Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
02/06/2024, 22:29
Static task
static1
Behavioral task
behavioral1
Sample
76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
-
Size
90KB
-
MD5
76f33b38bc9569b5155b7245f15e8d30
-
SHA1
cd86c322b5b4bbb98e75e2f0d9368036f884a343
-
SHA256
b12ed006872e73b97ba1e8ff1312311a8abb22605380d600f1ade592bef7bfe6
-
SHA512
2160c0601e0c679565bd78fddfe1b18e4d699b439ad4d134f89c45349f92c278f8906def10cf35a22f81b835c6ffdb08901ce5dc97148acb590ec2361f5a3447
-
SSDEEP
768:5vw98169hKjro34/wQCNrfrunMxVFA3b:lEG/Ho3lxunMxVS3
Malware Config
Signatures
-
Modifies Installed Components in the registry (Active Setup persistence) — 2 TTPs, 24 IoCs. Each stage creates HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GUID} and sets its StubPath to C:\Windows\{GUID}.exe. Windows runs Active Setup StubPath commands at user logon, so remediation has to remove all twelve GUID keys listed below, not only the files they point to.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}\stubpath = "C:\\Windows\\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe" {98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9186D66F-5A2B-449e-AE63-10A708BB72C8} {6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C} {435859EF-1983-4383-8901-19A4A5F0BD05}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63B007E9-7191-476c-AC7C-C486207357E9} {76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}\stubpath = "C:\\Windows\\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe" {9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435859EF-1983-4383-8901-19A4A5F0BD05}\stubpath = "C:\\Windows\\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe" {852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63B007E9-7191-476c-AC7C-C486207357E9}\stubpath = "C:\\Windows\\{63B007E9-7191-476c-AC7C-C486207357E9}.exe" {76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF840DF1-A1F9-44f4-A13A-6D1502483A35} 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}\stubpath = "C:\\Windows\\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe" 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4050ABA0-496C-4498-97C4-AD65EA511E84}\stubpath = "C:\\Windows\\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe" {FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D} {9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A45AC3F-C55C-4423-83F1-A45031A49FF3} {81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}\stubpath = "C:\\Windows\\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe" {2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E182DC24-4CD0-4bb4-A30A-E2846595AA16}\stubpath = "C:\\Windows\\{E182DC24-4CD0-4bb4-A30A-E2846595AA16}.exe" {63B007E9-7191-476c-AC7C-C486207357E9}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98AAC933-328A-41f2-B5B6-2E26D2C029D1} {4050ABA0-496C-4498-97C4-AD65EA511E84}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}\stubpath = "C:\\Windows\\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe" {4050ABA0-496C-4498-97C4-AD65EA511E84}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45} {98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9186D66F-5A2B-449e-AE63-10A708BB72C8}\stubpath = "C:\\Windows\\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe" {6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A} {2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E182DC24-4CD0-4bb4-A30A-E2846595AA16} {63B007E9-7191-476c-AC7C-C486207357E9}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4050ABA0-496C-4498-97C4-AD65EA511E84} {FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435859EF-1983-4383-8901-19A4A5F0BD05} {852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}\stubpath = "C:\\Windows\\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe" {435859EF-1983-4383-8901-19A4A5F0BD05}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}\stubpath = "C:\\Windows\\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe" {81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe -
Executes dropped EXE — 12 IoCs. Every C:\Windows\{GUID}.exe is launched by the stage that wrote it, giving a thirteen-process chain from the submitted sample (see the process tree below); the PIDs here match that tree.
pid Process 4796 {FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe 2436 {4050ABA0-496C-4498-97C4-AD65EA511E84}.exe 3772 {98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe 1992 {6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe 1856 {9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe 1332 {852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe 4260 {435859EF-1983-4383-8901-19A4A5F0BD05}.exe 3156 {81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe 2116 {2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe 5052 {76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe 4808 {63B007E9-7191-476c-AC7C-C486207357E9}.exe 2388 {E182DC24-4CD0-4bb4-A30A-E2846595AA16}.exe -
Drops file in Windows directory — 12 IoCs. Each stage writes the next stage as C:\Windows\{GUID}.exe. Writing under C:\Windows succeeded here because the sample appears to have run from the sandbox's Admin profile (C:\Users\Admin); on a host where it runs as a standard user this write would be expected to fail, so the observed chain may not reproduce outside the sandbox.
description ioc Process File created C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe {81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe File created C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe File created C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe {FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe File created C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe {4050ABA0-496C-4498-97C4-AD65EA511E84}.exe File created C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe {6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe File created C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe {9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe File created C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe {852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe File created C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe {435859EF-1983-4383-8901-19A4A5F0BD05}.exe File created C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe {98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe File created C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe {2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe File created C:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exe {76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe File created C:\Windows\{E182DC24-4CD0-4bb4-A30A-E2846595AA16}.exe {63B007E9-7191-476c-AC7C-C486207357E9}.exe -
Suspicious use of AdjustPrivilegeToken — 12 IoCs. Every stage enables SeIncBasePriorityPrivilege in its own token. This privilege only allows raising scheduling priority and is not an elevation by itself, but because each generation does it, the call is a consistent behavioural detection point for the whole chain.
description pid Process Token: SeIncBasePriorityPrivilege 4816 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe Token: SeIncBasePriorityPrivilege 4796 {FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe Token: SeIncBasePriorityPrivilege 2436 {4050ABA0-496C-4498-97C4-AD65EA511E84}.exe Token: SeIncBasePriorityPrivilege 3772 {98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe Token: SeIncBasePriorityPrivilege 1992 {6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe Token: SeIncBasePriorityPrivilege 1856 {9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe Token: SeIncBasePriorityPrivilege 1332 {852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe Token: SeIncBasePriorityPrivilege 4260 {435859EF-1983-4383-8901-19A4A5F0BD05}.exe Token: SeIncBasePriorityPrivilege 3156 {81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe Token: SeIncBasePriorityPrivilege 2116 {2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe Token: SeIncBasePriorityPrivilege 5052 {76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe Token: SeIncBasePriorityPrivilege 4808 {63B007E9-7191-476c-AC7C-C486207357E9}.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (the listing stops at the signature's 64-entry cap: the last parent shown, PID 5052, has only one of its writes to 2616 listed, and any writes by later stages are not shown). Every target PID in this list is a direct child of the writing process — the next-stage executable or the cmd.exe it spawns — which is consistent with ordinary child-process setup after process creation rather than injection into an unrelated process; check the targets against the process tree before classifying this as code injection.
description pid Process procid_target PID 4816 wrote to memory of 4796 4816 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 93 PID 4816 wrote to memory of 4796 4816 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 93 PID 4816 wrote to memory of 4796 4816 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 93 PID 4816 wrote to memory of 1592 4816 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 94 PID 4816 wrote to memory of 1592 4816 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 94 PID 4816 wrote to memory of 1592 4816 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 94 PID 4796 wrote to memory of 2436 4796 {FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe 95 PID 4796 wrote to memory of 2436 4796 {FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe 95 PID 4796 wrote to memory of 2436 4796 {FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe 95 PID 4796 wrote to memory of 4996 4796 {FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe 96 PID 4796 wrote to memory of 4996 4796 {FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe 96 PID 4796 wrote to memory of 4996 4796 {FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe 96 PID 2436 wrote to memory of 3772 2436 {4050ABA0-496C-4498-97C4-AD65EA511E84}.exe 100 PID 2436 wrote to memory of 3772 2436 {4050ABA0-496C-4498-97C4-AD65EA511E84}.exe 100 PID 2436 wrote to memory of 3772 2436 {4050ABA0-496C-4498-97C4-AD65EA511E84}.exe 100 PID 2436 wrote to memory of 4948 2436 {4050ABA0-496C-4498-97C4-AD65EA511E84}.exe 101 PID 2436 wrote to memory of 4948 2436 {4050ABA0-496C-4498-97C4-AD65EA511E84}.exe 101 PID 2436 wrote to memory of 4948 2436 {4050ABA0-496C-4498-97C4-AD65EA511E84}.exe 101 PID 3772 wrote to memory of 1992 3772 {98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe 102 PID 3772 wrote to memory of 1992 3772 {98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe 102 PID 3772 wrote to memory of 1992 3772 {98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe 102 PID 3772 wrote to memory of 4036 3772 {98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe 103 PID 3772 wrote to memory of 4036 3772 
{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe 103 PID 3772 wrote to memory of 4036 3772 {98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe 103 PID 1992 wrote to memory of 1856 1992 {6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe 105 PID 1992 wrote to memory of 1856 1992 {6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe 105 PID 1992 wrote to memory of 1856 1992 {6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe 105 PID 1992 wrote to memory of 4468 1992 {6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe 106 PID 1992 wrote to memory of 4468 1992 {6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe 106 PID 1992 wrote to memory of 4468 1992 {6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe 106 PID 1856 wrote to memory of 1332 1856 {9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe 108 PID 1856 wrote to memory of 1332 1856 {9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe 108 PID 1856 wrote to memory of 1332 1856 {9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe 108 PID 1856 wrote to memory of 2180 1856 {9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe 109 PID 1856 wrote to memory of 2180 1856 {9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe 109 PID 1856 wrote to memory of 2180 1856 {9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe 109 PID 1332 wrote to memory of 4260 1332 {852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe 110 PID 1332 wrote to memory of 4260 1332 {852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe 110 PID 1332 wrote to memory of 4260 1332 {852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe 110 PID 1332 wrote to memory of 3300 1332 {852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe 111 PID 1332 wrote to memory of 3300 1332 {852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe 111 PID 1332 wrote to memory of 3300 1332 {852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe 111 PID 4260 wrote to memory of 3156 4260 {435859EF-1983-4383-8901-19A4A5F0BD05}.exe 116 PID 4260 wrote to memory of 3156 4260 {435859EF-1983-4383-8901-19A4A5F0BD05}.exe 116 PID 4260 wrote to memory of 3156 4260 {435859EF-1983-4383-8901-19A4A5F0BD05}.exe 116 PID 4260 wrote to memory of 4104 4260 {435859EF-1983-4383-8901-19A4A5F0BD05}.exe 
117 PID 4260 wrote to memory of 4104 4260 {435859EF-1983-4383-8901-19A4A5F0BD05}.exe 117 PID 4260 wrote to memory of 4104 4260 {435859EF-1983-4383-8901-19A4A5F0BD05}.exe 117 PID 3156 wrote to memory of 2116 3156 {81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe 118 PID 3156 wrote to memory of 2116 3156 {81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe 118 PID 3156 wrote to memory of 2116 3156 {81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe 118 PID 3156 wrote to memory of 4384 3156 {81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe 119 PID 3156 wrote to memory of 4384 3156 {81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe 119 PID 3156 wrote to memory of 4384 3156 {81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe 119 PID 2116 wrote to memory of 5052 2116 {2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe 120 PID 2116 wrote to memory of 5052 2116 {2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe 120 PID 2116 wrote to memory of 5052 2116 {2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe 120 PID 2116 wrote to memory of 1504 2116 {2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe 121 PID 2116 wrote to memory of 1504 2116 {2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe 121 PID 2116 wrote to memory of 1504 2116 {2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe 121 PID 5052 wrote to memory of 4808 5052 {76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe 125 PID 5052 wrote to memory of 4808 5052 {76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe 125 PID 5052 wrote to memory of 4808 5052 {76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe 125 PID 5052 wrote to memory of 2616 5052 {76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe 126
Processes (tree; the trailing number before ⤵ is the nesting depth). Each stage launches the next C:\Windows\{GUID}.exe and a cmd.exe that deletes the stage's own file by its 8.3 short name (e.g. {63B00~1.EXE); the submitted sample does the same to itself in Temp. If those deletions succeeded, a live host would retain only the last stage ({E182DC24-4CD0-4bb4-A30A-E2846595AA16}.exe) on disk while keeping all twelve Active Setup keys, most of them pointing at files that no longer exist.
-
C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exeC:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exeC:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exeC:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exeC:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exeC:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exeC:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exeC:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exeC:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exeC:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exeC:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exeC:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4808 -
C:\Windows\{E182DC24-4CD0-4bb4-A30A-E2846595AA16}.exeC:\Windows\{E182DC24-4CD0-4bb4-A30A-E2846595AA16}.exe13⤵
- Executes dropped EXE
PID:2388
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{63B00~1.EXE > nul13⤵PID:4556
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{76AD7~1.EXE > nul12⤵PID:2616
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2A45A~1.EXE > nul11⤵PID:1504
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{81EAE~1.EXE > nul10⤵PID:4384
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{43585~1.EXE > nul9⤵PID:4104
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{852CD~1.EXE > nul8⤵PID:3300
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9186D~1.EXE > nul7⤵PID:2180
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6E4E0~1.EXE > nul6⤵PID:4468
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{98AAC~1.EXE > nul5⤵PID:4036
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4050A~1.EXE > nul4⤵PID:4948
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FF840~1.EXE > nul3⤵PID:4996
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\76F33B~1.EXE > nul2⤵PID:1592
-
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped-file artifacts). Twelve 90KB files, each with a distinct hash, which appear to correspond to the twelve C:\Windows\{GUID}.exe drops above. Because every generation hashes differently, blocking only the submitted sample's hashes will not stop the dropped stages; match on the Active Setup key/StubPath pattern and the behaviours above instead.
-
Filesize
90KB
MD5 2337f258a567d20ce5c2260e0bc35c29
SHA1 11d43ee6b1b1fb3283596493f2ab54ad5224e6b0
SHA256 4c45bb0e0244fc24bbb8cf1a7ecf94317d09da20ace89b258e42693cfd20a152
SHA512 180cbaa79d0b89d3a1931e40d7926a29d11906eb2d46fb2ce3375e2935961a174cff82e34dea3f74fde1f252af187796b539f4e7f56928456f18f0904274be5f
-
Filesize
90KB
MD5 6fb32be8797837e8b6d72fa0d8d53e32
SHA1 5e7e0ce8da3fff339ea5453fb35802ea7fbfb171
SHA256 b2a0d20c76752beda2011c76bceb8058f813ed878023c1911440fc613cac2016
SHA512 8d84c9982a5aff7bccd7301e497e8d15dfe08d855de1254485b9a66561024a345af6d071e4ef3341f0827d3b29f9b23fbc6dec362cffab15d6d80814ff70f0cc
-
Filesize
90KB
MD5 bc9a4e619de85c04ca9f7f7330953af6
SHA1 6fd382d80960974040d757fa33f7498cc21a9633
SHA256 8bf5d244fe02e01a13c4f57adf460804ae0d8a8c7f88a01287f451a98c0d65b3
SHA512 b912044a6df35f09924b2a603fbe9ddedbf7949deb3ae600249b8a1b468e6d3cd1aeb045f62aa0275272c4f6c701096cda28611167e47c831871235e3cb023b1
-
Filesize
90KB
MD5 4371ea714015ea91c3985a2b84b6ba83
SHA1 417bcf0047741b271658b17956df7ff955323741
SHA256 0fa31687df36cf995d3c315d4f056123fe6496222fe122649da1e5609157cfcd
SHA512 c13647dd35b8637a36c9b43a861ede42c9d0254676bbc87e4b512a87705f6319c307a78d44019e3403486c3a55d84811a0cb47f832df801a657a1e063a7b2486
-
Filesize
90KB
MD5 a8386ab3f5e9e33b2217bfb47bc7dcc9
SHA1 46f457f9bb441344272af973805bb2f12fe23494
SHA256 11ce1fe4ef8f5f4526dca11ee74f99d29577ec6ca6d59c889be996e9139d8860
SHA512 2c0d04ccceaa2562ef54491435ad3707470f467e1f2968300bde416fc1e91f75b54df3affb2b5f7ed89d35aa03e42f5d27810ada0e3e5010656c11ce85f7e79f
-
Filesize
90KB
MD5 2f0bba10a2ed5870eb1037a26846968a
SHA1 dcde1371331f1fa9ddf0a6033adb56be4ee29c7c
SHA256 5429f86c0ac2122d8df7cda0f3278655c55c359b38d6ace5b54e04a5500575f7
SHA512 e82016fc92a918eda29d412d6f96df03fc5417f2baffd8ef5d3ed4c01d1cf903dfefd6b6a563fdc3248579d0bb636188de0f608fde8992aa9068755569c60c24
-
Filesize
90KB
MD5 3e06f4283108e67c923903cdcd7e150a
SHA1 90668858fe99aa15f2b4f1f13274fba501aaf8a5
SHA256 43c620b6eef3644b4f0a1a1dc4a4b3071bd84355cb83d6c55297cd84df1b9a27
SHA512 9c2f77542873160674d4cbbba065d71a5b17f9e28752eb1beb6fa2ccd4e3bc7ed8d13b2eb1c5a932af428ec2f20729f1302677aa8a48d73199f98a831d324f79
-
Filesize
90KB
MD5 eeeba1ec5fb100cd86c4c28e718782a9
SHA1 6e4b3ebe49c4f990dea2c06295eea202f8fa3293
SHA256 4d575429535c51f1953613f817aef8fd5be54dd1b945ce884665f0715c53b4c5
SHA512 8452cb8b9e28e1fc2ea2d48cbf2d05812ce4d5c9364a50340f20ec7fd1efb33af33952f79367f1a73868ab8e2516686b024e15ebf9e8b3fba49b2d571717bd75
-
Filesize
90KB
MD5 0ce92e8b3ca5113749644d0b5c374c76
SHA1 1312c6aa2343a4c28708351664275032a73e283e
SHA256 c9cce07934ecb0d531928a954d9b555cc5dd01c315bb2517c9071325ee272bab
SHA512 39a29a9cb7d830ed7af580c3a38269d4f7883cce82e79ff76169a7c531d4f622e0cf50373684585c47a95924c700391123856e4710c8f0bd1963c16c4726285e
-
Filesize
90KB
MD5 ef0bf0197ffea8f688042d9bd84144c4
SHA1 b007f197d3123f760b2d4a0deca161539d768e4e
SHA256 6404db9cc9c0aeb784940f848caa805f888a14daa3215d13771defad9a90a31d
SHA512 9fddd9c2c4cb85c02337ea8b6370d1793a70148a154c7cafc87f0103da4d7d93fb0ee41d45eb9c7255feeadcdbe491b6c4e10495fea7a2b6286e058fd17f7ed4
-
Filesize
90KB
MD5 189538440d46f798fa2e5765be4f149e
SHA1 3cab64a9345962405e6b177175d340604647aa57
SHA256 bafb1baba6e54dd8446c28972383087f421030e342e4bbf69ea203f52884c3fd
SHA512 afa16c523e7d14ca9457280a5d770cc00d395cf1247fe8dcd334c2c9226673b5c4f8230ab877ddad1c8a14b377bfeff42996611d2182007bd43c88f10008e42a
-
Filesize
90KB
MD5 04a6deda8663b335400a3e1d4d6f35c9
SHA1 ba336be324630e92092ece6eed85b8f4609cfae2
SHA256 143dc6df1129e4e3d29363874eb4d1188a5575e3a00eeeacc013d2ee3ee92bf2
SHA512 aea43101c21d813bf690556b40d71a262ed76f8a03d18e32a9224ac92888a4468942ef2c5dc38e461804f25c892e6ec867bf163e961c75540f76a9459ee23b36