328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe
Size

89KB
MD5

afa19dc9d2dd99e2f4029c369b89fdb0
SHA1

ea6e36b1438653a4c30ccb055ffb11cd1e52178a
SHA256

328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6
SHA512

21f94806d82ec4b06fc98f1da56308f3ecc94c706ed3978ca51f007fe822a4d576b35cb1089645e615e9cdd2e486130e77a4df038ffadebb899d131c5d1f77d7
SSDEEP

768:Qvw9816vhKQLrot4/wQRNrfrunMxVFA3b7glL:YEGh0otl2unMxVS3Hg9

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}	{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}\stubpath = "C:\\Windows\\{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe"	{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC50CB42-0F0C-4875-BEA0-88330C1D1E5A}\stubpath = "C:\\Windows\\{CC50CB42-0F0C-4875-BEA0-88330C1D1E5A}.exe"	{71154440-5ED4-4540-96F4-D68F9F78F0FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BD847ED-A42F-4ab1-BADF-065E98548CD8}\stubpath = "C:\\Windows\\{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe"	{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88497B8F-31A7-42be-95D3-9509437861F6}\stubpath = "C:\\Windows\\{88497B8F-31A7-42be-95D3-9509437861F6}.exe"	{292DCF56-74A1-49dd-9251-167C04B24651}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA46E70E-419D-432c-9266-7FFA6E89F64A}\stubpath = "C:\\Windows\\{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe"	{88497B8F-31A7-42be-95D3-9509437861F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A27918AE-6018-447c-A9FA-39366A99C5C3}\stubpath = "C:\\Windows\\{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe"	{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71154440-5ED4-4540-96F4-D68F9F78F0FF}\stubpath = "C:\\Windows\\{71154440-5ED4-4540-96F4-D68F9F78F0FF}.exe"	{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC50CB42-0F0C-4875-BEA0-88330C1D1E5A}	{71154440-5ED4-4540-96F4-D68F9F78F0FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBB87EF2-F0A7-4829-A984-B2148625C120}\stubpath = "C:\\Windows\\{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe"	{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{292DCF56-74A1-49dd-9251-167C04B24651}\stubpath = "C:\\Windows\\{292DCF56-74A1-49dd-9251-167C04B24651}.exe"	{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}	{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA46E70E-419D-432c-9266-7FFA6E89F64A}	{88497B8F-31A7-42be-95D3-9509437861F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FF0FBBB-312E-40db-8883-F1C7F6659695}	{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}\stubpath = "C:\\Windows\\{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe"	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BD847ED-A42F-4ab1-BADF-065E98548CD8}	{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{292DCF56-74A1-49dd-9251-167C04B24651}	{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FF0FBBB-312E-40db-8883-F1C7F6659695}\stubpath = "C:\\Windows\\{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe"	{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}\stubpath = "C:\\Windows\\{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe"	{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A27918AE-6018-447c-A9FA-39366A99C5C3}	{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71154440-5ED4-4540-96F4-D68F9F78F0FF}	{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBB87EF2-F0A7-4829-A984-B2148625C120}	{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88497B8F-31A7-42be-95D3-9509437861F6}	{292DCF56-74A1-49dd-9251-167C04B24651}.exe

Executes dropped EXE 12 IoCs

pid	Process
4908	{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe
868	{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe
4528	{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe
1196	{292DCF56-74A1-49dd-9251-167C04B24651}.exe
1848	{88497B8F-31A7-42be-95D3-9509437861F6}.exe
1808	{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe
2076	{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe
4788	{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe
1520	{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe
2268	{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe
2200	{71154440-5ED4-4540-96F4-D68F9F78F0FF}.exe
3084	{CC50CB42-0F0C-4875-BEA0-88330C1D1E5A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe	{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe
File created	C:\Windows\{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe	{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe
File created	C:\Windows\{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe	{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe
File created	C:\Windows\{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe	{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe
File created	C:\Windows\{71154440-5ED4-4540-96F4-D68F9F78F0FF}.exe	{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe
File created	C:\Windows\{CC50CB42-0F0C-4875-BEA0-88330C1D1E5A}.exe	{71154440-5ED4-4540-96F4-D68F9F78F0FF}.exe
File created	C:\Windows\{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe	{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe
File created	C:\Windows\{292DCF56-74A1-49dd-9251-167C04B24651}.exe	{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe
File created	C:\Windows\{88497B8F-31A7-42be-95D3-9509437861F6}.exe	{292DCF56-74A1-49dd-9251-167C04B24651}.exe
File created	C:\Windows\{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe	{88497B8F-31A7-42be-95D3-9509437861F6}.exe
File created	C:\Windows\{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe	{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe
File created	C:\Windows\{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	432	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4908	{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe
Token: SeIncBasePriorityPrivilege	868	{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe
Token: SeIncBasePriorityPrivilege	4528	{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe
Token: SeIncBasePriorityPrivilege	1196	{292DCF56-74A1-49dd-9251-167C04B24651}.exe
Token: SeIncBasePriorityPrivilege	1848	{88497B8F-31A7-42be-95D3-9509437861F6}.exe
Token: SeIncBasePriorityPrivilege	1808	{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe
Token: SeIncBasePriorityPrivilege	2076	{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe
Token: SeIncBasePriorityPrivilege	4788	{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe
Token: SeIncBasePriorityPrivilege	1520	{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe
Token: SeIncBasePriorityPrivilege	2268	{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe
Token: SeIncBasePriorityPrivilege	2200	{71154440-5ED4-4540-96F4-D68F9F78F0FF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 4908	432	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	81
PID 432 wrote to memory of 4908	432	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	81
PID 432 wrote to memory of 4908	432	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	81
PID 432 wrote to memory of 4428	432	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	82
PID 432 wrote to memory of 4428	432	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	82
PID 432 wrote to memory of 4428	432	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	82
PID 4908 wrote to memory of 868	4908	{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe	83
PID 4908 wrote to memory of 868	4908	{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe	83
PID 4908 wrote to memory of 868	4908	{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe	83
PID 4908 wrote to memory of 2492	4908	{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe	84
PID 4908 wrote to memory of 2492	4908	{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe	84
PID 4908 wrote to memory of 2492	4908	{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe	84
PID 868 wrote to memory of 4528	868	{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe	90
PID 868 wrote to memory of 4528	868	{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe	90
PID 868 wrote to memory of 4528	868	{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe	90
PID 868 wrote to memory of 2008	868	{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe	91
PID 868 wrote to memory of 2008	868	{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe	91
PID 868 wrote to memory of 2008	868	{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe	91
PID 4528 wrote to memory of 1196	4528	{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe	94
PID 4528 wrote to memory of 1196	4528	{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe	94
PID 4528 wrote to memory of 1196	4528	{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe	94
PID 4528 wrote to memory of 1052	4528	{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe	95
PID 4528 wrote to memory of 1052	4528	{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe	95
PID 4528 wrote to memory of 1052	4528	{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe	95
PID 1196 wrote to memory of 1848	1196	{292DCF56-74A1-49dd-9251-167C04B24651}.exe	96
PID 1196 wrote to memory of 1848	1196	{292DCF56-74A1-49dd-9251-167C04B24651}.exe	96
PID 1196 wrote to memory of 1848	1196	{292DCF56-74A1-49dd-9251-167C04B24651}.exe	96
PID 1196 wrote to memory of 3012	1196	{292DCF56-74A1-49dd-9251-167C04B24651}.exe	97
PID 1196 wrote to memory of 3012	1196	{292DCF56-74A1-49dd-9251-167C04B24651}.exe	97
PID 1196 wrote to memory of 3012	1196	{292DCF56-74A1-49dd-9251-167C04B24651}.exe	97
PID 1848 wrote to memory of 1808	1848	{88497B8F-31A7-42be-95D3-9509437861F6}.exe	98
PID 1848 wrote to memory of 1808	1848	{88497B8F-31A7-42be-95D3-9509437861F6}.exe	98
PID 1848 wrote to memory of 1808	1848	{88497B8F-31A7-42be-95D3-9509437861F6}.exe	98
PID 1848 wrote to memory of 4532	1848	{88497B8F-31A7-42be-95D3-9509437861F6}.exe	99
PID 1848 wrote to memory of 4532	1848	{88497B8F-31A7-42be-95D3-9509437861F6}.exe	99
PID 1848 wrote to memory of 4532	1848	{88497B8F-31A7-42be-95D3-9509437861F6}.exe	99
PID 1808 wrote to memory of 2076	1808	{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe	100
PID 1808 wrote to memory of 2076	1808	{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe	100
PID 1808 wrote to memory of 2076	1808	{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe	100
PID 1808 wrote to memory of 2504	1808	{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe	101
PID 1808 wrote to memory of 2504	1808	{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe	101
PID 1808 wrote to memory of 2504	1808	{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe	101
PID 2076 wrote to memory of 4788	2076	{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe	102
PID 2076 wrote to memory of 4788	2076	{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe	102
PID 2076 wrote to memory of 4788	2076	{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe	102
PID 2076 wrote to memory of 3624	2076	{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe	103
PID 2076 wrote to memory of 3624	2076	{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe	103
PID 2076 wrote to memory of 3624	2076	{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe	103
PID 4788 wrote to memory of 1520	4788	{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe	104
PID 4788 wrote to memory of 1520	4788	{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe	104
PID 4788 wrote to memory of 1520	4788	{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe	104
PID 4788 wrote to memory of 4720	4788	{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe	105
PID 4788 wrote to memory of 4720	4788	{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe	105
PID 4788 wrote to memory of 4720	4788	{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe	105
PID 1520 wrote to memory of 2268	1520	{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe	106
PID 1520 wrote to memory of 2268	1520	{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe	106
PID 1520 wrote to memory of 2268	1520	{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe	106
PID 1520 wrote to memory of 2636	1520	{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe	107
PID 1520 wrote to memory of 2636	1520	{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe	107
PID 1520 wrote to memory of 2636	1520	{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe	107
PID 2268 wrote to memory of 2200	2268	{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe	108
PID 2268 wrote to memory of 2200	2268	{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe	108
PID 2268 wrote to memory of 2200	2268	{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe	108
PID 2268 wrote to memory of 1904	2268	{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe	109

C:\Users\Admin\AppData\Local\Temp\328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe
  C:\Windows\{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe
    C:\Windows\{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe
      C:\Windows\{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\Windows\{292DCF56-74A1-49dd-9251-167C04B24651}.exe
        
        C:\Windows\{292DCF56-74A1-49dd-9251-167C04B24651}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\{88497B8F-31A7-42be-95D3-9509437861F6}.exe
        
        C:\Windows\{88497B8F-31A7-42be-95D3-9509437861F6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe
        
        C:\Windows\{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe
        
        C:\Windows\{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe
        
        C:\Windows\{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe
        
        C:\Windows\{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe
        
        C:\Windows\{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{71154440-5ED4-4540-96F4-D68F9F78F0FF}.exe
        
        C:\Windows\{71154440-5ED4-4540-96F4-D68F9F78F0FF}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\{CC50CB42-0F0C-4875-BEA0-88330C1D1E5A}.exe
        
        C:\Windows\{CC50CB42-0F0C-4875-BEA0-88330C1D1E5A}.exe
        13⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71154~1.EXE > nul
        13⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2791~1.EXE > nul
        12⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57080~1.EXE > nul
        11⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C6D4~1.EXE > nul
        10⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FF0F~1.EXE > nul
        9⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA46E~1.EXE > nul
        8⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88497~1.EXE > nul
        7⤵
        
        PID:4532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{292DC~1.EXE > nul
        6⤵
        
        PID:3012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BD84~1.EXE > nul
        5⤵
        
        PID:1052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DBB87~1.EXE > nul
      4⤵
      PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{32AFB~1.EXE > nul
    3⤵
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\328DE5~1.EXE > nul
  2⤵
  PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{292DCF56-74A1-49dd-9251-167C04B24651}.exe

Filesize
89KB

MD5
5e0730d65c276681c63e26349af7fd8b

SHA1
bc7a3b9a346fe1408b113d04b8dd845721f0c6e0

SHA256
2567bbe17a8640c5fc4609f59d1f83a42aa1b5af2d7466b9ca799111fc6d9a7a

SHA512
072c0cdd4d6ba0e2d7eda54a7269642548d84a335fcea1d095437dd46de1a9216a45d75dd62e57d5fc45a0b23748c3e1067f8d1e1c2072be8426b29680bd84ff

Download Submit
C:\Windows\{32AFB863-D421-4bbf-85B6-5DB7B69E9BE2}.exe

Filesize
89KB

MD5
ae3d53daa29d4457af2c43852d694ed4

SHA1
8111c78cdf558031cb39667eeacae75ec8683755

SHA256
8990f8f0d334675d2bb703495bc8f1a54f888e69e155a7ff29a938da87d38817

SHA512
a75b56ef07a39e326bdf74a7091ce32c13d0dd88ac34f5067624eb86962a9fde5bac4df0e2b5cea6e16994ddc6b4cac2fe396aabd98e22ab9e84a0fd77efa039

Download Submit
C:\Windows\{4FF0FBBB-312E-40db-8883-F1C7F6659695}.exe

Filesize
89KB

MD5
dbc6fba05674925aae5686160e02b70a

SHA1
c1f95c67829e9ff1f006731fd67482db9cfa0f64

SHA256
3b8b2e8e8e700e358afff4afb0052b61c422e591f4c73b6c85a8b526d3bea1cf

SHA512
6247e5bd5e6c3544358e832665cf860766c0bf77e3c1b6b4a29acf39684d82715459116a9db116c5df29dd3a88d11abda57938d63feac1e26e0fb22ecfa4dc16

Download Submit
C:\Windows\{57080726-5E0F-4c70-B251-2E0E1B6DBA8D}.exe

Filesize
89KB

MD5
b05fdb0f221a80fe8cd5a35716032837

SHA1
f016c2da80342780d92c9b587ec3ccfd917980a5

SHA256
8e7ac932c3ba18c176e4f23ec4dbc68ab32249a3a76357d6684f15b16fe51028

SHA512
be0ef3b0c0f1fdfcb792f90d522e878f201772b2a7a9329a0167f9109fa45f4f0a718ca4233f18c55173670aefc105e52119ceaa140eb11232d1a9781798e0a2

Download Submit
C:\Windows\{71154440-5ED4-4540-96F4-D68F9F78F0FF}.exe

Filesize
89KB

MD5
79f08a216af87ea933bc27557bd82f9a

SHA1
1508c889a239eccafe661cad4f3dddb9f4c20fdb

SHA256
ae08b59554bfed3c61aec9402565aa0627ef77d9eec18917311cd56a48c8a5bb

SHA512
37b2bd19e3ad629a0c83f25dc5b67394ae02eb2d8f4b228bcf2cfcbe51e517e1529aaf8a8775a54471fd573a9e90326fbf41d9d13c079fe328329aa426762872

Download Submit
C:\Windows\{88497B8F-31A7-42be-95D3-9509437861F6}.exe

Filesize
89KB

MD5
0df1d14987b0e390356798f536a43953

SHA1
996063f89e7103efc6fe794a1752e79187c46329

SHA256
1ff1631a6bcdff1cb6a593ccbe04164a08ac22623f8a8fbc2b861daa57799ed9

SHA512
967d1b910622da709d29fc0668930e69107c3f2f61def940d09d386998424ed2ff8c9226011525ecfe202fc3253b128c5f6f016f9297d7fd887b89074419a014

Download Submit
C:\Windows\{8C6D4FD3-979E-4936-AE7D-CA27385D9C15}.exe

Filesize
89KB

MD5
cb86119f1e4dbaf5aa695dbb70965bde

SHA1
d8c8b7868dde52221102aa39235c807fca2fdf79

SHA256
eb16c4bb2e4ab0ffd678dd6b471af708f25d145caa5b851032554e8304e4a1b1

SHA512
5c839a5a71c18b557b2fd1c30c7d2cdabd047e6698c20961404dffb9aa55a7b3d97c9ae52c34595194935fc24e5098eb47a1fff8562284973eedcac606ea9b2b

Download Submit
C:\Windows\{9BD847ED-A42F-4ab1-BADF-065E98548CD8}.exe

Filesize
89KB

MD5
db4e7cd5b3effd9e23cc04a7104b0af6

SHA1
3984f90688ba446ec607aebc1442cc639afec7f4

SHA256
147641dc5326b95c66c96a91ad56c1cd1b36d2dfffad98eedc863c019eb5e00c

SHA512
3d5fca490f0b3393f2de4c249ccf65b82894996c63001af5e74d0cb1bd0e4dd399721ffcc2cf48ccf5cf4ffa358dcb786a7c856e5ab6af4bfe54f5ccf1488756

Download Submit
C:\Windows\{A27918AE-6018-447c-A9FA-39366A99C5C3}.exe

Filesize
89KB

MD5
c6737ae462564cc6ae745082a776f4f0

SHA1
f843e77ab715d2e7bad5ca1b8a22ff50ad6cc492

SHA256
e803e3f681ea7588635f546428816237e00d6df530ddf10c25e0c7df29c8c41c

SHA512
659eabb499129c0ce1d0c3272ff90519d328d9ffc7cfd45f22e2d395e45f1a7503de7084def536c52d4c19c2825d11519f1150a0ca6306690d88c71f33272010

Download Submit
C:\Windows\{CA46E70E-419D-432c-9266-7FFA6E89F64A}.exe

Filesize
89KB

MD5
ea97feb261207cb41bb2302aee8c8d04

SHA1
c69788a18ea6e273a0bcd2d83d91562a2346bd8b

SHA256
d4c84c7b31ca39139fc0f2656692fbee515469dbed366d341a2a58ac89fda078

SHA512
6985cb7e001fcab692d6c62ca5a8ee2a8d0057b000cff79397feece7a31db65acefab55aad8e2f7397a20af06a75e38e4137b58f96a87be447bd503a93c5ced7

Download Submit
C:\Windows\{CC50CB42-0F0C-4875-BEA0-88330C1D1E5A}.exe

Filesize
89KB

MD5
d59414b2ca016fc14178b9f59fe613f7

SHA1
608370b81c09162c48e730d70dd5bfb483c5e8bf

SHA256
4fa9560aeb6d306788d6ccc5c2e9a2426007dfd90060300690862ecbcc91a4e1

SHA512
a353252a0e2fff60c44f07a643fd4508e727503acde4ab4693f8a26cbc3b5f06ce69460cf4b1fa66940fea77eedc683d1f39647bbff00057d501b28f7db10791

Download Submit
C:\Windows\{DBB87EF2-F0A7-4829-A984-B2148625C120}.exe

Filesize
89KB

MD5
c6a4b426d5ddc1d902679d96d8cad1cc

SHA1
0829832952f4a65d6ae9bb0f6edbc420f72b3f7f

SHA256
c0b0a2061dc1720543bddf4e582f0339fb042e50e832726b47218942a44e20f4

SHA512
3648a7c353d4164f657d5f1596f491dca4ee43c33fe2c326912a7b4dc275b983a2daceb729e090bddd270f2dcd6bfb52e4269cbe3bfa6ce573115d48a34c43d7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads