53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 12:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe
Size

64KB
MD5

6463a5c6315e28a04a0f71a997cfc840
SHA1

a4b28e5e7552be5e983dd7da8ea9cc7b23334627
SHA256

53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b
SHA512

d03b8c5ab96096ed0239af34daf2c0e3cd614ad1bad8270bc0d467087b9fb6072f62940be5e170fd18f6e90efccec244704fd7af64f4c1b834d1710a560c7a8c
SSDEEP

384:ObIwOs8AHsc4sMDwhKQLro34/CFsrdHWMZp:OEw9816vhKQLro34/wQpWMZp

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}	53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{474F15AE-52AF-4506-85C8-1C41037F6B38}	{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}	{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F8BE958-00F0-4348-B013-BD38ADC26E43}\stubpath = "C:\\Windows\\{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe"	{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{474F15AE-52AF-4506-85C8-1C41037F6B38}\stubpath = "C:\\Windows\\{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe"	{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFA62D8F-0C49-403e-B3C2-04C6620F4536}\stubpath = "C:\\Windows\\{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe"	{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F12F04D0-0E25-4dd8-957C-5B34A4CD53ED}	{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F12F04D0-0E25-4dd8-957C-5B34A4CD53ED}\stubpath = "C:\\Windows\\{F12F04D0-0E25-4dd8-957C-5B34A4CD53ED}.exe"	{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37C4C934-62A2-47ab-AE37-77A08B2E894C}	{F12F04D0-0E25-4dd8-957C-5B34A4CD53ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}\stubpath = "C:\\Windows\\{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe"	53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}	{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}\stubpath = "C:\\Windows\\{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe"	{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC0938AA-7929-4fcb-9846-1D4C72C8F348}	{7CA93CAD-D9F5-4813-BFB0-8F252F77D00B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CA93CAD-D9F5-4813-BFB0-8F252F77D00B}\stubpath = "C:\\Windows\\{7CA93CAD-D9F5-4813-BFB0-8F252F77D00B}.exe"	{37C4C934-62A2-47ab-AE37-77A08B2E894C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97E33B83-CFEC-432f-9C17-D6163D25A280}	{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97E33B83-CFEC-432f-9C17-D6163D25A280}\stubpath = "C:\\Windows\\{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe"	{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}\stubpath = "C:\\Windows\\{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe"	{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F8BE958-00F0-4348-B013-BD38ADC26E43}	{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFA62D8F-0C49-403e-B3C2-04C6620F4536}	{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37C4C934-62A2-47ab-AE37-77A08B2E894C}\stubpath = "C:\\Windows\\{37C4C934-62A2-47ab-AE37-77A08B2E894C}.exe"	{F12F04D0-0E25-4dd8-957C-5B34A4CD53ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CA93CAD-D9F5-4813-BFB0-8F252F77D00B}	{37C4C934-62A2-47ab-AE37-77A08B2E894C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC0938AA-7929-4fcb-9846-1D4C72C8F348}\stubpath = "C:\\Windows\\{DC0938AA-7929-4fcb-9846-1D4C72C8F348}.exe"	{7CA93CAD-D9F5-4813-BFB0-8F252F77D00B}.exe

Executes dropped EXE 11 IoCs

pid	Process
2544	{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe
2716	{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe
2404	{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe
2744	{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe
1784	{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe
376	{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe
1336	{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe
1040	{F12F04D0-0E25-4dd8-957C-5B34A4CD53ED}.exe
2844	{37C4C934-62A2-47ab-AE37-77A08B2E894C}.exe
2832	{7CA93CAD-D9F5-4813-BFB0-8F252F77D00B}.exe
3020	{DC0938AA-7929-4fcb-9846-1D4C72C8F348}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe	{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe
File created	C:\Windows\{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe	{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe
File created	C:\Windows\{37C4C934-62A2-47ab-AE37-77A08B2E894C}.exe	{F12F04D0-0E25-4dd8-957C-5B34A4CD53ED}.exe
File created	C:\Windows\{DC0938AA-7929-4fcb-9846-1D4C72C8F348}.exe	{7CA93CAD-D9F5-4813-BFB0-8F252F77D00B}.exe
File created	C:\Windows\{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe	53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe
File created	C:\Windows\{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe	{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe
File created	C:\Windows\{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe	{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe
File created	C:\Windows\{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe	{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe
File created	C:\Windows\{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe	{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe
File created	C:\Windows\{F12F04D0-0E25-4dd8-957C-5B34A4CD53ED}.exe	{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe
File created	C:\Windows\{7CA93CAD-D9F5-4813-BFB0-8F252F77D00B}.exe	{37C4C934-62A2-47ab-AE37-77A08B2E894C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2184	53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2544	{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe
Token: SeIncBasePriorityPrivilege	2716	{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe
Token: SeIncBasePriorityPrivilege	2404	{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe
Token: SeIncBasePriorityPrivilege	2744	{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe
Token: SeIncBasePriorityPrivilege	1784	{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe
Token: SeIncBasePriorityPrivilege	376	{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe
Token: SeIncBasePriorityPrivilege	1336	{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe
Token: SeIncBasePriorityPrivilege	1040	{F12F04D0-0E25-4dd8-957C-5B34A4CD53ED}.exe
Token: SeIncBasePriorityPrivilege	2844	{37C4C934-62A2-47ab-AE37-77A08B2E894C}.exe
Token: SeIncBasePriorityPrivilege	2832	{7CA93CAD-D9F5-4813-BFB0-8F252F77D00B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2544	2184	53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2544	2184	53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2544	2184	53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2544	2184	53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2640	2184	53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 2640	2184	53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 2640	2184	53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 2640	2184	53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe	29
PID 2544 wrote to memory of 2716	2544	{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe	30
PID 2544 wrote to memory of 2716	2544	{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe	30
PID 2544 wrote to memory of 2716	2544	{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe	30
PID 2544 wrote to memory of 2716	2544	{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe	30
PID 2544 wrote to memory of 2644	2544	{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe	31
PID 2544 wrote to memory of 2644	2544	{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe	31
PID 2544 wrote to memory of 2644	2544	{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe	31
PID 2544 wrote to memory of 2644	2544	{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe	31
PID 2716 wrote to memory of 2404	2716	{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe	32
PID 2716 wrote to memory of 2404	2716	{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe	32
PID 2716 wrote to memory of 2404	2716	{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe	32
PID 2716 wrote to memory of 2404	2716	{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe	32
PID 2716 wrote to memory of 2452	2716	{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe	33
PID 2716 wrote to memory of 2452	2716	{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe	33
PID 2716 wrote to memory of 2452	2716	{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe	33
PID 2716 wrote to memory of 2452	2716	{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe	33
PID 2404 wrote to memory of 2744	2404	{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe	36
PID 2404 wrote to memory of 2744	2404	{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe	36
PID 2404 wrote to memory of 2744	2404	{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe	36
PID 2404 wrote to memory of 2744	2404	{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe	36
PID 2404 wrote to memory of 2776	2404	{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe	37
PID 2404 wrote to memory of 2776	2404	{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe	37
PID 2404 wrote to memory of 2776	2404	{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe	37
PID 2404 wrote to memory of 2776	2404	{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe	37
PID 2744 wrote to memory of 1784	2744	{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe	38
PID 2744 wrote to memory of 1784	2744	{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe	38
PID 2744 wrote to memory of 1784	2744	{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe	38
PID 2744 wrote to memory of 1784	2744	{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe	38
PID 2744 wrote to memory of 2296	2744	{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe	39
PID 2744 wrote to memory of 2296	2744	{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe	39
PID 2744 wrote to memory of 2296	2744	{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe	39
PID 2744 wrote to memory of 2296	2744	{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe	39
PID 1784 wrote to memory of 376	1784	{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe	40
PID 1784 wrote to memory of 376	1784	{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe	40
PID 1784 wrote to memory of 376	1784	{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe	40
PID 1784 wrote to memory of 376	1784	{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe	40
PID 1784 wrote to memory of 1832	1784	{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe	41
PID 1784 wrote to memory of 1832	1784	{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe	41
PID 1784 wrote to memory of 1832	1784	{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe	41
PID 1784 wrote to memory of 1832	1784	{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe	41
PID 376 wrote to memory of 1336	376	{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe	42
PID 376 wrote to memory of 1336	376	{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe	42
PID 376 wrote to memory of 1336	376	{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe	42
PID 376 wrote to memory of 1336	376	{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe	42
PID 376 wrote to memory of 3032	376	{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe	43
PID 376 wrote to memory of 3032	376	{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe	43
PID 376 wrote to memory of 3032	376	{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe	43
PID 376 wrote to memory of 3032	376	{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe	43
PID 1336 wrote to memory of 1040	1336	{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe	44
PID 1336 wrote to memory of 1040	1336	{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe	44
PID 1336 wrote to memory of 1040	1336	{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe	44
PID 1336 wrote to memory of 1040	1336	{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe	44
PID 1336 wrote to memory of 1628	1336	{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe	45
PID 1336 wrote to memory of 1628	1336	{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe	45
PID 1336 wrote to memory of 1628	1336	{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe	45
PID 1336 wrote to memory of 1628	1336	{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe	45

C:\Users\Admin\AppData\Local\Temp\53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\53aded7f88911f5c32f13cf064561c6cf8ffbf8545a5ae3deeb0e786bdf0bc2b_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe
  C:\Windows\{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe
    C:\Windows\{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe
      C:\Windows\{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Windows\{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe
        
        C:\Windows\{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe
        
        C:\Windows\{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe
        
        C:\Windows\{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe
        
        C:\Windows\{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\{F12F04D0-0E25-4dd8-957C-5B34A4CD53ED}.exe
        
        C:\Windows\{F12F04D0-0E25-4dd8-957C-5B34A4CD53ED}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\{37C4C934-62A2-47ab-AE37-77A08B2E894C}.exe
        
        C:\Windows\{37C4C934-62A2-47ab-AE37-77A08B2E894C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{7CA93CAD-D9F5-4813-BFB0-8F252F77D00B}.exe
        
        C:\Windows\{7CA93CAD-D9F5-4813-BFB0-8F252F77D00B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\{DC0938AA-7929-4fcb-9846-1D4C72C8F348}.exe
        
        C:\Windows\{DC0938AA-7929-4fcb-9846-1D4C72C8F348}.exe
        12⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CA93~1.EXE > nul
        12⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37C4C~1.EXE > nul
        11⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F12F0~1.EXE > nul
        10⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93BFB~1.EXE > nul
        9⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFA62~1.EXE > nul
        8⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{474F1~1.EXE > nul
        7⤵
        
        PID:1832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F8BE~1.EXE > nul
        6⤵
        
        PID:2296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77B92~1.EXE > nul
        5⤵
        
        PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{97E33~1.EXE > nul
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7E0A5~1.EXE > nul
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\53ADED~1.EXE > nul
  2⤵
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2F8BE958-00F0-4348-B013-BD38ADC26E43}.exe

Filesize
64KB

MD5
84e17119efab016a30a46d88e13a8557

SHA1
ebe613e23422a087cabcdb87f06e59e5aa67583f

SHA256
8e2f7d6a4d8b7ce124c11dbc35d80aec31fdcf780de37311f88da5621b81018c

SHA512
dd14d580258636a2d9138a092c30e506d879134f83efcaa28a7d8e2db69b1c5d79732ef34937b4274dae3e331e119dcf3e94c49a7f27c735606ac95e9d919a01

Download Submit
C:\Windows\{37C4C934-62A2-47ab-AE37-77A08B2E894C}.exe

Filesize
64KB

MD5
0ff7d476c3c556b1713e13ffb41d7d72

SHA1
cd05aa108d88504a0fe2ee838a534d30d6f69d8a

SHA256
ae0b118674b801ee02392ee149402c7c2f0a44f553c82a3b5eda838c1f4039d4

SHA512
52bf529139bf22bc427d923d4ec618b85f02411d2da6ef5cea1d7f31b38c446a5e738c59dde4fa1c0dcbecdbe091ba66da52e4a33f56dfbab04cf5115962b656

Download Submit
C:\Windows\{474F15AE-52AF-4506-85C8-1C41037F6B38}.exe

Filesize
64KB

MD5
9f8ed2f91ac491f96b52ff789da5253a

SHA1
f592b7cfebf513cfb59308e9f00e217f4b4304cd

SHA256
afa5650c47505b8721af90617046879a3e5e8a7af8f1cbb64c69e3cb998c8bae

SHA512
13c1c9e4d713165c3a07f652e1c1dca4930495814b1e1ecc412b356efb796638971419706eec5ebdd6652857a77fd9353fd9966feb4987af88da529fc0b7a35a

Download Submit
C:\Windows\{77B92D50-25F1-4231-9EDC-BFE4FFA610AC}.exe

Filesize
64KB

MD5
43d7723a402b7305990c3c9cc220a652

SHA1
0e8b5c274bb8a16eaff5957f84ce2de56e20e687

SHA256
1dd9b76e03200a0419b760cc26b2675ee35faa143951af2fe41a10055c52becd

SHA512
a078394e6bf2365c301305cca59b64d507b80281e8bed42170881275d63cd4d4b8a94af5496e22336594803fe231238038f6c1c459a8c962731d5ca0f22e732d

Download Submit
C:\Windows\{7CA93CAD-D9F5-4813-BFB0-8F252F77D00B}.exe

Filesize
64KB

MD5
e2394995b3df341b35ef67621b60e64c

SHA1
8d5acaff722bf012da47c326330ead9353348c22

SHA256
c49d52520065f5e8f990b8f67cbd5fccdddb3138c4aa11ca423ca1181a353632

SHA512
d076fef49eea2911f6c10d31113173b0a1d364779f26475358f2e86f2e288c6c21024731a279c2cdc296d085e30f21e8468b5903939dadae97898d5a8741868f

Download Submit
C:\Windows\{7E0A50F3-80B6-4e42-86F3-CC9BEDFD6174}.exe

Filesize
64KB

MD5
28764d68e1b3f6de61e4bbcd6faa50f4

SHA1
91c0eda05af7ca06d64da1d4d96159f8ba9db201

SHA256
c2dc8401b4fb8bbfbd89b7a14658d510023dad7c7a88b167f40cdf110b45410b

SHA512
cdec6c3e6805f4b85756d3359c6b00367dcbd3dc1ab01977f2c6e7237266453ee0640b3f54f31a9012a9044bf7397f0b0fc9f90ddb67d21002e5de14287aecb1

Download Submit
C:\Windows\{93BFBB38-A8EB-4304-9C60-DB79F80DDC48}.exe

Filesize
64KB

MD5
5fe92a7a3b319b39bb852101dccf75e2

SHA1
311d8ec60b652c6a258122905744934542284438

SHA256
c57695388d7f68d87f3e8ad408e7202aff43561088ac14cbd7127454dabdca32

SHA512
ee69a894508d4562b40f71de55ae1a8de62ad72f4a4f4b09ed7b2df9a7e5a520e4672469c44f0092fed2500acaa881590363453415fdefa0442fe14e2a05f05a

Download Submit
C:\Windows\{97E33B83-CFEC-432f-9C17-D6163D25A280}.exe

Filesize
64KB

MD5
6cbeadd2d052febad4f57cd3d3aac9d1

SHA1
08a6e8532bc0107cae4dbcfac32048047e6d037b

SHA256
d88c58286793fa58d4fef17c7407d5dbd0ff1186d168ca575faa94514ec7ee9e

SHA512
8204120eaa7b697736e4a2fb41a2c0c7d1fae4ec392891bf36d0a6fe58eff3f3be295d925361e9892196e5be5b43cd2c34445072c700b857a9c9f15a560185b7

Download Submit
C:\Windows\{DC0938AA-7929-4fcb-9846-1D4C72C8F348}.exe

Filesize
64KB

MD5
6c5c4c1db1892ba2e2291f26bbea046d

SHA1
231f8a42f9d1b9ad156d657dc7000ef55050c29a

SHA256
6ca5dbdb209568ea4ed51ec7607d54dc8750c52407ccbae724b9f2f9ae2d7d54

SHA512
5c4f6c218a382e8767ab990296b626be95815fdd0ea8ae283b18fbe639cb5e0cfb02e3b7c6e20378069e817974ae536cbdc2b7aa4eb90355e5798872b12235e9

Download Submit
C:\Windows\{EFA62D8F-0C49-403e-B3C2-04C6620F4536}.exe

Filesize
64KB

MD5
724d899237196f4c8926d2c70290a81f

SHA1
2a4078d86f499b3315a66c18bad86c48eedbd6ea

SHA256
cc99c3274c0a09116c5cd7863aebf7d612271a3c0fa46f4aafbb4d55b0851805

SHA512
da7db9bb8c44b8b2ba34172fed7595b8ba9ff856c7989cee75a11b7d1e04a6c0ab92551caa9ae530dbda9fc7f909d9f05a8505c03c1ce13cef0c4ba54eda4d11

Download Submit
C:\Windows\{F12F04D0-0E25-4dd8-957C-5B34A4CD53ED}.exe

Filesize
64KB

MD5
fa4c6baf0eae4e892a12f8c285c82277

SHA1
301ae3039b25df9a43e82a4b2d365440cfd74d25

SHA256
991813bcc000fb6cdc62387e485c94ec7e9053305ed8105c196730f970bd60a3

SHA512
24be47c377db093f469af77ffa155edf662109c7a9e8f9dc37a97ce86eb14c3f9a14eadee6000e749c47388a2adf416c1a29a657b79ee7b7db84b354374150c8

Download Submit
memory/376-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/376-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1040-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1040-79-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1336-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1336-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1784-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2184-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2184-3-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/2184-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2404-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2404-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2544-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2544-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2716-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2716-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2832-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2844-87-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads