Analysis
-
max time kernel
149s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20240426-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
02/06/2024, 04:53
Static task
static1
Behavioral task
behavioral1
Sample
3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe
-
Size
90KB
-
MD5
3a5da7c21cb387512051c924cc484430
-
SHA1
9d952fdc523e88570edf71fb68f43ee6be13a86f
-
SHA256
af0def80b3c5accef3c73ee79df6f8026f125469a0037290efa229c1c6efc7db
-
SHA512
5e41ee35b4ff3862bb5eefb99c85defd33f42ea58fcfb0b314c9026d26956df5237e7e2f667119eedc3892e0539e1cabaa287d971f950ecb476182b380104c59
-
SSDEEP
768:Qvw9816vhKQLrog4/wQRNrfrunMxVFA3b7glws:YEGh0ogl2unMxVS3Hgz
Malware Config (no configuration extracted in this report)
Signatures
-
Modifies Installed Components in the registry — 2 TTPs, 24 IoCs. Each stage creates an Active Setup `Installed Components\{GUID}` key and sets its `stubpath` to the next-stage binary under C:\Windows. Active Setup stubs are run at user logon, so this is a persistence mechanism (ATT&CK T1547.014); the GUID-named keys under WOW6432Node are the durable indicator, because the binaries themselves are removed by the `cmd /c del` children shown in the process tree.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871} {93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AD515DC-BD46-45e1-BA9D-21522780795D}\stubpath = "C:\\Windows\\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe" {07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11} {0AD515DC-BD46-45e1-BA9D-21522780795D}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06BA9F34-AFA2-4e64-AB9A-84067A183D33} {DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B} {06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2F3D43F-78BF-458d-8039-B7E389BF7895} {2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4415DFC-9F2A-48c2-AB78-B7762A852A68} 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50} {3B3192BA-2481-421e-AB81-8793772F906B}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}\stubpath = "C:\\Windows\\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe" {93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}\stubpath = "C:\\Windows\\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe" 
{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}\stubpath = "C:\\Windows\\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe" {06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}\stubpath = "C:\\Windows\\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe" {E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AD515DC-BD46-45e1-BA9D-21522780795D} {07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}\stubpath = "C:\\Windows\\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe" {0AD515DC-BD46-45e1-BA9D-21522780795D}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2F3D43F-78BF-458d-8039-B7E389BF7895}\stubpath = "C:\\Windows\\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe" {2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D26F1A63-FB01-430f-A386-54D846B3E3A6}\stubpath = "C:\\Windows\\{D26F1A63-FB01-430f-A386-54D846B3E3A6}.exe" {D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07C39884-5818-4b4a-A61A-A192FFEBF6CC} {CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24} {E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B3192BA-2481-421e-AB81-8793772F906B} 
{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B3192BA-2481-421e-AB81-8793772F906B}\stubpath = "C:\\Windows\\{3B3192BA-2481-421e-AB81-8793772F906B}.exe" {D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}\stubpath = "C:\\Windows\\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe" {3B3192BA-2481-421e-AB81-8793772F906B}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}\stubpath = "C:\\Windows\\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe" {DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D26F1A63-FB01-430f-A386-54D846B3E3A6} {D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}\stubpath = "C:\\Windows\\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe" 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe -
Executes dropped EXE 12 IoCs
pid Process 2156 {E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe 1248 {D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe 3532 {3B3192BA-2481-421e-AB81-8793772F906B}.exe 3632 {93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe 1148 {CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe 4220 {07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe 1836 {0AD515DC-BD46-45e1-BA9D-21522780795D}.exe 872 {DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe 5108 {06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe 5100 {2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe 2004 {D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe 4744 {D26F1A63-FB01-430f-A386-54D846B3E3A6}.exe -
Drops file in Windows directory 12 IoCs
description ioc Process File created C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe {0AD515DC-BD46-45e1-BA9D-21522780795D}.exe File created C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe {DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe File created C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe {E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe File created C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe {D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe File created C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe {93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe File created C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe {CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe File created C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe {07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe File created C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe File created C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe {3B3192BA-2481-421e-AB81-8793772F906B}.exe File created C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe {06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe File created C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe {2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe File created C:\Windows\{D26F1A63-FB01-430f-A386-54D846B3E3A6}.exe {D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 4368 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe Token: SeIncBasePriorityPrivilege 2156 {E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe Token: SeIncBasePriorityPrivilege 1248 {D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe Token: SeIncBasePriorityPrivilege 3532 {3B3192BA-2481-421e-AB81-8793772F906B}.exe Token: SeIncBasePriorityPrivilege 3632 {93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe Token: SeIncBasePriorityPrivilege 1148 {CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe Token: SeIncBasePriorityPrivilege 4220 {07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe Token: SeIncBasePriorityPrivilege 1836 {0AD515DC-BD46-45e1-BA9D-21522780795D}.exe Token: SeIncBasePriorityPrivilege 872 {DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe Token: SeIncBasePriorityPrivilege 5108 {06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe Token: SeIncBasePriorityPrivilege 5100 {2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe Token: SeIncBasePriorityPrivilege 2004 {D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4368 wrote to memory of 2156 4368 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe 94 PID 4368 wrote to memory of 2156 4368 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe 94 PID 4368 wrote to memory of 2156 4368 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe 94 PID 4368 wrote to memory of 5036 4368 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe 95 PID 4368 wrote to memory of 5036 4368 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe 95 PID 4368 wrote to memory of 5036 4368 3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe 95 PID 2156 wrote to memory of 1248 2156 {E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe 96 PID 2156 wrote to memory of 1248 2156 {E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe 96 PID 2156 wrote to memory of 1248 2156 {E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe 96 PID 2156 wrote to memory of 3568 2156 {E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe 97 PID 2156 wrote to memory of 3568 2156 {E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe 97 PID 2156 wrote to memory of 3568 2156 {E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe 97 PID 1248 wrote to memory of 3532 1248 {D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe 99 PID 1248 wrote to memory of 3532 1248 {D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe 99 PID 1248 wrote to memory of 3532 1248 {D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe 99 PID 1248 wrote to memory of 3436 1248 {D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe 100 PID 1248 wrote to memory of 3436 1248 {D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe 100 PID 1248 wrote to memory of 3436 1248 {D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe 100 PID 3532 wrote to memory of 3632 3532 {3B3192BA-2481-421e-AB81-8793772F906B}.exe 101 PID 3532 wrote to memory of 3632 3532 {3B3192BA-2481-421e-AB81-8793772F906B}.exe 101 PID 3532 wrote to memory of 3632 3532 {3B3192BA-2481-421e-AB81-8793772F906B}.exe 101 PID 3532 wrote to memory of 4832 3532 {3B3192BA-2481-421e-AB81-8793772F906B}.exe 102 PID 3532 wrote to memory of 4832 3532 
{3B3192BA-2481-421e-AB81-8793772F906B}.exe 102 PID 3532 wrote to memory of 4832 3532 {3B3192BA-2481-421e-AB81-8793772F906B}.exe 102 PID 3632 wrote to memory of 1148 3632 {93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe 103 PID 3632 wrote to memory of 1148 3632 {93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe 103 PID 3632 wrote to memory of 1148 3632 {93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe 103 PID 3632 wrote to memory of 4040 3632 {93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe 104 PID 3632 wrote to memory of 4040 3632 {93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe 104 PID 3632 wrote to memory of 4040 3632 {93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe 104 PID 1148 wrote to memory of 4220 1148 {CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe 105 PID 1148 wrote to memory of 4220 1148 {CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe 105 PID 1148 wrote to memory of 4220 1148 {CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe 105 PID 1148 wrote to memory of 3248 1148 {CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe 106 PID 1148 wrote to memory of 3248 1148 {CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe 106 PID 1148 wrote to memory of 3248 1148 {CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe 106 PID 4220 wrote to memory of 1836 4220 {07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe 107 PID 4220 wrote to memory of 1836 4220 {07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe 107 PID 4220 wrote to memory of 1836 4220 {07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe 107 PID 4220 wrote to memory of 3604 4220 {07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe 108 PID 4220 wrote to memory of 3604 4220 {07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe 108 PID 4220 wrote to memory of 3604 4220 {07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe 108 PID 1836 wrote to memory of 872 1836 {0AD515DC-BD46-45e1-BA9D-21522780795D}.exe 109 PID 1836 wrote to memory of 872 1836 {0AD515DC-BD46-45e1-BA9D-21522780795D}.exe 109 PID 1836 wrote to memory of 872 1836 {0AD515DC-BD46-45e1-BA9D-21522780795D}.exe 109 PID 1836 wrote to memory of 3752 1836 {0AD515DC-BD46-45e1-BA9D-21522780795D}.exe 110 
PID 1836 wrote to memory of 3752 1836 {0AD515DC-BD46-45e1-BA9D-21522780795D}.exe 110 PID 1836 wrote to memory of 3752 1836 {0AD515DC-BD46-45e1-BA9D-21522780795D}.exe 110 PID 872 wrote to memory of 5108 872 {DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe 111 PID 872 wrote to memory of 5108 872 {DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe 111 PID 872 wrote to memory of 5108 872 {DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe 111 PID 872 wrote to memory of 4284 872 {DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe 112 PID 872 wrote to memory of 4284 872 {DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe 112 PID 872 wrote to memory of 4284 872 {DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe 112 PID 5108 wrote to memory of 5100 5108 {06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe 113 PID 5108 wrote to memory of 5100 5108 {06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe 113 PID 5108 wrote to memory of 5100 5108 {06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe 113 PID 5108 wrote to memory of 1796 5108 {06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe 114 PID 5108 wrote to memory of 1796 5108 {06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe 114 PID 5108 wrote to memory of 1796 5108 {06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe 114 PID 5100 wrote to memory of 2004 5100 {2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe 115 PID 5100 wrote to memory of 2004 5100 {2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe 115 PID 5100 wrote to memory of 2004 5100 {2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe 115 PID 5100 wrote to memory of 4784 5100 {2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe 116
Processes — the chain runs under WOW64 (note the SysWOW64\cmd.exe image path and the WOW6432Node registry keys), so each stage is a 32-bit binary. Each stage spawns the next-stage {GUID}.exe and a cmd.exe that deletes the stage's own file via its 8.3 short name, so only the final dropped binary is expected to remain on disk at the end of the observed run.
-
C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe — command line: "C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe" (depth 1)
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe — command line: C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe (depth 2)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe — command line: C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe (depth 3)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe — command line: C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe (depth 4)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe — command line: C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe (depth 5)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe — command line: C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe (depth 6)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe — command line: C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe (depth 7)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe — command line: C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe (depth 8)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe — command line: C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe (depth 9)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe — command line: C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe (depth 10)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe — command line: C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe (depth 11)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe — command line: C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe (depth 12)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2004 -
C:\Windows\{D26F1A63-FB01-430f-A386-54D846B3E3A6}.exe — command line: C:\Windows\{D26F1A63-FB01-430f-A386-54D846B3E3A6}.exe (depth 13; last stage observed — no registry write, file drop or self-delete child is recorded for it in this run)
- Executes dropped EXE
PID:4744
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D2F3D~1.EXE > nul (depth 13) PID:3628
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2CDF4~1.EXE > nul (depth 12) PID:4784
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{06BA9~1.EXE > nul (depth 11) PID:1796
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DD0DE~1.EXE > nul (depth 10) PID:4284
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0AD51~1.EXE > nul (depth 9) PID:3752
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{07C39~1.EXE > nul (depth 8) PID:3604
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CFBE7~1.EXE > nul (depth 7) PID:3248
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{93B5B~1.EXE > nul (depth 6) PID:4040
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3B319~1.EXE > nul (depth 5) PID:4832
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D72A4~1.EXE > nul (depth 4) PID:3436
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E4415~1.EXE > nul (depth 3) PID:3568
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A5DA7~1.EXE > nul (depth 2) PID:5036 — deletes the originally submitted sample
-
Network (no entries captured in this report)
MITRE ATT&CK Enterprise v15
Downloads — the 12 dropped stage binaries. All are 90KB like the submitted sample, but every one has a distinct MD5/SHA1/SHA256, so each stage presumably rewrites the next rather than copying itself byte-for-byte; hash-based blocking of any single file will not stop the chain — detect on the C:\Windows\{GUID}.exe drop path and the Active Setup stubpath writes instead.
-
Filesize
90KB
MD5 dadeeb584fa91b3c0a164d453793cb35
SHA1 ec9962b7e5349f852554c43d94f6894987e84710
SHA256 2da891493bea8558324354af66c5a82b2185701a0636c596d37476d4b2fbca92
SHA512 cb4523dd6da1cca7e90a5ca142b0e5bb7f6c99dabb9383cd35a4a32c5cddde2e4ffbe9877869da827a97e2abf2784a189606ab798fe5c812fb0b9580d36a368f
-
Filesize
90KB
MD5 89ba777a410f16f8d9a4827b25eee736
SHA1 2fdcf40802e60b7165a1bc271bd298edece9d5e4
SHA256 2a6a9a939146fc3d017c0c0b771717a14e52a5b29428d58059ea6da03028ce52
SHA512 6a0d288032d0159e5a28a79e40d0122b21b167e5c0bff4c2bffa2a31a0815056e6340bb96df1fe4dda07d2c832072b172865ac7eb4cdb351374960081aad94bd
-
Filesize
90KB
MD5 57bc1788a836e6bcd7de5c4044e862cc
SHA1 558b2ab7edf818a00f6f73c993be7db423fa4eb5
SHA256 af306e09e770d84aff963714d383a8883d8d235c744235ca6d21074ee6e6f66d
SHA512 6e156fd7570408aea2d6c1d0b1dcff066b888bf92fc985b0edf7f76fdbc62172f0ad52be8120ab785b5225a25067ef71a2f2c54768e646ef6c0ef6404f731495
-
Filesize
90KB
MD5 0cdb23966e16a6f5f83e859eefeb8b82
SHA1 649f839f262ca01d3274fc9e5ed40340b8a8722a
SHA256 2b65dbca88aa74209794fb32e1edcdfae55bae514eaf6ea953e2c47453838431
SHA512 8936ee7a8cc3239863d0ce8be94b8d27d83f56dbbd22afc046207535ebfded930587500c2264b63948085258641782d14b6308d77e9daa4a5882d727640a88d3
-
Filesize
90KB
MD5 0fde042da58bcec02a9200367fd7269d
SHA1 0957a5c7ea09ecb1ce5de51a2272b765d4b4e3ed
SHA256 496b751ff23f0feff2444ce3bba6a04cd5b75b7a9d0d704a774939f898c57af6
SHA512 fbe57b1e00206dcd9824c17f73502d5fb8c5dfe2b0bfbb26503741a4ff27f85c04f07b097559a0c7b1439de26215d5aa4e780fee69e097de608d2cd98911906b
-
Filesize
90KB
MD5 368dc405b43d5e76f22f510f9d3e44de
SHA1 f3de03e30f568dfcb08190cbcb7346fff5835774
SHA256 c11623fd4a5b5a76b1f3b37ba7f002ba084117587d9cb37bbd60fd137aee740b
SHA512 7a95ad238b240029927b6175dbd117752d43797304be94063f0b9b740f132d1210f18812bcf030f6999ac3f6995d7152a062fdaeb54b10856b8598514a2c0ba5
-
Filesize
90KB
MD5 3c71b6352e90010bc13c9a68fc8f4262
SHA1 30909f19506b6348b876c9a56f1ca5e7eeb2d77e
SHA256 f1b5b13364bbb0a78efe05c92a57e5ea3be259e1209d54313a4260e0829e977c
SHA512 ac04afd77183db5e9939362ae6fe715f7b4e33b5cb3761dfe50412d309b8a1a9ebce27e9981a459870e4f035f20b30895b94c2e32393c01a9eb3927931ff5218
-
Filesize
90KB
MD5 c88edf78a96516568fea6d3badf3ffd4
SHA1 608b394df7920549f44fc713cb4b09b51c330acc
SHA256 60ca5676e98e66a241ae2ec8894a622e8c9d58bc3fb6ba396b671a0645a43fc8
SHA512 8f63e6a59196d7e064d841427e438511007d62a77941622e5100bcf5f3b0cad7aacd200017a1ea9f86a01a935861497d33c865b53f59ce40d696ccbd697762c1
-
Filesize
90KB
MD5 2bb85a8ef223d7ec3fbccd79194d3fe0
SHA1 14c9d1c46b9655baa0f28fba7701d36838823ad8
SHA256 749c786c3d7753c6373cdb4f131fc15d1137b65874c64588d424fe5392c42d7e
SHA512 c743430a29182211abe82609d32ae436562be5a49d6d7e34f2dcfde31b4f75aa9a39290a0a9bca1bd1646bc181ffed83655ebda9b8b2a6403255e67c16ed227d
-
Filesize
90KB
MD5 76d79a83acd404bd8a21f6f2a6764416
SHA1 6f38cca0437b6bbd5dd08949c473f295804c782e
SHA256 f2a0958d103d1a07f3540da7449712256d7522f40fb907f27d527f4e7ea05367
SHA512 b50c5949b65b07b0a931a5d5adfb8c66b431b581fb5ccdfb02439a97666a86086633af4296f493972b64806ee1459d26962bb0affb39219dc141cc6a56cd6f32
-
Filesize
90KB
MD5 bf3f9ff7508be91a99a0d5c9067e59b5
SHA1 e2157956a051ae1d6b2ac1e9a3c0d13e113afcc0
SHA256 f902540b7129ec25b5a5950a5b22abd2f258bffa77dbb8dd05ffb4c306f83d6f
SHA512 03270725a3eb4e22db9123a521b44100afa398ecbb9df17e0d40849c0e43b4dd43ac2ce04ccff8dd0daf3bbb1611d8371a5790d24641b38fecff1a01ebd223dd
-
Filesize
90KB
MD5 7171553a867362462befbbad9d27da76
SHA1 6f0a496d500a17022c66ec17bdbcfe4b593a8890
SHA256 457c514bc7c60e37c66a00bfe892a1a99a4c1d9f65f7e787ac2343472cf730ca
SHA512 4bd7163a8880eed603e09ac54c0e4696d8c4ed2fef762689cb9be5fc4e7771369c4ee2a3cd4e745e8724fe302aeea3eb037e7afa0d84a600523724279ad31ded