29e77c171cb98f383b5832906eb8e5ac43227ef0bf966adaa137cd3b476ce39f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe
Size

64KB
MD5

86873cd458b3b51982b3b158a1c25fb0
SHA1

b46fc369ef55caf3b0301a6144a490d6704b0200
SHA256

29e77c171cb98f383b5832906eb8e5ac43227ef0bf966adaa137cd3b476ce39f
SHA512

b69f3555a75cdb0654e30bbb092aa51028d21899e9e21c3b6aaae050f865558966ce897ddbb3c8f2cfea9d1b0e5d2b361f34b24d89783012057f8a8b5a8c464a
SSDEEP

384:ObLwOs8AHsc4HMPwhKQLroE4/CFsrdHWMZw:Ovw981xvhKQLroE4/wQpWMZw

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}\stubpath = "C:\\Windows\\{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe"	{678538DA-6096-4fdc-9513-1881383B3C15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}\stubpath = "C:\\Windows\\{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe"	{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DE82D16-E20D-4766-83A3-CB3AC8105E38}\stubpath = "C:\\Windows\\{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe"	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}	{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}\stubpath = "C:\\Windows\\{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe"	{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{678538DA-6096-4fdc-9513-1881383B3C15}	{F14D6574-F4EC-4d80-A150-06D731200995}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{678538DA-6096-4fdc-9513-1881383B3C15}\stubpath = "C:\\Windows\\{678538DA-6096-4fdc-9513-1881383B3C15}.exe"	{F14D6574-F4EC-4d80-A150-06D731200995}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}	{678538DA-6096-4fdc-9513-1881383B3C15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8996FF60-2982-491a-8E6E-94CA83D80DD9}	{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8996FF60-2982-491a-8E6E-94CA83D80DD9}\stubpath = "C:\\Windows\\{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe"	{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{195481B5-2563-4949-8109-81C0246D345A}\stubpath = "C:\\Windows\\{195481B5-2563-4949-8109-81C0246D345A}.exe"	{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8053A27A-4C09-4865-9510-8696E0C51984}	{BC940575-2B42-4fe0-BBAC-8E7865213244}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DE82D16-E20D-4766-83A3-CB3AC8105E38}	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}	{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{195481B5-2563-4949-8109-81C0246D345A}	{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC940575-2B42-4fe0-BBAC-8E7865213244}	{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F14D6574-F4EC-4d80-A150-06D731200995}	{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F14D6574-F4EC-4d80-A150-06D731200995}\stubpath = "C:\\Windows\\{F14D6574-F4EC-4d80-A150-06D731200995}.exe"	{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC940575-2B42-4fe0-BBAC-8E7865213244}\stubpath = "C:\\Windows\\{BC940575-2B42-4fe0-BBAC-8E7865213244}.exe"	{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8053A27A-4C09-4865-9510-8696E0C51984}\stubpath = "C:\\Windows\\{8053A27A-4C09-4865-9510-8696E0C51984}.exe"	{BC940575-2B42-4fe0-BBAC-8E7865213244}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}\stubpath = "C:\\Windows\\{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe"	{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}	{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}	{195481B5-2563-4949-8109-81C0246D345A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}\stubpath = "C:\\Windows\\{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe"	{195481B5-2563-4949-8109-81C0246D345A}.exe

Executes dropped EXE 12 IoCs

pid	Process
2168	{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe
2108	{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe
320	{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe
4760	{F14D6574-F4EC-4d80-A150-06D731200995}.exe
3972	{678538DA-6096-4fdc-9513-1881383B3C15}.exe
2060	{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe
1576	{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe
4664	{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe
2552	{195481B5-2563-4949-8109-81C0246D345A}.exe
4524	{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe
5092	{BC940575-2B42-4fe0-BBAC-8E7865213244}.exe
2912	{8053A27A-4C09-4865-9510-8696E0C51984}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe	{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe
File created	C:\Windows\{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe	{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe
File created	C:\Windows\{F14D6574-F4EC-4d80-A150-06D731200995}.exe	{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe
File created	C:\Windows\{678538DA-6096-4fdc-9513-1881383B3C15}.exe	{F14D6574-F4EC-4d80-A150-06D731200995}.exe
File created	C:\Windows\{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe	{678538DA-6096-4fdc-9513-1881383B3C15}.exe
File created	C:\Windows\{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe	{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe
File created	C:\Windows\{195481B5-2563-4949-8109-81C0246D345A}.exe	{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe
File created	C:\Windows\{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe	{195481B5-2563-4949-8109-81C0246D345A}.exe
File created	C:\Windows\{BC940575-2B42-4fe0-BBAC-8E7865213244}.exe	{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe
File created	C:\Windows\{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe
File created	C:\Windows\{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe	{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe
File created	C:\Windows\{8053A27A-4C09-4865-9510-8696E0C51984}.exe	{BC940575-2B42-4fe0-BBAC-8E7865213244}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2004	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2168	{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe
Token: SeIncBasePriorityPrivilege	2108	{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe
Token: SeIncBasePriorityPrivilege	320	{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe
Token: SeIncBasePriorityPrivilege	4760	{F14D6574-F4EC-4d80-A150-06D731200995}.exe
Token: SeIncBasePriorityPrivilege	3972	{678538DA-6096-4fdc-9513-1881383B3C15}.exe
Token: SeIncBasePriorityPrivilege	2060	{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe
Token: SeIncBasePriorityPrivilege	1576	{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe
Token: SeIncBasePriorityPrivilege	4664	{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe
Token: SeIncBasePriorityPrivilege	2552	{195481B5-2563-4949-8109-81C0246D345A}.exe
Token: SeIncBasePriorityPrivilege	4524	{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe
Token: SeIncBasePriorityPrivilege	5092	{BC940575-2B42-4fe0-BBAC-8E7865213244}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2168	2004	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	88
PID 2004 wrote to memory of 2168	2004	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	88
PID 2004 wrote to memory of 2168	2004	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	88
PID 2004 wrote to memory of 652	2004	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	89
PID 2004 wrote to memory of 652	2004	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	89
PID 2004 wrote to memory of 652	2004	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	89
PID 2168 wrote to memory of 2108	2168	{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe	90
PID 2168 wrote to memory of 2108	2168	{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe	90
PID 2168 wrote to memory of 2108	2168	{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe	90
PID 2168 wrote to memory of 2884	2168	{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe	91
PID 2168 wrote to memory of 2884	2168	{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe	91
PID 2168 wrote to memory of 2884	2168	{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe	91
PID 2108 wrote to memory of 320	2108	{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe	93
PID 2108 wrote to memory of 320	2108	{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe	93
PID 2108 wrote to memory of 320	2108	{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe	93
PID 2108 wrote to memory of 3596	2108	{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe	94
PID 2108 wrote to memory of 3596	2108	{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe	94
PID 2108 wrote to memory of 3596	2108	{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe	94
PID 320 wrote to memory of 4760	320	{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe	95
PID 320 wrote to memory of 4760	320	{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe	95
PID 320 wrote to memory of 4760	320	{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe	95
PID 320 wrote to memory of 2152	320	{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe	96
PID 320 wrote to memory of 2152	320	{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe	96
PID 320 wrote to memory of 2152	320	{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe	96
PID 4760 wrote to memory of 3972	4760	{F14D6574-F4EC-4d80-A150-06D731200995}.exe	97
PID 4760 wrote to memory of 3972	4760	{F14D6574-F4EC-4d80-A150-06D731200995}.exe	97
PID 4760 wrote to memory of 3972	4760	{F14D6574-F4EC-4d80-A150-06D731200995}.exe	97
PID 4760 wrote to memory of 1868	4760	{F14D6574-F4EC-4d80-A150-06D731200995}.exe	98
PID 4760 wrote to memory of 1868	4760	{F14D6574-F4EC-4d80-A150-06D731200995}.exe	98
PID 4760 wrote to memory of 1868	4760	{F14D6574-F4EC-4d80-A150-06D731200995}.exe	98
PID 3972 wrote to memory of 2060	3972	{678538DA-6096-4fdc-9513-1881383B3C15}.exe	99
PID 3972 wrote to memory of 2060	3972	{678538DA-6096-4fdc-9513-1881383B3C15}.exe	99
PID 3972 wrote to memory of 2060	3972	{678538DA-6096-4fdc-9513-1881383B3C15}.exe	99
PID 3972 wrote to memory of 2660	3972	{678538DA-6096-4fdc-9513-1881383B3C15}.exe	100
PID 3972 wrote to memory of 2660	3972	{678538DA-6096-4fdc-9513-1881383B3C15}.exe	100
PID 3972 wrote to memory of 2660	3972	{678538DA-6096-4fdc-9513-1881383B3C15}.exe	100
PID 2060 wrote to memory of 1576	2060	{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe	101
PID 2060 wrote to memory of 1576	2060	{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe	101
PID 2060 wrote to memory of 1576	2060	{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe	101
PID 2060 wrote to memory of 1260	2060	{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe	102
PID 2060 wrote to memory of 1260	2060	{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe	102
PID 2060 wrote to memory of 1260	2060	{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe	102
PID 1576 wrote to memory of 4664	1576	{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe	103
PID 1576 wrote to memory of 4664	1576	{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe	103
PID 1576 wrote to memory of 4664	1576	{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe	103
PID 1576 wrote to memory of 1652	1576	{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe	104
PID 1576 wrote to memory of 1652	1576	{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe	104
PID 1576 wrote to memory of 1652	1576	{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe	104
PID 4664 wrote to memory of 2552	4664	{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe	105
PID 4664 wrote to memory of 2552	4664	{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe	105
PID 4664 wrote to memory of 2552	4664	{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe	105
PID 4664 wrote to memory of 4580	4664	{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe	106
PID 4664 wrote to memory of 4580	4664	{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe	106
PID 4664 wrote to memory of 4580	4664	{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe	106
PID 2552 wrote to memory of 4524	2552	{195481B5-2563-4949-8109-81C0246D345A}.exe	107
PID 2552 wrote to memory of 4524	2552	{195481B5-2563-4949-8109-81C0246D345A}.exe	107
PID 2552 wrote to memory of 4524	2552	{195481B5-2563-4949-8109-81C0246D345A}.exe	107
PID 2552 wrote to memory of 936	2552	{195481B5-2563-4949-8109-81C0246D345A}.exe	108
PID 2552 wrote to memory of 936	2552	{195481B5-2563-4949-8109-81C0246D345A}.exe	108
PID 2552 wrote to memory of 936	2552	{195481B5-2563-4949-8109-81C0246D345A}.exe	108
PID 4524 wrote to memory of 5092	4524	{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe	109
PID 4524 wrote to memory of 5092	4524	{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe	109
PID 4524 wrote to memory of 5092	4524	{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe	109
PID 4524 wrote to memory of 2308	4524	{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe	110

C:\Users\Admin\AppData\Local\Temp\86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe
  C:\Windows\{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe
    C:\Windows\{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe
      C:\Windows\{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Windows\{F14D6574-F4EC-4d80-A150-06D731200995}.exe
        
        C:\Windows\{F14D6574-F4EC-4d80-A150-06D731200995}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
      - C:\Windows\{678538DA-6096-4fdc-9513-1881383B3C15}.exe
        
        C:\Windows\{678538DA-6096-4fdc-9513-1881383B3C15}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe
        
        C:\Windows\{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe
        
        C:\Windows\{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe
        
        C:\Windows\{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\{195481B5-2563-4949-8109-81C0246D345A}.exe
        
        C:\Windows\{195481B5-2563-4949-8109-81C0246D345A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe
        
        C:\Windows\{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\{BC940575-2B42-4fe0-BBAC-8E7865213244}.exe
        
        C:\Windows\{BC940575-2B42-4fe0-BBAC-8E7865213244}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Windows\{8053A27A-4C09-4865-9510-8696E0C51984}.exe
        
        C:\Windows\{8053A27A-4C09-4865-9510-8696E0C51984}.exe
        13⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC940~1.EXE > nul
        13⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADA8A~1.EXE > nul
        12⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19548~1.EXE > nul
        11⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8996F~1.EXE > nul
        10⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4E25~1.EXE > nul
        9⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CFA3~1.EXE > nul
        8⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67853~1.EXE > nul
        7⤵
        
        PID:2660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F14D6~1.EXE > nul
        6⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBF65~1.EXE > nul
        5⤵
        
        PID:2152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B4940~1.EXE > nul
      4⤵
      PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7DE82~1.EXE > nul
    3⤵
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\86873C~1.EXE > nul
  2⤵
  PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{195481B5-2563-4949-8109-81C0246D345A}.exe

Filesize
64KB

MD5
c070453a3db7c406b11f8c41bf24aca6

SHA1
b9990d197112d423a4a5b83fef3c6bcf73cccaf1

SHA256
4f858fad569da0cb6db2adb6378405e7dd7b1e663a046f7f1c29ef75c06012f6

SHA512
7246dc0c144c887fef679dd90ebf408dfe8877314952287162ff89f1a045c59b6260447c93a77ec73fa512f1f892f101e3d2adce09de51d58273d7b496d1b319

Download Submit
C:\Windows\{678538DA-6096-4fdc-9513-1881383B3C15}.exe

Filesize
64KB

MD5
1ad82a6ae8bf089f345ce31044e2123d

SHA1
3d2aa80661f4dfd5188f428cf7b7548e61f816da

SHA256
b691031daae0d49f99f6e2911f3753f5c5a924042d7bef1d821003379c79ba69

SHA512
144a4fe41ab2ac376c8c6673a1f6ae46edfb554c90db59e7b20d7144771e7a4815379cc78e02bd690450501ca00ac6c2e0e04ff2cb62decc7ecb18aaf9e10f6a

Download Submit
C:\Windows\{7DE82D16-E20D-4766-83A3-CB3AC8105E38}.exe

Filesize
64KB

MD5
c6556d83211d6d82964f6a18f1f12b13

SHA1
a577b853e3eae1e46a172dcac9a3b2af90d44e7d

SHA256
5b055ff87b540e94eba438df79c918f1fba96e952d20a78f2e2d08d375cddfc3

SHA512
59c26e181796346eb4fa3fa459bfd02f3dbb5be1e849caa3795d32d0369051d31cab48d58c951fa073b664483f35f7a9c687b8db58807af1b9fd7bc683ef5bf9

Download Submit
C:\Windows\{8053A27A-4C09-4865-9510-8696E0C51984}.exe

Filesize
64KB

MD5
ce8d7821270c47b46f2813133d90548e

SHA1
e413defe8d13f320c700e70b1512775ceb5dc744

SHA256
d9adf2096e2a20d7a430c9320390bd271067acaf221f03287e977b9a1c5d1e4d

SHA512
bb54925821590076b65a17b76acfa3ed6e6070f59c42a56122c4c8b644b1c881e948b9f25c60c071c445515afc8aef2b2fe0d2e86426e337159fdfadb121b484

Download Submit
C:\Windows\{8996FF60-2982-491a-8E6E-94CA83D80DD9}.exe

Filesize
64KB

MD5
c82fc52e9ab364a728115800fabb80a0

SHA1
b0224d0e2cc06ef52de6f01fd4f306bf11bd1fad

SHA256
e089160bde5284ab0b2e5b6455b2a272931a6b7d5e993205d2c097279a85253b

SHA512
435b6d38c8c0ed8fe8f16c6991170799b6a63878ef02f3cdaa32ff6d0110ec541f273dc69b83064fe5c507af61cdc43011203888b63533f1756f617076e60b10

Download Submit
C:\Windows\{9CFA35E7-B3B1-4393-B97C-0DB8DCC20C2E}.exe

Filesize
64KB

MD5
367dd9f323c49d236b705fbde58425ee

SHA1
2ae44be0c64721e24cca6408210cc2584d1475ff

SHA256
718104d31fbf453d330e96a841adccbc214e3d1db8a8e8764050fcc83212e5b8

SHA512
6c1d6200efb1ddf426331c6a80c974fc210761b56590277f4e96f125963486590c1799ba50b8c6f7ae56ef92df2ff32561a1354d3fabb794789f6dbcc486ad29

Download Submit
C:\Windows\{ADA8A4E0-B4BC-4d1b-A8EA-E86F75DCBCC9}.exe

Filesize
64KB

MD5
037baec417b810528f3df4a7e5d96c67

SHA1
6da88f7d35d1fce52d53b5e57f0fbacf925534c4

SHA256
7b987edb145fa41e60e5d6174fca0a7d34e85793d79d2a076e84a937a6dfecd5

SHA512
7944485f1b0216afe2ebf179da2ec93df3012a34b1ffb681270921bd6a4cd20eb35d4dee4bd53163a32475cb040037822fbcc5f7cf37c8f86cb69edd69c3652a

Download Submit
C:\Windows\{B4940F7B-22F0-48ff-92B7-8F51EE8A25A4}.exe

Filesize
64KB

MD5
2725b9239598317657628176e6c08557

SHA1
80bfc93b8472c3e8db0612a5addc12735d2d466d

SHA256
9a0665dd840819b9275ed3325db25b03c249957ebd915773fb2e8a4a343d0f60

SHA512
5bf4235a8de3fdb5a6d3b356b8023c359c9d70f96cd13159de9e14de23a1856cf7239d38089cb3aa16e963b97fc8aaff5f1a6b5eed98186490e9ef93ec39b356

Download Submit
C:\Windows\{BC940575-2B42-4fe0-BBAC-8E7865213244}.exe

Filesize
64KB

MD5
da0a8aeda5b83d3ba882cb1e1f321e4f

SHA1
1894caaea29948f993a3a56d6927e45ba09d012d

SHA256
050d2400fcd6abf9b350c9f67089c0aae08a9fe78060702239b0eb62313844ed

SHA512
9d1c82bba40f9dfbc9e99e7179d5d19b2fac9f3f6e045948e95436eea9e5a4936a5868e3a159010955beef02dcfd0af5ffc700e537ec4035dee236c399cd3791

Download Submit
C:\Windows\{CBF657CB-37F4-4ab8-A6CA-5A03B3EA35A2}.exe

Filesize
64KB

MD5
1bfbfd5b2a26d96b144f6a5c29889eda

SHA1
38f20208f90b042e9f22f8a0270d86b6c582cf5c

SHA256
9f01b845f5e8c7d7efafb817044a8e0b8fec130ad7961bf20ac238e876b91926

SHA512
85522f20f0cfea6de13875ad66f09f382055e9f25b2caa55381566f73466e52f53e69be863234f6e7878d44208657904bc79b0d1e78ba1c8a3a696c480a68e94

Download Submit
C:\Windows\{D4E2527C-FBFE-4659-BBFD-B47D08E8AECF}.exe

Filesize
64KB

MD5
495481eae055f0e28b2d69e4d645a85a

SHA1
696ad4b520dd81f514c41cbfb4e60a8fb3465453

SHA256
dd1a0666c0dfb2d85d754c7ecba2bcdddd9113bca07a08abf5770c9fbe04fbf0

SHA512
ddd24117f8e3eadcbb2565416f925cfcd905f0523d6cdd51d08689e35fa73fe82dc1f4051dad543d1a92d014abc0dd29373be5bd2a39a09eef0f5b1c1504451d

Download Submit
C:\Windows\{F14D6574-F4EC-4d80-A150-06D731200995}.exe

Filesize
64KB

MD5
eaca1cee5905189991ba251a96d45237

SHA1
48eebb99b24acee1c857b59b21a7053e12e761a1

SHA256
fa989ab01bc5b3c71ae8f618b4a4b54d8a42a76fa9218923247bfb5ea9b23f9e

SHA512
d2ad7fc3ed06bd697c32fe557b43ca2aca43cd922f5db7881dd380e88ad8914ff141ec1effd9629e7e8fdfe9891864ded160db9098f3a73ff491bd164ab581e4

Download Submit
memory/320-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/320-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1576-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1576-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2004-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2004-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2060-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2060-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2108-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2108-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2168-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2168-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2552-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2552-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2912-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3972-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4524-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4664-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4664-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4760-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4760-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5092-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5092-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads