Analysis
- max time kernel: 144s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02/06/2024, 04:53

Static task: static1

Behavioral task: behavioral1
- Sample: 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en

General
- Target: 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe
- Size: 90KB
- MD5: 3a5da7c21cb387512051c924cc484430
- SHA1: 9d952fdc523e88570edf71fb68f43ee6be13a86f
- SHA256: af0def80b3c5accef3c73ee79df6f8026f125469a0037290efa229c1c6efc7db
- SHA512: 5e41ee35b4ff3862bb5eefb99c85defd33f42ea58fcfb0b314c9026d26956df5237e7e2f667119eedc3892e0539e1cabaa287d971f950ecb476182b380104c59
- SSDEEP: 768:Qvw9816vhKQLrog4/wQRNrfrunMxVFA3b7glws:YEGh0ogl2unMxVS3Hgz
Malware Config
Signatures

Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94} | {AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}\stubpath = "C:\\Windows\\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe" | {AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}\stubpath = "C:\\Windows\\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe" | {A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}\stubpath = "C:\\Windows\\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe" | {C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}\stubpath = "C:\\Windows\\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}.exe" | {6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88} | {C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D78C804C-8D22-49f9-9EA4-3F9FB384C933} | {6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB} | 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1} | {C46E71A3-8097-4903-A697-120E23F9A7CA}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}\stubpath = "C:\\Windows\\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe" | {C46E71A3-8097-4903-A697-120E23F9A7CA}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3} | {ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}\stubpath = "C:\\Windows\\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe" | {ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C41F3C5A-B732-4dd8-AB90-CD100D653489}\stubpath = "C:\\Windows\\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe" | {C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383F0D35-F2BA-4048-AE81-4F43CB80E89E} | {2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}\stubpath = "C:\\Windows\\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe" | {2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123} | {6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}\stubpath = "C:\\Windows\\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe" | 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C46E71A3-8097-4903-A697-120E23F9A7CA} | {383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C46E71A3-8097-4903-A697-120E23F9A7CA}\stubpath = "C:\\Windows\\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe" | {383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}\stubpath = "C:\\Windows\\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe" | {6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7F69F1D-C77E-4b28-B290-1814B884E1AA} | {A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C41F3C5A-B732-4dd8-AB90-CD100D653489} | {C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe |
Executes dropped EXE (11 IoCs)

| pid | Process |
|---|---|
| 2960 | {2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe |
| 2660 | {383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe |
| 2504 | {C46E71A3-8097-4903-A697-120E23F9A7CA}.exe |
| 2248 | {AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe |
| 2436 | {6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe |
| 1744 | {ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe |
| 1636 | {A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe |
| 284 | {C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe |
| 1160 | {C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe |
| 604 | {6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe |
| 1792 | {D78C804C-8D22-49f9-9EA4-3F9FB384C933}.exe |
Drops file in Windows directory (11 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}.exe | {6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe |
| File created | C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe | 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe |
| File created | C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe | {383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe |
| File created | C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe | {C46E71A3-8097-4903-A697-120E23F9A7CA}.exe |
| File created | C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe | {6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe |
| File created | C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe | {C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe |
| File created | C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe | {C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe |
| File created | C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe | {2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe |
| File created | C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe | {AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe |
| File created | C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe | {ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe |
| File created | C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe | {A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe |
Suspicious use of AdjustPrivilegeToken (11 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 2164 | 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe |
| Token: SeIncBasePriorityPrivilege | 2960 | {2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe |
| Token: SeIncBasePriorityPrivilege | 2660 | {383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe |
| Token: SeIncBasePriorityPrivilege | 2504 | {C46E71A3-8097-4903-A697-120E23F9A7CA}.exe |
| Token: SeIncBasePriorityPrivilege | 2248 | {AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe |
| Token: SeIncBasePriorityPrivilege | 2436 | {6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe |
| Token: SeIncBasePriorityPrivilege | 1744 | {ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe |
| Token: SeIncBasePriorityPrivilege | 1636 | {A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe |
| Token: SeIncBasePriorityPrivilege | 284 | {C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe |
| Token: SeIncBasePriorityPrivilege | 1160 | {C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe |
| Token: SeIncBasePriorityPrivilege | 604 | {6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2164 wrote to memory of 2960 | 2164 | 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe | 28 |
| PID 2164 wrote to memory of 2960 | 2164 | 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe | 28 |
| PID 2164 wrote to memory of 2960 | 2164 | 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe | 28 |
| PID 2164 wrote to memory of 2960 | 2164 | 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe | 28 |
| PID 2164 wrote to memory of 2516 | 2164 | 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe | 29 |
| PID 2164 wrote to memory of 2516 | 2164 | 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe | 29 |
| PID 2164 wrote to memory of 2516 | 2164 | 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe | 29 |
| PID 2164 wrote to memory of 2516 | 2164 | 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe | 29 |
| PID 2960 wrote to memory of 2660 | 2960 | {2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe | 30 |
| PID 2960 wrote to memory of 2660 | 2960 | {2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe | 30 |
| PID 2960 wrote to memory of 2660 | 2960 | {2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe | 30 |
| PID 2960 wrote to memory of 2660 | 2960 | {2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe | 30 |
| PID 2960 wrote to memory of 2912 | 2960 | {2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe | 31 |
| PID 2960 wrote to memory of 2912 | 2960 | {2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe | 31 |
| PID 2960 wrote to memory of 2912 | 2960 | {2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe | 31 |
| PID 2960 wrote to memory of 2912 | 2960 | {2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe | 31 |
| PID 2660 wrote to memory of 2504 | 2660 | {383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe | 32 |
| PID 2660 wrote to memory of 2504 | 2660 | {383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe | 32 |
| PID 2660 wrote to memory of 2504 | 2660 | {383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe | 32 |
| PID 2660 wrote to memory of 2504 | 2660 | {383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe | 32 |
| PID 2660 wrote to memory of 2420 | 2660 | {383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe | 33 |
| PID 2660 wrote to memory of 2420 | 2660 | {383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe | 33 |
| PID 2660 wrote to memory of 2420 | 2660 | {383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe | 33 |
| PID 2660 wrote to memory of 2420 | 2660 | {383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe | 33 |
| PID 2504 wrote to memory of 2248 | 2504 | {C46E71A3-8097-4903-A697-120E23F9A7CA}.exe | 36 |
| PID 2504 wrote to memory of 2248 | 2504 | {C46E71A3-8097-4903-A697-120E23F9A7CA}.exe | 36 |
| PID 2504 wrote to memory of 2248 | 2504 | {C46E71A3-8097-4903-A697-120E23F9A7CA}.exe | 36 |
| PID 2504 wrote to memory of 2248 | 2504 | {C46E71A3-8097-4903-A697-120E23F9A7CA}.exe | 36 |
| PID 2504 wrote to memory of 1756 | 2504 | {C46E71A3-8097-4903-A697-120E23F9A7CA}.exe | 37 |
| PID 2504 wrote to memory of 1756 | 2504 | {C46E71A3-8097-4903-A697-120E23F9A7CA}.exe | 37 |
| PID 2504 wrote to memory of 1756 | 2504 | {C46E71A3-8097-4903-A697-120E23F9A7CA}.exe | 37 |
| PID 2504 wrote to memory of 1756 | 2504 | {C46E71A3-8097-4903-A697-120E23F9A7CA}.exe | 37 |
| PID 2248 wrote to memory of 2436 | 2248 | {AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe | 38 |
| PID 2248 wrote to memory of 2436 | 2248 | {AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe | 38 |
| PID 2248 wrote to memory of 2436 | 2248 | {AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe | 38 |
| PID 2248 wrote to memory of 2436 | 2248 | {AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe | 38 |
| PID 2248 wrote to memory of 1980 | 2248 | {AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe | 39 |
| PID 2248 wrote to memory of 1980 | 2248 | {AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe | 39 |
| PID 2248 wrote to memory of 1980 | 2248 | {AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe | 39 |
| PID 2248 wrote to memory of 1980 | 2248 | {AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe | 39 |
| PID 2436 wrote to memory of 1744 | 2436 | {6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe | 40 |
| PID 2436 wrote to memory of 1744 | 2436 | {6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe | 40 |
| PID 2436 wrote to memory of 1744 | 2436 | {6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe | 40 |
| PID 2436 wrote to memory of 1744 | 2436 | {6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe | 40 |
| PID 2436 wrote to memory of 768 | 2436 | {6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe | 41 |
| PID 2436 wrote to memory of 768 | 2436 | {6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe | 41 |
| PID 2436 wrote to memory of 768 | 2436 | {6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe | 41 |
| PID 2436 wrote to memory of 768 | 2436 | {6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe | 41 |
| PID 1744 wrote to memory of 1636 | 1744 | {ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe | 42 |
| PID 1744 wrote to memory of 1636 | 1744 | {ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe | 42 |
| PID 1744 wrote to memory of 1636 | 1744 | {ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe | 42 |
| PID 1744 wrote to memory of 1636 | 1744 | {ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe | 42 |
| PID 1744 wrote to memory of 2256 | 1744 | {ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe | 43 |
| PID 1744 wrote to memory of 2256 | 1744 | {ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe | 43 |
| PID 1744 wrote to memory of 2256 | 1744 | {ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe | 43 |
| PID 1744 wrote to memory of 2256 | 1744 | {ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe | 43 |
| PID 1636 wrote to memory of 284 | 1636 | {A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe | 44 |
| PID 1636 wrote to memory of 284 | 1636 | {A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe | 44 |
| PID 1636 wrote to memory of 284 | 1636 | {A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe | 44 |
| PID 1636 wrote to memory of 284 | 1636 | {A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe | 44 |
| PID 1636 wrote to memory of 1696 | 1636 | {A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe | 45 |
| PID 1636 wrote to memory of 1696 | 1636 | {A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe | 45 |
| PID 1636 wrote to memory of 1696 | 1636 | {A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe | 45 |
| PID 1636 wrote to memory of 1696 | 1636 | {A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe | 45 |
Processes
- C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe (PID 2164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe (PID 2960)
    Command line: C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe (PID 2660)
      Command line: C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe (PID 2504)
        Command line: C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe (PID 2248)
          Command line: C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe (PID 2436)
            Command line: C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe (PID 1744)
              Command line: C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe (PID 1636)
                Command line: C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe (PID 284)
                  Command line: C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe (PID 1160)
                    Command line: C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe (PID 604)
                      Command line: C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - C:\Windows\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}.exe (PID 1792)
                        Command line: C:\Windows\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}.exe
                        - Executes dropped EXE
                      - C:\Windows\SysWOW64\cmd.exe (PID 528)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6ED18~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (PID 572)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C41F3~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (PID 864)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C7F69~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (PID 1696)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A96F1~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (PID 2256)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ACE2C~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (PID 768)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6B587~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (PID 1980)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AD0F3~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (PID 1756)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C46E7~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (PID 2420)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{383F0~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (PID 2912)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2BC28~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (PID 2516)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A5DA7~1.EXE > nul
Network
Downloads