118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6_NeikiAnalytics.exe
Size

96KB
MD5

4beb82936cee054af3eb822e13ea0590
SHA1

0eec61b70f482ab500dd9744ef5ef3d5f118bfe3
SHA256

118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6
SHA512

b41b5758f0f9e63108249443150c191a533cd22661695cc18166e929ecae4b2f0fa5e579528ed6260c9d09828526dbad3a5e867a6374080cbb761c17b270673c
SSDEEP

768:vvw9816vhKQLro/4/wQRNrfrunMxVFA3b7glwRjMlfw:nEGh0o/l2unMxVS3Hgdo

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D228AA-0429-44e1-888C-2CBDAEE21661}\stubpath = "C:\\Windows\\{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe"	{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06EA2DAE-3945-4191-B940-5C864EBDB109}	{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}	{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{001A7243-C759-423d-AD4B-9D47776E0D69}	{7D254944-1266-408d-BC83-682F02CEC810}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F82B94E-2936-4f12-B567-DB4EB46AF160}\stubpath = "C:\\Windows\\{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe"	{001A7243-C759-423d-AD4B-9D47776E0D69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}	118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD61C476-79B9-49ff-B8BA-23852F4C55D7}\stubpath = "C:\\Windows\\{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe"	{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{827EFC99-B2EA-43c5-B1DD-665B3D760168}\stubpath = "C:\\Windows\\{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe"	{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D254944-1266-408d-BC83-682F02CEC810}	{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F82B94E-2936-4f12-B567-DB4EB46AF160}	{001A7243-C759-423d-AD4B-9D47776E0D69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71F2B4B2-2D53-4c0e-8B40-E94BFE11B67A}\stubpath = "C:\\Windows\\{71F2B4B2-2D53-4c0e-8B40-E94BFE11B67A}.exe"	{55A33B24-7EA5-4114-A92D-4FDF17586137}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD61C476-79B9-49ff-B8BA-23852F4C55D7}	{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06EA2DAE-3945-4191-B940-5C864EBDB109}\stubpath = "C:\\Windows\\{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe"	{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}\stubpath = "C:\\Windows\\{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe"	{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{001A7243-C759-423d-AD4B-9D47776E0D69}\stubpath = "C:\\Windows\\{001A7243-C759-423d-AD4B-9D47776E0D69}.exe"	{7D254944-1266-408d-BC83-682F02CEC810}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A33B24-7EA5-4114-A92D-4FDF17586137}\stubpath = "C:\\Windows\\{55A33B24-7EA5-4114-A92D-4FDF17586137}.exe"	{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}\stubpath = "C:\\Windows\\{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe"	{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A33B24-7EA5-4114-A92D-4FDF17586137}	{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71F2B4B2-2D53-4c0e-8B40-E94BFE11B67A}	{55A33B24-7EA5-4114-A92D-4FDF17586137}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}\stubpath = "C:\\Windows\\{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe"	118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D228AA-0429-44e1-888C-2CBDAEE21661}	{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{827EFC99-B2EA-43c5-B1DD-665B3D760168}	{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D254944-1266-408d-BC83-682F02CEC810}\stubpath = "C:\\Windows\\{7D254944-1266-408d-BC83-682F02CEC810}.exe"	{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}	{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe

Executes dropped EXE 12 IoCs

pid	Process
756	{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe
2324	{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe
3368	{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe
5064	{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe
5004	{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe
3728	{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe
4440	{7D254944-1266-408d-BC83-682F02CEC810}.exe
1332	{001A7243-C759-423d-AD4B-9D47776E0D69}.exe
4228	{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe
3876	{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe
2508	{55A33B24-7EA5-4114-A92D-4FDF17586137}.exe
4244	{71F2B4B2-2D53-4c0e-8B40-E94BFE11B67A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe	{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe
File created	C:\Windows\{7D254944-1266-408d-BC83-682F02CEC810}.exe	{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe
File created	C:\Windows\{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe	118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6_NeikiAnalytics.exe
File created	C:\Windows\{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe	{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe
File created	C:\Windows\{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe	{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe
File created	C:\Windows\{001A7243-C759-423d-AD4B-9D47776E0D69}.exe	{7D254944-1266-408d-BC83-682F02CEC810}.exe
File created	C:\Windows\{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe	{001A7243-C759-423d-AD4B-9D47776E0D69}.exe
File created	C:\Windows\{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe	{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe
File created	C:\Windows\{55A33B24-7EA5-4114-A92D-4FDF17586137}.exe	{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe
File created	C:\Windows\{71F2B4B2-2D53-4c0e-8B40-E94BFE11B67A}.exe	{55A33B24-7EA5-4114-A92D-4FDF17586137}.exe
File created	C:\Windows\{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe	{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe
File created	C:\Windows\{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe	{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1584	118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	756	{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe
Token: SeIncBasePriorityPrivilege	2324	{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe
Token: SeIncBasePriorityPrivilege	3368	{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe
Token: SeIncBasePriorityPrivilege	5064	{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe
Token: SeIncBasePriorityPrivilege	5004	{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe
Token: SeIncBasePriorityPrivilege	3728	{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe
Token: SeIncBasePriorityPrivilege	4440	{7D254944-1266-408d-BC83-682F02CEC810}.exe
Token: SeIncBasePriorityPrivilege	1332	{001A7243-C759-423d-AD4B-9D47776E0D69}.exe
Token: SeIncBasePriorityPrivilege	4228	{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe
Token: SeIncBasePriorityPrivilege	3876	{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe
Token: SeIncBasePriorityPrivilege	2508	{55A33B24-7EA5-4114-A92D-4FDF17586137}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 756	1584	118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6_NeikiAnalytics.exe	96
PID 1584 wrote to memory of 756	1584	118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6_NeikiAnalytics.exe	96
PID 1584 wrote to memory of 756	1584	118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6_NeikiAnalytics.exe	96
PID 1584 wrote to memory of 2344	1584	118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6_NeikiAnalytics.exe	97
PID 1584 wrote to memory of 2344	1584	118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6_NeikiAnalytics.exe	97
PID 1584 wrote to memory of 2344	1584	118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6_NeikiAnalytics.exe	97
PID 756 wrote to memory of 2324	756	{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe	98
PID 756 wrote to memory of 2324	756	{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe	98
PID 756 wrote to memory of 2324	756	{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe	98
PID 756 wrote to memory of 3736	756	{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe	99
PID 756 wrote to memory of 3736	756	{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe	99
PID 756 wrote to memory of 3736	756	{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe	99
PID 2324 wrote to memory of 3368	2324	{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe	102
PID 2324 wrote to memory of 3368	2324	{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe	102
PID 2324 wrote to memory of 3368	2324	{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe	102
PID 2324 wrote to memory of 1128	2324	{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe	103
PID 2324 wrote to memory of 1128	2324	{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe	103
PID 2324 wrote to memory of 1128	2324	{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe	103
PID 3368 wrote to memory of 5064	3368	{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe	104
PID 3368 wrote to memory of 5064	3368	{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe	104
PID 3368 wrote to memory of 5064	3368	{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe	104
PID 3368 wrote to memory of 2468	3368	{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe	105
PID 3368 wrote to memory of 2468	3368	{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe	105
PID 3368 wrote to memory of 2468	3368	{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe	105
PID 5064 wrote to memory of 5004	5064	{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe	106
PID 5064 wrote to memory of 5004	5064	{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe	106
PID 5064 wrote to memory of 5004	5064	{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe	106
PID 5064 wrote to memory of 3084	5064	{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe	107
PID 5064 wrote to memory of 3084	5064	{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe	107
PID 5064 wrote to memory of 3084	5064	{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe	107
PID 5004 wrote to memory of 3728	5004	{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe	108
PID 5004 wrote to memory of 3728	5004	{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe	108
PID 5004 wrote to memory of 3728	5004	{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe	108
PID 5004 wrote to memory of 4500	5004	{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe	109
PID 5004 wrote to memory of 4500	5004	{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe	109
PID 5004 wrote to memory of 4500	5004	{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe	109
PID 3728 wrote to memory of 4440	3728	{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe	110
PID 3728 wrote to memory of 4440	3728	{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe	110
PID 3728 wrote to memory of 4440	3728	{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe	110
PID 3728 wrote to memory of 4304	3728	{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe	111
PID 3728 wrote to memory of 4304	3728	{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe	111
PID 3728 wrote to memory of 4304	3728	{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe	111
PID 4440 wrote to memory of 1332	4440	{7D254944-1266-408d-BC83-682F02CEC810}.exe	112
PID 4440 wrote to memory of 1332	4440	{7D254944-1266-408d-BC83-682F02CEC810}.exe	112
PID 4440 wrote to memory of 1332	4440	{7D254944-1266-408d-BC83-682F02CEC810}.exe	112
PID 4440 wrote to memory of 2120	4440	{7D254944-1266-408d-BC83-682F02CEC810}.exe	113
PID 4440 wrote to memory of 2120	4440	{7D254944-1266-408d-BC83-682F02CEC810}.exe	113
PID 4440 wrote to memory of 2120	4440	{7D254944-1266-408d-BC83-682F02CEC810}.exe	113
PID 1332 wrote to memory of 4228	1332	{001A7243-C759-423d-AD4B-9D47776E0D69}.exe	114
PID 1332 wrote to memory of 4228	1332	{001A7243-C759-423d-AD4B-9D47776E0D69}.exe	114
PID 1332 wrote to memory of 4228	1332	{001A7243-C759-423d-AD4B-9D47776E0D69}.exe	114
PID 1332 wrote to memory of 2228	1332	{001A7243-C759-423d-AD4B-9D47776E0D69}.exe	115
PID 1332 wrote to memory of 2228	1332	{001A7243-C759-423d-AD4B-9D47776E0D69}.exe	115
PID 1332 wrote to memory of 2228	1332	{001A7243-C759-423d-AD4B-9D47776E0D69}.exe	115
PID 4228 wrote to memory of 3876	4228	{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe	116
PID 4228 wrote to memory of 3876	4228	{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe	116
PID 4228 wrote to memory of 3876	4228	{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe	116
PID 4228 wrote to memory of 1580	4228	{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe	117
PID 4228 wrote to memory of 1580	4228	{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe	117
PID 4228 wrote to memory of 1580	4228	{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe	117
PID 3876 wrote to memory of 2508	3876	{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe	118
PID 3876 wrote to memory of 2508	3876	{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe	118
PID 3876 wrote to memory of 2508	3876	{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe	118
PID 3876 wrote to memory of 3948	3876	{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe	119

C:\Users\Admin\AppData\Local\Temp\118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\118b12be7eb506bb687ded1c4834e9cf3031f8024c61fc85b1cd921b994437c6_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe
  C:\Windows\{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe
    C:\Windows\{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe
      C:\Windows\{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3368
    - - C:\Windows\{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe
        
        C:\Windows\{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe
        
        C:\Windows\{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe
        
        C:\Windows\{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\{7D254944-1266-408d-BC83-682F02CEC810}.exe
        
        C:\Windows\{7D254944-1266-408d-BC83-682F02CEC810}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\{001A7243-C759-423d-AD4B-9D47776E0D69}.exe
        
        C:\Windows\{001A7243-C759-423d-AD4B-9D47776E0D69}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe
        
        C:\Windows\{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe
        
        C:\Windows\{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\{55A33B24-7EA5-4114-A92D-4FDF17586137}.exe
        
        C:\Windows\{55A33B24-7EA5-4114-A92D-4FDF17586137}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\{71F2B4B2-2D53-4c0e-8B40-E94BFE11B67A}.exe
        
        C:\Windows\{71F2B4B2-2D53-4c0e-8B40-E94BFE11B67A}.exe
        13⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55A33~1.EXE > nul
        13⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B082E~1.EXE > nul
        12⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F82B~1.EXE > nul
        11⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{001A7~1.EXE > nul
        10⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D254~1.EXE > nul
        9⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C70DF~1.EXE > nul
        8⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06EA2~1.EXE > nul
        7⤵
        
        PID:4500
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{827EF~1.EXE > nul
        6⤵
        
        PID:3084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13D22~1.EXE > nul
        5⤵
        
        PID:2468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AD61C~1.EXE > nul
      4⤵
      PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DDEC4~1.EXE > nul
    3⤵
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\118B12~1.EXE > nul
  2⤵
  PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{001A7243-C759-423d-AD4B-9D47776E0D69}.exe

Filesize
96KB

MD5
ae93f7280ef795aaa6e37e9bb95eb38c

SHA1
183d9e613c0b56535f7f1fa6cabf8a16ea8af0a8

SHA256
8cd0b515ac8cbd7b14356b5bab04225abc1d4ee5f96b7d129299d74f2db6e0e8

SHA512
49776241e35750c9d73dfeee365f03f58458cbf08f164949e2de7866137bafde3a62fd3dc9cd4ad5525f719408ece66e94a3846e5bbdbf4cb3be31a6ef0d3049

Download Submit
C:\Windows\{06EA2DAE-3945-4191-B940-5C864EBDB109}.exe

Filesize
96KB

MD5
040bb1bd9e7d943070f75f7be37d587d

SHA1
88ac136c203092bf0fe41ee86057aca2d0b44a13

SHA256
346ecb255d724d52428e4d8833d70d7bbd4cb193520c0259bb976f90ea1507f6

SHA512
494ada50e0a017e207a832aefd71f6de592b41bc1cb6471f05c4922ec8d99e752697cefdb0554814662677a6730077cb1adf08043f426e72d7f6b8f1aa43727a

Download Submit
C:\Windows\{13D228AA-0429-44e1-888C-2CBDAEE21661}.exe

Filesize
96KB

MD5
a746006c1e69f34f3746be7752ee405a

SHA1
358c2b13fc988359dfbda8ecdceb7c2d2e76ed27

SHA256
fbc0b7b20ba9a931e3c1c4b33fd0c57998c1f9453e5a238a05576a79187cb9f4

SHA512
40cc8a2cfb706237b7411cfe5d0a55ab12cea811bcaa392039c42830e3357f46b83d3ceb7b600d47757a195a7c8971e6f8216449a5856268e1fd3518f0a0c515

Download Submit
C:\Windows\{1F82B94E-2936-4f12-B567-DB4EB46AF160}.exe

Filesize
96KB

MD5
a25e3b6f8dfd32a3227e2ec8b542dfa3

SHA1
8ec461a15a8897e92b816295d10264dca9b4a84d

SHA256
b9237ef5a93f637afe2ce3fe5b02f8ec49d624a469605781c5badbb07c9b0bbe

SHA512
8a46b89f95eb64abf5736c261ae4f3b47d159537d12e10a820cebf5ebb262a39998889ca7f0652c5f470d4e4f3d54f1f22bd97a7bcbb21e033d5c8eb1135ac4d

Download Submit
C:\Windows\{55A33B24-7EA5-4114-A92D-4FDF17586137}.exe

Filesize
96KB

MD5
9d0d7ab90a68dea4b212886bad0c25aa

SHA1
45c44e60aacdc05ee5ad6c98ab358f02752dca51

SHA256
ab3d72d5a7ba8aafbb820d6bd1520307c18c6423a3431bd2a44fb599ffd64320

SHA512
333787835f79e7db197fb24e1965b9ab8f9de95b19f0c726a74ae69af286b3d67063028d94e0d9fd920e1a63ed7e8e15deb07cd6621bc1c9c40abee95e09ae5f

Download Submit
C:\Windows\{71F2B4B2-2D53-4c0e-8B40-E94BFE11B67A}.exe

Filesize
96KB

MD5
fd8d3c2f89be1d02e20b76ec7e199fa9

SHA1
dc66c8bfcef15b038195cbeb4e0e1cedf171a070

SHA256
be3f56ed705b85b4d1524e1de837280be3ba8f9abeb499d6dd25412a6933ed4a

SHA512
001d6bbdd5671b43581acb18e4cb4872c3f418f6fa702173dd9e2a651d95ef7efeae3a67efd61baab8997740a49709ad1f4872959f1b53ad3117b9d8bcc882c1

Download Submit
C:\Windows\{7D254944-1266-408d-BC83-682F02CEC810}.exe

Filesize
96KB

MD5
abbcf2c2c0e648ef05915c57c0a8d7ba

SHA1
253362d4ff83b98d6249d9762a9c7a3f7ae4d930

SHA256
d2224c1f5ca3ad6661fd0f5cfed856bad9a9802ac62aef69daeba628a1b22fb5

SHA512
e7e14f106746eb23210aae5606f8ee0ad5c939939df498cad2400255f4df2a6154884db3f7695958fed53ce82336da5f77f12eaf427abc3492fc7ce03b3b94fa

Download Submit
C:\Windows\{827EFC99-B2EA-43c5-B1DD-665B3D760168}.exe

Filesize
96KB

MD5
49aa2b4f38b4a5802caefde8bf254adc

SHA1
c0579ee45b38ca1ad2e1424ef73014453f39b283

SHA256
6114c324c27577da65f5cf8bfaff20931cee9a3ffafde2b634f221e0e2e0c241

SHA512
7371f1465d918a66733b52157fe612a03323cc89629d61747cf9c04d7a3e1da6fd7c8f516b0fb6a770d7695f6240d3c61abc53c50cc1f8f919cc03d78a2d82c9

Download Submit
C:\Windows\{AD61C476-79B9-49ff-B8BA-23852F4C55D7}.exe

Filesize
96KB

MD5
23c9d5a2bdb01a2e49d0d0d4b859de22

SHA1
31c6f7d2b935ccb468b8f895f151e9504110eb22

SHA256
a03db637b3ae7740ef1b7c24a0c2dcbe5f7ebc539ca3b925c3624a2cfa11b7ab

SHA512
7743d3ba2652c0afd26d5f43dde4da88ecaeddd9c1cd980bf504e0209c7f449c113f231f5eef3b6d4b383bbc9a4d535d5d56e062e6682102214a79e0335a67aa

Download Submit
C:\Windows\{B082E9AC-E5CC-4e9a-8680-2D1144DF8553}.exe

Filesize
96KB

MD5
ed94f85cfdbb0c74b6a36f6792452733

SHA1
195eab9826319bde756e9978e4fae138b401ba90

SHA256
687935a63d02d89426da4650e9360a8d5595b3d866cb2e92f6f37942ac7eeaae

SHA512
21ac507707293d73de940a29b4d0d17e978d0cd32e155b14a9db8976d5655948f49781f9f2c08c555d63a3562fa5570555db74528da9ad55cea4df11bfbbe300

Download Submit
C:\Windows\{C70DF87A-A9A7-47dd-A01D-91B5D2A1A9A0}.exe

Filesize
96KB

MD5
ce07b7ccc9364a972eb1087b4e3939f1

SHA1
9f4b6437b97676b75dd069a7cc1bd2a997865173

SHA256
be87343050cc973a4942e5d0bedad4bb98355ba37506bfb7e61b682b04f0e5a5

SHA512
55a66853422ea1eaa063d3d74cf1d712289b55e7989fc54f5e42bd728367b3c5ab93763daba6b29afbaa3e2bac2536969a5a26d31f975d5e0f7b958e0cbe9946

Download Submit
C:\Windows\{DDEC408E-FAD7-45d3-98D8-22250AFCEADA}.exe

Filesize
96KB

MD5
9f7051ff58d49b50778e7a775e35c0e2

SHA1
56245f4768e92bb70ffc1a23119557cc63147eb0

SHA256
73060c6315a2ec61e5ed8b81fac063595424e8d51dcc04f51967bb271578ac2a

SHA512
62a0fb3ec9dd56301019baa0d9613713e91df67d4f5286fd009cb2e88249d9c290c581cbeeac1f0fb298cee08c2cb80069931274eb560de5c4d2914a1276e0ec

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads