a3ee938fd50270ae98fce245d0f01293371481a4524aa1ab8c110689b26bdb3a

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe
Size

64KB
MD5

1dac16f56ee63b1b03619138ae17a3a0
SHA1

da64ac5abb26c717672ca27e455aaac690ff99ac
SHA256

a3ee938fd50270ae98fce245d0f01293371481a4524aa1ab8c110689b26bdb3a
SHA512

82e2cb5d4cba9d93b857870cabf2d94a423026b90129909d2e10f9b346084b19cbcedef4ad2055575a3f98c29a0cc7d871f82923c9da66dd738060fb6c798540
SSDEEP

768:Ovw9816ihKQLroCb4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdu:6EGU0oCblwWMZQcpmgDagIyS1loL7Wru

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB85C00D-8F30-45d2-9986-683CCDE78471}	{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C463BFC4-9701-4720-9C41-38633461A57E}	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46206A09-B10C-4d36-A366-BDBF6B1D6167}	{C463BFC4-9701-4720-9C41-38633461A57E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46206A09-B10C-4d36-A366-BDBF6B1D6167}\stubpath = "C:\\Windows\\{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe"	{C463BFC4-9701-4720-9C41-38633461A57E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}	{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{985BD3EC-7F13-446a-BD07-9FC84B0671B6}	{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5021EA34-9286-4140-8CFE-6C9ACF8C2777}\stubpath = "C:\\Windows\\{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe"	{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D696EB11-E75A-4b48-B48E-502F4B06BDE4}	{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85B1B5E0-B131-49da-B4ED-320CB60E086B}	{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C463BFC4-9701-4720-9C41-38633461A57E}\stubpath = "C:\\Windows\\{C463BFC4-9701-4720-9C41-38633461A57E}.exe"	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}\stubpath = "C:\\Windows\\{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe"	{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB1B4ED7-50C5-4541-9D18-C1918427C199}	{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB1B4ED7-50C5-4541-9D18-C1918427C199}\stubpath = "C:\\Windows\\{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe"	{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{267A986E-E4A5-476f-8A9A-A60B4C87EB97}	{85B1B5E0-B131-49da-B4ED-320CB60E086B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{267A986E-E4A5-476f-8A9A-A60B4C87EB97}\stubpath = "C:\\Windows\\{267A986E-E4A5-476f-8A9A-A60B4C87EB97}.exe"	{85B1B5E0-B131-49da-B4ED-320CB60E086B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5021EA34-9286-4140-8CFE-6C9ACF8C2777}	{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D696EB11-E75A-4b48-B48E-502F4B06BDE4}\stubpath = "C:\\Windows\\{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe"	{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}	{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85B1B5E0-B131-49da-B4ED-320CB60E086B}\stubpath = "C:\\Windows\\{85B1B5E0-B131-49da-B4ED-320CB60E086B}.exe"	{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}\stubpath = "C:\\Windows\\{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe"	{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB85C00D-8F30-45d2-9986-683CCDE78471}\stubpath = "C:\\Windows\\{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe"	{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{985BD3EC-7F13-446a-BD07-9FC84B0671B6}\stubpath = "C:\\Windows\\{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe"	{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E652ADB-F3A1-4658-9A84-90BA5D54134D}	{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E652ADB-F3A1-4658-9A84-90BA5D54134D}\stubpath = "C:\\Windows\\{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe"	{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe

Executes dropped EXE 12 IoCs

pid	Process
4064	{C463BFC4-9701-4720-9C41-38633461A57E}.exe
3928	{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe
2276	{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe
2428	{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe
4484	{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe
2072	{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe
3332	{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe
2556	{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe
4376	{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe
4804	{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe
5008	{85B1B5E0-B131-49da-B4ED-320CB60E086B}.exe
8	{267A986E-E4A5-476f-8A9A-A60B4C87EB97}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe	{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe
File created	C:\Windows\{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe	{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe
File created	C:\Windows\{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe	{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe
File created	C:\Windows\{C463BFC4-9701-4720-9C41-38633461A57E}.exe	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe
File created	C:\Windows\{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe	{C463BFC4-9701-4720-9C41-38633461A57E}.exe
File created	C:\Windows\{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe	{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe
File created	C:\Windows\{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe	{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe
File created	C:\Windows\{85B1B5E0-B131-49da-B4ED-320CB60E086B}.exe	{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe
File created	C:\Windows\{267A986E-E4A5-476f-8A9A-A60B4C87EB97}.exe	{85B1B5E0-B131-49da-B4ED-320CB60E086B}.exe
File created	C:\Windows\{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe	{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe
File created	C:\Windows\{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe	{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe
File created	C:\Windows\{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe	{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1092	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4064	{C463BFC4-9701-4720-9C41-38633461A57E}.exe
Token: SeIncBasePriorityPrivilege	3928	{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe
Token: SeIncBasePriorityPrivilege	2276	{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe
Token: SeIncBasePriorityPrivilege	2428	{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe
Token: SeIncBasePriorityPrivilege	4484	{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe
Token: SeIncBasePriorityPrivilege	2072	{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe
Token: SeIncBasePriorityPrivilege	3332	{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe
Token: SeIncBasePriorityPrivilege	2556	{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe
Token: SeIncBasePriorityPrivilege	4376	{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe
Token: SeIncBasePriorityPrivilege	4804	{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe
Token: SeIncBasePriorityPrivilege	5008	{85B1B5E0-B131-49da-B4ED-320CB60E086B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 4064	1092	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	93
PID 1092 wrote to memory of 4064	1092	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	93
PID 1092 wrote to memory of 4064	1092	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	93
PID 1092 wrote to memory of 4540	1092	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	94
PID 1092 wrote to memory of 4540	1092	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	94
PID 1092 wrote to memory of 4540	1092	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	94
PID 4064 wrote to memory of 3928	4064	{C463BFC4-9701-4720-9C41-38633461A57E}.exe	95
PID 4064 wrote to memory of 3928	4064	{C463BFC4-9701-4720-9C41-38633461A57E}.exe	95
PID 4064 wrote to memory of 3928	4064	{C463BFC4-9701-4720-9C41-38633461A57E}.exe	95
PID 4064 wrote to memory of 4684	4064	{C463BFC4-9701-4720-9C41-38633461A57E}.exe	96
PID 4064 wrote to memory of 4684	4064	{C463BFC4-9701-4720-9C41-38633461A57E}.exe	96
PID 4064 wrote to memory of 4684	4064	{C463BFC4-9701-4720-9C41-38633461A57E}.exe	96
PID 3928 wrote to memory of 2276	3928	{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe	99
PID 3928 wrote to memory of 2276	3928	{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe	99
PID 3928 wrote to memory of 2276	3928	{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe	99
PID 3928 wrote to memory of 3644	3928	{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe	100
PID 3928 wrote to memory of 3644	3928	{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe	100
PID 3928 wrote to memory of 3644	3928	{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe	100
PID 2276 wrote to memory of 2428	2276	{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe	101
PID 2276 wrote to memory of 2428	2276	{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe	101
PID 2276 wrote to memory of 2428	2276	{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe	101
PID 2276 wrote to memory of 1108	2276	{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe	102
PID 2276 wrote to memory of 1108	2276	{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe	102
PID 2276 wrote to memory of 1108	2276	{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe	102
PID 2428 wrote to memory of 4484	2428	{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe	103
PID 2428 wrote to memory of 4484	2428	{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe	103
PID 2428 wrote to memory of 4484	2428	{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe	103
PID 2428 wrote to memory of 2424	2428	{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe	104
PID 2428 wrote to memory of 2424	2428	{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe	104
PID 2428 wrote to memory of 2424	2428	{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe	104
PID 4484 wrote to memory of 2072	4484	{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe	106
PID 4484 wrote to memory of 2072	4484	{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe	106
PID 4484 wrote to memory of 2072	4484	{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe	106
PID 4484 wrote to memory of 3632	4484	{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe	107
PID 4484 wrote to memory of 3632	4484	{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe	107
PID 4484 wrote to memory of 3632	4484	{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe	107
PID 2072 wrote to memory of 3332	2072	{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe	108
PID 2072 wrote to memory of 3332	2072	{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe	108
PID 2072 wrote to memory of 3332	2072	{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe	108
PID 2072 wrote to memory of 1304	2072	{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe	109
PID 2072 wrote to memory of 1304	2072	{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe	109
PID 2072 wrote to memory of 1304	2072	{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe	109
PID 3332 wrote to memory of 2556	3332	{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe	114
PID 3332 wrote to memory of 2556	3332	{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe	114
PID 3332 wrote to memory of 2556	3332	{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe	114
PID 3332 wrote to memory of 3780	3332	{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe	115
PID 3332 wrote to memory of 3780	3332	{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe	115
PID 3332 wrote to memory of 3780	3332	{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe	115
PID 2556 wrote to memory of 4376	2556	{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe	120
PID 2556 wrote to memory of 4376	2556	{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe	120
PID 2556 wrote to memory of 4376	2556	{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe	120
PID 2556 wrote to memory of 228	2556	{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe	121
PID 2556 wrote to memory of 228	2556	{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe	121
PID 2556 wrote to memory of 228	2556	{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe	121
PID 4376 wrote to memory of 4804	4376	{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe	122
PID 4376 wrote to memory of 4804	4376	{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe	122
PID 4376 wrote to memory of 4804	4376	{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe	122
PID 4376 wrote to memory of 3640	4376	{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe	123
PID 4376 wrote to memory of 3640	4376	{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe	123
PID 4376 wrote to memory of 3640	4376	{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe	123
PID 4804 wrote to memory of 5008	4804	{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe	127
PID 4804 wrote to memory of 5008	4804	{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe	127
PID 4804 wrote to memory of 5008	4804	{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe	127
PID 4804 wrote to memory of 5004	4804	{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe	128

C:\Users\Admin\AppData\Local\Temp\1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\{C463BFC4-9701-4720-9C41-38633461A57E}.exe
  C:\Windows\{C463BFC4-9701-4720-9C41-38633461A57E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe
    C:\Windows\{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe
      C:\Windows\{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Windows\{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe
        
        C:\Windows\{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe
        
        C:\Windows\{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe
        
        C:\Windows\{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe
        
        C:\Windows\{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe
        
        C:\Windows\{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe
        
        C:\Windows\{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe
        
        C:\Windows\{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\{85B1B5E0-B131-49da-B4ED-320CB60E086B}.exe
        
        C:\Windows\{85B1B5E0-B131-49da-B4ED-320CB60E086B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
        
        C:\Windows\{267A986E-E4A5-476f-8A9A-A60B4C87EB97}.exe
        
        C:\Windows\{267A986E-E4A5-476f-8A9A-A60B4C87EB97}.exe
        13⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85B1B~1.EXE > nul
        13⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4ABC0~1.EXE > nul
        12⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E652~1.EXE > nul
        11⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D696E~1.EXE > nul
        10⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5021E~1.EXE > nul
        9⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{985BD~1.EXE > nul
        8⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB1B4~1.EXE > nul
        7⤵
        
        PID:3632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB85C~1.EXE > nul
        6⤵
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F1C2~1.EXE > nul
        5⤵
        
        PID:1108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{46206~1.EXE > nul
      4⤵
      PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C463B~1.EXE > nul
    3⤵
    PID:4684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1DAC16~1.EXE > nul
  2⤵
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{267A986E-E4A5-476f-8A9A-A60B4C87EB97}.exe

Filesize
64KB

MD5
ea84a3acb2de942eba1c1ffa7d895915

SHA1
62759ca71e35c7c7a0af3bf39c528a26d766140a

SHA256
87e4aeb2c44f9fcf9424b9ae6587887bf61bd3b69ef1bc3955908d7904f108de

SHA512
37dd7de803f5be80f553cc8c75b9fcd440f1f194a3cbd8bdda9341872af08d2cba6a50b515ea5698164478dcdfd24c24beea1c69927d6d4e6f7b4a56c89dfa2c

Download Submit
C:\Windows\{46206A09-B10C-4d36-A366-BDBF6B1D6167}.exe

Filesize
64KB

MD5
877d167eb4b52243b92dd3f7fd54f9a9

SHA1
70b90d4e31994088d97a9450a0e074724b41ac38

SHA256
cd53850e70f10318f3e923ef56cf59bacc4027135943b389016bb2a1b8e14a67

SHA512
46ac9fbd1b6a8fb1368dece463c53849bfd92a92a2d22ac8c3cefe03a6ef99534d10dd1b19a8463e45a73685fad0a0a03f259f2740296e3e24fa1897d061b26c

Download Submit
C:\Windows\{4ABC0DB6-15C9-4372-90A6-FCFC71C0397B}.exe

Filesize
64KB

MD5
930ce700e046e7d576e89962d17af4bf

SHA1
371218bc1e51c30a0f32fea1f9785306b2115cc4

SHA256
f6508d7c3695c6c9d867bc830ee7bc7afffcbe8f4740ec2d506ae3d3a128382d

SHA512
7f2fb4fe4540b7e0c047f4adf82205c4253163870865b9764ecf387a7921d1647dce520bf7b6ef05a05e086398094589e14f2a9983b7d7b2b45c8b3ff638a2f1

Download Submit
C:\Windows\{5021EA34-9286-4140-8CFE-6C9ACF8C2777}.exe

Filesize
64KB

MD5
8bc4e94961cbcd73a3aaeb6dfeae441a

SHA1
96c97f113b82ba508c9456e7effd6b3efa2752bc

SHA256
6cf4c8a41d23be5276c206901379c163f09f808810a55210873008ba39c01198

SHA512
59002681433685184237be903fc8aff416a18e8e2cbf0119091919c4dac5495c558514b19e85e73b0f40ac8f4eb50987a26d07e37ddd34a4e90da1ddfb4e1bff

Download Submit
C:\Windows\{5E652ADB-F3A1-4658-9A84-90BA5D54134D}.exe

Filesize
64KB

MD5
b1f2b8f84ce5231f9826af2f668abad8

SHA1
fa1ee0407818108b16eeef4fa2c50aeb183f6db2

SHA256
3fca5be4c4e651dec162f0869c2a87e6d2f4991be6376807a930c189b6bb1977

SHA512
0b41738e32993bcff9dd27c5ceeada929b69025d62797481b0b3d9aa794e66ffc7bfce4ca9f5b1afcad0bcbf8dc84dcdf9df1670021eecfa5cf48389df9cde26

Download Submit
C:\Windows\{7F1C2D5A-DBB4-4d14-9BF0-0F5B0A8949A8}.exe

Filesize
64KB

MD5
0c2378ce5340d9f11234f93bf5ded340

SHA1
aba1bdac83a55cd415ba6365ae88c21be4c4981d

SHA256
7ee6409695020e7f540f467a354cbf0aff369d3a1ffae8c30e30f6db2af22948

SHA512
65758832abcf2b2bca5843fff07d914d5678006562b0244653cbc6eef93ac248d74e9c340fbca61d4e1d99f88e6e57b8d5cc1b47116b3733eb8418ee8deea405

Download Submit
C:\Windows\{85B1B5E0-B131-49da-B4ED-320CB60E086B}.exe

Filesize
64KB

MD5
0ec250002486fc8b5eaff30caac4a4a6

SHA1
392e7a07cc847f05fa90c1af4cf80ecb85cb2985

SHA256
50c953bc67c2d50f45da7998b0a24fcdb653a97cc06067623f1746fe16c981fc

SHA512
6537e3e32e425062325fd7c9c52944f2b6e4c22e50d1c1ffbcd147cfac7505abe7386941f476a883a6da76209b03f4c373770f205d29e010f3041a68308ab3af

Download Submit
C:\Windows\{985BD3EC-7F13-446a-BD07-9FC84B0671B6}.exe

Filesize
64KB

MD5
486bc19260fc48753a5f85cb1dfd0a3d

SHA1
3c30f7ab7ba18b60844965a1bac983453a0102f3

SHA256
00890fcf87b6ea09e3219ffbf8a62f6265df06fce6e6ac0347a0b59c64a9e50e

SHA512
b94df93e7dc60b68d116b67991bd7c94f396da1080609a6ee998561c9533358faecd72d7ed5fb266582fc6ea05023bd1143653cb3cea3b011b16bb080b072d7e

Download Submit
C:\Windows\{C463BFC4-9701-4720-9C41-38633461A57E}.exe

Filesize
64KB

MD5
0c28fbce0c5459e19b6407b74ad7b594

SHA1
0bd24360c6eccf5e926317b4e7520369a730f791

SHA256
d5a02093b4ef648284dbb1d4dd5b4bf9daa4df181b94ef5c0d2a536e4b8f6954

SHA512
79579ed5ec529e33490cdd97411a4a59dc4106edbfae215d6726f4593387b1286f31bb8da0c28baca6535d5a4e346a8ba008ce13bd131c1aed55686d6ea984f6

Download Submit
C:\Windows\{CB1B4ED7-50C5-4541-9D18-C1918427C199}.exe

Filesize
64KB

MD5
d6d9b62b658861652475b0814d05a81b

SHA1
0cc7987f94a4891111b272cbc70ab6e35432eca9

SHA256
a6bf01396ebe430dcde249cd2b54a82803b1ddd27673e480cefe44f83dab8f4a

SHA512
be6854afaf7daf0f4bf22384078b4b5b9031f723b6dd556c57233082493c81381e8d0ba8a9bdccfd0d27cd11292d2574cd67cffacc9c4eba334f02b3cd460056

Download Submit
C:\Windows\{D696EB11-E75A-4b48-B48E-502F4B06BDE4}.exe

Filesize
64KB

MD5
39debf2c663c33667e08a8e7bfb016c5

SHA1
52256801a690c96a90cc3ef59b90b164d8f48c17

SHA256
00a00ecd85f95c2e91ca9bc4e07959517b1080f8735d6e6e914aad4115f9734a

SHA512
987729c2dd2831344d49f7b8d1046bcef5fa0dd084d52e61722f6f736a1d19a6e15eecbfa6d59155aeb985242d7bab25d0695562fb56af5e5cb94434150fefab

Download Submit
C:\Windows\{FB85C00D-8F30-45d2-9986-683CCDE78471}.exe

Filesize
64KB

MD5
24e2a68758639806476982c10dbade92

SHA1
cd0660a41a45d88d23de4a258e1e2c0d73e1a666

SHA256
4edb97638125766e33a2bba8c228bad794755f97ea1651eca77c852dc02292e3

SHA512
8403988993237aea0f3d6f7df38ff3d196e38f7cedd44d55f0281b31de6ea930377515dfaea5f96a9650761702fd383f97101dcacaf42eede031b80d6d19de7f

Download Submit
memory/8-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1092-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1092-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2072-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2072-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2276-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2276-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2428-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2556-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3332-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3332-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3928-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3928-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4064-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4064-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4376-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4376-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4484-32-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4484-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4804-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5008-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5008-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads