b7996358d1ed96a2ec293b7e0eca2369908ada130e2cd540899e3bf5e171d6d8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36d8b96258c3b8ce57c1d370a5ac4c40_NeikiAnalytics.exe
Size

98KB
MD5

36d8b96258c3b8ce57c1d370a5ac4c40
SHA1

ae8552286336d237623c17287df0a03aaa090131
SHA256

b7996358d1ed96a2ec293b7e0eca2369908ada130e2cd540899e3bf5e171d6d8
SHA512

fb2eb4cd1f66a49c34478afaf3e25a8da7776933c35fdb536f38756959313ed5fe6b96101558b82b8957ebd0c665342270dfa6c3a848a884b19eb81491b8c328
SSDEEP

768:5vw981UMhKQLrom4/wQ4pNrfrunMxVFA3b7glw6:lEG00oml3zunMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}	{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}	{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74A38482-3B18-476d-B00E-BF25135733A6}\stubpath = "C:\\Windows\\{74A38482-3B18-476d-B00E-BF25135733A6}.exe"	{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{587BF79D-791B-4984-9D7A-1188E74C64DB}\stubpath = "C:\\Windows\\{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe"	{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}\stubpath = "C:\\Windows\\{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe"	{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}	{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73755A9E-380C-4fd2-AB54-3D19B8BC944E}	{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BA28F19-BDC7-4e22-8D57-A65FAD6A650D}	{7DBFE6F9-8E15-48b6-8D80-B2E2CE85F0F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}	36d8b96258c3b8ce57c1d370a5ac4c40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}\stubpath = "C:\\Windows\\{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe"	36d8b96258c3b8ce57c1d370a5ac4c40_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}	{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}\stubpath = "C:\\Windows\\{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe"	{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DBFE6F9-8E15-48b6-8D80-B2E2CE85F0F0}	{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DBFE6F9-8E15-48b6-8D80-B2E2CE85F0F0}\stubpath = "C:\\Windows\\{7DBFE6F9-8E15-48b6-8D80-B2E2CE85F0F0}.exe"	{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}\stubpath = "C:\\Windows\\{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe"	{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74A38482-3B18-476d-B00E-BF25135733A6}	{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7085FD96-03F9-43ac-B646-7C05AB709D93}\stubpath = "C:\\Windows\\{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe"	{74A38482-3B18-476d-B00E-BF25135733A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{587BF79D-791B-4984-9D7A-1188E74C64DB}	{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}\stubpath = "C:\\Windows\\{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe"	{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7085FD96-03F9-43ac-B646-7C05AB709D93}	{74A38482-3B18-476d-B00E-BF25135733A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}	{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}\stubpath = "C:\\Windows\\{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe"	{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73755A9E-380C-4fd2-AB54-3D19B8BC944E}\stubpath = "C:\\Windows\\{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe"	{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BA28F19-BDC7-4e22-8D57-A65FAD6A650D}\stubpath = "C:\\Windows\\{5BA28F19-BDC7-4e22-8D57-A65FAD6A650D}.exe"	{7DBFE6F9-8E15-48b6-8D80-B2E2CE85F0F0}.exe

Executes dropped EXE 12 IoCs

pid	Process
3416	{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe
860	{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe
4964	{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe
3156	{74A38482-3B18-476d-B00E-BF25135733A6}.exe
3380	{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe
3748	{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe
2344	{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe
5096	{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe
3432	{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe
4548	{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe
3968	{7DBFE6F9-8E15-48b6-8D80-B2E2CE85F0F0}.exe
404	{5BA28F19-BDC7-4e22-8D57-A65FAD6A650D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe	{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe
File created	C:\Windows\{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe	{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe
File created	C:\Windows\{7DBFE6F9-8E15-48b6-8D80-B2E2CE85F0F0}.exe	{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe
File created	C:\Windows\{5BA28F19-BDC7-4e22-8D57-A65FAD6A650D}.exe	{7DBFE6F9-8E15-48b6-8D80-B2E2CE85F0F0}.exe
File created	C:\Windows\{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe	{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe
File created	C:\Windows\{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe	{74A38482-3B18-476d-B00E-BF25135733A6}.exe
File created	C:\Windows\{74A38482-3B18-476d-B00E-BF25135733A6}.exe	{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe
File created	C:\Windows\{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe	{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe
File created	C:\Windows\{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe	{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe
File created	C:\Windows\{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe	{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe
File created	C:\Windows\{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe	36d8b96258c3b8ce57c1d370a5ac4c40_NeikiAnalytics.exe
File created	C:\Windows\{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe	{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1624	36d8b96258c3b8ce57c1d370a5ac4c40_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3416	{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe
Token: SeIncBasePriorityPrivilege	860	{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe
Token: SeIncBasePriorityPrivilege	4964	{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe
Token: SeIncBasePriorityPrivilege	3156	{74A38482-3B18-476d-B00E-BF25135733A6}.exe
Token: SeIncBasePriorityPrivilege	3380	{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe
Token: SeIncBasePriorityPrivilege	3748	{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe
Token: SeIncBasePriorityPrivilege	2344	{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe
Token: SeIncBasePriorityPrivilege	5096	{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe
Token: SeIncBasePriorityPrivilege	3432	{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe
Token: SeIncBasePriorityPrivilege	4548	{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe
Token: SeIncBasePriorityPrivilege	3968	{7DBFE6F9-8E15-48b6-8D80-B2E2CE85F0F0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 3416	1624	36d8b96258c3b8ce57c1d370a5ac4c40_NeikiAnalytics.exe	92
PID 1624 wrote to memory of 3416	1624	36d8b96258c3b8ce57c1d370a5ac4c40_NeikiAnalytics.exe	92
PID 1624 wrote to memory of 3416	1624	36d8b96258c3b8ce57c1d370a5ac4c40_NeikiAnalytics.exe	92
PID 1624 wrote to memory of 3080	1624	36d8b96258c3b8ce57c1d370a5ac4c40_NeikiAnalytics.exe	93
PID 1624 wrote to memory of 3080	1624	36d8b96258c3b8ce57c1d370a5ac4c40_NeikiAnalytics.exe	93
PID 1624 wrote to memory of 3080	1624	36d8b96258c3b8ce57c1d370a5ac4c40_NeikiAnalytics.exe	93
PID 3416 wrote to memory of 860	3416	{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe	94
PID 3416 wrote to memory of 860	3416	{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe	94
PID 3416 wrote to memory of 860	3416	{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe	94
PID 3416 wrote to memory of 940	3416	{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe	95
PID 3416 wrote to memory of 940	3416	{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe	95
PID 3416 wrote to memory of 940	3416	{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe	95
PID 860 wrote to memory of 4964	860	{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe	97
PID 860 wrote to memory of 4964	860	{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe	97
PID 860 wrote to memory of 4964	860	{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe	97
PID 860 wrote to memory of 3124	860	{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe	98
PID 860 wrote to memory of 3124	860	{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe	98
PID 860 wrote to memory of 3124	860	{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe	98
PID 4964 wrote to memory of 3156	4964	{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe	99
PID 4964 wrote to memory of 3156	4964	{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe	99
PID 4964 wrote to memory of 3156	4964	{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe	99
PID 4964 wrote to memory of 1392	4964	{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe	100
PID 4964 wrote to memory of 1392	4964	{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe	100
PID 4964 wrote to memory of 1392	4964	{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe	100
PID 3156 wrote to memory of 3380	3156	{74A38482-3B18-476d-B00E-BF25135733A6}.exe	101
PID 3156 wrote to memory of 3380	3156	{74A38482-3B18-476d-B00E-BF25135733A6}.exe	101
PID 3156 wrote to memory of 3380	3156	{74A38482-3B18-476d-B00E-BF25135733A6}.exe	101
PID 3156 wrote to memory of 2984	3156	{74A38482-3B18-476d-B00E-BF25135733A6}.exe	102
PID 3156 wrote to memory of 2984	3156	{74A38482-3B18-476d-B00E-BF25135733A6}.exe	102
PID 3156 wrote to memory of 2984	3156	{74A38482-3B18-476d-B00E-BF25135733A6}.exe	102
PID 3380 wrote to memory of 3748	3380	{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe	103
PID 3380 wrote to memory of 3748	3380	{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe	103
PID 3380 wrote to memory of 3748	3380	{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe	103
PID 3380 wrote to memory of 3716	3380	{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe	104
PID 3380 wrote to memory of 3716	3380	{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe	104
PID 3380 wrote to memory of 3716	3380	{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe	104
PID 3748 wrote to memory of 2344	3748	{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe	105
PID 3748 wrote to memory of 2344	3748	{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe	105
PID 3748 wrote to memory of 2344	3748	{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe	105
PID 3748 wrote to memory of 3100	3748	{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe	106
PID 3748 wrote to memory of 3100	3748	{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe	106
PID 3748 wrote to memory of 3100	3748	{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe	106
PID 2344 wrote to memory of 5096	2344	{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe	107
PID 2344 wrote to memory of 5096	2344	{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe	107
PID 2344 wrote to memory of 5096	2344	{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe	107
PID 2344 wrote to memory of 2548	2344	{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe	108
PID 2344 wrote to memory of 2548	2344	{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe	108
PID 2344 wrote to memory of 2548	2344	{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe	108
PID 5096 wrote to memory of 3432	5096	{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe	109
PID 5096 wrote to memory of 3432	5096	{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe	109
PID 5096 wrote to memory of 3432	5096	{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe	109
PID 5096 wrote to memory of 4512	5096	{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe	110
PID 5096 wrote to memory of 4512	5096	{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe	110
PID 5096 wrote to memory of 4512	5096	{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe	110
PID 3432 wrote to memory of 4548	3432	{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe	111
PID 3432 wrote to memory of 4548	3432	{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe	111
PID 3432 wrote to memory of 4548	3432	{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe	111
PID 3432 wrote to memory of 60	3432	{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe	112
PID 3432 wrote to memory of 60	3432	{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe	112
PID 3432 wrote to memory of 60	3432	{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe	112
PID 4548 wrote to memory of 3968	4548	{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe	113
PID 4548 wrote to memory of 3968	4548	{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe	113
PID 4548 wrote to memory of 3968	4548	{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe	113
PID 4548 wrote to memory of 2084	4548	{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe	114

C:\Users\Admin\AppData\Local\Temp\36d8b96258c3b8ce57c1d370a5ac4c40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\36d8b96258c3b8ce57c1d370a5ac4c40_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe
  C:\Windows\{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe
    C:\Windows\{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe
      C:\Windows\{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Windows\{74A38482-3B18-476d-B00E-BF25135733A6}.exe
        
        C:\Windows\{74A38482-3B18-476d-B00E-BF25135733A6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3156
      - C:\Windows\{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe
        
        C:\Windows\{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe
        
        C:\Windows\{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe
        
        C:\Windows\{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe
        
        C:\Windows\{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe
        
        C:\Windows\{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe
        
        C:\Windows\{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\{7DBFE6F9-8E15-48b6-8D80-B2E2CE85F0F0}.exe
        
        C:\Windows\{7DBFE6F9-8E15-48b6-8D80-B2E2CE85F0F0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
        
        C:\Windows\{5BA28F19-BDC7-4e22-8D57-A65FAD6A650D}.exe
        
        C:\Windows\{5BA28F19-BDC7-4e22-8D57-A65FAD6A650D}.exe
        13⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DBFE~1.EXE > nul
        13⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73755~1.EXE > nul
        12⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57FA8~1.EXE > nul
        11⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F97E5~1.EXE > nul
        10⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49F2E~1.EXE > nul
        9⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{587BF~1.EXE > nul
        8⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7085F~1.EXE > nul
        7⤵
        
        PID:3716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74A38~1.EXE > nul
        6⤵
        
        PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{053C1~1.EXE > nul
        5⤵
        
        PID:1392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5C6EC~1.EXE > nul
      4⤵
      PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{78B2C~1.EXE > nul
    3⤵
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\36D8B9~1.EXE > nul
  2⤵
  PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{053C1F45-2C3C-4aa1-AAB9-30B82E8FB6E5}.exe

Filesize
98KB

MD5
875e5567b05b080b6e89d8d67393f938

SHA1
928567dacc49c40f4b62309e1fa1752c6672248b

SHA256
a0fb8cbf3453329cb85e99490c6036ed0d13fe721d57ff62e5122e6edb6c9cc3

SHA512
1faa0305cb3522c44182e03976b0e0f9c259510d40fd47024be1ca7531673177553a90fbced6b3a7f31a1c26b99c6644202e302d56e2aa4cf0b7be476ee73e57

Download Submit
C:\Windows\{49F2E3B5-9FC7-4ad7-8A6C-9087A319F599}.exe

Filesize
98KB

MD5
0a9bdef297e55d7b03b29faf78606407

SHA1
c5d758c6da08b4d4c19b0ba662849269cab35ea4

SHA256
2e7d4abd6b7654e852f3186820eae07519d4f0742a24d619bb747a556bfcc692

SHA512
299d3e8ae936ba68e6924d89ee0504dc2a4da0897913ecf047cdd0fcae2893efb78f6c87e47da8bf6af49e1f24422b4094edfd936205114a8b7427671414b80f

Download Submit
C:\Windows\{57FA8FA2-9D61-47ce-ACF0-25601FC4660F}.exe

Filesize
98KB

MD5
b1756dd3b9b4b9bb9474728b49f40b16

SHA1
08d1d129244671289a12825f67b7e96a7bf3b97f

SHA256
698e6e0a2e825c9858a5aecda8a85511c56ca0fcc7f712bfb43b028b0dabaa39

SHA512
c696f376d22804134dd927fb0ad95c3110dd99d32a92cb9d645c9129b8b90667a68e7e9e184f921a082b638b914d4494c75848ec5ffc76f66d1de164d2d6c0f2

Download Submit
C:\Windows\{587BF79D-791B-4984-9D7A-1188E74C64DB}.exe

Filesize
98KB

MD5
7273622b7d3a9c70c76a85efbceb6fd0

SHA1
9f06d156367c6493cb2b79533430e92a194d53f5

SHA256
9f0feb2a9bb7f70fecd3b403ec31379396261dfedf2044fe508f30386afe9add

SHA512
0f9c839e9a10945ae94ea5340c1904ad784aa0a540dfe72a1600663ca89fb1db672e89b6f4c07526d103cb79fcde622b8586daa6493ce35052af4abd5004a1d6

Download Submit
C:\Windows\{5BA28F19-BDC7-4e22-8D57-A65FAD6A650D}.exe

Filesize
98KB

MD5
9f748d9d4fac0efe6073bea638d16784

SHA1
9c196d844f51247ddeb182f9ce4fc890a339922b

SHA256
b1ef3c0087b643fe336036abc9f657efb7d47a7f6d8d397f527b9bf23ebcf6ba

SHA512
a57899d53e41f5c3d396b73f733d837d6534b2a7fc16287cbb4166b303338ed3e1c324841867c12e491113be569ec243a665715cf3a2ebc200a56ad79757f5de

Download Submit
C:\Windows\{5C6EC7F2-4BA2-4afb-B100-582229D68C5D}.exe

Filesize
98KB

MD5
04285ead5b3722825bdcc1c98510594c

SHA1
bfe5282b920e2b227512d2ca86c7e485efa3ad00

SHA256
6b9c2bb69b75c2da695359e15113067af39cab23431c809ad1a274590741e42c

SHA512
3731db199673b6c2f69eeccd68b7336f3328f850f070be3057a7ac4dc5de4cac60e0adc059aad3449da1d5d09ded961e8edbb02dac624d5f85bcd0a8f1c6aa43

Download Submit
C:\Windows\{7085FD96-03F9-43ac-B646-7C05AB709D93}.exe

Filesize
98KB

MD5
3965e1813601904f1f0f4f08319ad98d

SHA1
3c31a00393582d30c7a23ea9e26fef38517ac43d

SHA256
d571a9ae61876de49fbc88e5d75c696d2c7b2d3feff6d5aa7398952168915137

SHA512
31ce25a8a2297d116a6d673f64d02a9d5e5f05bf365ff8f57048f8df3a68df880bf4bb423aee9c4ce5d9da59405446bc9b68c2056f147a7ad2e2be1cfe9fdb31

Download Submit
C:\Windows\{73755A9E-380C-4fd2-AB54-3D19B8BC944E}.exe

Filesize
98KB

MD5
e354ad134e090306d6f40067cfef175a

SHA1
7fba9360ec4a1b74f754498d0956aa2cc1b653f8

SHA256
aeb82aaeeb941c8fcbc47e589c827c2e060ebd94d2702f8499741a9cf47c7d88

SHA512
b8551770b9dbeb1e7c9796f70856151f02f5ff1db4f294bbce374346ce92521daa5ac5fc7da2e5e0d432525f15221be720016ef82ac975235ccc2fdb341b0971

Download Submit
C:\Windows\{74A38482-3B18-476d-B00E-BF25135733A6}.exe

Filesize
98KB

MD5
57e0120bbbf9a75fdcfafb6168cff1ea

SHA1
76144a0fb87bce87b83edb67bc92946381d41cf0

SHA256
638e0d00b02eaabac218b5f062c97fbb9ec3d98b514638d7faa2756b4175fa70

SHA512
e454ffdfb4659fec9b94a608ca69a287bd63575ebda3f2037ab0b7ae41633718a72d8a8651654c993d96790ec0d20e4cb94a064fc61abe27d5c8c51285d3c4de

Download Submit
C:\Windows\{78B2C8C3-9B76-43ed-AEE6-F402ED8CE072}.exe

Filesize
98KB

MD5
9527e55630dd7e1adf476730923f9b22

SHA1
7b8dac0a4ff88a6a27fc7b76483bb5c2c75c7590

SHA256
a89a2d0b15a22d17ada434a3dfe609292ff0bf40656e428a21aef76806060a22

SHA512
1481a018dc89313f30d5b56c8feaa7c19e42b1d4ca821ad82c21a30b57ddbddc1efa1b880ab4ff1381c975ca559d178320e43623ee450cf9ff72b10008df05b9

Download Submit
C:\Windows\{7DBFE6F9-8E15-48b6-8D80-B2E2CE85F0F0}.exe

Filesize
98KB

MD5
d4c7b3b65aa8702e7ac671adb3ee7c56

SHA1
48566936c63c4ef3a05968325996d3fc9b22bb99

SHA256
ef3ac32037df8a47de0cdba0f0c1c672953b8eaf33ac58498cab149505fe2ec7

SHA512
d12d1a2e71f5ca8f842db9cbde65043622bb0e88849b7899d1c08e481caa4128737def068c91d27af47ce1a782948b609c08afaf6d6bcd1b179b4a5e43a73390

Download Submit
C:\Windows\{F97E50A3-23B9-4aff-8985-3ADEA4D1B35E}.exe

Filesize
98KB

MD5
c81633d2dc5853c1d7533c6f96debc47

SHA1
0b94ca9edb16d283eceb55953009ab5aa801c7a1

SHA256
92af79628256598b2983300f2b0022d5422617334b8fb78211a6e279114daad2

SHA512
e62a5c99b88d76cf36436a13015829f82ee904152d1500c202160fe9bd7a42db01b7e2efbeb27b6ca95ff04557520214591d79221284e96cb0342d3924ccb8ce

Download Submit
memory/860-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/860-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1624-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1624-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3156-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3156-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3380-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3380-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3416-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3416-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3432-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3432-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3748-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3748-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3968-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3968-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4548-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4548-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4964-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4964-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5096-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5096-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads