7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe
Size

60KB
MD5

13f9a0a94e67d51f5cb576ecd70a3330
SHA1

d01e658c4ce97b89d71f95aeb56ba9e7a7a44a75
SHA256

7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf
SHA512

1a7e8996badebf786d1ae839daafc94746de8ad1fc0ac7f70ea90535d8b6de4cbac1ef133b33b82edf1f58f6dd1133f90bb8f4cc8ea6cbb16a10304c68134bbe
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLrod4/CFsrdHWMZo:vvw9816vhKQLrod4/wQpWMZo

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAAA724A-130D-4250-8FE5-1D5A61F2C3E1}	{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61717503-22B4-4745-9B85-DF31000DF3DB}	{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61717503-22B4-4745-9B85-DF31000DF3DB}\stubpath = "C:\\Windows\\{61717503-22B4-4745-9B85-DF31000DF3DB}.exe"	{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2518A077-B4BB-437c-9B70-0CD092A178DF}	{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2518A077-B4BB-437c-9B70-0CD092A178DF}\stubpath = "C:\\Windows\\{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe"	{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A134DE76-36E4-4398-91B0-AE78BCC13268}	{4B074888-C716-4881-8FE6-9921723B23CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}	{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}\stubpath = "C:\\Windows\\{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe"	{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAAA724A-130D-4250-8FE5-1D5A61F2C3E1}\stubpath = "C:\\Windows\\{CAAA724A-130D-4250-8FE5-1D5A61F2C3E1}.exe"	{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2B22915-56F4-4cc7-8E00-5A3BF84C532A}\stubpath = "C:\\Windows\\{F2B22915-56F4-4cc7-8E00-5A3BF84C532A}.exe"	{CAAA724A-130D-4250-8FE5-1D5A61F2C3E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}\stubpath = "C:\\Windows\\{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe"	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}	{951441A9-4806-496f-AD6D-72AAC3883898}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D03A3F73-38EF-4eec-B665-979E5066669A}\stubpath = "C:\\Windows\\{D03A3F73-38EF-4eec-B665-979E5066669A}.exe"	{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2B22915-56F4-4cc7-8E00-5A3BF84C532A}	{CAAA724A-130D-4250-8FE5-1D5A61F2C3E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{951441A9-4806-496f-AD6D-72AAC3883898}\stubpath = "C:\\Windows\\{951441A9-4806-496f-AD6D-72AAC3883898}.exe"	{61717503-22B4-4745-9B85-DF31000DF3DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}	{D03A3F73-38EF-4eec-B665-979E5066669A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{951441A9-4806-496f-AD6D-72AAC3883898}	{61717503-22B4-4745-9B85-DF31000DF3DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}\stubpath = "C:\\Windows\\{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe"	{951441A9-4806-496f-AD6D-72AAC3883898}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D03A3F73-38EF-4eec-B665-979E5066669A}	{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}\stubpath = "C:\\Windows\\{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe"	{D03A3F73-38EF-4eec-B665-979E5066669A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B074888-C716-4881-8FE6-9921723B23CE}	{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B074888-C716-4881-8FE6-9921723B23CE}\stubpath = "C:\\Windows\\{4B074888-C716-4881-8FE6-9921723B23CE}.exe"	{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A134DE76-36E4-4398-91B0-AE78BCC13268}\stubpath = "C:\\Windows\\{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe"	{4B074888-C716-4881-8FE6-9921723B23CE}.exe

Executes dropped EXE 12 IoCs

pid	Process
2136	{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe
752	{61717503-22B4-4745-9B85-DF31000DF3DB}.exe
1676	{951441A9-4806-496f-AD6D-72AAC3883898}.exe
3708	{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe
2476	{D03A3F73-38EF-4eec-B665-979E5066669A}.exe
4164	{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe
2384	{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe
3304	{4B074888-C716-4881-8FE6-9921723B23CE}.exe
2204	{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe
1128	{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe
3856	{CAAA724A-130D-4250-8FE5-1D5A61F2C3E1}.exe
4480	{F2B22915-56F4-4cc7-8E00-5A3BF84C532A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4B074888-C716-4881-8FE6-9921723B23CE}.exe	{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe
File created	C:\Windows\{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe	{4B074888-C716-4881-8FE6-9921723B23CE}.exe
File created	C:\Windows\{CAAA724A-130D-4250-8FE5-1D5A61F2C3E1}.exe	{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe
File created	C:\Windows\{F2B22915-56F4-4cc7-8E00-5A3BF84C532A}.exe	{CAAA724A-130D-4250-8FE5-1D5A61F2C3E1}.exe
File created	C:\Windows\{61717503-22B4-4745-9B85-DF31000DF3DB}.exe	{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe
File created	C:\Windows\{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe	{951441A9-4806-496f-AD6D-72AAC3883898}.exe
File created	C:\Windows\{D03A3F73-38EF-4eec-B665-979E5066669A}.exe	{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe
File created	C:\Windows\{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe	{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe
File created	C:\Windows\{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe	{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe
File created	C:\Windows\{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe
File created	C:\Windows\{951441A9-4806-496f-AD6D-72AAC3883898}.exe	{61717503-22B4-4745-9B85-DF31000DF3DB}.exe
File created	C:\Windows\{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe	{D03A3F73-38EF-4eec-B665-979E5066669A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2488	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2136	{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe
Token: SeIncBasePriorityPrivilege	752	{61717503-22B4-4745-9B85-DF31000DF3DB}.exe
Token: SeIncBasePriorityPrivilege	1676	{951441A9-4806-496f-AD6D-72AAC3883898}.exe
Token: SeIncBasePriorityPrivilege	3708	{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe
Token: SeIncBasePriorityPrivilege	2476	{D03A3F73-38EF-4eec-B665-979E5066669A}.exe
Token: SeIncBasePriorityPrivilege	4164	{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe
Token: SeIncBasePriorityPrivilege	2384	{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe
Token: SeIncBasePriorityPrivilege	3304	{4B074888-C716-4881-8FE6-9921723B23CE}.exe
Token: SeIncBasePriorityPrivilege	2204	{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe
Token: SeIncBasePriorityPrivilege	1128	{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe
Token: SeIncBasePriorityPrivilege	3856	{CAAA724A-130D-4250-8FE5-1D5A61F2C3E1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2136	2488	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	81
PID 2488 wrote to memory of 2136	2488	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	81
PID 2488 wrote to memory of 2136	2488	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	81
PID 2488 wrote to memory of 4424	2488	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	82
PID 2488 wrote to memory of 4424	2488	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	82
PID 2488 wrote to memory of 4424	2488	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	82
PID 2136 wrote to memory of 752	2136	{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe	83
PID 2136 wrote to memory of 752	2136	{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe	83
PID 2136 wrote to memory of 752	2136	{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe	83
PID 2136 wrote to memory of 1000	2136	{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe	84
PID 2136 wrote to memory of 1000	2136	{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe	84
PID 2136 wrote to memory of 1000	2136	{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe	84
PID 752 wrote to memory of 1676	752	{61717503-22B4-4745-9B85-DF31000DF3DB}.exe	87
PID 752 wrote to memory of 1676	752	{61717503-22B4-4745-9B85-DF31000DF3DB}.exe	87
PID 752 wrote to memory of 1676	752	{61717503-22B4-4745-9B85-DF31000DF3DB}.exe	87
PID 752 wrote to memory of 3684	752	{61717503-22B4-4745-9B85-DF31000DF3DB}.exe	88
PID 752 wrote to memory of 3684	752	{61717503-22B4-4745-9B85-DF31000DF3DB}.exe	88
PID 752 wrote to memory of 3684	752	{61717503-22B4-4745-9B85-DF31000DF3DB}.exe	88
PID 1676 wrote to memory of 3708	1676	{951441A9-4806-496f-AD6D-72AAC3883898}.exe	93
PID 1676 wrote to memory of 3708	1676	{951441A9-4806-496f-AD6D-72AAC3883898}.exe	93
PID 1676 wrote to memory of 3708	1676	{951441A9-4806-496f-AD6D-72AAC3883898}.exe	93
PID 1676 wrote to memory of 5076	1676	{951441A9-4806-496f-AD6D-72AAC3883898}.exe	94
PID 1676 wrote to memory of 5076	1676	{951441A9-4806-496f-AD6D-72AAC3883898}.exe	94
PID 1676 wrote to memory of 5076	1676	{951441A9-4806-496f-AD6D-72AAC3883898}.exe	94
PID 3708 wrote to memory of 2476	3708	{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe	96
PID 3708 wrote to memory of 2476	3708	{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe	96
PID 3708 wrote to memory of 2476	3708	{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe	96
PID 3708 wrote to memory of 316	3708	{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe	97
PID 3708 wrote to memory of 316	3708	{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe	97
PID 3708 wrote to memory of 316	3708	{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe	97
PID 2476 wrote to memory of 4164	2476	{D03A3F73-38EF-4eec-B665-979E5066669A}.exe	98
PID 2476 wrote to memory of 4164	2476	{D03A3F73-38EF-4eec-B665-979E5066669A}.exe	98
PID 2476 wrote to memory of 4164	2476	{D03A3F73-38EF-4eec-B665-979E5066669A}.exe	98
PID 2476 wrote to memory of 4620	2476	{D03A3F73-38EF-4eec-B665-979E5066669A}.exe	99
PID 2476 wrote to memory of 4620	2476	{D03A3F73-38EF-4eec-B665-979E5066669A}.exe	99
PID 2476 wrote to memory of 4620	2476	{D03A3F73-38EF-4eec-B665-979E5066669A}.exe	99
PID 4164 wrote to memory of 2384	4164	{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe	100
PID 4164 wrote to memory of 2384	4164	{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe	100
PID 4164 wrote to memory of 2384	4164	{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe	100
PID 4164 wrote to memory of 2268	4164	{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe	101
PID 4164 wrote to memory of 2268	4164	{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe	101
PID 4164 wrote to memory of 2268	4164	{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe	101
PID 2384 wrote to memory of 3304	2384	{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe	102
PID 2384 wrote to memory of 3304	2384	{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe	102
PID 2384 wrote to memory of 3304	2384	{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe	102
PID 2384 wrote to memory of 3344	2384	{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe	103
PID 2384 wrote to memory of 3344	2384	{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe	103
PID 2384 wrote to memory of 3344	2384	{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe	103
PID 3304 wrote to memory of 2204	3304	{4B074888-C716-4881-8FE6-9921723B23CE}.exe	104
PID 3304 wrote to memory of 2204	3304	{4B074888-C716-4881-8FE6-9921723B23CE}.exe	104
PID 3304 wrote to memory of 2204	3304	{4B074888-C716-4881-8FE6-9921723B23CE}.exe	104
PID 3304 wrote to memory of 2908	3304	{4B074888-C716-4881-8FE6-9921723B23CE}.exe	105
PID 3304 wrote to memory of 2908	3304	{4B074888-C716-4881-8FE6-9921723B23CE}.exe	105
PID 3304 wrote to memory of 2908	3304	{4B074888-C716-4881-8FE6-9921723B23CE}.exe	105
PID 2204 wrote to memory of 1128	2204	{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe	106
PID 2204 wrote to memory of 1128	2204	{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe	106
PID 2204 wrote to memory of 1128	2204	{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe	106
PID 2204 wrote to memory of 1940	2204	{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe	107
PID 2204 wrote to memory of 1940	2204	{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe	107
PID 2204 wrote to memory of 1940	2204	{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe	107
PID 1128 wrote to memory of 3856	1128	{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe	108
PID 1128 wrote to memory of 3856	1128	{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe	108
PID 1128 wrote to memory of 3856	1128	{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe	108
PID 1128 wrote to memory of 1184	1128	{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe	109

C:\Users\Admin\AppData\Local\Temp\7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe
  C:\Windows\{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\{61717503-22B4-4745-9B85-DF31000DF3DB}.exe
    C:\Windows\{61717503-22B4-4745-9B85-DF31000DF3DB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\{951441A9-4806-496f-AD6D-72AAC3883898}.exe
      C:\Windows\{951441A9-4806-496f-AD6D-72AAC3883898}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe
        
        C:\Windows\{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3708
      - C:\Windows\{D03A3F73-38EF-4eec-B665-979E5066669A}.exe
        
        C:\Windows\{D03A3F73-38EF-4eec-B665-979E5066669A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe
        
        C:\Windows\{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe
        
        C:\Windows\{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\{4B074888-C716-4881-8FE6-9921723B23CE}.exe
        
        C:\Windows\{4B074888-C716-4881-8FE6-9921723B23CE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe
        
        C:\Windows\{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe
        
        C:\Windows\{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\{CAAA724A-130D-4250-8FE5-1D5A61F2C3E1}.exe
        
        C:\Windows\{CAAA724A-130D-4250-8FE5-1D5A61F2C3E1}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
        
        C:\Windows\{F2B22915-56F4-4cc7-8E00-5A3BF84C532A}.exe
        
        C:\Windows\{F2B22915-56F4-4cc7-8E00-5A3BF84C532A}.exe
        13⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAAA7~1.EXE > nul
        13⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57BCC~1.EXE > nul
        12⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A134D~1.EXE > nul
        11⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B074~1.EXE > nul
        10⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2518A~1.EXE > nul
        9⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E5D4~1.EXE > nul
        8⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D03A3~1.EXE > nul
        7⤵
        
        PID:4620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBD49~1.EXE > nul
        6⤵
        
        PID:316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95144~1.EXE > nul
        5⤵
        
        PID:5076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{61717~1.EXE > nul
      4⤵
      PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2EC89~1.EXE > nul
    3⤵
    PID:1000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7A75B1~1.EXE > nul
  2⤵
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2518A077-B4BB-437c-9B70-0CD092A178DF}.exe

Filesize
60KB

MD5
e8e01dddaa04dad4602b5f8fc97442f3

SHA1
19c8c37c2f1bb09e037cf9245a53a9e2d9b81f44

SHA256
8ff2f0785ed180959043192fa181dec87fbb463244c653a16fa98a479b0d677b

SHA512
9b47fab472bae9c08874625293ce1bd7ab6ef3a082ae2be0150ddcdf81bbc07fb3f2cbee651d2bba7063c0ca79af9561e573d94347df284552eb71f92e848f30

Download Submit
C:\Windows\{2E5D46EC-5E29-44e6-AB1F-F2543332C35E}.exe

Filesize
60KB

MD5
1b363137230eddd96d2e7f5896a1c149

SHA1
7e823b4f5c789665b9f0bc64ca10bada69dfb643

SHA256
6423173e888e72bc42214d15fce0d13958f0776e9b922a0df8435f13efe35336

SHA512
e4a002a33ff06227e43cdfb0290b1ada791a14ba3c028b32f50e21ea3422278d5906823772c714d47996fc5435aa0f5ee032342d96fa2f039c8c91f43c51dc76

Download Submit
C:\Windows\{2EC891AB-D0F2-4ecb-A909-5AF79FFBE723}.exe

Filesize
60KB

MD5
6e78fce7c1cd1578e47e4d1c574913f6

SHA1
97d6db6a7820ec7001975aa3e038196ff045c818

SHA256
eb6d93cec7f0cfb6c6eb8124dc7b1ffbed70c1f9669aab069cd06c5ec1deebd4

SHA512
a2dd41b6ce0f174b4665125bc833b7afa49514b2490554efcd71b0118bc9e7d90dc423e6754788ae34c2d668a5568cd17acd9618be9e3071ba2c683753f55745

Download Submit
C:\Windows\{4B074888-C716-4881-8FE6-9921723B23CE}.exe

Filesize
60KB

MD5
4c1a1e75e93f5fea67252f9b9e655a54

SHA1
e9aecb493ae328ae7db8337a0b545e23bb383be5

SHA256
383b5e414356be4eb72aa138a72d57c8beeccf93c731c2b8ac4097d4a6566f70

SHA512
fa3d8ed3e459217d6bc7ab459edfbb713490e02b4b31a66e04b6ecb2e1657e5b92f3a58c68eb898a559c9b7fb69a8f648dfaca9c8f5136bbd9893fceab768990

Download Submit
C:\Windows\{57BCC0CA-36B1-45ea-A760-4BC17484D7F4}.exe

Filesize
60KB

MD5
f11c9adc673e875b733a3869f7dc1b4f

SHA1
5406f2c63533fd9676d1b1791311911edb45c52f

SHA256
2627c38a4e4c55be41278b10b807fb1a9908c88109a69060a360deb47cf6aab4

SHA512
1042bbeaad98db8f645f569ae0419e75609e2e3f8e60f119969a30a0435767888fb419d0d16f3d381626c87630bf211b2dce4bcbcab87988d0eb08e086915ce5

Download Submit
C:\Windows\{61717503-22B4-4745-9B85-DF31000DF3DB}.exe

Filesize
60KB

MD5
fb64fc8823963b184152852da8c14431

SHA1
34d7bab9d56610a92677cbf06e39486e004320e7

SHA256
0dcdfbec87e7518cf875259c6007b61ade4f8ced4dcd600cd58e20a8d3950276

SHA512
04052bf3cd5fd09b50e8521afdf461fb88748de908a552ffc0dc53f974a16848ad89fcdef34cfdf2f6e9fdea8bd6491d499c5600f5468cc86a5173c56def1dfa

Download Submit
C:\Windows\{951441A9-4806-496f-AD6D-72AAC3883898}.exe

Filesize
60KB

MD5
6df1a0055bc3f551cb4f1e07ff56ae83

SHA1
031a89cecc6fc3449d0669a5fb6948961473d836

SHA256
7f1382e01c4192225149f640f803c4efeb8dd4056efe1d9722546cd2018a66c3

SHA512
6f4a104f23bda2f1965816ab2b9724a5daecf4b8f966fbd7fc9c59996067fe9048364074cacbe13af601f37c198a5643833ab9c03720711b404d1b0f074fa205

Download Submit
C:\Windows\{A134DE76-36E4-4398-91B0-AE78BCC13268}.exe

Filesize
60KB

MD5
a332193f52b9104f9b8548cfeb5091be

SHA1
17ccd49fed5d0dc923c5415300a3ba55a9429518

SHA256
dff0087f911c7890182fdb099a8f60a74355619eacfb77ee54e3dca0f2ab9233

SHA512
78b8d9c54a53ea5374b243efb2d67af675376087b1970ac23829f69daca5524c0f13062ebf1028a7ef2e70369ed7c83f05517ac66f48a3735d47fa324d733d2c

Download Submit
C:\Windows\{CAAA724A-130D-4250-8FE5-1D5A61F2C3E1}.exe

Filesize
60KB

MD5
07126ee88d890b9ab4996563349899f9

SHA1
a083e2f398bf2311772e5233d2bb62ea8c82ce9c

SHA256
68cd9341ce5f8733c261d44c44fb84c097400113efdf73e32d70643a7ca6c00e

SHA512
ce725aa67c7e08aa00eb9b436dd659666c7f2a873a7973efa317a1b68162662e9547f2b6fd872057ad1d20b9255dd6a67a74c07bdb148073cda83846d5efb298

Download Submit
C:\Windows\{D03A3F73-38EF-4eec-B665-979E5066669A}.exe

Filesize
60KB

MD5
88c7c23f2f3accd3846a63ccd864c9f5

SHA1
d9fec62375eca8f6deab766aee94ceb45ad8914f

SHA256
88b6a8f02582af006f6bd030a2524203ed3e2bb18b0eeca7619e6649c1a7077b

SHA512
83a6612ca304f0d6646f0b4f5b3991332046cd9d00b5e4bdda80c0ed9c6c19530e375aad7e42fa677d2294735a2bac0bef45387912f9fb5431b9f82a886eb3c3

Download Submit
C:\Windows\{DBD494BD-7CFD-4f3d-8F3E-9D6FEEAB8093}.exe

Filesize
60KB

MD5
b3e86e391cf5b0a1cdfe4e7458996fe2

SHA1
af4e900b7a238b291960ca528ae1a1f3100c123a

SHA256
81dd191f49e2f60da1f667f44ad5d03b853e44193c77b3de6e62c6eb6a3b0fa9

SHA512
8ac07ccde39d786971588ccffc67c56f4ee224652a1b2aa4182ae16de6e89f3805583eed5e5d2ae2ac41f7a4c711a8fa43531d4fe1cf6b17f4040bc78ca1bd39

Download Submit
C:\Windows\{F2B22915-56F4-4cc7-8E00-5A3BF84C532A}.exe

Filesize
60KB

MD5
b1e0a6a88b5201e813fc2a24486ddee6

SHA1
22990d08e63eadb404036dee999cd663ab4992af

SHA256
f42cd933fae2588fec6c0e31feca411857b2e970a39dda5c8bd0b1e921889e21

SHA512
588fda12c7883ff101d2173d050d5dc94153ca8c022926cf720b211d630a6b75dcf7d44ee9d9a9652575dd8a02cdec6075971ed907105fc4ea5f27777ed175ba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads