29cd46889c97ce06b400547815cfb5a9ce5b4b38123c55441370e9475153f07b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe
Size

90KB
MD5

9ab6ffcf6854763f80664caf5fcda820
SHA1

84c7555020048d2c31c3919a1d8067777a234343
SHA256

29cd46889c97ce06b400547815cfb5a9ce5b4b38123c55441370e9475153f07b
SHA512

518500c1da26c0a588764eda181f57243dd6f753e368eb3b3d9a1fbe7bdc40263b72b8c20bcb3c224f9dbbf8d4de661a5b3bb42e3e4c18383afa5737d9bb8466
SSDEEP

768:Qvw9816vhKQLrow4/wQRNrfrunMxVFA3b7glws:YEGh0owl2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}\stubpath = "C:\\Windows\\{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe"	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E95CB17A-9321-4401-871D-8498BB2A9C18}	{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E95CB17A-9321-4401-871D-8498BB2A9C18}\stubpath = "C:\\Windows\\{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe"	{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85F381B8-C768-43f8-8F3E-C2F378CA5F31}\stubpath = "C:\\Windows\\{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe"	{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B490F017-19B2-4c3f-B9F6-F663227F2186}	{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0731942-FC12-41b7-8980-FDF09623BB0E}	{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0731942-FC12-41b7-8980-FDF09623BB0E}\stubpath = "C:\\Windows\\{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe"	{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}	{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55600829-788F-4ff0-BC8D-E40AE96457C4}\stubpath = "C:\\Windows\\{55600829-788F-4ff0-BC8D-E40AE96457C4}.exe"	{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}	{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}\stubpath = "C:\\Windows\\{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe"	{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01C533D0-AD15-4815-99E2-9115103BF8FE}	{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01C533D0-AD15-4815-99E2-9115103BF8FE}\stubpath = "C:\\Windows\\{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe"	{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E83A694-20F8-4789-9E6B-91ED3A1439DB}	{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E83A694-20F8-4789-9E6B-91ED3A1439DB}\stubpath = "C:\\Windows\\{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe"	{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B490F017-19B2-4c3f-B9F6-F663227F2186}\stubpath = "C:\\Windows\\{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe"	{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A54F1E8-801C-4b95-B951-C820D6C79764}\stubpath = "C:\\Windows\\{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe"	{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFBF8441-987F-4dc9-A679-577C5B6D0F19}	{55600829-788F-4ff0-BC8D-E40AE96457C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFBF8441-987F-4dc9-A679-577C5B6D0F19}\stubpath = "C:\\Windows\\{AFBF8441-987F-4dc9-A679-577C5B6D0F19}.exe"	{55600829-788F-4ff0-BC8D-E40AE96457C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85F381B8-C768-43f8-8F3E-C2F378CA5F31}	{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}\stubpath = "C:\\Windows\\{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe"	{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A54F1E8-801C-4b95-B951-C820D6C79764}	{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55600829-788F-4ff0-BC8D-E40AE96457C4}	{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe

Executes dropped EXE 12 IoCs

pid	Process
3396	{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe
4268	{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe
3156	{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe
4360	{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe
4864	{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe
3024	{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe
4632	{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe
1240	{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe
4608	{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe
1828	{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe
2600	{55600829-788F-4ff0-BC8D-E40AE96457C4}.exe
2704	{AFBF8441-987F-4dc9-A679-577C5B6D0F19}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe
File created	C:\Windows\{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe	{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe
File created	C:\Windows\{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe	{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe
File created	C:\Windows\{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe	{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe
File created	C:\Windows\{AFBF8441-987F-4dc9-A679-577C5B6D0F19}.exe	{55600829-788F-4ff0-BC8D-E40AE96457C4}.exe
File created	C:\Windows\{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe	{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe
File created	C:\Windows\{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe	{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe
File created	C:\Windows\{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe	{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe
File created	C:\Windows\{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe	{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe
File created	C:\Windows\{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe	{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe
File created	C:\Windows\{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe	{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe
File created	C:\Windows\{55600829-788F-4ff0-BC8D-E40AE96457C4}.exe	{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5028	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3396	{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe
Token: SeIncBasePriorityPrivilege	4268	{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe
Token: SeIncBasePriorityPrivilege	3156	{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe
Token: SeIncBasePriorityPrivilege	4360	{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe
Token: SeIncBasePriorityPrivilege	4864	{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe
Token: SeIncBasePriorityPrivilege	3024	{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe
Token: SeIncBasePriorityPrivilege	4632	{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe
Token: SeIncBasePriorityPrivilege	1240	{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe
Token: SeIncBasePriorityPrivilege	4608	{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe
Token: SeIncBasePriorityPrivilege	1828	{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe
Token: SeIncBasePriorityPrivilege	2600	{55600829-788F-4ff0-BC8D-E40AE96457C4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 3396	5028	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	92
PID 5028 wrote to memory of 3396	5028	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	92
PID 5028 wrote to memory of 3396	5028	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	92
PID 5028 wrote to memory of 1932	5028	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	93
PID 5028 wrote to memory of 1932	5028	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	93
PID 5028 wrote to memory of 1932	5028	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	93
PID 3396 wrote to memory of 4268	3396	{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe	94
PID 3396 wrote to memory of 4268	3396	{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe	94
PID 3396 wrote to memory of 4268	3396	{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe	94
PID 3396 wrote to memory of 4148	3396	{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe	95
PID 3396 wrote to memory of 4148	3396	{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe	95
PID 3396 wrote to memory of 4148	3396	{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe	95
PID 4268 wrote to memory of 3156	4268	{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe	97
PID 4268 wrote to memory of 3156	4268	{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe	97
PID 4268 wrote to memory of 3156	4268	{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe	97
PID 4268 wrote to memory of 3432	4268	{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe	98
PID 4268 wrote to memory of 3432	4268	{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe	98
PID 4268 wrote to memory of 3432	4268	{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe	98
PID 3156 wrote to memory of 4360	3156	{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe	99
PID 3156 wrote to memory of 4360	3156	{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe	99
PID 3156 wrote to memory of 4360	3156	{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe	99
PID 3156 wrote to memory of 3604	3156	{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe	100
PID 3156 wrote to memory of 3604	3156	{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe	100
PID 3156 wrote to memory of 3604	3156	{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe	100
PID 4360 wrote to memory of 4864	4360	{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe	101
PID 4360 wrote to memory of 4864	4360	{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe	101
PID 4360 wrote to memory of 4864	4360	{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe	101
PID 4360 wrote to memory of 2576	4360	{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe	102
PID 4360 wrote to memory of 2576	4360	{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe	102
PID 4360 wrote to memory of 2576	4360	{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe	102
PID 4864 wrote to memory of 3024	4864	{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe	103
PID 4864 wrote to memory of 3024	4864	{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe	103
PID 4864 wrote to memory of 3024	4864	{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe	103
PID 4864 wrote to memory of 1988	4864	{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe	104
PID 4864 wrote to memory of 1988	4864	{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe	104
PID 4864 wrote to memory of 1988	4864	{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe	104
PID 3024 wrote to memory of 4632	3024	{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe	105
PID 3024 wrote to memory of 4632	3024	{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe	105
PID 3024 wrote to memory of 4632	3024	{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe	105
PID 3024 wrote to memory of 3420	3024	{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe	106
PID 3024 wrote to memory of 3420	3024	{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe	106
PID 3024 wrote to memory of 3420	3024	{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe	106
PID 4632 wrote to memory of 1240	4632	{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe	107
PID 4632 wrote to memory of 1240	4632	{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe	107
PID 4632 wrote to memory of 1240	4632	{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe	107
PID 4632 wrote to memory of 3496	4632	{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe	108
PID 4632 wrote to memory of 3496	4632	{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe	108
PID 4632 wrote to memory of 3496	4632	{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe	108
PID 1240 wrote to memory of 4608	1240	{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe	109
PID 1240 wrote to memory of 4608	1240	{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe	109
PID 1240 wrote to memory of 4608	1240	{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe	109
PID 1240 wrote to memory of 3060	1240	{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe	110
PID 1240 wrote to memory of 3060	1240	{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe	110
PID 1240 wrote to memory of 3060	1240	{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe	110
PID 4608 wrote to memory of 1828	4608	{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe	111
PID 4608 wrote to memory of 1828	4608	{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe	111
PID 4608 wrote to memory of 1828	4608	{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe	111
PID 4608 wrote to memory of 2712	4608	{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe	112
PID 4608 wrote to memory of 2712	4608	{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe	112
PID 4608 wrote to memory of 2712	4608	{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe	112
PID 1828 wrote to memory of 2600	1828	{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe	113
PID 1828 wrote to memory of 2600	1828	{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe	113
PID 1828 wrote to memory of 2600	1828	{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe	113
PID 1828 wrote to memory of 3444	1828	{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe	114

C:\Users\Admin\AppData\Local\Temp\9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe
  C:\Windows\{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe
    C:\Windows\{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe
      C:\Windows\{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3156
    - - C:\Windows\{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe
        
        C:\Windows\{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Windows\{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe
        
        C:\Windows\{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe
        
        C:\Windows\{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe
        
        C:\Windows\{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe
        
        C:\Windows\{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe
        
        C:\Windows\{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe
        
        C:\Windows\{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\{55600829-788F-4ff0-BC8D-E40AE96457C4}.exe
        
        C:\Windows\{55600829-788F-4ff0-BC8D-E40AE96457C4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\{AFBF8441-987F-4dc9-A679-577C5B6D0F19}.exe
        
        C:\Windows\{AFBF8441-987F-4dc9-A679-577C5B6D0F19}.exe
        13⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55600~1.EXE > nul
        13⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D129~1.EXE > nul
        12⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A54F~1.EXE > nul
        11⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B490F~1.EXE > nul
        10⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F76DD~1.EXE > nul
        9⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85F38~1.EXE > nul
        8⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0731~1.EXE > nul
        7⤵
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E83A~1.EXE > nul
        6⤵
        
        PID:2576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01C53~1.EXE > nul
        5⤵
        
        PID:3604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E95CB~1.EXE > nul
      4⤵
      PID:3432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DE9E7~1.EXE > nul
    3⤵
    PID:4148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9AB6FF~1.EXE > nul
  2⤵
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01C533D0-AD15-4815-99E2-9115103BF8FE}.exe

Filesize
90KB

MD5
a7dc9c5f4afb56cd4c73ebdece53959c

SHA1
ff2d5d95e4217457b6d2adb29724abb04126aa0e

SHA256
d04a1a544f09673c1b112f481885411d75039ca11a9ab97be0b66445f936b81d

SHA512
f43597e72c6201b11261910b6058e743b1de76463a928b7a0b534ca6db8c5bff2b04276fbaaf47114b8914251a01ea78a8b266d965bae936f62606f347bf87c1

Download Submit
C:\Windows\{55600829-788F-4ff0-BC8D-E40AE96457C4}.exe

Filesize
90KB

MD5
d3cac04b81830c72e054f87d2ed4297b

SHA1
42c307ca1c3310b4aa5f9ad2e73b3af83a2f4527

SHA256
712a487df833582ba25002822375ef19effce243103c0949f9249cfa3e1b7501

SHA512
73380e1c4156f1efaff66b205d9686490dbdfecab6bb2a3440202bae150addaf0caaaeea3a019eeb195ed5c6e534006a8eb56c0a8b8bfdcc0222ae3347bf4017

Download Submit
C:\Windows\{6D129816-F9BF-4cc0-94FF-BEC8E71C3DD7}.exe

Filesize
90KB

MD5
95e1240fa094adc46faa4994d931a576

SHA1
7404e3eb95d7990c6cabc4ac8cebcc3200d69a45

SHA256
2791b1cb12d44818bf4b41383f965d8ab8c59dd736742d41ec04e29152579ead

SHA512
930f25529533419deffe95d3c14d8a80467ad9a2625a03f677f4a309da9795138a71cb012606e4714f2f0c1900abc9e863d9c6453c7369b8918e27955f185646

Download Submit
C:\Windows\{6E83A694-20F8-4789-9E6B-91ED3A1439DB}.exe

Filesize
90KB

MD5
c0b080d98f3739d71e3446f8f32e2e5d

SHA1
93ea5cb02a1a37b7a019654b276c4d87a0164e47

SHA256
c7f70d5300755008cc553411d820753b5d98af4d1c7a5ba4f500b718a3148e62

SHA512
34b2684e8ef2467b40cf285b085485c652f3d09a57ae5fbe2a480c29280097ebf7e1f38d7f64984b7e09e4c8e2bdec05e33c3ad0c553b3fb623c70373e650125

Download Submit
C:\Windows\{7A54F1E8-801C-4b95-B951-C820D6C79764}.exe

Filesize
90KB

MD5
4a173534d23feca503b0f3e60aab1b15

SHA1
adda65e352977e95209ddfed3e7b464c6b69b424

SHA256
36ae325d6c9c31e49181a48eb34d2568c6c005d58fc40a8c601d87093e3c055b

SHA512
8e788cdf84851b94195f72b4f9c4689c0229770529ac7fef082a3a35fe86aca2e040785d899d12a7a4d8be31d67f50f88c1e6f6f4e75d8c4de03fc8eab9d3ab5

Download Submit
C:\Windows\{85F381B8-C768-43f8-8F3E-C2F378CA5F31}.exe

Filesize
90KB

MD5
0221d2ab69f371238d153dcbe22517e7

SHA1
756f34542505b90e6f7931cccf76cc37616aaeb7

SHA256
a34902b5daf6e5a7f0e2d637a4e8a85c5e9b3ea09a093a7b9563de5792e0b080

SHA512
44657df01e94bc63b35aab3b93a1a38c9fbc3cc134bdfa7ac55f5a7901c1f929a9bc4ae0ebe1a72303383e334bc6de0fb2f5bef5f354bd461c35e6a3fd83e00c

Download Submit
C:\Windows\{AFBF8441-987F-4dc9-A679-577C5B6D0F19}.exe

Filesize
90KB

MD5
6378d67c88f8b81b219d5c380be5b31b

SHA1
9d146cc5af30ad4412634385bd16b721878fe742

SHA256
6bb0eafbb07d47a2f642057d342e9730f5c05ee098357bd56e63e6499353816e

SHA512
3df97b0a95bec74877fd85e2aa2d2e01cc5fa6c55f154b995b4f91486f209531be7f03a602b7372cfac98a2a548e4c2909b4295e336a5ee712931e4f215a0c18

Download Submit
C:\Windows\{B490F017-19B2-4c3f-B9F6-F663227F2186}.exe

Filesize
90KB

MD5
02834cb04073afec543dad930f020a15

SHA1
8d5b6e847eab363e77a6307a305dbd834038b2fa

SHA256
5297588f7f620881d9879a7961d6a403706f13e193cdd3da1105522f6ca251cf

SHA512
85a93f61f358524371a95204af68debb4ce2aed3928d187b86391bf51f6e00f7d5ea71ece5d5db22e57a24e5117d226433a371b13e185c5daea1c91e9751beac

Download Submit
C:\Windows\{C0731942-FC12-41b7-8980-FDF09623BB0E}.exe

Filesize
90KB

MD5
fa734d27c0d5cf7dc7edcb8d8672c598

SHA1
8c61243bdd4c734c2e485c80318d96a01323234e

SHA256
957b643807627bf5f38d9d629a113c06f12718440a7174a2978212e1244ecf23

SHA512
76ef38dced5bf4005be5bf00bb1dfbd258030ce6ec8df7335561c6defdcb0ad414da8afe46f3bcc98e7ddf68f73550f514fb0be81cd647e9fe9d20db449b8f66

Download Submit
C:\Windows\{DE9E7874-99A2-426b-8C12-3A9C5DA1BFCD}.exe

Filesize
90KB

MD5
3bcb8609e21322905ba0918a547edd24

SHA1
fab5dfa1625a265bd7765a3b6433fc21b7b5930f

SHA256
fea81b260b4d6ac4705f6d92f7b918407642e7c0545e893522713ee53a095667

SHA512
636500f3a91a4705de183f9880b8bf2d4864234914b2af25a06e920ebacafa054649f418d76f583fad520880d2d69eccda528afb48cfbfb7ccbfdc3161d3fdf5

Download Submit
C:\Windows\{E95CB17A-9321-4401-871D-8498BB2A9C18}.exe

Filesize
90KB

MD5
f6bed8e7d3324b18a8734e41d849586b

SHA1
54106b17757a69382e4935b6be2a38350eb98c09

SHA256
4eed6bd278864c06edc1aa7d0043b73d72b2dfeef3409e72fc5027a9b563b5e1

SHA512
08edc8d937214e75cce5fb48c0d28b948d8401c3aadbb0d24d2367e6edb3650a29a81a7c93079a5fab1647a2138e6237ef84527c4fce1976c934f339c75baf7c

Download Submit
C:\Windows\{F76DD0BC-C039-4f0c-AE12-C415BE6FF462}.exe

Filesize
90KB

MD5
4bd38c0a2cc95a66a24099915a2bb9c3

SHA1
8820700a8e6f773dbbb37d7d5162e609896fc806

SHA256
56e958289bcdb56c22c6f4afba492d811d755897a30f8784a92be316db93fc1a

SHA512
21b0f6f609c91249b6d8aede313ccbc9041a3ab150e4ed9becdefe277037af29730833d4f2b6c412fdad394209901af76739cda2c6dbdc150536a2a97a03d774

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads