a4489eab1bc9c0b1fe97569156da34613352a63a405b41d418712dc1ea47af3b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe
Size

90KB
MD5

f6261aafb1f7ffab4d9439e8d4f727d0
SHA1

c9ade454aa474033d94308e5c1637aa4d2acadc1
SHA256

a4489eab1bc9c0b1fe97569156da34613352a63a405b41d418712dc1ea47af3b
SHA512

4ebc7abaa38d6e2bfa70556971c06b8379b3b54679c797853f3f71d8ac2c70cf3f463b643142ad06bff2cdf3a1b852bba33206d9d7c99c4a2923a6c494ca5d20
SSDEEP

768:50w981IshKQLroxV4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzm:CEGI0oxVlVunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E634DECF-1613-4462-BC56-2D883FC6793A}	{828C00CE-148C-435c-B678-F22CD0255F10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}\stubpath = "C:\\Windows\\{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe"	{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6932350-D937-4b1e-9D04-C9E556EEB374}	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{618D07DF-2DA7-4c0d-8426-923D345F160E}	{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D75ED826-1735-437d-A17B-076343729D0A}\stubpath = "C:\\Windows\\{D75ED826-1735-437d-A17B-076343729D0A}.exe"	{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F3F5536-AFA8-46f1-8D68-94AA2C079E03}\stubpath = "C:\\Windows\\{0F3F5536-AFA8-46f1-8D68-94AA2C079E03}.exe"	{54EB5172-9B66-4095-99EA-03EA83338110}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}\stubpath = "C:\\Windows\\{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe"	{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}	{D75ED826-1735-437d-A17B-076343729D0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{828C00CE-148C-435c-B678-F22CD0255F10}\stubpath = "C:\\Windows\\{828C00CE-148C-435c-B678-F22CD0255F10}.exe"	{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E634DECF-1613-4462-BC56-2D883FC6793A}\stubpath = "C:\\Windows\\{E634DECF-1613-4462-BC56-2D883FC6793A}.exe"	{828C00CE-148C-435c-B678-F22CD0255F10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}\stubpath = "C:\\Windows\\{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe"	{E634DECF-1613-4462-BC56-2D883FC6793A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}	{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}	{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D75ED826-1735-437d-A17B-076343729D0A}	{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}\stubpath = "C:\\Windows\\{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe"	{D75ED826-1735-437d-A17B-076343729D0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54EB5172-9B66-4095-99EA-03EA83338110}	{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6932350-D937-4b1e-9D04-C9E556EEB374}\stubpath = "C:\\Windows\\{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe"	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{828C00CE-148C-435c-B678-F22CD0255F10}	{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}	{E634DECF-1613-4462-BC56-2D883FC6793A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{618D07DF-2DA7-4c0d-8426-923D345F160E}\stubpath = "C:\\Windows\\{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe"	{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54EB5172-9B66-4095-99EA-03EA83338110}\stubpath = "C:\\Windows\\{54EB5172-9B66-4095-99EA-03EA83338110}.exe"	{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F3F5536-AFA8-46f1-8D68-94AA2C079E03}	{54EB5172-9B66-4095-99EA-03EA83338110}.exe

Executes dropped EXE 11 IoCs

pid	Process
3968	{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe
5044	{828C00CE-148C-435c-B678-F22CD0255F10}.exe
1392	{E634DECF-1613-4462-BC56-2D883FC6793A}.exe
4108	{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe
4424	{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe
2752	{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe
1432	{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe
1424	{D75ED826-1735-437d-A17B-076343729D0A}.exe
2232	{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe
4052	{54EB5172-9B66-4095-99EA-03EA83338110}.exe
3580	{0F3F5536-AFA8-46f1-8D68-94AA2C079E03}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe	{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe
File created	C:\Windows\{D75ED826-1735-437d-A17B-076343729D0A}.exe	{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe
File created	C:\Windows\{0F3F5536-AFA8-46f1-8D68-94AA2C079E03}.exe	{54EB5172-9B66-4095-99EA-03EA83338110}.exe
File created	C:\Windows\{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe
File created	C:\Windows\{E634DECF-1613-4462-BC56-2D883FC6793A}.exe	{828C00CE-148C-435c-B678-F22CD0255F10}.exe
File created	C:\Windows\{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe	{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe
File created	C:\Windows\{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe	{D75ED826-1735-437d-A17B-076343729D0A}.exe
File created	C:\Windows\{54EB5172-9B66-4095-99EA-03EA83338110}.exe	{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe
File created	C:\Windows\{828C00CE-148C-435c-B678-F22CD0255F10}.exe	{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe
File created	C:\Windows\{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe	{E634DECF-1613-4462-BC56-2D883FC6793A}.exe
File created	C:\Windows\{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe	{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	8	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3968	{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe
Token: SeIncBasePriorityPrivilege	5044	{828C00CE-148C-435c-B678-F22CD0255F10}.exe
Token: SeIncBasePriorityPrivilege	1392	{E634DECF-1613-4462-BC56-2D883FC6793A}.exe
Token: SeIncBasePriorityPrivilege	4108	{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe
Token: SeIncBasePriorityPrivilege	4424	{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe
Token: SeIncBasePriorityPrivilege	2752	{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe
Token: SeIncBasePriorityPrivilege	1432	{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe
Token: SeIncBasePriorityPrivilege	1424	{D75ED826-1735-437d-A17B-076343729D0A}.exe
Token: SeIncBasePriorityPrivilege	2232	{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe
Token: SeIncBasePriorityPrivilege	4052	{54EB5172-9B66-4095-99EA-03EA83338110}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 3968	8	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	91
PID 8 wrote to memory of 3968	8	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	91
PID 8 wrote to memory of 3968	8	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	91
PID 8 wrote to memory of 884	8	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	92
PID 8 wrote to memory of 884	8	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	92
PID 8 wrote to memory of 884	8	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	92
PID 3968 wrote to memory of 5044	3968	{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe	99
PID 3968 wrote to memory of 5044	3968	{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe	99
PID 3968 wrote to memory of 5044	3968	{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe	99
PID 3968 wrote to memory of 3644	3968	{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe	100
PID 3968 wrote to memory of 3644	3968	{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe	100
PID 3968 wrote to memory of 3644	3968	{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe	100
PID 5044 wrote to memory of 1392	5044	{828C00CE-148C-435c-B678-F22CD0255F10}.exe	101
PID 5044 wrote to memory of 1392	5044	{828C00CE-148C-435c-B678-F22CD0255F10}.exe	101
PID 5044 wrote to memory of 1392	5044	{828C00CE-148C-435c-B678-F22CD0255F10}.exe	101
PID 5044 wrote to memory of 1616	5044	{828C00CE-148C-435c-B678-F22CD0255F10}.exe	102
PID 5044 wrote to memory of 1616	5044	{828C00CE-148C-435c-B678-F22CD0255F10}.exe	102
PID 5044 wrote to memory of 1616	5044	{828C00CE-148C-435c-B678-F22CD0255F10}.exe	102
PID 1392 wrote to memory of 4108	1392	{E634DECF-1613-4462-BC56-2D883FC6793A}.exe	104
PID 1392 wrote to memory of 4108	1392	{E634DECF-1613-4462-BC56-2D883FC6793A}.exe	104
PID 1392 wrote to memory of 4108	1392	{E634DECF-1613-4462-BC56-2D883FC6793A}.exe	104
PID 1392 wrote to memory of 4740	1392	{E634DECF-1613-4462-BC56-2D883FC6793A}.exe	105
PID 1392 wrote to memory of 4740	1392	{E634DECF-1613-4462-BC56-2D883FC6793A}.exe	105
PID 1392 wrote to memory of 4740	1392	{E634DECF-1613-4462-BC56-2D883FC6793A}.exe	105
PID 4108 wrote to memory of 4424	4108	{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe	106
PID 4108 wrote to memory of 4424	4108	{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe	106
PID 4108 wrote to memory of 4424	4108	{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe	106
PID 4108 wrote to memory of 4892	4108	{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe	107
PID 4108 wrote to memory of 4892	4108	{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe	107
PID 4108 wrote to memory of 4892	4108	{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe	107
PID 4424 wrote to memory of 2752	4424	{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe	108
PID 4424 wrote to memory of 2752	4424	{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe	108
PID 4424 wrote to memory of 2752	4424	{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe	108
PID 4424 wrote to memory of 4332	4424	{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe	109
PID 4424 wrote to memory of 4332	4424	{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe	109
PID 4424 wrote to memory of 4332	4424	{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe	109
PID 2752 wrote to memory of 1432	2752	{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe	110
PID 2752 wrote to memory of 1432	2752	{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe	110
PID 2752 wrote to memory of 1432	2752	{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe	110
PID 2752 wrote to memory of 1908	2752	{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe	111
PID 2752 wrote to memory of 1908	2752	{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe	111
PID 2752 wrote to memory of 1908	2752	{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe	111
PID 1432 wrote to memory of 1424	1432	{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe	112
PID 1432 wrote to memory of 1424	1432	{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe	112
PID 1432 wrote to memory of 1424	1432	{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe	112
PID 1432 wrote to memory of 4216	1432	{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe	113
PID 1432 wrote to memory of 4216	1432	{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe	113
PID 1432 wrote to memory of 4216	1432	{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe	113
PID 1424 wrote to memory of 2232	1424	{D75ED826-1735-437d-A17B-076343729D0A}.exe	114
PID 1424 wrote to memory of 2232	1424	{D75ED826-1735-437d-A17B-076343729D0A}.exe	114
PID 1424 wrote to memory of 2232	1424	{D75ED826-1735-437d-A17B-076343729D0A}.exe	114
PID 1424 wrote to memory of 4576	1424	{D75ED826-1735-437d-A17B-076343729D0A}.exe	115
PID 1424 wrote to memory of 4576	1424	{D75ED826-1735-437d-A17B-076343729D0A}.exe	115
PID 1424 wrote to memory of 4576	1424	{D75ED826-1735-437d-A17B-076343729D0A}.exe	115
PID 2232 wrote to memory of 4052	2232	{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe	116
PID 2232 wrote to memory of 4052	2232	{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe	116
PID 2232 wrote to memory of 4052	2232	{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe	116
PID 2232 wrote to memory of 4200	2232	{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe	117
PID 2232 wrote to memory of 4200	2232	{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe	117
PID 2232 wrote to memory of 4200	2232	{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe	117
PID 4052 wrote to memory of 3580	4052	{54EB5172-9B66-4095-99EA-03EA83338110}.exe	118
PID 4052 wrote to memory of 3580	4052	{54EB5172-9B66-4095-99EA-03EA83338110}.exe	118
PID 4052 wrote to memory of 3580	4052	{54EB5172-9B66-4095-99EA-03EA83338110}.exe	118
PID 4052 wrote to memory of 3648	4052	{54EB5172-9B66-4095-99EA-03EA83338110}.exe	119

C:\Users\Admin\AppData\Local\Temp\f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe
  C:\Windows\{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\{828C00CE-148C-435c-B678-F22CD0255F10}.exe
    C:\Windows\{828C00CE-148C-435c-B678-F22CD0255F10}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\{E634DECF-1613-4462-BC56-2D883FC6793A}.exe
      C:\Windows\{E634DECF-1613-4462-BC56-2D883FC6793A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1392
    - - C:\Windows\{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe
        
        C:\Windows\{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
      - C:\Windows\{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe
        
        C:\Windows\{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe
        
        C:\Windows\{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe
        
        C:\Windows\{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\{D75ED826-1735-437d-A17B-076343729D0A}.exe
        
        C:\Windows\{D75ED826-1735-437d-A17B-076343729D0A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe
        
        C:\Windows\{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\{54EB5172-9B66-4095-99EA-03EA83338110}.exe
        
        C:\Windows\{54EB5172-9B66-4095-99EA-03EA83338110}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\{0F3F5536-AFA8-46f1-8D68-94AA2C079E03}.exe
        
        C:\Windows\{0F3F5536-AFA8-46f1-8D68-94AA2C079E03}.exe
        12⤵
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54EB5~1.EXE > nul
        12⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACD59~1.EXE > nul
        11⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D75ED~1.EXE > nul
        10⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3354A~1.EXE > nul
        9⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{618D0~1.EXE > nul
        8⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{802C9~1.EXE > nul
        7⤵
        
        PID:4332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBE8B~1.EXE > nul
        6⤵
        
        PID:4892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E634D~1.EXE > nul
        5⤵
        
        PID:4740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{828C0~1.EXE > nul
      4⤵
      PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D6932~1.EXE > nul
    3⤵
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F6261A~1.EXE > nul
  2⤵
  PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F3F5536-AFA8-46f1-8D68-94AA2C079E03}.exe

Filesize
90KB

MD5
f0e257572f45bfe0068f7681f0f0cf6a

SHA1
57d1f0e1ba9052297ba472e48f053428d97e8d25

SHA256
4bff022f7a7a575cba6ac377f50147034079bf30da95af2b788aebfed82fbf33

SHA512
7c71475b719370f68e0a066d9be7bccc46d14aaedb42e193e0479bb690cba77eb14e9a4c0c09e07053a5430d0f1192357ff8af18107609146cd5b4adfd65f327

Download Submit
C:\Windows\{3354A7A0-0373-4c1b-B9BC-EB34B2A83AA0}.exe

Filesize
90KB

MD5
3316101affa2c70acede3cd148201ec5

SHA1
89baf859f285ca6c2ec1ebbe3d5aace0a3669ebd

SHA256
905fbb9dda35c8bfbd1a776fb022558251936cacbd488d0f00afe4d6f5491986

SHA512
6273b8ef80e9e80a173addda6baee64e7ca2d1ce35c88ae6434b1c73bb00c664d6159cd8c7eead6553a4176bc5e0c76d7675a70a248dd60e6097fe55cddfc1bc

Download Submit
C:\Windows\{54EB5172-9B66-4095-99EA-03EA83338110}.exe

Filesize
90KB

MD5
aa9b8569e397f73b53c5902169a83f63

SHA1
215ee430d76c195232bc10ae827cdf36623d92b4

SHA256
eecd4f4619db7aacd21567ceb26fd3b0abd8f03134f91a9b927eb8cc89d6153c

SHA512
a451b6caa1e9fc3f2cb80b5f681ee489f0fed1eefedda5e4a8d6183b5d45c96c3682a66b1a7bbe6b5a2d8a95f8565f05bedbc0b5dd2736c634dced3501e76831

Download Submit
C:\Windows\{618D07DF-2DA7-4c0d-8426-923D345F160E}.exe

Filesize
90KB

MD5
cd19e9f7dc575a9afc5046bcf84504ed

SHA1
aadfb5bde4e649eb198471a1b182b198c1a13445

SHA256
286d6de4753616a7eabacad1718bbd9e271c17a8764792d3a0661de0aa74838f

SHA512
4dd4090bc8af41207490b06ebaf08f4fbe6a06308aa667a1484c1d413450d506d71bb12c894cc76317809b555d04f7436a3b0fcf0ba30d3a8b6f5844f8089966

Download Submit
C:\Windows\{802C9062-B699-44d3-BBBA-5ED3BFAF86DD}.exe

Filesize
90KB

MD5
727e914a80276c4f1256512bef329dac

SHA1
c20e876f7e8fd263c92177af1cf8e8a070f89390

SHA256
121c0df7791ed79652e17efcd56ea2aa443f158b8dba2e42cf50338a5ac72cf0

SHA512
1b6b66cc16f9106dc3ed5ec60608051073bd754a85607fa257e817940968a68759832de08e78d97d07ac3c15013e36489f34fcae5161adc9f78b4c88f205f980

Download Submit
C:\Windows\{828C00CE-148C-435c-B678-F22CD0255F10}.exe

Filesize
90KB

MD5
45ea67089f3363eff4fa5ba411a266b9

SHA1
429a64ee38cdf0567d4420db9cb96fe5a71d8c37

SHA256
36db285a1daa9f2fe039473a70246e9d60a9d47ee4f01b71c32591d1f892c9e3

SHA512
fbf8d229682c930292bec8a31349e9e8f4334af68de295c2dfc8bda7f8338ff2797b55b9b4ff45a5116c7b5f6111793d4bf9b0eb294a5888a58f3dc2479325a8

Download Submit
C:\Windows\{ACD59E55-88A9-4a58-8815-AF11FCEE7E6F}.exe

Filesize
90KB

MD5
a0d6dc52c5005f36885083a42a46ad49

SHA1
0cdbc53937cd5bb420e52dcd6a15e85c2bbb76fc

SHA256
a340cfe4dd0f87f5210161c7af931025b1dfd48e5566e3d86659f7c1e9449cf5

SHA512
46cf36211383a31c5fc85febf25ffa82dd83c9919a996027130fe80aa0946251d93f4dbf665fb1bcd3e79000b660f55dca9ba926a5ee27198ee49c18e1cdb953

Download Submit
C:\Windows\{CBE8BD5C-DD5F-46b7-9B50-D6AF85402CD8}.exe

Filesize
90KB

MD5
1e814e86a82d44189494d7b03db514ce

SHA1
5f5f748621d66673edbf5f67782b6659835dcf31

SHA256
1e3eee698a4f72f0dc8f3d7090cbcf0a27518e35973f762a350f83f2286db2be

SHA512
6e6143b630131e72027dd3f67a98455c65811e6dd6edb7cee62f8027a0dc6841f2eabaadaced48ff535f87fc45934288f5992340c1d94c031636371122c0c720

Download Submit
C:\Windows\{D6932350-D937-4b1e-9D04-C9E556EEB374}.exe

Filesize
90KB

MD5
db620f966fe64cdfb95eaf9c951e5f77

SHA1
cc6ad9bc353fb9f8abaf10be14546ba634c382e2

SHA256
006c347553055c1a02df8f91ce66f671a5d214a7934d7bd4f635de3387702d94

SHA512
7522d58b68d1291ed810715709193d287e85398e3862a6fade3d139cd2dc3f67b20fc8eaccceaf02ad845217a080bd3c5f3e5a5417b7a00aa4627c1dd70e0ae1

Download Submit
C:\Windows\{D75ED826-1735-437d-A17B-076343729D0A}.exe

Filesize
90KB

MD5
6bbd9f286fac2ab4794744ac24e36b72

SHA1
90a2a6818a0a68890ccd18d7130f90f7136eb32c

SHA256
e4d7d4f6cda2ef36d1d529f5b9ff39905c050fb9247881a12cf32300ff9933a5

SHA512
f302bbbb1e6fedf211ad90cd0927c32de8710e02b7e229201578aca58c906b498a040edefd7067bfc760a3177300916cc34e192f4550c1943c0fbed13f01492f

Download Submit
C:\Windows\{E634DECF-1613-4462-BC56-2D883FC6793A}.exe

Filesize
90KB

MD5
9184c74fc437ea4bd8e3eeb846b51bd8

SHA1
fb35c5beaf754951e463efd23d71655582570a88

SHA256
93fdedb7c1051bcaf8ded159c41652028b4b8b67b5d9cd0a8f2889b90ab2063d

SHA512
064023a6188fcdddac534adabb7e228bb8bdc92647be994788074886a3ca8493bd0222541b5e2a3f6dd1b90bad7111f0ffab8aedf72336a61279a67736f2f659

Download Submit
memory/8-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/8-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1392-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1392-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1424-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1424-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1432-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1432-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2232-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2232-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2752-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2752-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3580-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3968-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3968-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4052-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4052-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4108-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4108-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4424-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4424-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5044-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5044-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads