windows\{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe	{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe
File created	C:\Windows\{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe	{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe
File created	C:\Windows\{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe	{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe
File created	C:\Windows\{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe	{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe
File created	C:\Windows\{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe	{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe
File created	C:\Windows\{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe	{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe
File created	C:\Windows\{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe	{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2948	a1b8365bcc04d4acea139bc6b51e2ee0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1688	{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe
Token: SeIncBasePriorityPrivilege	3188	{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe
Token: SeIncBasePriorityPrivilege	436	{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe
Token: SeIncBasePriorityPrivilege	1172	{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe
Token: SeIncBasePriorityPrivilege	1532	{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe
Token: SeIncBasePriorityPrivilege	3908	{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe
Token: SeIncBasePriorityPrivilege	2824	{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe
Token: SeIncBasePriorityPrivilege	2644	{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe
Token: SeIncBasePriorityPrivilege	4064	{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe
Token: SeIncBasePriorityPrivilege	564	{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe
Token: SeIncBasePriorityPrivilege	2008	{C8C9743B-7190-4bc5-9430-FB2FE6685CAB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 1688	2948	a1b8365bcc04d4acea139bc6b51e2ee0_NeikiAnalytics.exe	96
PID 2948 wrote to memory of 1688	2948	a1b8365bcc04d4acea139bc6b51e2ee0_NeikiAnalytics.exe	96
PID 2948 wrote to memory of 1688	2948	a1b8365bcc04d4acea139bc6b51e2ee0_NeikiAnalytics.exe	96
PID 2948 wrote to memory of 968	2948	a1b8365bcc04d4acea139bc6b51e2ee0_NeikiAnalytics.exe	97
PID 2948 wrote to memory of 968	2948	a1b8365bcc04d4acea139bc6b51e2ee0_NeikiAnalytics.exe	97
PID 2948 wrote to memory of 968	2948	a1b8365bcc04d4acea139bc6b51e2ee0_NeikiAnalytics.exe	97
PID 1688 wrote to memory of 3188	1688	{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe	98
PID 1688 wrote to memory of 3188	1688	{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe	98
PID 1688 wrote to memory of 3188	1688	{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe	98
PID 1688 wrote to memory of 956	1688	{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe	99
PID 1688 wrote to memory of 956	1688	{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe	99
PID 1688 wrote to memory of 956	1688	{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe	99
PID 3188 wrote to memory of 436	3188	{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe	103
PID 3188 wrote to memory of 436	3188	{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe	103
PID 3188 wrote to memory of 436	3188	{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe	103
PID 3188 wrote to memory of 3536	3188	{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe	104
PID 3188 wrote to memory of 3536	3188	{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe	104
PID 3188 wrote to memory of 3536	3188	{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe	104
PID 436 wrote to memory of 1172	436	{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe	105
PID 436 wrote to memory of 1172	436	{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe	105
PID 436 wrote to memory of 1172	436	{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe	105
PID 436 wrote to memory of 3172	436	{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe	106
PID 436 wrote to memory of 3172	436	{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe	106
PID 436 wrote to memory of 3172	436	{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe	106
PID 1172 wrote to memory of 1532	1172	{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe	107
PID 1172 wrote to memory of 1532	1172	{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe	107
PID 1172 wrote to memory of 1532	1172	{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe	107
PID 1172 wrote to memory of 3248	1172	{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe	108
PID 1172 wrote to memory of 3248	1172	{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe	108
PID 1172 wrote to memory of 3248	1172	{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe	108
PID 1532 wrote to memory of 3908	1532	{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe	110
PID 1532 wrote to memory of 3908	1532	{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe	110
PID 1532 wrote to memory of 3908	1532	{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe	110
PID 1532 wrote to memory of 3740	1532	{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe	111
PID 1532 wrote to memory of 3740	1532	{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe	111
PID 1532 wrote to memory of 3740	1532	{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe	111
PID 3908 wrote to memory of 2824	3908	{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe	112
PID 3908 wrote to memory of 2824	3908	{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe	112
PID 3908 wrote to memory of 2824	3908	{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe	112
PID 3908 wrote to memory of 2344	3908	{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe	113
PID 3908 wrote to memory of 2344	3908	{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe	113
PID 3908 wrote to memory of 2344	3908	{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe	113
PID 2824 wrote to memory of 2644	2824	{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe	116
PID 2824 wrote to memory of 2644	2824	{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe	116
PID 2824 wrote to memory of 2644	2824	{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe	116
PID 2824 wrote to memory of 2920	2824	{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe	117
PID 2824 wrote to memory of 2920	2824	{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe	117
PID 2824 wrote to memory of 2920	2824	{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe	117
PID 2644 wrote to memory of 4064	2644	{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe	122
PID 2644 wrote to memory of 4064	2644	{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe	122
PID 2644 wrote to memory of 4064	2644	{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe	122
PID 2644 wrote to memory of 4296	2644	{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe	123
PID 2644 wrote to memory of 4296	2644	{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe	123
PID 2644 wrote to memory of 4296	2644	{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe	123
PID 4064 wrote to memory of 564	4064	{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe	124
PID 4064 wrote to memory of 564	4064	{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe	124
PID 4064 wrote to memory of 564	4064	{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe	124
PID 4064 wrote to memory of 3868	4064	{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe	125
PID 4064 wrote to memory of 3868	4064	{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe	125
PID 4064 wrote to memory of 3868	4064	{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe	125
PID 564 wrote to memory of 2008	564	{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe	128
PID 564 wrote to memory of 2008	564	{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe	128
PID 564 wrote to memory of 2008	564	{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe	128
PID 564 wrote to memory of 4396	564	{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe	129

C:\Users\Admin\AppData\Local\Temp\a1b8365bcc04d4acea139bc6b51e2ee0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a1b8365bcc04d4acea139bc6b51e2ee0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe
  C:\Windows\{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe
    C:\Windows\{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe
      C:\Windows\{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Windows\{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe
        
        C:\Windows\{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Windows\{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe
        
        C:\Windows\{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe
        
        C:\Windows\{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe
        
        C:\Windows\{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe
        
        C:\Windows\{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe
        
        C:\Windows\{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe
        
        C:\Windows\{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\{C8C9743B-7190-4bc5-9430-FB2FE6685CAB}.exe
        
        C:\Windows\{C8C9743B-7190-4bc5-9430-FB2FE6685CAB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\{C2962E88-0C58-48d8-B5CE-4F8C1D43D34D}.exe
        
        C:\Windows\{C2962E88-0C58-48d8-B5CE-4F8C1D43D34D}.exe
        13⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8C97~1.EXE > nul
        13⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2DB6~1.EXE > nul
        12⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07B9E~1.EXE > nul
        11⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79F85~1.EXE > nul
        10⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AFCA~1.EXE > nul
        9⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2D9D~1.EXE > nul
        8⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1656A~1.EXE > nul
        7⤵
        
        PID:3740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EC1B~1.EXE > nul
        6⤵
        
        PID:3248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5E6D~1.EXE > nul
        5⤵
        
        PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B4A26~1.EXE > nul
      4⤵
      PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9DFEC~1.EXE > nul
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A1B836~1.EXE > nul
  2⤵
  PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07B9E146-95B5-479e-BA37-F4FA8B07F82D}.exe

Filesize
64KB

MD5
06f17af041004880ad617233637264da

SHA1
83fdf9ac3442f011da9e63e86c046751e19068a4

SHA256
11659e7e1eef2c133bd6a33d0f0b776ad342b79fb772ac3da8a13b8dd947e203

SHA512
def54951e42dcd69da2e431070d1766ff46481d89147ea8260c8ee1e8e9b45ee88e18f3c4890c4615e52ef78d21f4e611231a67cae3c2d5b9fab0b01c4d0be5f

Download Submit
C:\Windows\{1656ADF4-0661-4a4b-A14E-F5B6DCE4C8F3}.exe

Filesize
64KB

MD5
47e5c8bc8022c6f8fce4e88f5af16e92

SHA1
5ac769e95caf83df0e6c968ebad27b894474d1ef

SHA256
17332cc0af0f990cf6e792afbcefb1291977bbd792f442e86519a65452c3e0bb

SHA512
615c60541cab1cc9c3a59c7ad7ef63c492b6fbd861f79dab055e2844131c6cfadcc8cea4d48858518242771ae8019d119726c593723af1d3f0babb8a22e730df

Download Submit
C:\Windows\{5AFCA36C-7CF4-42fc-B524-F01708EC5866}.exe

Filesize
64KB

MD5
0340d9c0b0a1178c5534617fd09cb634

SHA1
ccd54cb4e8aa2bbed6e0922696b8c9ff0dec89e6

SHA256
21fa4ffbeb20da8d734a2e5f4d28d722abc55c0780381717c2b5a5337eb1db67

SHA512
4221a16e3c0bc0a2d2470da13ce3b04b8026f7572c610dd73629b180a14f71df9c8a45a33dd6c0c38e36d5b35730d03638f649ef320075cd62ad35958527a2ec

Download Submit
C:\Windows\{79F854D9-5C8A-4156-8213-12FCCD3D6393}.exe

Filesize
64KB

MD5
a6d11c18f3313a8e9bc8c4c8159a5aa0

SHA1
dc8ab388bac94cdae5f139dd1502c9639624db52

SHA256
aba9f251786d5260478f6b412648f7c35f98e217699cacb7c07085f3cbd7f087

SHA512
3c6cc7e5d4ef0fc2cfdeb347f100cf33a1106594e1f8c18189e05b79a4ecc5ffdeb68c604d4535b5eebf1b3da0fad912556f46c456b2580e2940ece926170ba2

Download Submit
C:\Windows\{9DFECE3E-9209-4271-9BA4-F98333F64650}.exe

Filesize
64KB

MD5
12c763fba324b20d5a520bd2a2f73f0a

SHA1
cdfe22eb3cbf97871f74e9a6a54a76eca6d32e6b

SHA256
cd8407239bef5276cfa41bad82f5d0300d235f6f926c39fcefd83c3c9fd14127

SHA512
0a9de2a312032e488724743826c1b1d03ea76bfe72ad427c0d1414e36666024d6d3647da9c2eb11cde17f85b5a3af58cbb4c3ad1e38acaa4a7a5cdbbbd7f7bb6

Download Submit
C:\Windows\{9EC1B852-7AB2-4d4a-8DCE-9D64FFD6F33B}.exe

Filesize
64KB

MD5
f14326b1d8962185bcd1d65147c539b7

SHA1
75877646c93761dcc453e4c1fffd4f2678b549f8

SHA256
a741157d4c3c8bf5a486a98e962d4a32cb50f77726593cd706c351097d1aa336

SHA512
249acf1965516421fbc8f28eb2d8d2978d39814a03cfd20440f3dad00f85257764f1e78a510d958c8913d51b19f55a6254901e38a337a92b6108755f2b4a113d

Download Submit
C:\Windows\{A2DB6E1E-9EF2-4c37-88ED-2CB540824F51}.exe

Filesize
64KB

MD5
19c3e09557083b19d1d4ef41d88f4de6

SHA1
1f689fb6dfa4c61d115ade8b1289b9bd992a7d4b

SHA256
f9a96efe9cf77343fd26fed96c0fa0fc1e03a6b68bf46dd598c299abd1466940

SHA512
5468ec349b0c424e78117a15e78ed473e0782ba59bfb57d31b7bb5417d0079f81fd2f62a48c0365c757c0021fe17a617308345da319e7554f4f966ade7187902

Download Submit
C:\Windows\{B4A26590-548C-428e-A8D5-8C0685FA78D7}.exe

Filesize
64KB

MD5
d149b4465aeb64226f221c3726eb5766

SHA1
7d007f5224364bf958f29c1d313f96bddddf72ab

SHA256
4fb4a58e803c17dbc4acfc556afbd16bfac62cf9350913780cd5f7e7c7e898fc

SHA512
766244ae767715796a7500f4668788a1648459d8e399eb91018b961a4c7a7a207d33c907b544f0a0313ff1ecb28a26bcdc1fc9a9c8c125ee2ff84a7551f56e13

Download Submit
C:\Windows\{C2962E88-0C58-48d8-B5CE-4F8C1D43D34D}.exe

Filesize
64KB

MD5
b34446cf697db9f8419ac7a201b63c27

SHA1
5fbe374ccf36aa70e757225ebecdc8a4539dccf1

SHA256
ca5a8481c35f6b729d89bad9c4303e1d8c2dc3c7593576bd3e09ea5ebe90d305

SHA512
a7636136c3f2b52fb4d5205f0eb5d1671283614ef2697f2c1a137238747293b6092aabdb6dc0a720147af090f0978650794bda8a6700610c803d8b9be95f68fa

Download Submit
C:\Windows\{C8C9743B-7190-4bc5-9430-FB2FE6685CAB}.exe

Filesize
64KB

MD5
485ce9697126845084ebf8fde31b76c1

SHA1
278593829a588cc10fab82b09f77df217065a413

SHA256
f87de2fcd2d515620bbf0dda2f4a2d592bf6d639e235fb7af3f6d172001de009

SHA512
819cb33e59d14b49fa2d93367986ccca967c81050bc62de06d96d29348e21cf9fa7496a19607cd867e14a2cf6a2764dcf73f99e502cbf6439e2a3b0702f64821

Download Submit
C:\Windows\{D2D9D441-77D8-45fb-B594-734D89B77CD6}.exe

Filesize
64KB

MD5
f314cc9584d39c649440d15c550b6f55

SHA1
d52a5ca4bec08e25e5e2e4219fd2e6517580e735

SHA256
46a6ee72d6fd2a866186b6e9c514f6f67d142f7bf6e757456c5866b674130d61

SHA512
31d9c2087628eba6e9cecbda0cd975d9a81d27d63080371f34f6adfa99df98d1522922ad5efb1b443aea8d28d35db3d52b07c1c7ef157c28c779d34f74e14a7d

Download Submit
C:\Windows\{E5E6DB3C-03D8-422e-A606-6C45BA45696A}.exe

Filesize
64KB

MD5
c64f35e99dc7992d5342dec49ea7a594

SHA1
7aef4b7fb0ca9814deadb93d2d85bd52d317b2e8

SHA256
e48c9df3c20afd973cf5aa9589f36d6144480f1e01d85b802fd606587076bc62

SHA512
70634792c46463e97ed2ef52c0c175c4ee089f9488da2e4365c731c5c7d7c839a40bb2804b97dc36c973b72af77e6f31bab6a259f8cea6f40fac618eb4f62779

Download Submit
memory/436-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/436-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/564-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1172-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1532-32-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1580-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1688-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1688-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2008-66-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2008-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2644-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2644-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2824-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2824-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2948-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2948-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3188-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3188-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3908-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4064-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4064-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads