167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe
Size

89KB
MD5

dc77f4ccefded2d2e7771de494519790
SHA1

3da039048c6039c3731fb6ecda08d3403b7873a8
SHA256

167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b
SHA512

d847673ad2d2c228245a53f7d41867e9ebbc80663c6a2000aa0674b3525e740bbe5cc9e1555499c5bc25e385acbe3781931b818be055c34265e7d64dd115ec1e
SSDEEP

768:5vw9816thKQLroy4/wQkNrfrunMxVFA3k:lEG/0oylbunMxVS3k

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F547C647-B781-4a23-8763-A6AACE051135}\stubpath = "C:\\Windows\\{F547C647-B781-4a23-8763-A6AACE051135}.exe"	{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}	{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13B8745B-37FC-479d-A362-B58869C308EC}	{7015E89A-B825-4444-AD65-683A232022BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}	{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22281E46-A1C3-4d97-B3B3-5F395C530DC6}	{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{176112C4-1833-4f8f-A794-765BD21AC493}	{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}\stubpath = "C:\\Windows\\{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe"	{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}	{F547C647-B781-4a23-8763-A6AACE051135}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}\stubpath = "C:\\Windows\\{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe"	{F547C647-B781-4a23-8763-A6AACE051135}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}\stubpath = "C:\\Windows\\{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe"	{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}\stubpath = "C:\\Windows\\{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe"	{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7015E89A-B825-4444-AD65-683A232022BA}	{176112C4-1833-4f8f-A794-765BD21AC493}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13B8745B-37FC-479d-A362-B58869C308EC}\stubpath = "C:\\Windows\\{13B8745B-37FC-479d-A362-B58869C308EC}.exe"	{7015E89A-B825-4444-AD65-683A232022BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33716BDB-F07D-480e-ABB0-0F9B8A279A2F}\stubpath = "C:\\Windows\\{33716BDB-F07D-480e-ABB0-0F9B8A279A2F}.exe"	{13B8745B-37FC-479d-A362-B58869C308EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F547C647-B781-4a23-8763-A6AACE051135}	{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{741F3E15-491C-43e1-A728-EA93A5B8B031}\stubpath = "C:\\Windows\\{741F3E15-491C-43e1-A728-EA93A5B8B031}.exe"	{33716BDB-F07D-480e-ABB0-0F9B8A279A2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5631C343-AB4F-4c59-95F1-39820C47EEF4}\stubpath = "C:\\Windows\\{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe"	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22281E46-A1C3-4d97-B3B3-5F395C530DC6}\stubpath = "C:\\Windows\\{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe"	{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}	{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{176112C4-1833-4f8f-A794-765BD21AC493}\stubpath = "C:\\Windows\\{176112C4-1833-4f8f-A794-765BD21AC493}.exe"	{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7015E89A-B825-4444-AD65-683A232022BA}\stubpath = "C:\\Windows\\{7015E89A-B825-4444-AD65-683A232022BA}.exe"	{176112C4-1833-4f8f-A794-765BD21AC493}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33716BDB-F07D-480e-ABB0-0F9B8A279A2F}	{13B8745B-37FC-479d-A362-B58869C308EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{741F3E15-491C-43e1-A728-EA93A5B8B031}	{33716BDB-F07D-480e-ABB0-0F9B8A279A2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5631C343-AB4F-4c59-95F1-39820C47EEF4}	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe

Executes dropped EXE 11 IoCs

pid	Process
4824	{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe
3552	{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe
4400	{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe
1416	{F547C647-B781-4a23-8763-A6AACE051135}.exe
1184	{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe
2508	{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe
4528	{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe
4660	{176112C4-1833-4f8f-A794-765BD21AC493}.exe
4116	{7015E89A-B825-4444-AD65-683A232022BA}.exe
4368	{13B8745B-37FC-479d-A362-B58869C308EC}.exe
3436	{33716BDB-F07D-480e-ABB0-0F9B8A279A2F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe	{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe
File created	C:\Windows\{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe	{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe
File created	C:\Windows\{F547C647-B781-4a23-8763-A6AACE051135}.exe	{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe
File created	C:\Windows\{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe	{F547C647-B781-4a23-8763-A6AACE051135}.exe
File created	C:\Windows\{176112C4-1833-4f8f-A794-765BD21AC493}.exe	{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe
File created	C:\Windows\{13B8745B-37FC-479d-A362-B58869C308EC}.exe	{7015E89A-B825-4444-AD65-683A232022BA}.exe
File created	C:\Windows\{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe
File created	C:\Windows\{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe	{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe
File created	C:\Windows\{7015E89A-B825-4444-AD65-683A232022BA}.exe	{176112C4-1833-4f8f-A794-765BD21AC493}.exe
File created	C:\Windows\{33716BDB-F07D-480e-ABB0-0F9B8A279A2F}.exe	{13B8745B-37FC-479d-A362-B58869C308EC}.exe
File created	C:\Windows\{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe	{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4948	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4824	{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe
Token: SeIncBasePriorityPrivilege	3552	{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe
Token: SeIncBasePriorityPrivilege	4400	{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe
Token: SeIncBasePriorityPrivilege	1416	{F547C647-B781-4a23-8763-A6AACE051135}.exe
Token: SeIncBasePriorityPrivilege	1184	{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe
Token: SeIncBasePriorityPrivilege	2508	{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe
Token: SeIncBasePriorityPrivilege	4528	{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe
Token: SeIncBasePriorityPrivilege	4660	{176112C4-1833-4f8f-A794-765BD21AC493}.exe
Token: SeIncBasePriorityPrivilege	4116	{7015E89A-B825-4444-AD65-683A232022BA}.exe
Token: SeIncBasePriorityPrivilege	4368	{13B8745B-37FC-479d-A362-B58869C308EC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4824	4948	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	86
PID 4948 wrote to memory of 4824	4948	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	86
PID 4948 wrote to memory of 4824	4948	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	86
PID 4948 wrote to memory of 548	4948	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	87
PID 4948 wrote to memory of 548	4948	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	87
PID 4948 wrote to memory of 548	4948	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	87
PID 4824 wrote to memory of 3552	4824	{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe	90
PID 4824 wrote to memory of 3552	4824	{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe	90
PID 4824 wrote to memory of 3552	4824	{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe	90
PID 4824 wrote to memory of 4640	4824	{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe	91
PID 4824 wrote to memory of 4640	4824	{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe	91
PID 4824 wrote to memory of 4640	4824	{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe	91
PID 3552 wrote to memory of 4400	3552	{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe	94
PID 3552 wrote to memory of 4400	3552	{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe	94
PID 3552 wrote to memory of 4400	3552	{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe	94
PID 3552 wrote to memory of 4288	3552	{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe	95
PID 3552 wrote to memory of 4288	3552	{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe	95
PID 3552 wrote to memory of 4288	3552	{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe	95
PID 4400 wrote to memory of 1416	4400	{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe	96
PID 4400 wrote to memory of 1416	4400	{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe	96
PID 4400 wrote to memory of 1416	4400	{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe	96
PID 4400 wrote to memory of 2912	4400	{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe	97
PID 4400 wrote to memory of 2912	4400	{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe	97
PID 4400 wrote to memory of 2912	4400	{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe	97
PID 1416 wrote to memory of 1184	1416	{F547C647-B781-4a23-8763-A6AACE051135}.exe	98
PID 1416 wrote to memory of 1184	1416	{F547C647-B781-4a23-8763-A6AACE051135}.exe	98
PID 1416 wrote to memory of 1184	1416	{F547C647-B781-4a23-8763-A6AACE051135}.exe	98
PID 1416 wrote to memory of 4348	1416	{F547C647-B781-4a23-8763-A6AACE051135}.exe	99
PID 1416 wrote to memory of 4348	1416	{F547C647-B781-4a23-8763-A6AACE051135}.exe	99
PID 1416 wrote to memory of 4348	1416	{F547C647-B781-4a23-8763-A6AACE051135}.exe	99
PID 1184 wrote to memory of 2508	1184	{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe	100
PID 1184 wrote to memory of 2508	1184	{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe	100
PID 1184 wrote to memory of 2508	1184	{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe	100
PID 1184 wrote to memory of 948	1184	{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe	101
PID 1184 wrote to memory of 948	1184	{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe	101
PID 1184 wrote to memory of 948	1184	{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe	101
PID 2508 wrote to memory of 4528	2508	{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe	102
PID 2508 wrote to memory of 4528	2508	{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe	102
PID 2508 wrote to memory of 4528	2508	{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe	102
PID 2508 wrote to memory of 4656	2508	{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe	103
PID 2508 wrote to memory of 4656	2508	{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe	103
PID 2508 wrote to memory of 4656	2508	{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe	103
PID 4528 wrote to memory of 4660	4528	{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe	104
PID 4528 wrote to memory of 4660	4528	{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe	104
PID 4528 wrote to memory of 4660	4528	{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe	104
PID 4528 wrote to memory of 1772	4528	{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe	105
PID 4528 wrote to memory of 1772	4528	{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe	105
PID 4528 wrote to memory of 1772	4528	{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe	105
PID 4660 wrote to memory of 4116	4660	{176112C4-1833-4f8f-A794-765BD21AC493}.exe	106
PID 4660 wrote to memory of 4116	4660	{176112C4-1833-4f8f-A794-765BD21AC493}.exe	106
PID 4660 wrote to memory of 4116	4660	{176112C4-1833-4f8f-A794-765BD21AC493}.exe	106
PID 4660 wrote to memory of 4844	4660	{176112C4-1833-4f8f-A794-765BD21AC493}.exe	107
PID 4660 wrote to memory of 4844	4660	{176112C4-1833-4f8f-A794-765BD21AC493}.exe	107
PID 4660 wrote to memory of 4844	4660	{176112C4-1833-4f8f-A794-765BD21AC493}.exe	107
PID 4116 wrote to memory of 4368	4116	{7015E89A-B825-4444-AD65-683A232022BA}.exe	108
PID 4116 wrote to memory of 4368	4116	{7015E89A-B825-4444-AD65-683A232022BA}.exe	108
PID 4116 wrote to memory of 4368	4116	{7015E89A-B825-4444-AD65-683A232022BA}.exe	108
PID 4116 wrote to memory of 4408	4116	{7015E89A-B825-4444-AD65-683A232022BA}.exe	109
PID 4116 wrote to memory of 4408	4116	{7015E89A-B825-4444-AD65-683A232022BA}.exe	109
PID 4116 wrote to memory of 4408	4116	{7015E89A-B825-4444-AD65-683A232022BA}.exe	109
PID 4368 wrote to memory of 3436	4368	{13B8745B-37FC-479d-A362-B58869C308EC}.exe	110
PID 4368 wrote to memory of 3436	4368	{13B8745B-37FC-479d-A362-B58869C308EC}.exe	110
PID 4368 wrote to memory of 3436	4368	{13B8745B-37FC-479d-A362-B58869C308EC}.exe	110
PID 4368 wrote to memory of 4336	4368	{13B8745B-37FC-479d-A362-B58869C308EC}.exe	111

C:\Users\Admin\AppData\Local\Temp\167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe
  C:\Windows\{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe
    C:\Windows\{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe
      C:\Windows\{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Windows\{F547C647-B781-4a23-8763-A6AACE051135}.exe
        
        C:\Windows\{F547C647-B781-4a23-8763-A6AACE051135}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
      - C:\Windows\{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe
        
        C:\Windows\{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe
        
        C:\Windows\{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe
        
        C:\Windows\{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\{176112C4-1833-4f8f-A794-765BD21AC493}.exe
        
        C:\Windows\{176112C4-1833-4f8f-A794-765BD21AC493}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\{7015E89A-B825-4444-AD65-683A232022BA}.exe
        
        C:\Windows\{7015E89A-B825-4444-AD65-683A232022BA}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\{13B8745B-37FC-479d-A362-B58869C308EC}.exe
        
        C:\Windows\{13B8745B-37FC-479d-A362-B58869C308EC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\{33716BDB-F07D-480e-ABB0-0F9B8A279A2F}.exe
        
        C:\Windows\{33716BDB-F07D-480e-ABB0-0F9B8A279A2F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\{741F3E15-491C-43e1-A728-EA93A5B8B031}.exe
        
        C:\Windows\{741F3E15-491C-43e1-A728-EA93A5B8B031}.exe
        13⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33716~1.EXE > nul
        13⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13B87~1.EXE > nul
        12⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7015E~1.EXE > nul
        11⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17611~1.EXE > nul
        10⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83F6C~1.EXE > nul
        9⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B783~1.EXE > nul
        8⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F141E~1.EXE > nul
        7⤵
        
        PID:948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F547C~1.EXE > nul
        6⤵
        
        PID:4348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22281~1.EXE > nul
        5⤵
        
        PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1B88B~1.EXE > nul
      4⤵
      PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5631C~1.EXE > nul
    3⤵
    PID:4640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\167B8E~1.EXE > nul
  2⤵
  PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13B8745B-37FC-479d-A362-B58869C308EC}.exe

Filesize
89KB

MD5
5e307172c2d1a42738d84031ed8716b0

SHA1
efd4af52fae984fad5a1dfa5ee04cdeb133ac3c8

SHA256
1d16634004531b6778b9d85aedae37c8a5485e3269e9071282af3c93729e97dc

SHA512
f9d7c5f9f9e9cfc39bd244d76cdbc9ad06af73a355dbce5cdf18e77828b189442951f39b47fe55ad9504ebed11d5ef06e5e9ee4738ef1af153d2ee61bcf992b4

Download Submit
C:\Windows\{176112C4-1833-4f8f-A794-765BD21AC493}.exe

Filesize
89KB

MD5
b0d32c5d0eaba7cfe374d0ef88d09162

SHA1
630feab5632ba2e0b2fe70a99cdf7f5957eaab59

SHA256
9f46265d953c5c7ffed3b8b12be0fb75b72b1a2e05de0282ff0612cf1b103708

SHA512
86f86561ba600ed95b1a05525b53f737473aee6fa53a2ce9b2f8317b033b9e3dc50df13cd4626265549cf882c50ab7af5591cd2297a3e40d3143581959eda72a

Download Submit
C:\Windows\{1B783A4A-1EF9-4dc4-9BDF-1D8911CFA265}.exe

Filesize
89KB

MD5
05bc05ee1e1c1c95afc0ae66003d9776

SHA1
3ade6d5adc08f7744fc02b7ffc0e7f3cebb199fe

SHA256
eeca5118bbb575731e6933518738bbd1332f1329b6269ccff0d17042bd35724d

SHA512
e9b30e229e11ea5a29dc1a1024f68ccee49417bb6c0ad87144424d0fefdbe257a57ce7b7b88a5de152fa175b8704ba4eca7bba0561b532115c54a7d93649130e

Download Submit
C:\Windows\{1B88BB6A-173E-4fcd-91C1-56ECB8DA87B6}.exe

Filesize
89KB

MD5
db5d2fca3380ccd49581352dd2387324

SHA1
16242c55e0f52280445de7ddabba805fe1608e18

SHA256
981329310b0f2e8b289070ef58efc45f708d60d0edea4d47bbe7dfd3b5fefda7

SHA512
b3bb2d6a115ffe44aa3ff20a22a50258a5e93ed116a4f249cae70f4f3b9422f23156db04bd40ef765d4e2c3426239881bc85435908fc19e86240b77b8d5c7660

Download Submit
C:\Windows\{22281E46-A1C3-4d97-B3B3-5F395C530DC6}.exe

Filesize
89KB

MD5
b0b0dd5aab2650890c03f6e7be34a970

SHA1
8222e47470181033198017647e34acbc731b581d

SHA256
adcaffc88c69bfb4d89e5a4080818ca9dcb147a04cbb14db000063342bd0eb9d

SHA512
dac6c043d03bdb94a73c45d9863fa409701048a681b361d516e8e7a5948f95db0eda832f7eed6d68f16356c743584c24cb6254bb9babe62c209a84851e889fea

Download Submit
C:\Windows\{33716BDB-F07D-480e-ABB0-0F9B8A279A2F}.exe

Filesize
89KB

MD5
946cda013c8ebcee1925172eb2b40e1e

SHA1
084fce30a35ec11c8fe9e93799de7c1bdcbdb4af

SHA256
26219a1bd54d7be91d58cbc05ead7e7005d13126042257fb91bed391db5cab27

SHA512
629a78997e578d34bec69dd20a4537a4a9d3dc019937b7c96feae57fb9f07862929604013b8feed7b28c3e8ca7f1d2fcfc9ca63c5c1f4bc96faf51fe7382cf31

Download Submit
C:\Windows\{5631C343-AB4F-4c59-95F1-39820C47EEF4}.exe

Filesize
89KB

MD5
903d81ffc0551f5ff1d609f48f18b4a1

SHA1
266edbfdd66fbbbcdd57a134ae2fda24bd589106

SHA256
64c20c9fe7d9a06c3fd5057e37ca6c1ac3f7533283123930158afbacecacc56f

SHA512
54af5df27b287f257d95f241f6e2fd17254a523e3e57eca066672e19e93808cc6e0e68fae0b9b6d6053fbccc597d40b0566bd762dea94f6541d2d0a2ee034fe2

Download Submit
C:\Windows\{7015E89A-B825-4444-AD65-683A232022BA}.exe

Filesize
89KB

MD5
25722d5cad86f504eaba5b610eb96f7f

SHA1
a401c844f1e0fdcf70e879ba584f4b08f11e6acd

SHA256
7381e7103cc8aa27e5da63b8e34567891df7ca981be0ca2b60bb78dbd194ce96

SHA512
0f9da8202aee10be37918a0509de5f40715eb534697c1c18442eef52035625dce5349f293bf9f471e9d2612634e7a013d25d3616500f7ce056423ef10628ad46

Download Submit
C:\Windows\{741F3E15-491C-43e1-A728-EA93A5B8B031}.exe

Filesize
89KB

MD5
e8cbda90e2ed7b78d9a6dcef616ae339

SHA1
4e96201b43d066b5996aa50612bd44018ccda041

SHA256
6df765b9d835062025806558f208fe695baa129eeb30a4bbf04bd8422936f5d7

SHA512
400fbf75d9af1923cf32077e120d386758567d7872edb0885fb28a20c7a9752e022af9a95bcaf18af71cf1ded93cf92f4adf84b6fca7a2fb453517398f429fd9

Download Submit
C:\Windows\{83F6C0BC-2C8C-46b6-8333-13EB30734AF3}.exe

Filesize
89KB

MD5
28227ea69bceb0d940a5c72389b29438

SHA1
dd62ecf19b14c3d9af3a1d647f6ba47ff4824c3c

SHA256
b554cb7a590bb57cf236b78a52e085cc3e5a6a677209a1b6f792f5e07f2be6ee

SHA512
7d799424cc5b63a753e66cf1e51a2a7107e69139493eb3327489938215016a131d2d5562696ff24fb5f8d77abb39d16e50a38f13162cb637dfefdddaa9b62b6d

Download Submit
C:\Windows\{F141E8E9-8BB8-4742-8CCA-D74011DBE6EC}.exe

Filesize
89KB

MD5
47d92d248201bc22247082bb517de1e2

SHA1
b6039a40bd830ab14785d628e8e764a4b9fd858c

SHA256
5c5a0f3c39db513a19d580bc9e193eae59b4519bbbc16840065a1df1a5bcafe4

SHA512
c133e630b87c9a75cf729dc29b4d0140373493ef73cc6b272755d39ae6dbdba75667ebf6f74b814eb037dfca03113c954983377bdf2cc9f0c7a7a06e60a142d1

Download Submit
C:\Windows\{F547C647-B781-4a23-8763-A6AACE051135}.exe

Filesize
89KB

MD5
31c612dec5d5c204d897095eb52df554

SHA1
3ce1fdda5d523d70f20cfad86b30826c6e4eb526

SHA256
8177f5430d3695672ee658b5b9634ce4fd1b43186a011c6f282105911a5521ca

SHA512
2f49c68805ab5de9d3c9483562aa08979dc95657bc4e13500b4b55d9d88921b920b2ae61a1c3088f61ccb276963d5a7bdc1dd1cc8a03d9e705b90db2a11d726a

Download Submit
memory/1184-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1184-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1416-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1416-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2508-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2508-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3436-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3436-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3492-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3552-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3552-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4116-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4116-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4368-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4368-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4400-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4400-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4528-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4528-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4660-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4660-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4824-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4824-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4948-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4948-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads