72efa2ec5bdb105c3a972e22a27df0008c65c06191397be8479432d6e0da591e

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5222f955a4a87366feb771e552a5ae80_NEAS.exe
Size

90KB
MD5

5222f955a4a87366feb771e552a5ae80
SHA1

25c8cecb5a717723feb088146b72a6e53fd1e7fd
SHA256

72efa2ec5bdb105c3a972e22a27df0008c65c06191397be8479432d6e0da591e
SHA512

4ff87802d329faa93ab8ecc639b05a7512b2bcd4d3e59ca723e524879348d5de8b08a33ff63ce170560fef20f892811e3c610e76fdf71c82c81ca53707d1211c
SSDEEP

768:50w981IshKQLrog4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzS:CEGI0oglVunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ED18025-9B48-4772-B9DE-A88574DFA802}\stubpath = "C:\\Windows\\{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe"	{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7231AAC5-7630-4a92-919A-AD327DD9D3D4}	{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}\stubpath = "C:\\Windows\\{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe"	{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}\stubpath = "C:\\Windows\\{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe"	{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}	{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEA7F559-04C1-4d1b-8551-761573EFA112}	{BD9E4C0A-15E7-49a3-A0E6-008D4673D735}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}	5222f955a4a87366feb771e552a5ae80_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ED18025-9B48-4772-B9DE-A88574DFA802}	{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BB6807F-356D-4645-A99C-E7FF4025CCDE}	{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD9E4C0A-15E7-49a3-A0E6-008D4673D735}	{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD9E4C0A-15E7-49a3-A0E6-008D4673D735}\stubpath = "C:\\Windows\\{BD9E4C0A-15E7-49a3-A0E6-008D4673D735}.exe"	{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}	{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B57E118-7978-4268-A99D-67DBD877FEC7}	{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}\stubpath = "C:\\Windows\\{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe"	{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}\stubpath = "C:\\Windows\\{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe"	{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B57E118-7978-4268-A99D-67DBD877FEC7}\stubpath = "C:\\Windows\\{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe"	{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BB6807F-356D-4645-A99C-E7FF4025CCDE}\stubpath = "C:\\Windows\\{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe"	{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEA7F559-04C1-4d1b-8551-761573EFA112}\stubpath = "C:\\Windows\\{AEA7F559-04C1-4d1b-8551-761573EFA112}.exe"	{BD9E4C0A-15E7-49a3-A0E6-008D4673D735}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}\stubpath = "C:\\Windows\\{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe"	5222f955a4a87366feb771e552a5ae80_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}	{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF8E2F16-A251-4eda-B9D2-971A49041083}	{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF8E2F16-A251-4eda-B9D2-971A49041083}\stubpath = "C:\\Windows\\{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe"	{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7231AAC5-7630-4a92-919A-AD327DD9D3D4}\stubpath = "C:\\Windows\\{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe"	{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}	{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe

Executes dropped EXE 12 IoCs

pid	Process
5056	{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe
944	{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe
4760	{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe
1012	{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe
3480	{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe
3932	{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe
1092	{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe
944	{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe
4308	{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe
5040	{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe
3112	{BD9E4C0A-15E7-49a3-A0E6-008D4673D735}.exe
1748	{AEA7F559-04C1-4d1b-8551-761573EFA112}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe	{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe
File created	C:\Windows\{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe	{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe
File created	C:\Windows\{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe	{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe
File created	C:\Windows\{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe	{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe
File created	C:\Windows\{BD9E4C0A-15E7-49a3-A0E6-008D4673D735}.exe	{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe
File created	C:\Windows\{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe	5222f955a4a87366feb771e552a5ae80_NEAS.exe
File created	C:\Windows\{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe	{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe
File created	C:\Windows\{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe	{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe
File created	C:\Windows\{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe	{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe
File created	C:\Windows\{AEA7F559-04C1-4d1b-8551-761573EFA112}.exe	{BD9E4C0A-15E7-49a3-A0E6-008D4673D735}.exe
File created	C:\Windows\{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe	{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe
File created	C:\Windows\{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe	{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	216	5222f955a4a87366feb771e552a5ae80_NEAS.exe
Token: SeIncBasePriorityPrivilege	5056	{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe
Token: SeIncBasePriorityPrivilege	944	{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe
Token: SeIncBasePriorityPrivilege	4760	{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe
Token: SeIncBasePriorityPrivilege	1012	{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe
Token: SeIncBasePriorityPrivilege	3480	{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe
Token: SeIncBasePriorityPrivilege	3932	{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe
Token: SeIncBasePriorityPrivilege	1092	{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe
Token: SeIncBasePriorityPrivilege	944	{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe
Token: SeIncBasePriorityPrivilege	4308	{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe
Token: SeIncBasePriorityPrivilege	5040	{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe
Token: SeIncBasePriorityPrivilege	3112	{BD9E4C0A-15E7-49a3-A0E6-008D4673D735}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 5056	216	5222f955a4a87366feb771e552a5ae80_NEAS.exe	97
PID 216 wrote to memory of 5056	216	5222f955a4a87366feb771e552a5ae80_NEAS.exe	97
PID 216 wrote to memory of 5056	216	5222f955a4a87366feb771e552a5ae80_NEAS.exe	97
PID 216 wrote to memory of 4916	216	5222f955a4a87366feb771e552a5ae80_NEAS.exe	98
PID 216 wrote to memory of 4916	216	5222f955a4a87366feb771e552a5ae80_NEAS.exe	98
PID 216 wrote to memory of 4916	216	5222f955a4a87366feb771e552a5ae80_NEAS.exe	98
PID 5056 wrote to memory of 944	5056	{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe	99
PID 5056 wrote to memory of 944	5056	{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe	99
PID 5056 wrote to memory of 944	5056	{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe	99
PID 5056 wrote to memory of 4680	5056	{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe	100
PID 5056 wrote to memory of 4680	5056	{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe	100
PID 5056 wrote to memory of 4680	5056	{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe	100
PID 944 wrote to memory of 4760	944	{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe	103
PID 944 wrote to memory of 4760	944	{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe	103
PID 944 wrote to memory of 4760	944	{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe	103
PID 944 wrote to memory of 4560	944	{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe	104
PID 944 wrote to memory of 4560	944	{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe	104
PID 944 wrote to memory of 4560	944	{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe	104
PID 4760 wrote to memory of 1012	4760	{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe	105
PID 4760 wrote to memory of 1012	4760	{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe	105
PID 4760 wrote to memory of 1012	4760	{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe	105
PID 4760 wrote to memory of 3872	4760	{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe	106
PID 4760 wrote to memory of 3872	4760	{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe	106
PID 4760 wrote to memory of 3872	4760	{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe	106
PID 1012 wrote to memory of 3480	1012	{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe	107
PID 1012 wrote to memory of 3480	1012	{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe	107
PID 1012 wrote to memory of 3480	1012	{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe	107
PID 1012 wrote to memory of 1356	1012	{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe	108
PID 1012 wrote to memory of 1356	1012	{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe	108
PID 1012 wrote to memory of 1356	1012	{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe	108
PID 3480 wrote to memory of 3932	3480	{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe	114
PID 3480 wrote to memory of 3932	3480	{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe	114
PID 3480 wrote to memory of 3932	3480	{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe	114
PID 3480 wrote to memory of 1692	3480	{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe	115
PID 3480 wrote to memory of 1692	3480	{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe	115
PID 3480 wrote to memory of 1692	3480	{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe	115
PID 3932 wrote to memory of 1092	3932	{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe	116
PID 3932 wrote to memory of 1092	3932	{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe	116
PID 3932 wrote to memory of 1092	3932	{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe	116
PID 3932 wrote to memory of 3516	3932	{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe	117
PID 3932 wrote to memory of 3516	3932	{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe	117
PID 3932 wrote to memory of 3516	3932	{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe	117
PID 1092 wrote to memory of 944	1092	{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe	124
PID 1092 wrote to memory of 944	1092	{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe	124
PID 1092 wrote to memory of 944	1092	{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe	124
PID 1092 wrote to memory of 2204	1092	{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe	125
PID 1092 wrote to memory of 2204	1092	{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe	125
PID 1092 wrote to memory of 2204	1092	{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe	125
PID 944 wrote to memory of 4308	944	{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe	126
PID 944 wrote to memory of 4308	944	{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe	126
PID 944 wrote to memory of 4308	944	{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe	126
PID 944 wrote to memory of 4692	944	{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe	127
PID 944 wrote to memory of 4692	944	{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe	127
PID 944 wrote to memory of 4692	944	{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe	127
PID 4308 wrote to memory of 5040	4308	{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe	128
PID 4308 wrote to memory of 5040	4308	{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe	128
PID 4308 wrote to memory of 5040	4308	{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe	128
PID 4308 wrote to memory of 1356	4308	{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe	129
PID 4308 wrote to memory of 1356	4308	{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe	129
PID 4308 wrote to memory of 1356	4308	{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe	129
PID 5040 wrote to memory of 3112	5040	{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe	132
PID 5040 wrote to memory of 3112	5040	{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe	132
PID 5040 wrote to memory of 3112	5040	{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe	132
PID 5040 wrote to memory of 5012	5040	{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe	133

C:\Users\Admin\AppData\Local\Temp\5222f955a4a87366feb771e552a5ae80_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\5222f955a4a87366feb771e552a5ae80_NEAS.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe
  C:\Windows\{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe
    C:\Windows\{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe
      C:\Windows\{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Windows\{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe
        
        C:\Windows\{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
      - C:\Windows\{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe
        
        C:\Windows\{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe
        
        C:\Windows\{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe
        
        C:\Windows\{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe
        
        C:\Windows\{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe
        
        C:\Windows\{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe
        
        C:\Windows\{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{BD9E4C0A-15E7-49a3-A0E6-008D4673D735}.exe
        
        C:\Windows\{BD9E4C0A-15E7-49a3-A0E6-008D4673D735}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Windows\{AEA7F559-04C1-4d1b-8551-761573EFA112}.exe
        
        C:\Windows\{AEA7F559-04C1-4d1b-8551-761573EFA112}.exe
        13⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD9E4~1.EXE > nul
        13⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF8E2~1.EXE > nul
        12⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BB68~1.EXE > nul
        11⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B57E~1.EXE > nul
        10⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F281~1.EXE > nul
        9⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D00FA~1.EXE > nul
        8⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48350~1.EXE > nul
        7⤵
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B364~1.EXE > nul
        6⤵
        
        PID:1356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7231A~1.EXE > nul
        5⤵
        
        PID:3872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1ED18~1.EXE > nul
      4⤵
      PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BDFB5~1.EXE > nul
    3⤵
    PID:4680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5222F9~1.EXE > nul
  2⤵
  PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1ED18025-9B48-4772-B9DE-A88574DFA802}.exe

Filesize
90KB

MD5
c05db877a7edfa3cddd0bde6ad4a8368

SHA1
5540f54e240fd80d8cbb023ed2fb83a13643133d

SHA256
ca07f6a242e5e27fca56f44acfaa687ef42f25a0331a37635ca59b5467ec2c5a

SHA512
6d34a84567c76cb6062c491286d9bd1987ae915446e25c13917a9dbcd2a7cb7da9cc2702170ccbd8e4d954f7e5777318d7d885e828e7b0299cafce0dea1f02a1

Download Submit
C:\Windows\{2B57E118-7978-4268-A99D-67DBD877FEC7}.exe

Filesize
90KB

MD5
a0652390bc8df341b089ff993aa37673

SHA1
469aa69621772bbd8ddad6239ac87c3854949839

SHA256
5490e9b5e145e99bd74403242b72b05e99c5d9243a3860e5a5e30ee637317d33

SHA512
ea14723643f2d32ba08d5ac57ad9c4278a36f4562bf4392c2b45b82a17f612189a8da62604f3102b2359fef784d844bb7198cf8dec1aed57f8465d4672c94c51

Download Submit
C:\Windows\{48350B3F-1420-4eda-A87B-FFFDC39CFE9B}.exe

Filesize
90KB

MD5
53d471d718facc50f80a29b78d682589

SHA1
58e84420e4bfc315fb7f1e5f7122e250d79f2ee6

SHA256
8ee4a385e3bce3b573aa6cf2aff27a9e35fd9aeebc97a118a66d4bb5d19d865f

SHA512
eb565e49d5cb42be87453936d1be9606dc7a22ad9c471e191de3e337c80aee8377bdf4bc1ffdc3c35d4de7537a5cb534f0e09362d4b8c30e41384977ed7627ec

Download Submit
C:\Windows\{5BB6807F-356D-4645-A99C-E7FF4025CCDE}.exe

Filesize
90KB

MD5
3eb89391d9574726800f734a6536bc00

SHA1
8043c149b0a617f6414506ef3803d00248dd82e8

SHA256
329af3a8b8e629dc70acf16bf4826fe299e16363d96cc97b82522b27619171ed

SHA512
1f6c27de0aace4328972232270ae60ec7e1013a61855dd1133392189f6b2f27f51cc8c71ca38b59d5b85955c63cb84dc6668a0298078d4042523b6eba50ab7ed

Download Submit
C:\Windows\{6F281F8C-5456-49e0-AF9F-30AB49B8D57F}.exe

Filesize
90KB

MD5
1178ab10d4fcdfe9dca2e51c148fe6f0

SHA1
8c166636b3b2f44596aed0a822dbc684dd7e1f4e

SHA256
240555545e9f7c315f03a7ef5ea6c9d90cb87ae18c87c68090c23b4e4e56c5fd

SHA512
df5ca1014f3a0091a99a02d864065dd9c7937c8a71c5f9157ff312daa94e0a14ac8f27bf896e401b9462ddd50fa17361c65cd91cd47d9940111bb56bb305140b

Download Submit
C:\Windows\{7231AAC5-7630-4a92-919A-AD327DD9D3D4}.exe

Filesize
90KB

MD5
4106f95d0db4ae317eba56062a1b21a6

SHA1
020303d6d51f8f98f599aa9c3b9dac70ff0d3005

SHA256
9f0f69bf5dd6e7aa3c488c202224a32cf0c735658707a4561f4a33aaffcac719

SHA512
b3b5518b904c13708caa28d535c57bbccc15ae5dd85ebf7bcdc1116ea6034e7dd8f7655a22acbac9944580a6d28c4c97d15165f6f06ba465701a9bac1e97ad78

Download Submit
C:\Windows\{9B364F98-880A-40fc-A1AD-7689DCA7FBB3}.exe

Filesize
90KB

MD5
d993a30ea3d4613e11e5005175abd24b

SHA1
f5f6305f2118f7a7133d924a202d1a5828399f1e

SHA256
893e1c68f9907c19db6a8f0bbbae83478bb15c336e61d385b18891045e4d968c

SHA512
78233f4d6a8e308ba29c876d54fe1abab1bffb2d609baace5f1c8251d5e4d0316e3bc4e5f8fdc3e015c1b72bca342a6e66147f559f55208413ad2ec74ea4e5b9

Download Submit
C:\Windows\{AEA7F559-04C1-4d1b-8551-761573EFA112}.exe

Filesize
90KB

MD5
2bb9dafb4bafd6123e639782b4432360

SHA1
bad551565df1d462512c59eb82134b463be51c57

SHA256
4706ea7e8808f4db85ef13c6c1a75abe77552170a754e5bd58c99472ae8e8a3b

SHA512
400b8bb096bbeb0a1441a466c17397dfdc6416be6457ab41114a1ba9abb0b045bee7aecd0ed9c23d74738899e25102ca0bd86ffb3b96f8d352bfe6c7215c002e

Download Submit
C:\Windows\{BD9E4C0A-15E7-49a3-A0E6-008D4673D735}.exe

Filesize
90KB

MD5
b9e4b121a02f601a8fc6dd01d06c8f0e

SHA1
f33885c844b1cf58baeb9a2db7464beb2ac91136

SHA256
e751eb363d41aa15efef213c071ee7dd017325bf87226de78e1b79e88b6bd76b

SHA512
7f33c1010191c49f9eb3cd86f4b5cf5b3299dd23d319ee3724b6f45613c6489c5424bd39a468aa5f9f6886ffb2fc25bc0229efcd21c54c3eceb007d5afb5db89

Download Submit
C:\Windows\{BDFB5671-AA6F-404d-AB8A-23FB9B32D53B}.exe

Filesize
90KB

MD5
60c9d8594981d516b9ea781f3c020a75

SHA1
79e033bae9721dfdc2be15efd2db3eab23004fe7

SHA256
eec10d1cbf16321d7279cd611df06307b8ba03f87f5e925f56841dba6ba07e09

SHA512
a8ac7ee24874b662708f2994f0f85c5e51ad6885dee7286250112aa1ed2fa3b5379549a93b36482f899ca9c64f32ab0f7e0c6ff6be1203e626371fd7944452eb

Download Submit
C:\Windows\{D00FA0AF-2C53-4541-8C0B-D8B5A7CF0E56}.exe

Filesize
90KB

MD5
7f7afebba081a673bdf3b4b75b18e125

SHA1
c748ed34319afdc2e063eef99c42e3eb0f709cd9

SHA256
4ac488c9be3a535f40b8354b6ea99cd0adbf61be8f6594351c9ca7bb534a3a05

SHA512
c39dabd33968f6d9138585dd72b008ddc1e048c58307dc39bc2929fbb8668cc9f2b29c112c5a2c6437c890e472fff4bee114a0f2900a2eb76b70a9967f117162

Download Submit
C:\Windows\{DF8E2F16-A251-4eda-B9D2-971A49041083}.exe

Filesize
90KB

MD5
d8e28fb83ff8fc5d0bf7ed4c72675b8e

SHA1
797a8d43d41c81441bfba5ce4a7e5e09198c4bde

SHA256
5d6ef7e2b2cb52ff22eef54c88195ade37963106cf42ac179355326d8434d130

SHA512
21472b5c7fd626177533dded3bd318fe5a95f22adb19e5557b5fec1ee97c6d75f693a965e5534c2540b2bb6db5c79e98c5c03ddde36609d00364fd09fbd18585

Download Submit
memory/216-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/216-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/944-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/944-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/944-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/944-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1012-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1012-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1092-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1748-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3112-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3112-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3480-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3480-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3932-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3932-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4308-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4760-21-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5040-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5040-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5056-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5056-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads