2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 02:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d_NeikiAnalytics.exe
Size

76KB
MD5

81c86438b31b877d65d4e4b24a7b2dd0
SHA1

8a040dd742fe8571a7b04de9be48f10c4ed9876c
SHA256

2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d
SHA512

77d5b445b8c2e0ce0e6311a8d80462f44014b0715c8012f8fb72890227a397cd499d142e4ff35ec1c6d1edef493e5f0f5b7834456de019f5c9147f9a396e0ac3
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroE4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwU1:vvw9816vhKQLroE4/wQRNrfrunMxVD

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F3AB4B6-9C9E-42f3-A383-64E84798D177}	{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F3AB4B6-9C9E-42f3-A383-64E84798D177}\stubpath = "C:\\Windows\\{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe"	{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}	{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}	2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{898C62A1-F458-4d1f-8F12-058D45E3695F}	{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}\stubpath = "C:\\Windows\\{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe"	{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A512A65-BE34-495e-A7EF-FD28CF546F97}	{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A512A65-BE34-495e-A7EF-FD28CF546F97}\stubpath = "C:\\Windows\\{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe"	{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}	{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43B1AFCA-8A17-4bce-AA7C-6A24831538F0}	{C23FAD88-8D80-4734-9A2C-5D6D8A2FA82B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}\stubpath = "C:\\Windows\\{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe"	{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75E3F609-CE42-45a6-A8D3-746502FEC30F}	{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75E3F609-CE42-45a6-A8D3-746502FEC30F}\stubpath = "C:\\Windows\\{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe"	{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}\stubpath = "C:\\Windows\\{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe"	2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F93C50E7-71A3-49af-B915-0AA2BD971A9E}\stubpath = "C:\\Windows\\{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe"	{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{898C62A1-F458-4d1f-8F12-058D45E3695F}\stubpath = "C:\\Windows\\{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe"	{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2EA86BE-F0CA-4603-95AF-6704EE603124}\stubpath = "C:\\Windows\\{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe"	{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}	{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C23FAD88-8D80-4734-9A2C-5D6D8A2FA82B}	{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C23FAD88-8D80-4734-9A2C-5D6D8A2FA82B}\stubpath = "C:\\Windows\\{C23FAD88-8D80-4734-9A2C-5D6D8A2FA82B}.exe"	{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43B1AFCA-8A17-4bce-AA7C-6A24831538F0}\stubpath = "C:\\Windows\\{43B1AFCA-8A17-4bce-AA7C-6A24831538F0}.exe"	{C23FAD88-8D80-4734-9A2C-5D6D8A2FA82B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F93C50E7-71A3-49af-B915-0AA2BD971A9E}	{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}\stubpath = "C:\\Windows\\{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe"	{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2EA86BE-F0CA-4603-95AF-6704EE603124}	{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe

Executes dropped EXE 11 IoCs

pid	Process
1096	{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe
432	{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe
4904	{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe
4604	{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe
4372	{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe
4244	{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe
1708	{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe
3196	{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe
2236	{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe
732	{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe
1796	{C23FAD88-8D80-4734-9A2C-5D6D8A2FA82B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe	2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d_NeikiAnalytics.exe
File created	C:\Windows\{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe	{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe
File created	C:\Windows\{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe	{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe
File created	C:\Windows\{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe	{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe
File created	C:\Windows\{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe	{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe
File created	C:\Windows\{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe	{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe
File created	C:\Windows\{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe	{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe
File created	C:\Windows\{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe	{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe
File created	C:\Windows\{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe	{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe
File created	C:\Windows\{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe	{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe
File created	C:\Windows\{C23FAD88-8D80-4734-9A2C-5D6D8A2FA82B}.exe	{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe
File created	C:\Windows\{43B1AFCA-8A17-4bce-AA7C-6A24831538F0}.exe	{C23FAD88-8D80-4734-9A2C-5D6D8A2FA82B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4476	2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1096	{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe
Token: SeIncBasePriorityPrivilege	432	{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe
Token: SeIncBasePriorityPrivilege	4904	{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe
Token: SeIncBasePriorityPrivilege	4604	{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe
Token: SeIncBasePriorityPrivilege	4372	{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe
Token: SeIncBasePriorityPrivilege	4244	{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe
Token: SeIncBasePriorityPrivilege	1708	{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe
Token: SeIncBasePriorityPrivilege	3196	{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe
Token: SeIncBasePriorityPrivilege	2236	{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe
Token: SeIncBasePriorityPrivilege	732	{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 1096	4476	2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d_NeikiAnalytics.exe	93
PID 4476 wrote to memory of 1096	4476	2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d_NeikiAnalytics.exe	93
PID 4476 wrote to memory of 1096	4476	2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d_NeikiAnalytics.exe	93
PID 4476 wrote to memory of 5108	4476	2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d_NeikiAnalytics.exe	94
PID 4476 wrote to memory of 5108	4476	2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d_NeikiAnalytics.exe	94
PID 4476 wrote to memory of 5108	4476	2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d_NeikiAnalytics.exe	94
PID 1096 wrote to memory of 432	1096	{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe	98
PID 1096 wrote to memory of 432	1096	{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe	98
PID 1096 wrote to memory of 432	1096	{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe	98
PID 1096 wrote to memory of 1296	1096	{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe	99
PID 1096 wrote to memory of 1296	1096	{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe	99
PID 1096 wrote to memory of 1296	1096	{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe	99
PID 432 wrote to memory of 4904	432	{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe	102
PID 432 wrote to memory of 4904	432	{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe	102
PID 432 wrote to memory of 4904	432	{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe	102
PID 432 wrote to memory of 2876	432	{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe	103
PID 432 wrote to memory of 2876	432	{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe	103
PID 432 wrote to memory of 2876	432	{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe	103
PID 4904 wrote to memory of 4604	4904	{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe	105
PID 4904 wrote to memory of 4604	4904	{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe	105
PID 4904 wrote to memory of 4604	4904	{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe	105
PID 4904 wrote to memory of 4980	4904	{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe	106
PID 4904 wrote to memory of 4980	4904	{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe	106
PID 4904 wrote to memory of 4980	4904	{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe	106
PID 4604 wrote to memory of 4372	4604	{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe	107
PID 4604 wrote to memory of 4372	4604	{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe	107
PID 4604 wrote to memory of 4372	4604	{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe	107
PID 4604 wrote to memory of 1168	4604	{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe	108
PID 4604 wrote to memory of 1168	4604	{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe	108
PID 4604 wrote to memory of 1168	4604	{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe	108
PID 4372 wrote to memory of 4244	4372	{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe	109
PID 4372 wrote to memory of 4244	4372	{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe	109
PID 4372 wrote to memory of 4244	4372	{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe	109
PID 4372 wrote to memory of 4364	4372	{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe	110
PID 4372 wrote to memory of 4364	4372	{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe	110
PID 4372 wrote to memory of 4364	4372	{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe	110
PID 4244 wrote to memory of 1708	4244	{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe	111
PID 4244 wrote to memory of 1708	4244	{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe	111
PID 4244 wrote to memory of 1708	4244	{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe	111
PID 4244 wrote to memory of 1072	4244	{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe	112
PID 4244 wrote to memory of 1072	4244	{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe	112
PID 4244 wrote to memory of 1072	4244	{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe	112
PID 1708 wrote to memory of 3196	1708	{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe	113
PID 1708 wrote to memory of 3196	1708	{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe	113
PID 1708 wrote to memory of 3196	1708	{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe	113
PID 1708 wrote to memory of 2076	1708	{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe	114
PID 1708 wrote to memory of 2076	1708	{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe	114
PID 1708 wrote to memory of 2076	1708	{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe	114
PID 3196 wrote to memory of 2236	3196	{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe	115
PID 3196 wrote to memory of 2236	3196	{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe	115
PID 3196 wrote to memory of 2236	3196	{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe	115
PID 3196 wrote to memory of 936	3196	{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe	116
PID 3196 wrote to memory of 936	3196	{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe	116
PID 3196 wrote to memory of 936	3196	{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe	116
PID 2236 wrote to memory of 732	2236	{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe	117
PID 2236 wrote to memory of 732	2236	{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe	117
PID 2236 wrote to memory of 732	2236	{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe	117
PID 2236 wrote to memory of 2240	2236	{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe	118
PID 2236 wrote to memory of 2240	2236	{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe	118
PID 2236 wrote to memory of 2240	2236	{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe	118
PID 732 wrote to memory of 1796	732	{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe	119
PID 732 wrote to memory of 1796	732	{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe	119
PID 732 wrote to memory of 1796	732	{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe	119
PID 732 wrote to memory of 3648	732	{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe	120

C:\Users\Admin\AppData\Local\Temp\2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f58b5f16659da34ad6b46d57ae3a2a83f2b2a45c0760d6437222e79a45cb95d_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe
  C:\Windows\{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe
    C:\Windows\{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe
      C:\Windows\{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe
        
        C:\Windows\{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
      - C:\Windows\{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe
        
        C:\Windows\{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe
        
        C:\Windows\{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe
        
        C:\Windows\{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe
        
        C:\Windows\{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe
        
        C:\Windows\{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe
        
        C:\Windows\{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\{C23FAD88-8D80-4734-9A2C-5D6D8A2FA82B}.exe
        
        C:\Windows\{C23FAD88-8D80-4734-9A2C-5D6D8A2FA82B}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75E3F~1.EXE > nul
        12⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40C9F~1.EXE > nul
        11⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F3AB~1.EXE > nul
        10⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A512~1.EXE > nul
        9⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2162~1.EXE > nul
        8⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2EA8~1.EXE > nul
        7⤵
        
        PID:4364
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{898C6~1.EXE > nul
        6⤵
        
        PID:1168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{838B6~1.EXE > nul
        5⤵
        
        PID:4980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F93C5~1.EXE > nul
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B578C~1.EXE > nul
    3⤵
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2F58B5~1.EXE > nul
  2⤵
  PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{40C9FB6A-C989-433f-8943-EF8CAF92B5F1}.exe

Filesize
76KB

MD5
22705db1b2453302b0ec8963e47f960d

SHA1
8c322bdeb935d49dde274b7e117311dc6912e9ac

SHA256
d3b3cb6335f05612e861e6743befc843e9e62484b6261e6db8efba7af776158c

SHA512
2a1640445d069a2c3500e7bb96d394e2b4318129e17d5ecfe4bb65611dcd4ddc152e2f15a391bfb01bc58d865138bbdea7aafc1e8e7515acfdfb74221bb23576

Download Submit
C:\Windows\{75E3F609-CE42-45a6-A8D3-746502FEC30F}.exe

Filesize
76KB

MD5
7046f5ecd0eb5209e00ee7803e9339ec

SHA1
029327a1e47bbf2e6d565e7bdb17414029e1b4dc

SHA256
6aa539f48f9ba2e97452bbe84a43de282ebfc71af72d5f10ac881a9378579019

SHA512
0cd89fafe1ab8cf7f492cfcabec1d321825bd6fc5db688e54b48177c53610713747773d335c644fb1d955a709ccc698bb90f6bda048f5c4e631591d8b602c11e

Download Submit
C:\Windows\{7F3AB4B6-9C9E-42f3-A383-64E84798D177}.exe

Filesize
76KB

MD5
c8be4025772680c72f973a6ab750023f

SHA1
b45db786e4a401fa2beb3f7d12a6bd7863639a96

SHA256
11d4593428ede40229a061835688264ba0a99276e1274eb616440c1dabae2193

SHA512
85e84305d7921266ff7a0908a6c0a7eb175d5cf3f6f9c7b74bb600416d1a2c2b8e65881bfe43d51934c38c7ab4081f54cd3c79b5a082fbe814ad74e22637d1a3

Download Submit
C:\Windows\{838B6B59-6FE1-4d1e-B12F-2DF4DB2F93BB}.exe

Filesize
76KB

MD5
d41f3bff49e7d232b5a6fa70dd995db3

SHA1
b4b94fb7fe401f9534b00fd1d0f7fce95c42baa8

SHA256
da221c898845fb637f1a64672c8686f544cb228c4a538cd8701f048f95b45ae3

SHA512
5e3e9671c5bb94e421fdc4068f9e18e04e5932a8d38482bd87603cba34a715f5e3626e0c5c64de7dcdbd0f62f424f5be0da094b159f78b5dd0bdcb17c03ca815

Download Submit
C:\Windows\{898C62A1-F458-4d1f-8F12-058D45E3695F}.exe

Filesize
76KB

MD5
b96e816b0ceb250fc95f7d4c24a5edd5

SHA1
10e70562fd86634a2892abdcd56fa2da49c460a5

SHA256
58a10d05ba92c0502e09e740182793ff1e46d648b048c638f67bf746d080fcf7

SHA512
e4505ed61732693b9902705ce20e5dc284ee2d3796aa1d8fd7023dafa57385431f13d8153a7883b841306a5afd6cc1bfa90beac5f759d9b098a28f589979934f

Download Submit
C:\Windows\{9A512A65-BE34-495e-A7EF-FD28CF546F97}.exe

Filesize
76KB

MD5
54c8acc1d380e3d425da417209b40eb7

SHA1
387fe26dffd8dca8542f57af880f8e40ec79f259

SHA256
8d34822e5b402af6b368af2bb92c05b0c2ba45987d4c6bda5001be81a39d3c4b

SHA512
25e4945ea8b3006e05b08b0d39deccd6ea9ce3822b9e2b8588c6d47785d2275acbaaa289e82d5447bc39278731753cd6fe75c248099b7a668e1521f85c57d850

Download Submit
C:\Windows\{B578C94B-3305-4933-9DDE-D35EA4C0BFB9}.exe

Filesize
76KB

MD5
ad7b22640bc2e76e94d629869113d610

SHA1
abbb440436d7e2500087119c87d9dab27f64027d

SHA256
272aed060046241ba2c29f8c24b7ce720f3f8b4f6465fd95b66c085034dcb401

SHA512
2b2ee30c86fe2cc96533d0f1158a74ae3fa503d3f8f746c95d85c424211602851fd79b90b71ebb17af99b4e8c6a0a0bf7ec7a17e4abc8c07322464ff3b51b487

Download Submit
C:\Windows\{C23FAD88-8D80-4734-9A2C-5D6D8A2FA82B}.exe

Filesize
76KB

MD5
45792707ce7cff696eb6e5247df0b454

SHA1
d795a74b99080617c521157a2b24e757d23fdafb

SHA256
7871b3f284a4a3d0b19aecbb6ba7f5f4b988dc9dc4f70cb47b4164a50b86f9a1

SHA512
20b6fe3dd7a896139cca0b47355830994e99d5d7a6b8741546cbf093b730027639cb90f3525505bc74ae691b9dc8beac85080b25274500290a44b23bcf5a610a

Download Submit
C:\Windows\{C2EA86BE-F0CA-4603-95AF-6704EE603124}.exe

Filesize
76KB

MD5
85a29a23b8bffac57d40c0e853483294

SHA1
0c35a86c75fd2c419ff0608e42fdc46c91edbc83

SHA256
462ba926a432d93bf68c3c37d060a218476e10cc545bad53d607650a9316fdb1

SHA512
c7431f43a50252518f9cadb3a4b9142be311589ba7f41de592136a0830cea49d886f6b209f1a280c6708d95d45fcdf75b933ca21d890adf543027e9595296169

Download Submit
C:\Windows\{E2162409-2E8C-42a8-85C5-9BEA9D8D958D}.exe

Filesize
76KB

MD5
bc692caa41e0cfdbc517610eb77fdd15

SHA1
3265de0e24882056a60a13f26af6eb5d4c3df6b4

SHA256
9c785e7ad5aaa077156a14ff6030c9a690cf5bbcbdb8ba3cbf69414d3c0666fc

SHA512
78f6cdc72ce3d7adde82c3d5c7e454df87f6020724025f54c18769349dcce85189bbf4eb13ab07ba581dd501df94eb81e588cf707e866932fa2b4511ad407dcf

Download Submit
C:\Windows\{F93C50E7-71A3-49af-B915-0AA2BD971A9E}.exe

Filesize
76KB

MD5
9a7f7abf719859d6b1a32147b0f1f2dc

SHA1
6a0d4f8ee3f39457b6a8d46cad24f4c76a68af2f

SHA256
587b60a488aa31b38a36f9b3805f68e5f5f8601df9c7930299189252225e06ef

SHA512
713398e4f959e945e790a4b0165fcd63fb3f318da01536cf6b73b3ac3a9bfaf0de24859bc34c570537489009917de042f16f74c0ebf4b6733b44be60d56fdadd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads