4833e727e9eb9d3707fbab7b540408f8275a58e710afe1b901bf0aa8cef10a98

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe
Size

64KB
MD5

aaf106d3cdb9a3210ce740577b0e5430
SHA1

e23f5271b98b91370db523e364ccadd2049d32b7
SHA256

4833e727e9eb9d3707fbab7b540408f8275a58e710afe1b901bf0aa8cef10a98
SHA512

22a5274a13214a2ff4da5f183a8ef2028016668e5823deb5b8c1a5c91365b04e7c8b51e05c8002b619f4213a576372daab7ce3bd111df549eec77a16dd956c69
SSDEEP

768:Ovw9816JhKQLroC+4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdA:6EG70oC+lwWMZQcpmgDagIyS1loL7WrA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91FCE61E-778E-4d3c-9481-90A502A0E0B2}\stubpath = "C:\\Windows\\{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe"	{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22674B92-AA36-46c9-A062-27D6A721E5EC}	{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}	{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36005EF9-6D6A-4451-8D5A-BBC8E2122924}	{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F664BF05-936C-45b0-85F7-886D17FBCE2F}\stubpath = "C:\\Windows\\{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe"	{A15B8DF8-2928-451e-9026-27B515C37B47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C8045C-F9E6-47a1-ACC8-13852634C9DD}	{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22674B92-AA36-46c9-A062-27D6A721E5EC}\stubpath = "C:\\Windows\\{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe"	{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}	{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}\stubpath = "C:\\Windows\\{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe"	{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}\stubpath = "C:\\Windows\\{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe"	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A15B8DF8-2928-451e-9026-27B515C37B47}	{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F664BF05-936C-45b0-85F7-886D17FBCE2F}	{A15B8DF8-2928-451e-9026-27B515C37B47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91FCE61E-778E-4d3c-9481-90A502A0E0B2}	{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B87E5D3-6438-4927-8BCC-C5F91D10D181}	{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}\stubpath = "C:\\Windows\\{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe"	{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBDEEF8A-9E98-4b12-A2C2-910B3FD443A1}\stubpath = "C:\\Windows\\{EBDEEF8A-9E98-4b12-A2C2-910B3FD443A1}.exe"	{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41742D4E-847A-499b-AFA8-6A0FA095EB6A}	{EBDEEF8A-9E98-4b12-A2C2-910B3FD443A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C8045C-F9E6-47a1-ACC8-13852634C9DD}\stubpath = "C:\\Windows\\{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe"	{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36005EF9-6D6A-4451-8D5A-BBC8E2122924}\stubpath = "C:\\Windows\\{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe"	{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B87E5D3-6438-4927-8BCC-C5F91D10D181}\stubpath = "C:\\Windows\\{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe"	{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBDEEF8A-9E98-4b12-A2C2-910B3FD443A1}	{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41742D4E-847A-499b-AFA8-6A0FA095EB6A}\stubpath = "C:\\Windows\\{41742D4E-847A-499b-AFA8-6A0FA095EB6A}.exe"	{EBDEEF8A-9E98-4b12-A2C2-910B3FD443A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A15B8DF8-2928-451e-9026-27B515C37B47}\stubpath = "C:\\Windows\\{A15B8DF8-2928-451e-9026-27B515C37B47}.exe"	{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe

Executes dropped EXE 12 IoCs

pid	Process
2356	{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe
4924	{A15B8DF8-2928-451e-9026-27B515C37B47}.exe
1396	{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe
1488	{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe
1904	{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe
1824	{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe
3520	{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe
3668	{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe
2988	{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe
2832	{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe
3220	{EBDEEF8A-9E98-4b12-A2C2-910B3FD443A1}.exe
4688	{41742D4E-847A-499b-AFA8-6A0FA095EB6A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EBDEEF8A-9E98-4b12-A2C2-910B3FD443A1}.exe	{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe
File created	C:\Windows\{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe
File created	C:\Windows\{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe	{A15B8DF8-2928-451e-9026-27B515C37B47}.exe
File created	C:\Windows\{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe	{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe
File created	C:\Windows\{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe	{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe
File created	C:\Windows\{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe	{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe
File created	C:\Windows\{41742D4E-847A-499b-AFA8-6A0FA095EB6A}.exe	{EBDEEF8A-9E98-4b12-A2C2-910B3FD443A1}.exe
File created	C:\Windows\{A15B8DF8-2928-451e-9026-27B515C37B47}.exe	{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe
File created	C:\Windows\{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe	{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe
File created	C:\Windows\{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe	{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe
File created	C:\Windows\{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe	{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe
File created	C:\Windows\{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe	{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4884	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2356	{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe
Token: SeIncBasePriorityPrivilege	4924	{A15B8DF8-2928-451e-9026-27B515C37B47}.exe
Token: SeIncBasePriorityPrivilege	1396	{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe
Token: SeIncBasePriorityPrivilege	1488	{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe
Token: SeIncBasePriorityPrivilege	1904	{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe
Token: SeIncBasePriorityPrivilege	1824	{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe
Token: SeIncBasePriorityPrivilege	3520	{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe
Token: SeIncBasePriorityPrivilege	3668	{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe
Token: SeIncBasePriorityPrivilege	2988	{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe
Token: SeIncBasePriorityPrivilege	2832	{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe
Token: SeIncBasePriorityPrivilege	3220	{EBDEEF8A-9E98-4b12-A2C2-910B3FD443A1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 2356	4884	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	88
PID 4884 wrote to memory of 2356	4884	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	88
PID 4884 wrote to memory of 2356	4884	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	88
PID 4884 wrote to memory of 3200	4884	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	89
PID 4884 wrote to memory of 3200	4884	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	89
PID 4884 wrote to memory of 3200	4884	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	89
PID 2356 wrote to memory of 4924	2356	{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe	90
PID 2356 wrote to memory of 4924	2356	{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe	90
PID 2356 wrote to memory of 4924	2356	{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe	90
PID 2356 wrote to memory of 4948	2356	{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe	91
PID 2356 wrote to memory of 4948	2356	{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe	91
PID 2356 wrote to memory of 4948	2356	{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe	91
PID 4924 wrote to memory of 1396	4924	{A15B8DF8-2928-451e-9026-27B515C37B47}.exe	93
PID 4924 wrote to memory of 1396	4924	{A15B8DF8-2928-451e-9026-27B515C37B47}.exe	93
PID 4924 wrote to memory of 1396	4924	{A15B8DF8-2928-451e-9026-27B515C37B47}.exe	93
PID 4924 wrote to memory of 2140	4924	{A15B8DF8-2928-451e-9026-27B515C37B47}.exe	94
PID 4924 wrote to memory of 2140	4924	{A15B8DF8-2928-451e-9026-27B515C37B47}.exe	94
PID 4924 wrote to memory of 2140	4924	{A15B8DF8-2928-451e-9026-27B515C37B47}.exe	94
PID 1396 wrote to memory of 1488	1396	{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe	95
PID 1396 wrote to memory of 1488	1396	{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe	95
PID 1396 wrote to memory of 1488	1396	{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe	95
PID 1396 wrote to memory of 1888	1396	{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe	96
PID 1396 wrote to memory of 1888	1396	{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe	96
PID 1396 wrote to memory of 1888	1396	{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe	96
PID 1488 wrote to memory of 1904	1488	{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe	97
PID 1488 wrote to memory of 1904	1488	{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe	97
PID 1488 wrote to memory of 1904	1488	{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe	97
PID 1488 wrote to memory of 2152	1488	{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe	98
PID 1488 wrote to memory of 2152	1488	{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe	98
PID 1488 wrote to memory of 2152	1488	{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe	98
PID 1904 wrote to memory of 1824	1904	{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe	99
PID 1904 wrote to memory of 1824	1904	{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe	99
PID 1904 wrote to memory of 1824	1904	{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe	99
PID 1904 wrote to memory of 3104	1904	{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe	100
PID 1904 wrote to memory of 3104	1904	{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe	100
PID 1904 wrote to memory of 3104	1904	{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe	100
PID 1824 wrote to memory of 3520	1824	{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe	101
PID 1824 wrote to memory of 3520	1824	{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe	101
PID 1824 wrote to memory of 3520	1824	{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe	101
PID 1824 wrote to memory of 4316	1824	{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe	102
PID 1824 wrote to memory of 4316	1824	{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe	102
PID 1824 wrote to memory of 4316	1824	{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe	102
PID 3520 wrote to memory of 3668	3520	{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe	103
PID 3520 wrote to memory of 3668	3520	{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe	103
PID 3520 wrote to memory of 3668	3520	{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe	103
PID 3520 wrote to memory of 2144	3520	{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe	104
PID 3520 wrote to memory of 2144	3520	{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe	104
PID 3520 wrote to memory of 2144	3520	{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe	104
PID 3668 wrote to memory of 2988	3668	{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe	105
PID 3668 wrote to memory of 2988	3668	{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe	105
PID 3668 wrote to memory of 2988	3668	{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe	105
PID 3668 wrote to memory of 2980	3668	{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe	106
PID 3668 wrote to memory of 2980	3668	{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe	106
PID 3668 wrote to memory of 2980	3668	{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe	106
PID 2988 wrote to memory of 2832	2988	{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe	107
PID 2988 wrote to memory of 2832	2988	{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe	107
PID 2988 wrote to memory of 2832	2988	{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe	107
PID 2988 wrote to memory of 4512	2988	{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe	108
PID 2988 wrote to memory of 4512	2988	{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe	108
PID 2988 wrote to memory of 4512	2988	{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe	108
PID 2832 wrote to memory of 3220	2832	{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe	109
PID 2832 wrote to memory of 3220	2832	{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe	109
PID 2832 wrote to memory of 3220	2832	{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe	109
PID 2832 wrote to memory of 1412	2832	{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe	110

C:\Users\Admin\AppData\Local\Temp\aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe
  C:\Windows\{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\{A15B8DF8-2928-451e-9026-27B515C37B47}.exe
    C:\Windows\{A15B8DF8-2928-451e-9026-27B515C37B47}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe
      C:\Windows\{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Windows\{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe
        
        C:\Windows\{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Windows\{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe
        
        C:\Windows\{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe
        
        C:\Windows\{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe
        
        C:\Windows\{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe
        
        C:\Windows\{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe
        
        C:\Windows\{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe
        
        C:\Windows\{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{EBDEEF8A-9E98-4b12-A2C2-910B3FD443A1}.exe
        
        C:\Windows\{EBDEEF8A-9E98-4b12-A2C2-910B3FD443A1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
        
        C:\Windows\{41742D4E-847A-499b-AFA8-6A0FA095EB6A}.exe
        
        C:\Windows\{41742D4E-847A-499b-AFA8-6A0FA095EB6A}.exe
        13⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBDEE~1.EXE > nul
        13⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B05A~1.EXE > nul
        12⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FAC4~1.EXE > nul
        11⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B87E~1.EXE > nul
        10⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22674~1.EXE > nul
        9⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91FCE~1.EXE > nul
        8⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36005~1.EXE > nul
        7⤵
        
        PID:3104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15C80~1.EXE > nul
        6⤵
        
        PID:2152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F664B~1.EXE > nul
        5⤵
        
        PID:1888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A15B8~1.EXE > nul
      4⤵
      PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8D0AE~1.EXE > nul
    3⤵
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AAF106~1.EXE > nul
  2⤵
  PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15C8045C-F9E6-47a1-ACC8-13852634C9DD}.exe

Filesize
64KB

MD5
b3fdaee32ee41f2e54dda4e40a412f58

SHA1
7beeb3be3d5eeb58da60cce8973255e3c62acae0

SHA256
296def3eec7c7f7885e190c48789b16e5796a052bc522d5b93b22bb1948cf52b

SHA512
f59881fb0dfafdbfa682f3d472f39698653462cf446051b7504192d77d94adf7b4de1ae0d656b56069f82c2fe582184df181a9523b16739b03d2e595996300a0

Download Submit
C:\Windows\{22674B92-AA36-46c9-A062-27D6A721E5EC}.exe

Filesize
64KB

MD5
d858c27f52de23485ed7068437bc0215

SHA1
535ebe0f656bffe770719883eea75370121b8d59

SHA256
a7e547d739cae8555f9160e586096770bb5974e58dcc3f4b249532508597c9c6

SHA512
48f4b644d8731f9451ddd7507a5f3168deaf79394368720a17fa57c8dcb077de18d62ec75f9b913fdbc4228eda9e7f0d5354b9ba74a1f765365aaf2e6beae80c

Download Submit
C:\Windows\{36005EF9-6D6A-4451-8D5A-BBC8E2122924}.exe

Filesize
64KB

MD5
6c49d88c107aec2ebc23a32189013862

SHA1
75be47c7dd1e93c025498bc8312fc8ca2be27eee

SHA256
510a640083e5d6a78e36b99e9f72a086d98f2ea23e1b00a8ef42f84140e60efc

SHA512
f6d1a570e4afaa57075588e73a0ecefff92afb8776f0116688e958a481c85e9dba2dc375a1a8b00009bac57d87b4f8a12aed577d76a9c240b66f82ba665f8410

Download Submit
C:\Windows\{41742D4E-847A-499b-AFA8-6A0FA095EB6A}.exe

Filesize
64KB

MD5
873842070be16c7ae5dd7e7246a78744

SHA1
3bce6214aee265e24ccf88ce7b39164dff9b56e0

SHA256
3b4c5ca74b561d5e8d7f734af7c925539d93928d5e3d1c65321766fb71c50d84

SHA512
973c3b937bdccff249113ee435b3e6cbdd62abed80419c1390b50579e68decbdacf67006671a678fc7199c0783c709aa4438a19712bbc04c6e7a3d6f821f9a6e

Download Submit
C:\Windows\{5B05A3D4-4F89-41ec-AE7C-B96AA2F96A7F}.exe

Filesize
64KB

MD5
c28d3ddfab491af67f702772d33c94f4

SHA1
963e4ae80f98c7aff761bd984772fa5e6ecbc893

SHA256
d997706f177b1a53185965175b1d45d522f4014e56879913fe255e580ff78b98

SHA512
12b50ec1ed9db0e7a6f14dcc2c37a68adc785e8606883060c179677796e9672cea0b6771299ba43798a009724c3a6299828d38abc01d06d5ed2ffbfbdcbe987e

Download Submit
C:\Windows\{6FAC4C01-8EAF-4dff-9642-3D3D6DF51A51}.exe

Filesize
64KB

MD5
dfc5307e9e570af791643ddebcd629f6

SHA1
7bc7c918870bfa1fa40153f9aace76307c42e476

SHA256
bcaf5d93509840aa1cf0d98f6382754c40c198a9090ac991f583f55c6ad5a656

SHA512
be602557183ec6107f9311b14f061faac5d55d25009f3c01ff95d291e8ab2f65a74c894173bd0b4b9021de5a87992451ac341bb2c21be6fdfa72ece7355de56e

Download Submit
C:\Windows\{8D0AEF2C-B5C7-4320-8E2D-A35C32E78C8C}.exe

Filesize
64KB

MD5
1dba89750c7eb4c9fcbb0ee63ad25951

SHA1
3ec965df47509627333dd7d2b101c5adc9e00052

SHA256
8078ec697edaa7676b40170d8afa14718f216f231192bb689cf6afe408b95b1b

SHA512
c57bce551f594ad173e51f25e196e4910f15bd3c9019558824b34da2e5868674fa940a09fc8869eb48b335b80448c13d97cf7a0a82eae98201d5fcea2304befa

Download Submit
C:\Windows\{91FCE61E-778E-4d3c-9481-90A502A0E0B2}.exe

Filesize
64KB

MD5
480845ff9725d522bea0ab4e4f5c0706

SHA1
c250c22fb2b6fabc0f8c41c963e495284e78707c

SHA256
c457f2e189d8a40e621e9dca842b95304dc4e6d762e877e4752939e156f4f5f6

SHA512
2865fc73a4c165778529f13a376b8943d9b5a39c9a729085a3eea0768986f32b6af31fd04b952478428f2c392591bbb1202b9cdd84e83740dbbbd474f2410797

Download Submit
C:\Windows\{9B87E5D3-6438-4927-8BCC-C5F91D10D181}.exe

Filesize
64KB

MD5
da18683098af878ff3f4055c2dd16360

SHA1
57f5101e67398c17814e517b5dd2fe99218c79f0

SHA256
2ce4018942cd1d75dc793ff5ec073ceb88f64b514c82b24685083db62dbe81db

SHA512
2c7cb322e70f64aae0db7c1cc4bf37e88fc49746d01ec37c18e140ce2d63f266c94dd3410c96bf7a15f787d24654901d41701e3a09c98850e856366157e77644

Download Submit
C:\Windows\{A15B8DF8-2928-451e-9026-27B515C37B47}.exe

Filesize
64KB

MD5
4b208e7674af21872818350aa0156c74

SHA1
f82a4c91ae6f551ed835fbeda8c237c3a50ed749

SHA256
e966c0542a6d08043fb053e553b83a6d2db87c221f5875900b006d2f7e20c336

SHA512
797358cb08e249b2dc82dc63075c56e872a8fc168e517f2f7bda56293383e166632e94ea28efdc252df6738a61825cfd7ad0ca1c515f10d38515844a24c4257b

Download Submit
C:\Windows\{EBDEEF8A-9E98-4b12-A2C2-910B3FD443A1}.exe

Filesize
64KB

MD5
c1331b76a0eec82bd7c9cf2bef7525af

SHA1
1a196a48c1ff832b40c7ceedd3b7499771ca9ff2

SHA256
e37800ba1ed8ea1764744bf30ed91de69d585029efeb867f9ad2ff00dd0f7b88

SHA512
6b5d3d375e2aef51666a2c9c61ab5218c92f64b81c79dd636907e78c2d9b58b15640c50e54df732176d39d303d48455284f0aab1ad23df5d915b4d55dbf1ac26

Download Submit
C:\Windows\{F664BF05-936C-45b0-85F7-886D17FBCE2F}.exe

Filesize
64KB

MD5
4ed14b79cbb9f2389257590d5ed48a91

SHA1
65c0dbc375396e8a2c6832b6d99baf4d493898c4

SHA256
c47063269103264f02d19a5f729b0904a3122760d9d492454780510e8517a87b

SHA512
6fe40545325ada4c35793ba82ac4998c2b957c463d8d4f78bea1da9a12cceba7e80d0c3451321d64c7a7e52e537d1a5a83885eb2cfc3efc1fb3c06d32db6b892

Download Submit
memory/1396-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1396-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1488-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1488-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1824-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1824-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1904-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1904-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2356-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2356-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2832-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2832-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2988-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2988-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3220-66-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3220-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3520-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3520-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3668-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3668-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4688-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4884-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4884-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4924-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4924-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads