8682fafa0d5544f9823692672ea1374626deaade5abf4d1bd73f90f97bfbc893

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14c70c1c5afde897eec7d88121922e40_NeikiAnalytics.exe
Size

89KB
MD5

14c70c1c5afde897eec7d88121922e40
SHA1

46f82e682d4f40ca3c072e74be37f9bb3c096b80
SHA256

8682fafa0d5544f9823692672ea1374626deaade5abf4d1bd73f90f97bfbc893
SHA512

a9fc8feb8b178f2103cbb093057cdf180f9cfe9dcd33b974125e1b78f1613551b5f05778b295a18ff3bd7d7ba76e164741f393edd276888f40b6b4dd58a1a1e5
SSDEEP

768:Qvw9816vhKQLroE4/wQRNrfrunMxVFA3b7gl5:YEGh0oEl2unMxVS3HgX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2281A985-E55B-4813-9F5E-3CBC028A1183}	{E54B7E67-EC86-46be-8532-31CA49724948}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DFCCA5B-98F3-44cb-B49E-812895D7906A}	{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB4B961E-1442-4ded-82B8-7C63DC769495}\stubpath = "C:\\Windows\\{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe"	14c70c1c5afde897eec7d88121922e40_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56A0261C-260E-49c0-A131-39437F573CE1}	{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}\stubpath = "C:\\Windows\\{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe"	{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A240C43-800B-40b9-8310-F8C13C677031}\stubpath = "C:\\Windows\\{5A240C43-800B-40b9-8310-F8C13C677031}.exe"	{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{742D78A4-8216-4cbd-B9F4-82F300B4E338}\stubpath = "C:\\Windows\\{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe"	{5A240C43-800B-40b9-8310-F8C13C677031}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}	{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54B7E67-EC86-46be-8532-31CA49724948}\stubpath = "C:\\Windows\\{E54B7E67-EC86-46be-8532-31CA49724948}.exe"	{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{040EC71E-A0A7-42f5-8AC1-373CEEB06A1A}\stubpath = "C:\\Windows\\{040EC71E-A0A7-42f5-8AC1-373CEEB06A1A}.exe"	{0E262371-3A25-4fa1-8BE9-A30C5C5CCBCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB4B961E-1442-4ded-82B8-7C63DC769495}	14c70c1c5afde897eec7d88121922e40_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}	{56A0261C-260E-49c0-A131-39437F573CE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}\stubpath = "C:\\Windows\\{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe"	{56A0261C-260E-49c0-A131-39437F573CE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54B7E67-EC86-46be-8532-31CA49724948}	{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{742D78A4-8216-4cbd-B9F4-82F300B4E338}	{5A240C43-800B-40b9-8310-F8C13C677031}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88C78F60-52CD-4843-91AD-2627420DCA0D}	{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88C78F60-52CD-4843-91AD-2627420DCA0D}\stubpath = "C:\\Windows\\{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe"	{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DFCCA5B-98F3-44cb-B49E-812895D7906A}\stubpath = "C:\\Windows\\{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe"	{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E262371-3A25-4fa1-8BE9-A30C5C5CCBCF}	{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E262371-3A25-4fa1-8BE9-A30C5C5CCBCF}\stubpath = "C:\\Windows\\{0E262371-3A25-4fa1-8BE9-A30C5C5CCBCF}.exe"	{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{040EC71E-A0A7-42f5-8AC1-373CEEB06A1A}	{0E262371-3A25-4fa1-8BE9-A30C5C5CCBCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56A0261C-260E-49c0-A131-39437F573CE1}\stubpath = "C:\\Windows\\{56A0261C-260E-49c0-A131-39437F573CE1}.exe"	{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A240C43-800B-40b9-8310-F8C13C677031}	{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2281A985-E55B-4813-9F5E-3CBC028A1183}\stubpath = "C:\\Windows\\{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe"	{E54B7E67-EC86-46be-8532-31CA49724948}.exe

Executes dropped EXE 12 IoCs

pid	Process
3264	{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe
2476	{56A0261C-260E-49c0-A131-39437F573CE1}.exe
4244	{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe
4676	{5A240C43-800B-40b9-8310-F8C13C677031}.exe
3104	{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe
3804	{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe
4496	{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe
4500	{E54B7E67-EC86-46be-8532-31CA49724948}.exe
3060	{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe
4480	{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe
4672	{0E262371-3A25-4fa1-8BE9-A30C5C5CCBCF}.exe
4340	{040EC71E-A0A7-42f5-8AC1-373CEEB06A1A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe	{56A0261C-260E-49c0-A131-39437F573CE1}.exe
File created	C:\Windows\{5A240C43-800B-40b9-8310-F8C13C677031}.exe	{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe
File created	C:\Windows\{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe	{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe
File created	C:\Windows\{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe	{E54B7E67-EC86-46be-8532-31CA49724948}.exe
File created	C:\Windows\{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe	{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe
File created	C:\Windows\{040EC71E-A0A7-42f5-8AC1-373CEEB06A1A}.exe	{0E262371-3A25-4fa1-8BE9-A30C5C5CCBCF}.exe
File created	C:\Windows\{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe	14c70c1c5afde897eec7d88121922e40_NeikiAnalytics.exe
File created	C:\Windows\{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe	{5A240C43-800B-40b9-8310-F8C13C677031}.exe
File created	C:\Windows\{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe	{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe
File created	C:\Windows\{E54B7E67-EC86-46be-8532-31CA49724948}.exe	{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe
File created	C:\Windows\{0E262371-3A25-4fa1-8BE9-A30C5C5CCBCF}.exe	{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe
File created	C:\Windows\{56A0261C-260E-49c0-A131-39437F573CE1}.exe	{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2372	14c70c1c5afde897eec7d88121922e40_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3264	{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe
Token: SeIncBasePriorityPrivilege	2476	{56A0261C-260E-49c0-A131-39437F573CE1}.exe
Token: SeIncBasePriorityPrivilege	4244	{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe
Token: SeIncBasePriorityPrivilege	4676	{5A240C43-800B-40b9-8310-F8C13C677031}.exe
Token: SeIncBasePriorityPrivilege	3104	{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe
Token: SeIncBasePriorityPrivilege	3804	{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe
Token: SeIncBasePriorityPrivilege	4496	{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe
Token: SeIncBasePriorityPrivilege	4500	{E54B7E67-EC86-46be-8532-31CA49724948}.exe
Token: SeIncBasePriorityPrivilege	3060	{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe
Token: SeIncBasePriorityPrivilege	4480	{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe
Token: SeIncBasePriorityPrivilege	4672	{0E262371-3A25-4fa1-8BE9-A30C5C5CCBCF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3264	2372	14c70c1c5afde897eec7d88121922e40_NeikiAnalytics.exe	88
PID 2372 wrote to memory of 3264	2372	14c70c1c5afde897eec7d88121922e40_NeikiAnalytics.exe	88
PID 2372 wrote to memory of 3264	2372	14c70c1c5afde897eec7d88121922e40_NeikiAnalytics.exe	88
PID 2372 wrote to memory of 1416	2372	14c70c1c5afde897eec7d88121922e40_NeikiAnalytics.exe	89
PID 2372 wrote to memory of 1416	2372	14c70c1c5afde897eec7d88121922e40_NeikiAnalytics.exe	89
PID 2372 wrote to memory of 1416	2372	14c70c1c5afde897eec7d88121922e40_NeikiAnalytics.exe	89
PID 3264 wrote to memory of 2476	3264	{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe	90
PID 3264 wrote to memory of 2476	3264	{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe	90
PID 3264 wrote to memory of 2476	3264	{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe	90
PID 3264 wrote to memory of 3376	3264	{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe	91
PID 3264 wrote to memory of 3376	3264	{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe	91
PID 3264 wrote to memory of 3376	3264	{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe	91
PID 2476 wrote to memory of 4244	2476	{56A0261C-260E-49c0-A131-39437F573CE1}.exe	93
PID 2476 wrote to memory of 4244	2476	{56A0261C-260E-49c0-A131-39437F573CE1}.exe	93
PID 2476 wrote to memory of 4244	2476	{56A0261C-260E-49c0-A131-39437F573CE1}.exe	93
PID 2476 wrote to memory of 3980	2476	{56A0261C-260E-49c0-A131-39437F573CE1}.exe	94
PID 2476 wrote to memory of 3980	2476	{56A0261C-260E-49c0-A131-39437F573CE1}.exe	94
PID 2476 wrote to memory of 3980	2476	{56A0261C-260E-49c0-A131-39437F573CE1}.exe	94
PID 4244 wrote to memory of 4676	4244	{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe	95
PID 4244 wrote to memory of 4676	4244	{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe	95
PID 4244 wrote to memory of 4676	4244	{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe	95
PID 4244 wrote to memory of 4572	4244	{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe	96
PID 4244 wrote to memory of 4572	4244	{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe	96
PID 4244 wrote to memory of 4572	4244	{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe	96
PID 4676 wrote to memory of 3104	4676	{5A240C43-800B-40b9-8310-F8C13C677031}.exe	97
PID 4676 wrote to memory of 3104	4676	{5A240C43-800B-40b9-8310-F8C13C677031}.exe	97
PID 4676 wrote to memory of 3104	4676	{5A240C43-800B-40b9-8310-F8C13C677031}.exe	97
PID 4676 wrote to memory of 2932	4676	{5A240C43-800B-40b9-8310-F8C13C677031}.exe	98
PID 4676 wrote to memory of 2932	4676	{5A240C43-800B-40b9-8310-F8C13C677031}.exe	98
PID 4676 wrote to memory of 2932	4676	{5A240C43-800B-40b9-8310-F8C13C677031}.exe	98
PID 3104 wrote to memory of 3804	3104	{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe	99
PID 3104 wrote to memory of 3804	3104	{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe	99
PID 3104 wrote to memory of 3804	3104	{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe	99
PID 3104 wrote to memory of 1376	3104	{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe	100
PID 3104 wrote to memory of 1376	3104	{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe	100
PID 3104 wrote to memory of 1376	3104	{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe	100
PID 3804 wrote to memory of 4496	3804	{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe	101
PID 3804 wrote to memory of 4496	3804	{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe	101
PID 3804 wrote to memory of 4496	3804	{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe	101
PID 3804 wrote to memory of 4692	3804	{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe	102
PID 3804 wrote to memory of 4692	3804	{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe	102
PID 3804 wrote to memory of 4692	3804	{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe	102
PID 4496 wrote to memory of 4500	4496	{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe	103
PID 4496 wrote to memory of 4500	4496	{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe	103
PID 4496 wrote to memory of 4500	4496	{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe	103
PID 4496 wrote to memory of 4508	4496	{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe	104
PID 4496 wrote to memory of 4508	4496	{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe	104
PID 4496 wrote to memory of 4508	4496	{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe	104
PID 4500 wrote to memory of 3060	4500	{E54B7E67-EC86-46be-8532-31CA49724948}.exe	105
PID 4500 wrote to memory of 3060	4500	{E54B7E67-EC86-46be-8532-31CA49724948}.exe	105
PID 4500 wrote to memory of 3060	4500	{E54B7E67-EC86-46be-8532-31CA49724948}.exe	105
PID 4500 wrote to memory of 3552	4500	{E54B7E67-EC86-46be-8532-31CA49724948}.exe	106
PID 4500 wrote to memory of 3552	4500	{E54B7E67-EC86-46be-8532-31CA49724948}.exe	106
PID 4500 wrote to memory of 3552	4500	{E54B7E67-EC86-46be-8532-31CA49724948}.exe	106
PID 3060 wrote to memory of 4480	3060	{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe	107
PID 3060 wrote to memory of 4480	3060	{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe	107
PID 3060 wrote to memory of 4480	3060	{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe	107
PID 3060 wrote to memory of 4452	3060	{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe	108
PID 3060 wrote to memory of 4452	3060	{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe	108
PID 3060 wrote to memory of 4452	3060	{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe	108
PID 4480 wrote to memory of 4672	4480	{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe	109
PID 4480 wrote to memory of 4672	4480	{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe	109
PID 4480 wrote to memory of 4672	4480	{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe	109
PID 4480 wrote to memory of 1468	4480	{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe	110

C:\Users\Admin\AppData\Local\Temp\14c70c1c5afde897eec7d88121922e40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\14c70c1c5afde897eec7d88121922e40_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe
  C:\Windows\{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\{56A0261C-260E-49c0-A131-39437F573CE1}.exe
    C:\Windows\{56A0261C-260E-49c0-A131-39437F573CE1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe
      C:\Windows\{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4244
    - - C:\Windows\{5A240C43-800B-40b9-8310-F8C13C677031}.exe
        
        C:\Windows\{5A240C43-800B-40b9-8310-F8C13C677031}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
      - C:\Windows\{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe
        
        C:\Windows\{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe
        
        C:\Windows\{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe
        
        C:\Windows\{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\{E54B7E67-EC86-46be-8532-31CA49724948}.exe
        
        C:\Windows\{E54B7E67-EC86-46be-8532-31CA49724948}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe
        
        C:\Windows\{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe
        
        C:\Windows\{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{0E262371-3A25-4fa1-8BE9-A30C5C5CCBCF}.exe
        
        C:\Windows\{0E262371-3A25-4fa1-8BE9-A30C5C5CCBCF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
        
        C:\Windows\{040EC71E-A0A7-42f5-8AC1-373CEEB06A1A}.exe
        
        C:\Windows\{040EC71E-A0A7-42f5-8AC1-373CEEB06A1A}.exe
        13⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E262~1.EXE > nul
        13⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DFCC~1.EXE > nul
        12⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2281A~1.EXE > nul
        11⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E54B7~1.EXE > nul
        10⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88C78~1.EXE > nul
        9⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32794~1.EXE > nul
        8⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{742D7~1.EXE > nul
        7⤵
        
        PID:1376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A240~1.EXE > nul
        6⤵
        
        PID:2932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE09~1.EXE > nul
        5⤵
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{56A02~1.EXE > nul
      4⤵
      PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EB4B9~1.EXE > nul
    3⤵
    PID:3376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\14C70C~1.EXE > nul
  2⤵
  PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{040EC71E-A0A7-42f5-8AC1-373CEEB06A1A}.exe

Filesize
89KB

MD5
cecb77df4389d82d87dcc3cac941501e

SHA1
ba7a8a0724988ac2fa8de094ce2893f943fbf1d4

SHA256
cdbf3cae7d37d683b8bdb1f03a558fe9131977ac9dc38785e9ba9132ce96ec2a

SHA512
6e2df2d21424ca8104bea6a76c4bd55c56a98fe3db84251f416db27d59817561ab1d746d66b0b1c77f89b4772937d4c0f90cf9d1216da6f344787649a34c5a81

Download Submit
C:\Windows\{0E262371-3A25-4fa1-8BE9-A30C5C5CCBCF}.exe

Filesize
89KB

MD5
c1179a0a918b8c1558242a19e1602246

SHA1
3c8e987fa1eedcabe3439761067bd924bf6c91c7

SHA256
9424a57a8b6a145cc1aadffd02441f35067b6591064ebf2716db8cf3980150cd

SHA512
f5f3a706033bd6b1790359f4f91f87d0a02ec673cd1894a682f42f0630b7c3a6db87558566645033283f9f984b4d106c2e8cff447a36ccd0f7b1dea9fa18c159

Download Submit
C:\Windows\{2281A985-E55B-4813-9F5E-3CBC028A1183}.exe

Filesize
89KB

MD5
9829fbd19950a39f2e5a0cbf0ed69d82

SHA1
8afee259e73e9bc5f7752622d2e48415f5b11ea8

SHA256
2a5538d72d71d35e803e1c28c731da5240c07d87cff3e0fe4633562c3598e70b

SHA512
95d43e29e7637c71f14e1366bd2154f1eb415076ed32920b90bb9002d93bf0d22b00deda0f1023cdb6e5a9b11b4939af332d3ae7166eba2ca88c88fb2c2e6f46

Download Submit
C:\Windows\{2BE099E5-0BD8-4e11-B8A7-20CB9C64D3FB}.exe

Filesize
89KB

MD5
52e7d83f6fa3c1cf3c8a66831fc5accd

SHA1
269b839e781e1a66a1dbfa7efb709a54aac685fe

SHA256
b7ab4add47f7d6db7474115ea5d70914fa83599f4366432615a2397225b67180

SHA512
66b6fb02c85f0f565404828777d965b429f456063a5c25e23d054d5573a13fe0b793a3ef3c2022ed61c49d3b76bb21290b438387d4933361818e04fef48b9cbc

Download Submit
C:\Windows\{327949C5-F3FD-4ffc-9B2B-6FF793689BF5}.exe

Filesize
89KB

MD5
b94488283c7eaa0d57b8f8dd924cb7e5

SHA1
5019dca68eb1e63afaef826450f9bca5486afc9a

SHA256
48c05f4b3a9ba5c1de4b1819e9886c7532eff77cec1188e98fb4cfa636bbb012

SHA512
9d20dfcae0340e840a3e02dd87c0c8b0960d34dd02a3e8ba7d99e9fd3a8014529782f39a8def334f8386447f0cc7b3248f8f8c5040399df81a84c2253f573c45

Download Submit
C:\Windows\{56A0261C-260E-49c0-A131-39437F573CE1}.exe

Filesize
89KB

MD5
b88e25f0e27b39f9687a11660819a728

SHA1
c7a764a4d6277bb89165f4c24d32f85c88e8f43d

SHA256
2745a19e2b3d2d1ffe8c758f638bdb86fb31d188dbfde752d307f5d04905f813

SHA512
c867cc0d5b0b2eee24ccfee3547d950ed5596126c4a4eab85309c20996778851b079bc8c34a3f461503cadc0e45fd3aa4f43e14acabc367a7216285530d4bf15

Download Submit
C:\Windows\{5A240C43-800B-40b9-8310-F8C13C677031}.exe

Filesize
89KB

MD5
0ef7855aeee2409308a9424eacfe72ab

SHA1
7ab7a493c0f4fde1ef101db48eab6a8960ec86f4

SHA256
4fcb6cadc67cc832179dee5905cbf5c5a90b64fa55f1823725985117e0f7345e

SHA512
f9cef0d84a9be1302e112f2436db9566f77078eee2ac8e521368dad52e5d834b9d37866efc861fbdd407afb3891b14aeeb06151719708f427278663b3b74e867

Download Submit
C:\Windows\{742D78A4-8216-4cbd-B9F4-82F300B4E338}.exe

Filesize
89KB

MD5
cdf289bd3d2788a36999d53f821a0c01

SHA1
e9a5822a7e3bd200ea59ec8274a310abcdc8f702

SHA256
46cc2ca176a8e7d37103d4869e6bdf7fb9477df069820e45909e50435f145b35

SHA512
7ca0f46cabf0e6ea5e08ecf507e51ac18a34da68b74f570aea93d2e5963ebe3f60b322064af7e4cbb0698be84ba399dca56ab7733f93a1e61f2187e892876f4e

Download Submit
C:\Windows\{88C78F60-52CD-4843-91AD-2627420DCA0D}.exe

Filesize
89KB

MD5
af16fa2d3842107327f55c7aa12d7a98

SHA1
680275da84e90fb765e277d1cf79ef2e8255042a

SHA256
75ff427e6389f42c4867c1851b97ef0693fe469fbad24347db58e685043a2aa8

SHA512
bf1363593edfa2a76de6303509b4227fd19ca444a57f0fa3edf538a93e433767e85bcd8c5ff6d6cc08651527dfd089f2893cffa7e6f08c3e15f2e40c9c3a493e

Download Submit
C:\Windows\{9DFCCA5B-98F3-44cb-B49E-812895D7906A}.exe

Filesize
89KB

MD5
6da8e5afe61a4eaf300b791bc505a68d

SHA1
5e7c93718c42a7e613d198443f22232d9f2c5e5e

SHA256
9a344ee3ef34f47bc0bae35700cc46386acfb2c1a1bfc54fd00d4cf42829d015

SHA512
ae23585a6417b4f3d456fda9b08b49627194c959b44890a6958dd315f24e2e4f4a4f7d040669365713d3bb862915028fcb44970d01ee38fb7a2ea0fdf68ab5ff

Download Submit
C:\Windows\{E54B7E67-EC86-46be-8532-31CA49724948}.exe

Filesize
89KB

MD5
d515fb95374d7e248c9ffd156287bb8b

SHA1
cafd492a92fa38db9317a2f7f97e37af1175d604

SHA256
e93e2126f8713ecc56311a2279197b73c6922845e8c1a9695d2e381744d95137

SHA512
2d52f2e65b1ee41bebd5f57551e8bbda49d771e3dca3422fca1c1c87abf43e1173bde1bed2d5bb722c3634cf225d8b15d077b15be9f1e79a162b78e5d08a9d70

Download Submit
C:\Windows\{EB4B961E-1442-4ded-82B8-7C63DC769495}.exe

Filesize
89KB

MD5
a67f636b7fb999e5ac46c69a12ab730c

SHA1
a623750da8205de5ea03b805a31e2dea1bbbec10

SHA256
5b30befb37b273ca59c9efbcf6cfb9a68a69509ea0dca1e7e5099293d52b814f

SHA512
6020f81ee984e19b294fa341f574d14e9e296f33222a364ef2b9b39e00e32b0b7004f07576c2e6e02959611c63c121c1ff51212b74e158eb66d1e81942bff1a4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads