bc9f83267b454bce542d0ca8d3b26f7030451f5447f70f21c35cafdd8779ec13

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1344aae5288b723c9fff8f53679abaf0_NeikiAnalytics.exe
Size

60KB
MD5

1344aae5288b723c9fff8f53679abaf0
SHA1

f4e7bc505f932fdbcc98f1a33aec8571730122d1
SHA256

bc9f83267b454bce542d0ca8d3b26f7030451f5447f70f21c35cafdd8779ec13
SHA512

32fb367a335651a144517974f00e414acb9430e322afb2fc09535509c024d69ebe2512cd383db9e7d6b7aa0a7907ec01e4b2731d1da29459fb880413f2e15254
SSDEEP

768:vvw9816vhKQLroCq4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVd/:nEGh0oCqlwWMZQcpmgDagIyS1loL7Wr/

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBA59472-2099-405f-A6D3-F886E9E109D2}	{EA2FB165-685C-4875-AE85-2D47005480BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{512976BE-53FC-40b9-A79C-4876814837FD}	{2EFF98B5-A8B6-4191-8C1B-C4545C978F19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{512976BE-53FC-40b9-A79C-4876814837FD}\stubpath = "C:\\Windows\\{512976BE-53FC-40b9-A79C-4876814837FD}.exe"	{2EFF98B5-A8B6-4191-8C1B-C4545C978F19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}\stubpath = "C:\\Windows\\{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe"	{378264CF-D20C-422f-B472-88562796088A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}\stubpath = "C:\\Windows\\{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe"	{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4678D410-4E9B-4f7e-9B8E-89C49C31396A}	1344aae5288b723c9fff8f53679abaf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B839D09-6096-4dbd-B44A-356ED85DED52}	{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}	{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}	{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA2FB165-685C-4875-AE85-2D47005480BB}\stubpath = "C:\\Windows\\{EA2FB165-685C-4875-AE85-2D47005480BB}.exe"	{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{378264CF-D20C-422f-B472-88562796088A}	{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EFF98B5-A8B6-4191-8C1B-C4545C978F19}	{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}\stubpath = "C:\\Windows\\{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe"	{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4678D410-4E9B-4f7e-9B8E-89C49C31396A}\stubpath = "C:\\Windows\\{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe"	1344aae5288b723c9fff8f53679abaf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B839D09-6096-4dbd-B44A-356ED85DED52}\stubpath = "C:\\Windows\\{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe"	{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA2FB165-685C-4875-AE85-2D47005480BB}	{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBA59472-2099-405f-A6D3-F886E9E109D2}\stubpath = "C:\\Windows\\{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe"	{EA2FB165-685C-4875-AE85-2D47005480BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}	{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}	{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}\stubpath = "C:\\Windows\\{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe"	{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}\stubpath = "C:\\Windows\\{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe"	{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{378264CF-D20C-422f-B472-88562796088A}\stubpath = "C:\\Windows\\{378264CF-D20C-422f-B472-88562796088A}.exe"	{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}	{378264CF-D20C-422f-B472-88562796088A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EFF98B5-A8B6-4191-8C1B-C4545C978F19}\stubpath = "C:\\Windows\\{2EFF98B5-A8B6-4191-8C1B-C4545C978F19}.exe"	{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe

Executes dropped EXE 12 IoCs

pid	Process
4536	{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe
2464	{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe
2936	{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe
1752	{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe
1080	{EA2FB165-685C-4875-AE85-2D47005480BB}.exe
5008	{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe
3880	{378264CF-D20C-422f-B472-88562796088A}.exe
2228	{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe
2672	{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe
4768	{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe
4440	{2EFF98B5-A8B6-4191-8C1B-C4545C978F19}.exe
4780	{512976BE-53FC-40b9-A79C-4876814837FD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EA2FB165-685C-4875-AE85-2D47005480BB}.exe	{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe
File created	C:\Windows\{378264CF-D20C-422f-B472-88562796088A}.exe	{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe
File created	C:\Windows\{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe	{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe
File created	C:\Windows\{512976BE-53FC-40b9-A79C-4876814837FD}.exe	{2EFF98B5-A8B6-4191-8C1B-C4545C978F19}.exe
File created	C:\Windows\{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe	1344aae5288b723c9fff8f53679abaf0_NeikiAnalytics.exe
File created	C:\Windows\{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe	{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe
File created	C:\Windows\{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe	{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe
File created	C:\Windows\{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe	{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe
File created	C:\Windows\{2EFF98B5-A8B6-4191-8C1B-C4545C978F19}.exe	{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe
File created	C:\Windows\{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe	{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe
File created	C:\Windows\{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe	{EA2FB165-685C-4875-AE85-2D47005480BB}.exe
File created	C:\Windows\{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe	{378264CF-D20C-422f-B472-88562796088A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2576	1344aae5288b723c9fff8f53679abaf0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4536	{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe
Token: SeIncBasePriorityPrivilege	2464	{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe
Token: SeIncBasePriorityPrivilege	2936	{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe
Token: SeIncBasePriorityPrivilege	1752	{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe
Token: SeIncBasePriorityPrivilege	1080	{EA2FB165-685C-4875-AE85-2D47005480BB}.exe
Token: SeIncBasePriorityPrivilege	5008	{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe
Token: SeIncBasePriorityPrivilege	3880	{378264CF-D20C-422f-B472-88562796088A}.exe
Token: SeIncBasePriorityPrivilege	2228	{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe
Token: SeIncBasePriorityPrivilege	2672	{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe
Token: SeIncBasePriorityPrivilege	4768	{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe
Token: SeIncBasePriorityPrivilege	4440	{2EFF98B5-A8B6-4191-8C1B-C4545C978F19}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 4536	2576	1344aae5288b723c9fff8f53679abaf0_NeikiAnalytics.exe	88
PID 2576 wrote to memory of 4536	2576	1344aae5288b723c9fff8f53679abaf0_NeikiAnalytics.exe	88
PID 2576 wrote to memory of 4536	2576	1344aae5288b723c9fff8f53679abaf0_NeikiAnalytics.exe	88
PID 2576 wrote to memory of 2456	2576	1344aae5288b723c9fff8f53679abaf0_NeikiAnalytics.exe	89
PID 2576 wrote to memory of 2456	2576	1344aae5288b723c9fff8f53679abaf0_NeikiAnalytics.exe	89
PID 2576 wrote to memory of 2456	2576	1344aae5288b723c9fff8f53679abaf0_NeikiAnalytics.exe	89
PID 4536 wrote to memory of 2464	4536	{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe	90
PID 4536 wrote to memory of 2464	4536	{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe	90
PID 4536 wrote to memory of 2464	4536	{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe	90
PID 4536 wrote to memory of 2248	4536	{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe	91
PID 4536 wrote to memory of 2248	4536	{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe	91
PID 4536 wrote to memory of 2248	4536	{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe	91
PID 2464 wrote to memory of 2936	2464	{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe	93
PID 2464 wrote to memory of 2936	2464	{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe	93
PID 2464 wrote to memory of 2936	2464	{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe	93
PID 2464 wrote to memory of 1316	2464	{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe	94
PID 2464 wrote to memory of 1316	2464	{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe	94
PID 2464 wrote to memory of 1316	2464	{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe	94
PID 2936 wrote to memory of 1752	2936	{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe	95
PID 2936 wrote to memory of 1752	2936	{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe	95
PID 2936 wrote to memory of 1752	2936	{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe	95
PID 2936 wrote to memory of 4940	2936	{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe	96
PID 2936 wrote to memory of 4940	2936	{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe	96
PID 2936 wrote to memory of 4940	2936	{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe	96
PID 1752 wrote to memory of 1080	1752	{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe	97
PID 1752 wrote to memory of 1080	1752	{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe	97
PID 1752 wrote to memory of 1080	1752	{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe	97
PID 1752 wrote to memory of 4088	1752	{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe	98
PID 1752 wrote to memory of 4088	1752	{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe	98
PID 1752 wrote to memory of 4088	1752	{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe	98
PID 1080 wrote to memory of 5008	1080	{EA2FB165-685C-4875-AE85-2D47005480BB}.exe	99
PID 1080 wrote to memory of 5008	1080	{EA2FB165-685C-4875-AE85-2D47005480BB}.exe	99
PID 1080 wrote to memory of 5008	1080	{EA2FB165-685C-4875-AE85-2D47005480BB}.exe	99
PID 1080 wrote to memory of 996	1080	{EA2FB165-685C-4875-AE85-2D47005480BB}.exe	100
PID 1080 wrote to memory of 996	1080	{EA2FB165-685C-4875-AE85-2D47005480BB}.exe	100
PID 1080 wrote to memory of 996	1080	{EA2FB165-685C-4875-AE85-2D47005480BB}.exe	100
PID 5008 wrote to memory of 3880	5008	{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe	101
PID 5008 wrote to memory of 3880	5008	{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe	101
PID 5008 wrote to memory of 3880	5008	{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe	101
PID 5008 wrote to memory of 3904	5008	{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe	102
PID 5008 wrote to memory of 3904	5008	{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe	102
PID 5008 wrote to memory of 3904	5008	{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe	102
PID 3880 wrote to memory of 2228	3880	{378264CF-D20C-422f-B472-88562796088A}.exe	103
PID 3880 wrote to memory of 2228	3880	{378264CF-D20C-422f-B472-88562796088A}.exe	103
PID 3880 wrote to memory of 2228	3880	{378264CF-D20C-422f-B472-88562796088A}.exe	103
PID 3880 wrote to memory of 3632	3880	{378264CF-D20C-422f-B472-88562796088A}.exe	104
PID 3880 wrote to memory of 3632	3880	{378264CF-D20C-422f-B472-88562796088A}.exe	104
PID 3880 wrote to memory of 3632	3880	{378264CF-D20C-422f-B472-88562796088A}.exe	104
PID 2228 wrote to memory of 2672	2228	{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe	105
PID 2228 wrote to memory of 2672	2228	{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe	105
PID 2228 wrote to memory of 2672	2228	{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe	105
PID 2228 wrote to memory of 1668	2228	{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe	106
PID 2228 wrote to memory of 1668	2228	{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe	106
PID 2228 wrote to memory of 1668	2228	{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe	106
PID 2672 wrote to memory of 4768	2672	{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe	107
PID 2672 wrote to memory of 4768	2672	{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe	107
PID 2672 wrote to memory of 4768	2672	{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe	107
PID 2672 wrote to memory of 3300	2672	{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe	108
PID 2672 wrote to memory of 3300	2672	{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe	108
PID 2672 wrote to memory of 3300	2672	{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe	108
PID 4768 wrote to memory of 4440	4768	{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe	109
PID 4768 wrote to memory of 4440	4768	{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe	109
PID 4768 wrote to memory of 4440	4768	{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe	109
PID 4768 wrote to memory of 4876	4768	{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe	110

C:\Users\Admin\AppData\Local\Temp\1344aae5288b723c9fff8f53679abaf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1344aae5288b723c9fff8f53679abaf0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe
  C:\Windows\{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe
    C:\Windows\{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe
      C:\Windows\{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe
        
        C:\Windows\{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\{EA2FB165-685C-4875-AE85-2D47005480BB}.exe
        
        C:\Windows\{EA2FB165-685C-4875-AE85-2D47005480BB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe
        
        C:\Windows\{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\{378264CF-D20C-422f-B472-88562796088A}.exe
        
        C:\Windows\{378264CF-D20C-422f-B472-88562796088A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe
        
        C:\Windows\{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe
        
        C:\Windows\{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe
        
        C:\Windows\{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\{2EFF98B5-A8B6-4191-8C1B-C4545C978F19}.exe
        
        C:\Windows\{2EFF98B5-A8B6-4191-8C1B-C4545C978F19}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
        
        C:\Windows\{512976BE-53FC-40b9-A79C-4876814837FD}.exe
        
        C:\Windows\{512976BE-53FC-40b9-A79C-4876814837FD}.exe
        13⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EFF9~1.EXE > nul
        13⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEE6D~1.EXE > nul
        12⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5BC3~1.EXE > nul
        11⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFCB1~1.EXE > nul
        10⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37826~1.EXE > nul
        9⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBA59~1.EXE > nul
        8⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA2FB~1.EXE > nul
        7⤵
        
        PID:996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4F3E~1.EXE > nul
        6⤵
        
        PID:4088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC8CB~1.EXE > nul
        5⤵
        
        PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7B839~1.EXE > nul
      4⤵
      PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4678D~1.EXE > nul
    3⤵
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1344AA~1.EXE > nul
  2⤵
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2EFF98B5-A8B6-4191-8C1B-C4545C978F19}.exe

Filesize
60KB

MD5
22ee8b47193c3dfcc6b0a4776c265992

SHA1
3d57e31f80a84cf04f40ac9e968f12801ec8c5c0

SHA256
a9cc8920116ecbd1fa2101b6b6aa5d10db7b8c6007481a4398922f4f63234788

SHA512
aec3f3dfebe602b36a7f2514899582030e7f57faf6ea15d06d8a56eaaaef2f630c4e197fb290174eebaa9f6eb6bd1a6b83fccc1099c918c2936f17b99876d11f

Download Submit
C:\Windows\{378264CF-D20C-422f-B472-88562796088A}.exe

Filesize
60KB

MD5
7ee420708e9bd8b946c10c7531ca1212

SHA1
7053c5ef3b0a30e857ce1cbfebd98cabe2f8d0fd

SHA256
8a374869fa5624cdce7d6c8b7a7f36cc207810be84bb0415b207081aaf44e4f9

SHA512
d4bb7e0373a45dc72f3fd57f9c980f000e4b372fd61cf3c17d17fc78ef1a1ff9e292bc37d283cae36ba110e8c9734cfc554aba69c3db1ccfb23a311de4541f0f

Download Submit
C:\Windows\{4678D410-4E9B-4f7e-9B8E-89C49C31396A}.exe

Filesize
60KB

MD5
5c631143c5627711bd6ffc776acbbc64

SHA1
59a00ced903213f72ae13af42cee64e64b07a802

SHA256
6cfd4edaf23bc89bdfef1b94a2ec5d6c0d04a5ee971dcfbfd299e9bd65fa29a3

SHA512
3399113c75cfafd26ce5d14f0b6b38bf2892bdeaad46945fea7bcda23f502b2b53b8137ed601aed64a1cd8d5b7104c77529e8794d42396c2569284cf404e7921

Download Submit
C:\Windows\{512976BE-53FC-40b9-A79C-4876814837FD}.exe

Filesize
60KB

MD5
23fe4969909f5060e33e8a39b0499917

SHA1
c13ea30fb5cbf14bd9773042082ecd9b3505aa28

SHA256
9517aa397a5f32979de94236c8273c5fc486fc5747b541015ba1d98dc62a2546

SHA512
28bd5de3e5ed20498aa6655dec093633684b8531484aff2cf1d53a58775a669d742d7ed15572c396c2e689ec8273cc2def7d0a4f0e2ad403185dcaad94cb0690

Download Submit
C:\Windows\{7B839D09-6096-4dbd-B44A-356ED85DED52}.exe

Filesize
60KB

MD5
20504a0144fa5a3bac9ac6dd04b47bc7

SHA1
cb45af3e1ff0206b4bbc7ff343171661235a23fe

SHA256
eebb10baafcee4b38123e8568fefe941e64a093c880e569bb16a7b40e9ac6b71

SHA512
790ff5d6872d67aca9f07da32467c94961a007e3e75aaf59f8013c3718127e56dc7fc0301846bfd0cd028deebc37887ffad05c547fb837c40f1907650e3da23c

Download Submit
C:\Windows\{A4F3E91A-E11C-4b27-9BBC-799CD77B36DE}.exe

Filesize
60KB

MD5
1167d20e6f54c0feb413a68cff0e6835

SHA1
ca2e4038ce84b11876a465c171af004bd45baa9a

SHA256
c7899977bd0ced82b804f94b4f23f230720d7c0cda699e02c9cec0d8f36b9af3

SHA512
5cca424a1ab8a83828e26ec440fb1f5a77c76f0ef5b7df9044820d0fd72a2aaaf5a4ce99055c5baa20f0d395d17695f3fd4f740a0cbca30822314918965efe85

Download Submit
C:\Windows\{BEE6D01D-B53B-4d7f-A85F-4FD9A7132391}.exe

Filesize
60KB

MD5
e50814f895d9a51824e18302de53ef99

SHA1
249c251db6e26cf76fffb97990487239fffc4fc2

SHA256
bcb8605112d94fcbdd2220aa3aa86408e5d0c78fdb263adc2883695da54f738f

SHA512
d5fb7ce4f7d3039361b89ed89c60c595cebc27c3519d8d18fbd65e1d82655aacc6e6950f8552f1cc6710d09b75172f94a9edf8294da8e4b3fde4486410672a00

Download Submit
C:\Windows\{BFCB1734-450D-4ca1-817D-72E98F2B9F1C}.exe

Filesize
60KB

MD5
ca64641e96fd0e5c22e06b30b64fd0ec

SHA1
d4393e40887407eb6ad37edbbb9b5a2a2801ef34

SHA256
8eed3f081a6bcb54f49e4286a0577ae9209452958ae7a8b728f6b28d1305cfba

SHA512
9f459b1e649a0e0446689d72a8ea0aaf0b15c3635e3705bd0c2006543dd61800ded368c285ae154d5108743b7039f51fc51875df5a78383ef5d6130271bceb7b

Download Submit
C:\Windows\{DBA59472-2099-405f-A6D3-F886E9E109D2}.exe

Filesize
60KB

MD5
6781a1a680c51a31ce052f6888651812

SHA1
f010c408b4638f7f13ce4e52dc6b1eefa38fbd66

SHA256
bf91d6384c520f8dba14423f0a9bb2fbd83cc34ca306c9d91cc9d3c184702620

SHA512
2769846357f46be078f58e20226b84a36cb378eb5960beae461c8c4b759bec74eda3e24c7d6a2be6b3e2695c142e64ba8dc5bd65df555afe6fc7c7961fd4734e

Download Submit
C:\Windows\{E5BC347E-8B64-45f9-A322-8F9B2C398A9F}.exe

Filesize
60KB

MD5
11cfce3d85f02a1200aa7419c30116c2

SHA1
d960e0c9f3a970c822cbee035f9ee62d541901c4

SHA256
e34600614bcbd1fee761a1fb31ccca599fd176a0c0806f837c2bff5bb58fb7fa

SHA512
73ad72aadcc4dafd705275335b6d4f4816ea13c20f5f69a71148e6d09be4d57a5efef2063d7560cdb20b491678e98321caa67c72b9eab301fd195ffd7f170167

Download Submit
C:\Windows\{EA2FB165-685C-4875-AE85-2D47005480BB}.exe

Filesize
60KB

MD5
90ca10903ca2864160965b1998991e65

SHA1
f2d74feaeb1f05aaf3bf6f6584a29c40ef0e9a6d

SHA256
3d488ba543155155732377afe92fd83250ec62b04b40a5aca71e9452186f1b9f

SHA512
8c219f62ea4be565113782cda308e5075251871e3917254a85be68dffa1968a3cbbb92781cbe04d99e9f4a014a70eea9a8a0abc1df93df930efeda2b694e2c61

Download Submit
C:\Windows\{EC8CBE5C-9D5B-4a3e-8B71-83D6C9D29BAE}.exe

Filesize
60KB

MD5
221e3c12d1bc5d6c6c4432aa4faaf72c

SHA1
de404c47b50062295ec32eb3bf9772ea6fb64717

SHA256
13e82a9e0f9a5305de0c04586c04531b1cfdc8defc3a0d01fce5408713a4e7bb

SHA512
38bef15f6abd1697f040351b34360d43416f52161a3879ee932121bf8f522d0a3549cfd17d1da54209f7615df2abfbef3520472d7ba8695f4ba0dc3f3313bca3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads