2c37c9d71d8e4e24698d966dfcc7c1142d43ae90eee4e225412554bf2ac02da3

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe
Size

88KB
MD5

3a6118f5fa133f6f44b507c61fb9c430
SHA1

ea24550c819b404c8d946b1a202de242b1059876
SHA256

2c37c9d71d8e4e24698d966dfcc7c1142d43ae90eee4e225412554bf2ac02da3
SHA512

72479348c654e2277c7010585b83fa328343f6a02f82df769ec4cda96323d85b0a2144a81d398b492434d390dafb49f40cd67ed93e43c4a6648c45c0efeb1804
SSDEEP

768:Qvw9816vhKQLroN4/wQRNrfrunMxVFA3b7gln:YEGh0oNl2unMxVS3Hg1

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FE38568-B8BC-4467-A410-2693B1A58E14}	{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{471260DE-11AD-4ff7-9D2D-5A90B858F31C}\stubpath = "C:\\Windows\\{471260DE-11AD-4ff7-9D2D-5A90B858F31C}.exe"	{DC676C4F-4360-4925-8C6E-A333E1150B00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}	{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}\stubpath = "C:\\Windows\\{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe"	{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}\stubpath = "C:\\Windows\\{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe"	{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FE38568-B8BC-4467-A410-2693B1A58E14}\stubpath = "C:\\Windows\\{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe"	{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}	{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC676C4F-4360-4925-8C6E-A333E1150B00}	{2403314F-D5C6-410b-846C-17595B0C5CEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC676C4F-4360-4925-8C6E-A333E1150B00}\stubpath = "C:\\Windows\\{DC676C4F-4360-4925-8C6E-A333E1150B00}.exe"	{2403314F-D5C6-410b-846C-17595B0C5CEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{471260DE-11AD-4ff7-9D2D-5A90B858F31C}	{DC676C4F-4360-4925-8C6E-A333E1150B00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73297B0A-E91C-46b8-93F7-6DBA210188F8}\stubpath = "C:\\Windows\\{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe"	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32B90DCB-10D9-46bb-8C0E-A07C452BD561}\stubpath = "C:\\Windows\\{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe"	{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{259B7331-BA79-4cdb-9578-8E93B33A94FF}	{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2403314F-D5C6-410b-846C-17595B0C5CEB}	{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA9AE7C-8486-459f-9472-CFE11DF03D0F}\stubpath = "C:\\Windows\\{9AA9AE7C-8486-459f-9472-CFE11DF03D0F}.exe"	{471260DE-11AD-4ff7-9D2D-5A90B858F31C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32B90DCB-10D9-46bb-8C0E-A07C452BD561}	{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}	{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}\stubpath = "C:\\Windows\\{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe"	{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA9AE7C-8486-459f-9472-CFE11DF03D0F}	{471260DE-11AD-4ff7-9D2D-5A90B858F31C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73297B0A-E91C-46b8-93F7-6DBA210188F8}	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{259B7331-BA79-4cdb-9578-8E93B33A94FF}\stubpath = "C:\\Windows\\{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe"	{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2403314F-D5C6-410b-846C-17595B0C5CEB}\stubpath = "C:\\Windows\\{2403314F-D5C6-410b-846C-17595B0C5CEB}.exe"	{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2936	{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe
2676	{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe
2580	{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe
1192	{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe
2860	{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe
2716	{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe
1672	{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe
2800	{2403314F-D5C6-410b-846C-17595B0C5CEB}.exe
340	{DC676C4F-4360-4925-8C6E-A333E1150B00}.exe
1584	{471260DE-11AD-4ff7-9D2D-5A90B858F31C}.exe
1464	{9AA9AE7C-8486-459f-9472-CFE11DF03D0F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe
File created	C:\Windows\{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe	{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe
File created	C:\Windows\{2403314F-D5C6-410b-846C-17595B0C5CEB}.exe	{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe
File created	C:\Windows\{471260DE-11AD-4ff7-9D2D-5A90B858F31C}.exe	{DC676C4F-4360-4925-8C6E-A333E1150B00}.exe
File created	C:\Windows\{9AA9AE7C-8486-459f-9472-CFE11DF03D0F}.exe	{471260DE-11AD-4ff7-9D2D-5A90B858F31C}.exe
File created	C:\Windows\{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe	{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe
File created	C:\Windows\{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe	{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe
File created	C:\Windows\{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe	{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe
File created	C:\Windows\{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe	{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe
File created	C:\Windows\{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe	{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe
File created	C:\Windows\{DC676C4F-4360-4925-8C6E-A333E1150B00}.exe	{2403314F-D5C6-410b-846C-17595B0C5CEB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2012	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2936	{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe
Token: SeIncBasePriorityPrivilege	2676	{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe
Token: SeIncBasePriorityPrivilege	2580	{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe
Token: SeIncBasePriorityPrivilege	1192	{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe
Token: SeIncBasePriorityPrivilege	2860	{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe
Token: SeIncBasePriorityPrivilege	2716	{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe
Token: SeIncBasePriorityPrivilege	1672	{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe
Token: SeIncBasePriorityPrivilege	2800	{2403314F-D5C6-410b-846C-17595B0C5CEB}.exe
Token: SeIncBasePriorityPrivilege	340	{DC676C4F-4360-4925-8C6E-A333E1150B00}.exe
Token: SeIncBasePriorityPrivilege	1584	{471260DE-11AD-4ff7-9D2D-5A90B858F31C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2936	2012	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 2936	2012	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 2936	2012	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 2936	2012	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 2932	2012	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	29
PID 2012 wrote to memory of 2932	2012	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	29
PID 2012 wrote to memory of 2932	2012	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	29
PID 2012 wrote to memory of 2932	2012	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	29
PID 2936 wrote to memory of 2676	2936	{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe	30
PID 2936 wrote to memory of 2676	2936	{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe	30
PID 2936 wrote to memory of 2676	2936	{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe	30
PID 2936 wrote to memory of 2676	2936	{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe	30
PID 2936 wrote to memory of 2744	2936	{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe	31
PID 2936 wrote to memory of 2744	2936	{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe	31
PID 2936 wrote to memory of 2744	2936	{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe	31
PID 2936 wrote to memory of 2744	2936	{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe	31
PID 2676 wrote to memory of 2580	2676	{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe	32
PID 2676 wrote to memory of 2580	2676	{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe	32
PID 2676 wrote to memory of 2580	2676	{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe	32
PID 2676 wrote to memory of 2580	2676	{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe	32
PID 2676 wrote to memory of 2768	2676	{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe	33
PID 2676 wrote to memory of 2768	2676	{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe	33
PID 2676 wrote to memory of 2768	2676	{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe	33
PID 2676 wrote to memory of 2768	2676	{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe	33
PID 2580 wrote to memory of 1192	2580	{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe	36
PID 2580 wrote to memory of 1192	2580	{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe	36
PID 2580 wrote to memory of 1192	2580	{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe	36
PID 2580 wrote to memory of 1192	2580	{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe	36
PID 2580 wrote to memory of 2216	2580	{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe	37
PID 2580 wrote to memory of 2216	2580	{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe	37
PID 2580 wrote to memory of 2216	2580	{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe	37
PID 2580 wrote to memory of 2216	2580	{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe	37
PID 1192 wrote to memory of 2860	1192	{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe	38
PID 1192 wrote to memory of 2860	1192	{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe	38
PID 1192 wrote to memory of 2860	1192	{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe	38
PID 1192 wrote to memory of 2860	1192	{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe	38
PID 1192 wrote to memory of 2864	1192	{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe	39
PID 1192 wrote to memory of 2864	1192	{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe	39
PID 1192 wrote to memory of 2864	1192	{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe	39
PID 1192 wrote to memory of 2864	1192	{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe	39
PID 2860 wrote to memory of 2716	2860	{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe	40
PID 2860 wrote to memory of 2716	2860	{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe	40
PID 2860 wrote to memory of 2716	2860	{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe	40
PID 2860 wrote to memory of 2716	2860	{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe	40
PID 2860 wrote to memory of 2028	2860	{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe	41
PID 2860 wrote to memory of 2028	2860	{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe	41
PID 2860 wrote to memory of 2028	2860	{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe	41
PID 2860 wrote to memory of 2028	2860	{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe	41
PID 2716 wrote to memory of 1672	2716	{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe	42
PID 2716 wrote to memory of 1672	2716	{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe	42
PID 2716 wrote to memory of 1672	2716	{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe	42
PID 2716 wrote to memory of 1672	2716	{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe	42
PID 2716 wrote to memory of 1784	2716	{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe	43
PID 2716 wrote to memory of 1784	2716	{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe	43
PID 2716 wrote to memory of 1784	2716	{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe	43
PID 2716 wrote to memory of 1784	2716	{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe	43
PID 1672 wrote to memory of 2800	1672	{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe	44
PID 1672 wrote to memory of 2800	1672	{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe	44
PID 1672 wrote to memory of 2800	1672	{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe	44
PID 1672 wrote to memory of 2800	1672	{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe	44
PID 1672 wrote to memory of 536	1672	{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe	45
PID 1672 wrote to memory of 536	1672	{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe	45
PID 1672 wrote to memory of 536	1672	{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe	45
PID 1672 wrote to memory of 536	1672	{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe	45

C:\Users\Admin\AppData\Local\Temp\3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe
  C:\Windows\{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe
    C:\Windows\{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe
      C:\Windows\{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe
        
        C:\Windows\{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Windows\{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe
        
        C:\Windows\{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe
        
        C:\Windows\{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe
        
        C:\Windows\{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{2403314F-D5C6-410b-846C-17595B0C5CEB}.exe
        
        C:\Windows\{2403314F-D5C6-410b-846C-17595B0C5CEB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\{DC676C4F-4360-4925-8C6E-A333E1150B00}.exe
        
        C:\Windows\{DC676C4F-4360-4925-8C6E-A333E1150B00}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\{471260DE-11AD-4ff7-9D2D-5A90B858F31C}.exe
        
        C:\Windows\{471260DE-11AD-4ff7-9D2D-5A90B858F31C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\{9AA9AE7C-8486-459f-9472-CFE11DF03D0F}.exe
        
        C:\Windows\{9AA9AE7C-8486-459f-9472-CFE11DF03D0F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47126~1.EXE > nul
        12⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC676~1.EXE > nul
        11⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24033~1.EXE > nul
        10⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B48C7~1.EXE > nul
        9⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FE38~1.EXE > nul
        8⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5752~1.EXE > nul
        7⤵
        
        PID:2028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B576B~1.EXE > nul
        6⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{259B7~1.EXE > nul
        5⤵
        
        PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{32B90~1.EXE > nul
      4⤵
      PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{73297~1.EXE > nul
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A6118~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2403314F-D5C6-410b-846C-17595B0C5CEB}.exe

Filesize
88KB

MD5
d24973d5e8607a7538c2066a8b9e532c

SHA1
2121d3d0d4c14093dd6bb545652eaeae574d6056

SHA256
597561873ee87b8c1203c129a28c0b5cab0441846ec0ac7fccf21b97eab3891d

SHA512
bcd852b40d3e81292729f90f889fc0c268919736df20b81b62bcd05eca7f33b162a1ebab4cd1102d5fdc791f86a882592cbe250a9081b9fa1af5ed35b2df4870

Download Submit
C:\Windows\{259B7331-BA79-4cdb-9578-8E93B33A94FF}.exe

Filesize
88KB

MD5
7c999e24a2279ca4f7adaa87513cde6d

SHA1
bb48f2c5ab741eb12e2437ac0e850c1af3c09517

SHA256
1dcb3a95e9984661071916e40ac986c018a31c1b696a101a01d33a037a71c94a

SHA512
d3a6e1b4e18706bd441d1627d463d10a3b22b4c632d3ac233176c587e42b38ed13bb27fe3ac85451d9406c242a88424e44fb59081b85a44b6cf8939a898135c1

Download Submit
C:\Windows\{32B90DCB-10D9-46bb-8C0E-A07C452BD561}.exe

Filesize
88KB

MD5
224cc1a315fea737835d5ba35e9e5ec4

SHA1
59acd64f7529f24dd71c2e887b37f3d257aab137

SHA256
2d96ce667235cac89cff65d59272b373052b927def2e4f041ef35848f9324f1f

SHA512
3dac2914bab7a051277a8ec76c34d4c37444638413ee2def7e8d8ba33e7b9a22e3b6d84e4beedb2ed4e36b667b36a1d296e9a811b052f1bf8e1e00bd219dda0e

Download Submit
C:\Windows\{471260DE-11AD-4ff7-9D2D-5A90B858F31C}.exe

Filesize
88KB

MD5
c74185e82a8982cab64fc2abffb66a33

SHA1
eb347b2561fa4303664b4432f22f0c3668532f51

SHA256
7aab9fe66fdd7bb3012b63c6674873d198e0a35d277ec63d5e44be2e33bbed10

SHA512
07b61cbc4ebd49cb8a7709dcb4bc6a32220588810c12490dcf8762ec28f931f75dacc3b3b57cca93ab20892905b174799761e684bdb8d8bdced934f02251b831

Download Submit
C:\Windows\{73297B0A-E91C-46b8-93F7-6DBA210188F8}.exe

Filesize
88KB

MD5
59704147e978f1ca2d4b16c24ee4d791

SHA1
c0c71e981f4840e61935bde53459e11fae1aa910

SHA256
66259fd0a4027b656b4b2394cba76f512762df438e86f287c623e62999e0a9f0

SHA512
2872f67aa76ab5a84ec454682e200220133663bc216113c017e56640b1c6f293289e42ac9263fc39aa061a7ae5a16e1ed74e16470d05b6eb3ed022ad4c9fc649

Download Submit
C:\Windows\{7FE38568-B8BC-4467-A410-2693B1A58E14}.exe

Filesize
88KB

MD5
e276246e239415c968df4a99392e1181

SHA1
16abd564ddbe40243658470ed29d9f7c6e0b5a34

SHA256
7c03d030ed977dc233df2d49c50b579ec61adbce9443f62299d34be1d8b7c502

SHA512
8bd9b64f3d76521cafece496cda910581efe448203bbbc4f10b97347a76d8c8bba43541b0edc4d65c95fc8b8d63f03a7e1e99efe79cca417e081686d84fae979

Download Submit
C:\Windows\{9AA9AE7C-8486-459f-9472-CFE11DF03D0F}.exe

Filesize
88KB

MD5
33a273e91931256f00e6f77e28ca8bb6

SHA1
1b7b072bd0e5f98f69c99c2552cb7963813afd1e

SHA256
8a969624bb6981f8641040d6313bc15eab10759ede9145f9835d3f3ad716c91c

SHA512
b281cd7a629b42ea6a5c0c17992ae6c90a5b2fe97be46fe6d2976f71d1a1f0cb92c7dde917546ca65f3d135219c901de96f860091c5b18dbe7b66ee8616da7b0

Download Submit
C:\Windows\{B48C7BBF-BCBE-4b66-BCE0-CD66B385BCFC}.exe

Filesize
88KB

MD5
3a085bccca4e67941318c6049691e44b

SHA1
4a32f8bf5859d42f8fcccf6874d5ed9039bd7bfa

SHA256
eb637681ffd6f51d83848a961783175d70a1eacbcad5d2f9c5680367a154c4fe

SHA512
9c3ce17b6e0f3d27e0fb593f21c1bda82d956b84d726d47da52b93323108e6fcc4872e53f513097d0dbac9364d6a9a42bbf355dad7ceff4b2dc13788b9b4cad4

Download Submit
C:\Windows\{B576BC3D-F02A-46ed-A5D8-51BD1DDA4FDB}.exe

Filesize
88KB

MD5
26dcb9917867e95e4b3477ee59df9d2d

SHA1
1a59d835d97487e2ffdca55bd0118b6042ed4379

SHA256
ee2170a139611aab3524a377ef25816df95ba487abbfbc973e147704cb0f2a6d

SHA512
7e775f485fe4aeffb3c4da3a1420bf1bcab9c4e69f4f18fea334c5f38ce2d310377ad16b15e5b0113bda62b30c085f597fbe81c4f40915693228859460a16b26

Download Submit
C:\Windows\{D5752679-C572-4a0b-B055-C7C6FE7DFCAF}.exe

Filesize
88KB

MD5
6cdbdfe8331a45d2c4add2d7e7a12cbf

SHA1
45b2b31e682525f60180bf03677222d0f599684b

SHA256
2b1e1798993ca46fcdf41f59318008c7cb7b51ffca4dfab102bc7cfda3b8db7f

SHA512
b250d9fb884378e000af49a572393eec11bbe5c40957a10ac38f7353f3a2c992ecc3ce9f7eecf96499c331c7eafd496185446f6f620c3fead06c98446397c763

Download Submit
C:\Windows\{DC676C4F-4360-4925-8C6E-A333E1150B00}.exe

Filesize
88KB

MD5
12ddf499a4934ed497e524358aea2f17

SHA1
bccec707b2ff30ce05807962d684ca102eb01b4b

SHA256
6459fb1859b80172c4c6bda84ad6aed4a2e5147d06412285cbca5b8ef8e58660

SHA512
79b951e50f245bb3a9dab1bbb020e2e4709c6a78cb189620da0e8c6c998e3d059d53d7e65dc57bf44147338090d3712dada9fc22a6b972d5c611d9b3e13f2b66

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads