408ea9970bd865b054d71182a86ee64eb13417776e1238e415db8bc9af86bbe3

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe
Size

64KB
MD5

1da93f00adc213e137e8125eb649b1e0
SHA1

e0d9e1cb58b88bdd80d10d06dede287ff90089be
SHA256

408ea9970bd865b054d71182a86ee64eb13417776e1238e415db8bc9af86bbe3
SHA512

1935bdccffa0d103f5c9c3571f3e570e6734940aceafa461dab1d9194e8c228b91df4ea7af03e86a104ebf21b5353be8b607d39f19e4c7699637c6264297591c
SSDEEP

768:O0w9816vhKQLroCU4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdM:pEGh0oCUlwWMZQcpmgDagIyS1loL7WrM

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3C1D7DF-5763-4332-BD61-EC65A90E6949}\stubpath = "C:\\Windows\\{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe"	{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}\stubpath = "C:\\Windows\\{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe"	{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC3C2B12-4B92-4304-804A-C47069BCC1AB}	{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6508D860-1D35-4c8d-9409-2584D0D5381C}	{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EAADD22-0D73-476b-90FF-4483274EEA79}\stubpath = "C:\\Windows\\{9EAADD22-0D73-476b-90FF-4483274EEA79}.exe"	{6508D860-1D35-4c8d-9409-2584D0D5381C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1330256-5DBF-439f-A30F-BE54E7F52F3F}	{9EAADD22-0D73-476b-90FF-4483274EEA79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3C1D7DF-5763-4332-BD61-EC65A90E6949}	{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A645C1B1-D0A0-491b-8F75-C5B52460198B}	{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A645C1B1-D0A0-491b-8F75-C5B52460198B}\stubpath = "C:\\Windows\\{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe"	{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC3C2B12-4B92-4304-804A-C47069BCC1AB}\stubpath = "C:\\Windows\\{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe"	{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0571A786-BECA-459a-9CCD-582A4D4187DE}	{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62597256-A4E3-43e5-829A-2542EEF66E5F}\stubpath = "C:\\Windows\\{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe"	{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EAADD22-0D73-476b-90FF-4483274EEA79}	{6508D860-1D35-4c8d-9409-2584D0D5381C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1330256-5DBF-439f-A30F-BE54E7F52F3F}\stubpath = "C:\\Windows\\{C1330256-5DBF-439f-A30F-BE54E7F52F3F}.exe"	{9EAADD22-0D73-476b-90FF-4483274EEA79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{448E5BB1-71D6-47fa-B405-7171AD1F23AA}\stubpath = "C:\\Windows\\{448E5BB1-71D6-47fa-B405-7171AD1F23AA}.exe"	{C1330256-5DBF-439f-A30F-BE54E7F52F3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0571A786-BECA-459a-9CCD-582A4D4187DE}\stubpath = "C:\\Windows\\{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe"	{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62597256-A4E3-43e5-829A-2542EEF66E5F}	{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}	{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6508D860-1D35-4c8d-9409-2584D0D5381C}\stubpath = "C:\\Windows\\{6508D860-1D35-4c8d-9409-2584D0D5381C}.exe"	{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{448E5BB1-71D6-47fa-B405-7171AD1F23AA}	{C1330256-5DBF-439f-A30F-BE54E7F52F3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}\stubpath = "C:\\Windows\\{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe"	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2604	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2052	{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe
2592	{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe
2676	{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe
1868	{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe
2696	{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe
2156	{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe
1784	{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe
1620	{6508D860-1D35-4c8d-9409-2584D0D5381C}.exe
1516	{9EAADD22-0D73-476b-90FF-4483274EEA79}.exe
1140	{C1330256-5DBF-439f-A30F-BE54E7F52F3F}.exe
648	{448E5BB1-71D6-47fa-B405-7171AD1F23AA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe	{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe
File created	C:\Windows\{6508D860-1D35-4c8d-9409-2584D0D5381C}.exe	{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe
File created	C:\Windows\{9EAADD22-0D73-476b-90FF-4483274EEA79}.exe	{6508D860-1D35-4c8d-9409-2584D0D5381C}.exe
File created	C:\Windows\{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe
File created	C:\Windows\{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe	{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe
File created	C:\Windows\{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe	{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe
File created	C:\Windows\{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe	{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe
File created	C:\Windows\{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe	{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe
File created	C:\Windows\{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe	{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe
File created	C:\Windows\{C1330256-5DBF-439f-A30F-BE54E7F52F3F}.exe	{9EAADD22-0D73-476b-90FF-4483274EEA79}.exe
File created	C:\Windows\{448E5BB1-71D6-47fa-B405-7171AD1F23AA}.exe	{C1330256-5DBF-439f-A30F-BE54E7F52F3F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2740	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2052	{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe
Token: SeIncBasePriorityPrivilege	2592	{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe
Token: SeIncBasePriorityPrivilege	2676	{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe
Token: SeIncBasePriorityPrivilege	1868	{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe
Token: SeIncBasePriorityPrivilege	2696	{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe
Token: SeIncBasePriorityPrivilege	2156	{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe
Token: SeIncBasePriorityPrivilege	1784	{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe
Token: SeIncBasePriorityPrivilege	1620	{6508D860-1D35-4c8d-9409-2584D0D5381C}.exe
Token: SeIncBasePriorityPrivilege	1516	{9EAADD22-0D73-476b-90FF-4483274EEA79}.exe
Token: SeIncBasePriorityPrivilege	1140	{C1330256-5DBF-439f-A30F-BE54E7F52F3F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2052	2740	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	28
PID 2740 wrote to memory of 2052	2740	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	28
PID 2740 wrote to memory of 2052	2740	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	28
PID 2740 wrote to memory of 2052	2740	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	28
PID 2740 wrote to memory of 2604	2740	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	29
PID 2740 wrote to memory of 2604	2740	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	29
PID 2740 wrote to memory of 2604	2740	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	29
PID 2740 wrote to memory of 2604	2740	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	29
PID 2052 wrote to memory of 2592	2052	{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe	30
PID 2052 wrote to memory of 2592	2052	{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe	30
PID 2052 wrote to memory of 2592	2052	{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe	30
PID 2052 wrote to memory of 2592	2052	{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe	30
PID 2052 wrote to memory of 2472	2052	{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe	31
PID 2052 wrote to memory of 2472	2052	{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe	31
PID 2052 wrote to memory of 2472	2052	{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe	31
PID 2052 wrote to memory of 2472	2052	{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe	31
PID 2592 wrote to memory of 2676	2592	{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe	32
PID 2592 wrote to memory of 2676	2592	{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe	32
PID 2592 wrote to memory of 2676	2592	{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe	32
PID 2592 wrote to memory of 2676	2592	{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe	32
PID 2592 wrote to memory of 2636	2592	{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe	33
PID 2592 wrote to memory of 2636	2592	{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe	33
PID 2592 wrote to memory of 2636	2592	{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe	33
PID 2592 wrote to memory of 2636	2592	{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe	33
PID 2676 wrote to memory of 1868	2676	{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe	36
PID 2676 wrote to memory of 1868	2676	{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe	36
PID 2676 wrote to memory of 1868	2676	{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe	36
PID 2676 wrote to memory of 1868	2676	{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe	36
PID 2676 wrote to memory of 284	2676	{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe	37
PID 2676 wrote to memory of 284	2676	{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe	37
PID 2676 wrote to memory of 284	2676	{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe	37
PID 2676 wrote to memory of 284	2676	{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe	37
PID 1868 wrote to memory of 2696	1868	{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe	38
PID 1868 wrote to memory of 2696	1868	{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe	38
PID 1868 wrote to memory of 2696	1868	{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe	38
PID 1868 wrote to memory of 2696	1868	{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe	38
PID 1868 wrote to memory of 2824	1868	{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe	39
PID 1868 wrote to memory of 2824	1868	{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe	39
PID 1868 wrote to memory of 2824	1868	{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe	39
PID 1868 wrote to memory of 2824	1868	{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe	39
PID 2696 wrote to memory of 2156	2696	{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe	40
PID 2696 wrote to memory of 2156	2696	{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe	40
PID 2696 wrote to memory of 2156	2696	{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe	40
PID 2696 wrote to memory of 2156	2696	{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe	40
PID 2696 wrote to memory of 1860	2696	{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe	41
PID 2696 wrote to memory of 1860	2696	{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe	41
PID 2696 wrote to memory of 1860	2696	{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe	41
PID 2696 wrote to memory of 1860	2696	{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe	41
PID 2156 wrote to memory of 1784	2156	{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe	42
PID 2156 wrote to memory of 1784	2156	{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe	42
PID 2156 wrote to memory of 1784	2156	{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe	42
PID 2156 wrote to memory of 1784	2156	{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe	42
PID 2156 wrote to memory of 2352	2156	{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe	43
PID 2156 wrote to memory of 2352	2156	{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe	43
PID 2156 wrote to memory of 2352	2156	{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe	43
PID 2156 wrote to memory of 2352	2156	{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe	43
PID 1784 wrote to memory of 1620	1784	{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe	44
PID 1784 wrote to memory of 1620	1784	{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe	44
PID 1784 wrote to memory of 1620	1784	{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe	44
PID 1784 wrote to memory of 1620	1784	{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe	44
PID 1784 wrote to memory of 2176	1784	{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe	45
PID 1784 wrote to memory of 2176	1784	{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe	45
PID 1784 wrote to memory of 2176	1784	{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe	45
PID 1784 wrote to memory of 2176	1784	{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe	45

C:\Users\Admin\AppData\Local\Temp\1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe
  C:\Windows\{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe
    C:\Windows\{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe
      C:\Windows\{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe
        
        C:\Windows\{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Windows\{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe
        
        C:\Windows\{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe
        
        C:\Windows\{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe
        
        C:\Windows\{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{6508D860-1D35-4c8d-9409-2584D0D5381C}.exe
        
        C:\Windows\{6508D860-1D35-4c8d-9409-2584D0D5381C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\{9EAADD22-0D73-476b-90FF-4483274EEA79}.exe
        
        C:\Windows\{9EAADD22-0D73-476b-90FF-4483274EEA79}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\{C1330256-5DBF-439f-A30F-BE54E7F52F3F}.exe
        
        C:\Windows\{C1330256-5DBF-439f-A30F-BE54E7F52F3F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\{448E5BB1-71D6-47fa-B405-7171AD1F23AA}.exe
        
        C:\Windows\{448E5BB1-71D6-47fa-B405-7171AD1F23AA}.exe
        12⤵
        Executes dropped EXE
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1330~1.EXE > nul
        12⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EAAD~1.EXE > nul
        11⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6508D~1.EXE > nul
        10⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC3C2~1.EXE > nul
        9⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A645C~1.EXE > nul
        8⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92932~1.EXE > nul
        7⤵
        
        PID:1860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3C1D~1.EXE > nul
        6⤵
        
        PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62597~1.EXE > nul
        5⤵
        
        PID:284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0571A~1.EXE > nul
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B9C53~1.EXE > nul
    3⤵
    PID:2472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1DA93F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0571A786-BECA-459a-9CCD-582A4D4187DE}.exe

Filesize
64KB

MD5
01b8c19369bf889566a3093fe291c88d

SHA1
5282176d1f859bb3fa050e6aaaa53bcb263f6b93

SHA256
660d3b125e7f38a023a1129571c3d95b434247e7290a59650b6ae488b671dc44

SHA512
4e8dd2928f871995fcade7d980cf94ec38e81de601b836ffb3efb36f1c37838d28e8dfef93f16ff908738955d7b55aa41f4472e3d7aa25899e79d50d7ce9e7e6

Download Submit
C:\Windows\{448E5BB1-71D6-47fa-B405-7171AD1F23AA}.exe

Filesize
64KB

MD5
57b50fefadb03b00948e93b335d1a0c4

SHA1
e122f5588f2177c9cfd1f534948d71b66fbd9c75

SHA256
6e45d894e67f34925c10ea23b75ff048b879024e0d3fa37d7df8825c51923bd3

SHA512
09e3cc6c37a7ce52c699a73b9d013c1c189f9c2928a9e73098cb29adc6d5694cd35d8a798a9226ab61f37a8d17cf0c9bfbb80270b7da55d1a981f5911f216cf5

Download Submit
C:\Windows\{62597256-A4E3-43e5-829A-2542EEF66E5F}.exe

Filesize
64KB

MD5
1e9f45457b670ec756a8efa466d3b2a1

SHA1
4591d1ab56651a9cdb5a4c35316a2018220334d2

SHA256
e680438e63e285defd3af1df1fe791e47d1198a91c7ea8f58dc97ef562a1f6d3

SHA512
9b7cdf28cc3e8fdaa4a8f6e753c0cf28411bb4942bf59a24cf192506c40f6a702903ca109f0a8d86521cfbd679b436cd60f347063be2138cf829747d8bfd1139

Download Submit
C:\Windows\{6508D860-1D35-4c8d-9409-2584D0D5381C}.exe

Filesize
64KB

MD5
f644f8d31b2b0247c4541c853a91f37c

SHA1
78bf561f510b1937a359b673a0fd07741fa7efb5

SHA256
1a825aa727c9bb520d49a4fbffea606ec3bc2d06f37cfcb5f8f144a513abe7a4

SHA512
3bda00bdd60c74471fefdb98afebb7d848625e33dcf04f0e5868d9b53214f0e648321116f105b41f6b1456d43aa93c08348759b2ecdf1e84447c419d3b91e1ea

Download Submit
C:\Windows\{9293263F-F6A8-4e1b-ACEB-81CE6EE643AE}.exe

Filesize
64KB

MD5
757c6ba65833db69ebdf880e99a2eb5d

SHA1
b770a347a48b449cd4b2154ad74e909cf1067ec0

SHA256
442b589f1f74994a478b1e18190655afd070ab02873d83e91088de6d20301dbb

SHA512
e60be36ac985c820a1f0bc3504740cb539b983b2e55cee722b5ca7ca59bb1035c3075c22013f45da001d774c6132f87e4c8dc053b6e9f1acdb9d9f0c2d1ace00

Download Submit
C:\Windows\{9EAADD22-0D73-476b-90FF-4483274EEA79}.exe

Filesize
64KB

MD5
a94cca9458aaf2f7465a9f3ba22de932

SHA1
5e5d3274d42f8d17ec306590d9f867b558ebed78

SHA256
d3e0df6924436256f668e5292c4c5ef92a877131e6d052c85bf6f2fa89599668

SHA512
3b6afac5fd036d011aedd3ddff2e7240aaacb8bdd9b552f5249b7c661d3775c43e2b81e51527202c1b5c16138e26a8ff62f0316c42f88d1cb2e72f490e5770c5

Download Submit
C:\Windows\{A645C1B1-D0A0-491b-8F75-C5B52460198B}.exe

Filesize
64KB

MD5
009fc17632a4eaa9efbd692d19902029

SHA1
1a20021da8723bd281ed14944b35710ed3c8ac96

SHA256
86edc088d0b1cc5803a494119f710ba26365c94f88ef54002315a43e8e6f6e2f

SHA512
1d336a5a1d07b12f8f0d70e87b3670c6c781027fe3256b2a019ac81feb60ea2df93895a1c2a187f663885669b4fee3f8c1e97ead8c615a531cf1f8cfd5baf382

Download Submit
C:\Windows\{B9C53600-ADA1-4bc9-8F57-0C30B37BD11E}.exe

Filesize
64KB

MD5
8c295349c38dfc783446e8a19c284e19

SHA1
4ee84337b795185b2efbd830c1b55bc142a6bc8a

SHA256
6aeaebdca36992670dc7613c1ccd2ed6e1d5301c0be4bdbe316fb47ef1027668

SHA512
7deb9e1b00512d4f034225729a898f9eb12f5bda783abaaf8fdf5a6edbd63c751e57a09c54d1e9ac197555d5ddc6eeb86cf8a459991460dccc379719748939c6

Download Submit
C:\Windows\{C1330256-5DBF-439f-A30F-BE54E7F52F3F}.exe

Filesize
64KB

MD5
b35c1d606108131543f797c2d27bf01c

SHA1
b41657e33a84e793a2a826215ba79bcea90e0beb

SHA256
d40dd052bdd4473bc9ed89889d500aa5ae25b4683d776f69e19beab0ae4dca2d

SHA512
6fed5b25489c897a105df9be61b7f05e2eb4f1275011b426b882e5f7576228bdf8b7ca66d0f147beb328dc7ff8303780935db79f173c6baa904cd0f215551ff9

Download Submit
C:\Windows\{C3C1D7DF-5763-4332-BD61-EC65A90E6949}.exe

Filesize
64KB

MD5
cd0ec14e6603cc807091eb4ff8bbd6c5

SHA1
4484b44e5f35880698efd215154c54d8510ab912

SHA256
576b4027674463f5babe7f90df096820364ad1f66d73e60f091ed87671a34636

SHA512
96d1c57299e28b677aa32052b425ce0de04d54da1826de5244e173271dcbedd7f6a2d17c38700f6169ff63bf599da47f0161918be60f0d42203da22857f0f7b1

Download Submit
C:\Windows\{FC3C2B12-4B92-4304-804A-C47069BCC1AB}.exe

Filesize
64KB

MD5
83299b174f13e21171512886b3990316

SHA1
f840e1812d8b3cff31d2d662a5611744cea51caf

SHA256
85df034d89ef13832e5880e3fc9f5ab1d49eeaf87dbd5f5aa55de5fe67aa8203

SHA512
0255e341387478d0161ef9c5dc98393d1fc8194c4340971ee58c9afda9f99c5eca91fcbc5d79befd812d1e9c1abcde774b9b73d6468fdc3498f5e9e6b796231e

Download Submit
memory/648-101-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1140-99-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1140-92-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1516-90-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1516-83-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1620-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1620-81-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1784-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1784-68-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1784-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1868-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1868-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2052-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2052-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2156-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2156-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2592-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2592-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2676-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2676-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2696-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2696-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2740-7-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/2740-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2740-8-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/2740-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads