90aef27116ee7f08b3794c4810af1f4493acb149e5e1c1e79e4adfbbaaeede77

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f19f4d6e23a6b4fdf046fe64bd89aa0_NeikiAnalytics.exe
Size

88KB
MD5

0f19f4d6e23a6b4fdf046fe64bd89aa0
SHA1

0ae37504cd1dfd17f5fef8cb8ec4f48c0b6b20a0
SHA256

90aef27116ee7f08b3794c4810af1f4493acb149e5e1c1e79e4adfbbaaeede77
SHA512

c0d35c050f39c9bc1865e8b579752f7cd19f63294bed59b0ac520550fa5f20b3cdb779696a4ba36951c6ae4d6f20a8b2d849e6245609cad9850dcd1f04a3d371
SSDEEP

768:uvw981E9hKQLroj4/wQDNrfrunMxVFA3r:aEGJ0ojlYunMxVS3r

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53697777-C727-462a-94D6-4A170E4940BD}\stubpath = "C:\\Windows\\{53697777-C727-462a-94D6-4A170E4940BD}.exe"	{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC6BC484-FF1D-40be-AF35-699C1C351FE8}	{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC6BC484-FF1D-40be-AF35-699C1C351FE8}\stubpath = "C:\\Windows\\{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe"	{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94F14511-2907-4b0d-A9AA-99B0AB0CC117}	{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABBF9100-B1CE-447f-A18A-5140A51DC25B}	{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53697777-C727-462a-94D6-4A170E4940BD}	{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}\stubpath = "C:\\Windows\\{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe"	{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3361585E-564C-46b3-BAA0-68D2CC6165BB}\stubpath = "C:\\Windows\\{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe"	{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD62EA6B-12A5-4486-BA87-008F60A6DD44}	{94F14511-2907-4b0d-A9AA-99B0AB0CC117}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD62EA6B-12A5-4486-BA87-008F60A6DD44}\stubpath = "C:\\Windows\\{CD62EA6B-12A5-4486-BA87-008F60A6DD44}.exe"	{94F14511-2907-4b0d-A9AA-99B0AB0CC117}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B405D0B-3167-4e7c-A476-A456D47F1578}\stubpath = "C:\\Windows\\{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe"	0f19f4d6e23a6b4fdf046fe64bd89aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABBF9100-B1CE-447f-A18A-5140A51DC25B}\stubpath = "C:\\Windows\\{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe"	{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}	{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A372967-5127-4013-8FD8-A4DFC0E1B91F}	{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94F14511-2907-4b0d-A9AA-99B0AB0CC117}\stubpath = "C:\\Windows\\{94F14511-2907-4b0d-A9AA-99B0AB0CC117}.exe"	{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}\stubpath = "C:\\Windows\\{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe"	{53697777-C727-462a-94D6-4A170E4940BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A372967-5127-4013-8FD8-A4DFC0E1B91F}\stubpath = "C:\\Windows\\{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe"	{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B405D0B-3167-4e7c-A476-A456D47F1578}	0f19f4d6e23a6b4fdf046fe64bd89aa0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3718B26D-7ED7-4aba-AC9E-6A547B020184}	{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3718B26D-7ED7-4aba-AC9E-6A547B020184}\stubpath = "C:\\Windows\\{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe"	{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}	{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}\stubpath = "C:\\Windows\\{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe"	{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}	{53697777-C727-462a-94D6-4A170E4940BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3361585E-564C-46b3-BAA0-68D2CC6165BB}	{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe

Executes dropped EXE 12 IoCs

pid	Process
2216	{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe
2820	{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe
1448	{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe
4044	{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe
2708	{53697777-C727-462a-94D6-4A170E4940BD}.exe
1420	{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe
5044	{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe
4420	{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe
1052	{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe
4564	{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe
1596	{94F14511-2907-4b0d-A9AA-99B0AB0CC117}.exe
224	{CD62EA6B-12A5-4486-BA87-008F60A6DD44}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe	{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe
File created	C:\Windows\{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe	{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe
File created	C:\Windows\{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe	{53697777-C727-462a-94D6-4A170E4940BD}.exe
File created	C:\Windows\{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe	{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe
File created	C:\Windows\{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe	{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe
File created	C:\Windows\{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe	{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe
File created	C:\Windows\{53697777-C727-462a-94D6-4A170E4940BD}.exe	{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe
File created	C:\Windows\{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe	{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe
File created	C:\Windows\{94F14511-2907-4b0d-A9AA-99B0AB0CC117}.exe	{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe
File created	C:\Windows\{CD62EA6B-12A5-4486-BA87-008F60A6DD44}.exe	{94F14511-2907-4b0d-A9AA-99B0AB0CC117}.exe
File created	C:\Windows\{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe	0f19f4d6e23a6b4fdf046fe64bd89aa0_NeikiAnalytics.exe
File created	C:\Windows\{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe	{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2008	0f19f4d6e23a6b4fdf046fe64bd89aa0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2216	{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe
Token: SeIncBasePriorityPrivilege	2820	{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe
Token: SeIncBasePriorityPrivilege	1448	{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe
Token: SeIncBasePriorityPrivilege	4044	{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe
Token: SeIncBasePriorityPrivilege	2708	{53697777-C727-462a-94D6-4A170E4940BD}.exe
Token: SeIncBasePriorityPrivilege	1420	{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe
Token: SeIncBasePriorityPrivilege	5044	{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe
Token: SeIncBasePriorityPrivilege	4420	{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe
Token: SeIncBasePriorityPrivilege	1052	{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe
Token: SeIncBasePriorityPrivilege	4564	{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe
Token: SeIncBasePriorityPrivilege	1596	{94F14511-2907-4b0d-A9AA-99B0AB0CC117}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2216	2008	0f19f4d6e23a6b4fdf046fe64bd89aa0_NeikiAnalytics.exe	92
PID 2008 wrote to memory of 2216	2008	0f19f4d6e23a6b4fdf046fe64bd89aa0_NeikiAnalytics.exe	92
PID 2008 wrote to memory of 2216	2008	0f19f4d6e23a6b4fdf046fe64bd89aa0_NeikiAnalytics.exe	92
PID 2008 wrote to memory of 3964	2008	0f19f4d6e23a6b4fdf046fe64bd89aa0_NeikiAnalytics.exe	93
PID 2008 wrote to memory of 3964	2008	0f19f4d6e23a6b4fdf046fe64bd89aa0_NeikiAnalytics.exe	93
PID 2008 wrote to memory of 3964	2008	0f19f4d6e23a6b4fdf046fe64bd89aa0_NeikiAnalytics.exe	93
PID 2216 wrote to memory of 2820	2216	{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe	94
PID 2216 wrote to memory of 2820	2216	{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe	94
PID 2216 wrote to memory of 2820	2216	{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe	94
PID 2216 wrote to memory of 3044	2216	{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe	95
PID 2216 wrote to memory of 3044	2216	{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe	95
PID 2216 wrote to memory of 3044	2216	{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe	95
PID 2820 wrote to memory of 1448	2820	{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe	97
PID 2820 wrote to memory of 1448	2820	{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe	97
PID 2820 wrote to memory of 1448	2820	{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe	97
PID 2820 wrote to memory of 1664	2820	{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe	98
PID 2820 wrote to memory of 1664	2820	{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe	98
PID 2820 wrote to memory of 1664	2820	{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe	98
PID 1448 wrote to memory of 4044	1448	{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe	99
PID 1448 wrote to memory of 4044	1448	{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe	99
PID 1448 wrote to memory of 4044	1448	{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe	99
PID 1448 wrote to memory of 3516	1448	{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe	100
PID 1448 wrote to memory of 3516	1448	{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe	100
PID 1448 wrote to memory of 3516	1448	{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe	100
PID 4044 wrote to memory of 2708	4044	{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe	101
PID 4044 wrote to memory of 2708	4044	{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe	101
PID 4044 wrote to memory of 2708	4044	{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe	101
PID 4044 wrote to memory of 2328	4044	{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe	102
PID 4044 wrote to memory of 2328	4044	{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe	102
PID 4044 wrote to memory of 2328	4044	{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe	102
PID 2708 wrote to memory of 1420	2708	{53697777-C727-462a-94D6-4A170E4940BD}.exe	103
PID 2708 wrote to memory of 1420	2708	{53697777-C727-462a-94D6-4A170E4940BD}.exe	103
PID 2708 wrote to memory of 1420	2708	{53697777-C727-462a-94D6-4A170E4940BD}.exe	103
PID 2708 wrote to memory of 1604	2708	{53697777-C727-462a-94D6-4A170E4940BD}.exe	104
PID 2708 wrote to memory of 1604	2708	{53697777-C727-462a-94D6-4A170E4940BD}.exe	104
PID 2708 wrote to memory of 1604	2708	{53697777-C727-462a-94D6-4A170E4940BD}.exe	104
PID 1420 wrote to memory of 5044	1420	{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe	105
PID 1420 wrote to memory of 5044	1420	{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe	105
PID 1420 wrote to memory of 5044	1420	{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe	105
PID 1420 wrote to memory of 1652	1420	{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe	106
PID 1420 wrote to memory of 1652	1420	{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe	106
PID 1420 wrote to memory of 1652	1420	{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe	106
PID 5044 wrote to memory of 4420	5044	{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe	107
PID 5044 wrote to memory of 4420	5044	{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe	107
PID 5044 wrote to memory of 4420	5044	{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe	107
PID 5044 wrote to memory of 2672	5044	{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe	108
PID 5044 wrote to memory of 2672	5044	{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe	108
PID 5044 wrote to memory of 2672	5044	{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe	108
PID 4420 wrote to memory of 1052	4420	{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe	109
PID 4420 wrote to memory of 1052	4420	{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe	109
PID 4420 wrote to memory of 1052	4420	{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe	109
PID 4420 wrote to memory of 3764	4420	{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe	110
PID 4420 wrote to memory of 3764	4420	{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe	110
PID 4420 wrote to memory of 3764	4420	{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe	110
PID 1052 wrote to memory of 4564	1052	{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe	111
PID 1052 wrote to memory of 4564	1052	{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe	111
PID 1052 wrote to memory of 4564	1052	{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe	111
PID 1052 wrote to memory of 3464	1052	{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe	112
PID 1052 wrote to memory of 3464	1052	{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe	112
PID 1052 wrote to memory of 3464	1052	{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe	112
PID 4564 wrote to memory of 1596	4564	{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe	113
PID 4564 wrote to memory of 1596	4564	{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe	113
PID 4564 wrote to memory of 1596	4564	{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe	113
PID 4564 wrote to memory of 4472	4564	{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe	114

C:\Users\Admin\AppData\Local\Temp\0f19f4d6e23a6b4fdf046fe64bd89aa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f19f4d6e23a6b4fdf046fe64bd89aa0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe
  C:\Windows\{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe
    C:\Windows\{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe
      C:\Windows\{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe
        
        C:\Windows\{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - C:\Windows\{53697777-C727-462a-94D6-4A170E4940BD}.exe
        
        C:\Windows\{53697777-C727-462a-94D6-4A170E4940BD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe
        
        C:\Windows\{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe
        
        C:\Windows\{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe
        
        C:\Windows\{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe
        
        C:\Windows\{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe
        
        C:\Windows\{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\{94F14511-2907-4b0d-A9AA-99B0AB0CC117}.exe
        
        C:\Windows\{94F14511-2907-4b0d-A9AA-99B0AB0CC117}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\{CD62EA6B-12A5-4486-BA87-008F60A6DD44}.exe
        
        C:\Windows\{CD62EA6B-12A5-4486-BA87-008F60A6DD44}.exe
        13⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94F14~1.EXE > nul
        13⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33615~1.EXE > nul
        12⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A372~1.EXE > nul
        11⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0ADFC~1.EXE > nul
        10⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC6BC~1.EXE > nul
        9⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC652~1.EXE > nul
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53697~1.EXE > nul
        7⤵
        
        PID:1604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABBF9~1.EXE > nul
        6⤵
        
        PID:2328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58BA0~1.EXE > nul
        5⤵
        
        PID:3516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3718B~1.EXE > nul
      4⤵
      PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7B405~1.EXE > nul
    3⤵
    PID:3044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0F19F4~1.EXE > nul
  2⤵
  PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0ADFCC28-2F3A-47ab-9D47-0107459D73B4}.exe

Filesize
88KB

MD5
212848081e60fdaf04665dfbf7c8aa75

SHA1
16b22dd9967980aba9e78acc01d78d4f936f7254

SHA256
a3e7a1b238fdd8eb4f8c3d6b3259a37d345944d2eb57ef6d20345b914888b30b

SHA512
38b1978aeec12ccb8e0cf9daf277fb4672dc74c435691f5176f141f28cf33047db374896ccdc923ade33d10184fac6401fcf92291e160cc4621c9ce634233cf1

Download Submit
C:\Windows\{2A372967-5127-4013-8FD8-A4DFC0E1B91F}.exe

Filesize
88KB

MD5
bde3378215aff3ae55d3c1ef9dd28652

SHA1
8df98206bb2a92343e92b68e3c074958849504cd

SHA256
cace487526aab301e26ee36b2e52426f3a511c7f9e30e0254118c002354c701b

SHA512
665631cbd16e2196e961c9a4b3ee3e00db083e8eefb477ad81a8a293ab4b082708dabad922a1762b529a05062c5a2bd84d7a7d2927065745ad4fbe64a8e33b42

Download Submit
C:\Windows\{3361585E-564C-46b3-BAA0-68D2CC6165BB}.exe

Filesize
88KB

MD5
c9dfb733b2743763eb5d8a208bb84187

SHA1
75a07c9e48abf70853d2b3d9c745b5d0b245d6e3

SHA256
698f59f7da0b023916dcb41f139feb1e814a8a5ca4475ce0427177cf37a97026

SHA512
7e701c8634b8868ca07c86153552a31cab18d4083ab668e7d67eccb14fbbc32d10ecbc206b500039f2b72268a080faf1ecdb10d67fe195f808d59b724d8be0f3

Download Submit
C:\Windows\{3718B26D-7ED7-4aba-AC9E-6A547B020184}.exe

Filesize
88KB

MD5
c9003d28ce79bd3f473cbbc5c3d53ba7

SHA1
eff989e0c6f6893ec1cc50add352f808c2782d0e

SHA256
b34f28cdc8b5f81473547ff016842c263e337008874496900639ac079a4a0e1a

SHA512
7d54306cf30c2368694d71486de5f01924314c6ad9586a25feeb5998b53e56b3c753b64dbbfb2b2c45bc97bd5b0295d24b75c6fcbf3ea8dbe18d360a8552836d

Download Submit
C:\Windows\{53697777-C727-462a-94D6-4A170E4940BD}.exe

Filesize
88KB

MD5
a68337ff127bc5ca1716484bc44a385f

SHA1
7aa4028625d667f33883efa9f4be499318c05b6a

SHA256
c38432a9c95ff7223534599d7e8392d0b34c4a5fe4a74339a8140e0100df4095

SHA512
f7826b2580513f82a1ba99512a57d0b6994588789944321fc6212feaf13b57d2da88254a30621ac66d3ffb38e97a0cc6d964b34895063fdd251c2f4b27982ac9

Download Submit
C:\Windows\{58BA0AAC-3282-4d12-94BD-05DE65F6E8E6}.exe

Filesize
88KB

MD5
df424b46f2f71c59fba14b0816a0fa74

SHA1
3460c5d10f5e61054c0353f4819d260b54749d6c

SHA256
2fc9bb77d773c667088a59fda6c3c8a0bae708faad45bcc6e238f2c4d6de737c

SHA512
e4db48cbb8ea4be6766ec332f284d23b0931e7cd0c316cc5be7e0023ee79b10dcaf316a5520e2e70b516daae9d283f4709cc2ba07fb88d048ccaa2699ef6a3f0

Download Submit
C:\Windows\{7B405D0B-3167-4e7c-A476-A456D47F1578}.exe

Filesize
88KB

MD5
12dd470ce44c050cfeaa41a50c79984f

SHA1
0b29b7ab7715a1c1e87876c9b03e6429c5a627f8

SHA256
27f7bf2212109726cad79c044d9b2874bb777fb8ac4958d7273d492f81121fee

SHA512
fa157637cf44cc9ff4b043d8cf42ed149288b18d97e23f017d2263caa3a0b2777bd846dc5d8cf0995974559878ad2f72488ba6622a3c30fff0c81d7d0c2cc87b

Download Submit
C:\Windows\{94F14511-2907-4b0d-A9AA-99B0AB0CC117}.exe

Filesize
88KB

MD5
72186118060b7bba7c53ac10ba0ea072

SHA1
97b3e3fc7f47cb45f6a88cd4226674b7e50e6b89

SHA256
fdac2f284851787678267fb7df02baf0f832701572dcd64cd35427ada99bcbb1

SHA512
a84d1eee5e0d98406415cb532137cd0e5493e1d14963abfa4a4210cf28aff041b634af90570da3a91f42de20867d180c77428efe7d0541f5d9da32040df6e6ca

Download Submit
C:\Windows\{ABBF9100-B1CE-447f-A18A-5140A51DC25B}.exe

Filesize
88KB

MD5
d0778db3ae5ebc1f178675a469f6a53d

SHA1
63e63fd699025858cbf7a754911068b54f0ec90b

SHA256
5a271bc0961313409e3a0fd664251fa7f14063d67fb98ee4799faa72dd9040f7

SHA512
79e858b957d6f44c2ea409afd5340e029649d8b42cfba77db7b64811f2b2fa971957f7f51534b390ebf25f54c0985a93974ce9a5dd57c3410f1c49d0fc424fd3

Download Submit
C:\Windows\{AC6BC484-FF1D-40be-AF35-699C1C351FE8}.exe

Filesize
88KB

MD5
f5476721946154d6f5971a140a51b7fc

SHA1
96f772c02262d21ad7b406b3c6d84d90ec7967ae

SHA256
7a71301092e133bf757f1581cb5ae5875b3c2b575782785d2bca0e953940609b

SHA512
428c8c930018a55ff581fbb9c1b5f74fb7be7ee55bdbfb6806afbff145a864abc7be32902127d92780fe80d5ca4e0510038122e11ffe2429ada17e3fd0fec6ca

Download Submit
C:\Windows\{CD62EA6B-12A5-4486-BA87-008F60A6DD44}.exe

Filesize
88KB

MD5
fc396a29fd9076006603267fe13f6eb2

SHA1
5515da683e0e3136a936726ad9f2927e5e497ac3

SHA256
8514fb1764facd440c8c707e3c9434483f4f6a9e2df9e2d93d7843350fffaa32

SHA512
991613140f82711b1aa64156fe597b962866add17798b49e2e6a06d0b9173e76e83b8005fc24670997fd7d4e3d2660bfe607f5e9bae0a5b7ee53b39bf3d040be

Download Submit
C:\Windows\{EC6523C1-3F27-4613-8F92-8D3AA37A6C9C}.exe

Filesize
88KB

MD5
d09b6b4d69ad976ae82d0fbc4f883a6a

SHA1
7683ba06f1a8f2d6ce2a4ecbaf55d11b3d3ddc72

SHA256
c08b26b9f0198b3b917bf55629a77fbef535448027b0c2b5adb011945410fbc1

SHA512
8e087b247f202eb160c4653d79d92b126138e06c58870f96c08f08600deef24b7eae3f0a5d21d229ab0297b340be8937408d84d877ffabec537a70c5170c65d4

Download Submit
memory/224-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1052-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1052-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1420-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1596-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1596-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2008-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2008-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2216-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2216-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2708-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2820-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4044-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4420-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4420-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4564-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4564-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5044-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads