dd4c86477264547cead32bc58358031defc4b9e1b092852d2bd1e7244402d664

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06/10/2023, 14:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.60c8d790d4826e25260224c572d95430_JC.exe
Size

116KB
MD5

60c8d790d4826e25260224c572d95430
SHA1

6304aa817567c5a7719b94e509a2cc5e847c64ee
SHA256

dd4c86477264547cead32bc58358031defc4b9e1b092852d2bd1e7244402d664
SHA512

2a5a03f07d0644e07a25a8d705c55df1dc907750fb1c2e9172f0914eb0530de11b676d0a01efdfba301598e989b9537d3dea623932bea0492a8974443cf115da
SSDEEP

768:Qvw9816vhKQLroO4/wQRNrfrunMxVFA3b7glwRjMlfwGxEI5nWAwxt6sDntNiLJN:YEGh0oOl2unMxVS3HgdoKjhLJhL

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}	{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}\stubpath = "C:\\Windows\\{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe"	{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B708FC60-3AF5-44dc-9305-E0FA7378978D}\stubpath = "C:\\Windows\\{B708FC60-3AF5-44dc-9305-E0FA7378978D}.exe"	{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77840C83-1771-44c0-A69F-6BF76E0C68C2}	{B708FC60-3AF5-44dc-9305-E0FA7378978D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25EAE14A-087F-45ed-8F67-DF44BD532DB3}	{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}\stubpath = "C:\\Windows\\{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe"	{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}	{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}\stubpath = "C:\\Windows\\{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe"	{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77840C83-1771-44c0-A69F-6BF76E0C68C2}\stubpath = "C:\\Windows\\{77840C83-1771-44c0-A69F-6BF76E0C68C2}.exe"	{B708FC60-3AF5-44dc-9305-E0FA7378978D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C22610E4-AB85-4560-AC6A-3EC96D32FD1B}	{4D2316D9-F0A3-4a51-8025-DBF093E4025D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C22610E4-AB85-4560-AC6A-3EC96D32FD1B}\stubpath = "C:\\Windows\\{C22610E4-AB85-4560-AC6A-3EC96D32FD1B}.exe"	{4D2316D9-F0A3-4a51-8025-DBF093E4025D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F906E2FE-E834-48e7-9DF0-9BC993AC9025}	{C22610E4-AB85-4560-AC6A-3EC96D32FD1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25EAE14A-087F-45ed-8F67-DF44BD532DB3}\stubpath = "C:\\Windows\\{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe"	{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}	{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}\stubpath = "C:\\Windows\\{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe"	{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B708FC60-3AF5-44dc-9305-E0FA7378978D}	{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D2316D9-F0A3-4a51-8025-DBF093E4025D}	{77840C83-1771-44c0-A69F-6BF76E0C68C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F906E2FE-E834-48e7-9DF0-9BC993AC9025}\stubpath = "C:\\Windows\\{F906E2FE-E834-48e7-9DF0-9BC993AC9025}.exe"	{C22610E4-AB85-4560-AC6A-3EC96D32FD1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}\stubpath = "C:\\Windows\\{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe"	NEAS.60c8d790d4826e25260224c572d95430_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAEDCFA8-3B28-4020-907C-0252FD309AF8}	{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAEDCFA8-3B28-4020-907C-0252FD309AF8}\stubpath = "C:\\Windows\\{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe"	{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}	{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}	NEAS.60c8d790d4826e25260224c572d95430_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D2316D9-F0A3-4a51-8025-DBF093E4025D}\stubpath = "C:\\Windows\\{4D2316D9-F0A3-4a51-8025-DBF093E4025D}.exe"	{77840C83-1771-44c0-A69F-6BF76E0C68C2}.exe

Deletes itself 1 IoCs

pid	Process
2736	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2332	{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe
2616	{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe
2716	{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe
2632	{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe
2572	{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe
2580	{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe
1008	{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe
1648	{B708FC60-3AF5-44dc-9305-E0FA7378978D}.exe
1992	{77840C83-1771-44c0-A69F-6BF76E0C68C2}.exe
2980	{4D2316D9-F0A3-4a51-8025-DBF093E4025D}.exe
2056	{C22610E4-AB85-4560-AC6A-3EC96D32FD1B}.exe
2088	{F906E2FE-E834-48e7-9DF0-9BC993AC9025}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe	{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe
File created	C:\Windows\{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe	{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe
File created	C:\Windows\{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe	{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe
File created	C:\Windows\{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe	{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe
File created	C:\Windows\{B708FC60-3AF5-44dc-9305-E0FA7378978D}.exe	{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe
File created	C:\Windows\{77840C83-1771-44c0-A69F-6BF76E0C68C2}.exe	{B708FC60-3AF5-44dc-9305-E0FA7378978D}.exe
File created	C:\Windows\{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe	NEAS.60c8d790d4826e25260224c572d95430_JC.exe
File created	C:\Windows\{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe	{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe
File created	C:\Windows\{4D2316D9-F0A3-4a51-8025-DBF093E4025D}.exe	{77840C83-1771-44c0-A69F-6BF76E0C68C2}.exe
File created	C:\Windows\{F906E2FE-E834-48e7-9DF0-9BC993AC9025}.exe	{C22610E4-AB85-4560-AC6A-3EC96D32FD1B}.exe
File created	C:\Windows\{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe	{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe
File created	C:\Windows\{C22610E4-AB85-4560-AC6A-3EC96D32FD1B}.exe	{4D2316D9-F0A3-4a51-8025-DBF093E4025D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1724	NEAS.60c8d790d4826e25260224c572d95430_JC.exe
Token: SeIncBasePriorityPrivilege	2332	{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe
Token: SeIncBasePriorityPrivilege	2616	{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe
Token: SeIncBasePriorityPrivilege	2716	{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe
Token: SeIncBasePriorityPrivilege	2632	{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe
Token: SeIncBasePriorityPrivilege	2572	{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe
Token: SeIncBasePriorityPrivilege	2580	{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe
Token: SeIncBasePriorityPrivilege	1008	{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe
Token: SeIncBasePriorityPrivilege	1648	{B708FC60-3AF5-44dc-9305-E0FA7378978D}.exe
Token: SeIncBasePriorityPrivilege	1992	{77840C83-1771-44c0-A69F-6BF76E0C68C2}.exe
Token: SeIncBasePriorityPrivilege	2980	{4D2316D9-F0A3-4a51-8025-DBF093E4025D}.exe
Token: SeIncBasePriorityPrivilege	2056	{C22610E4-AB85-4560-AC6A-3EC96D32FD1B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2332	1724	NEAS.60c8d790d4826e25260224c572d95430_JC.exe	28
PID 1724 wrote to memory of 2332	1724	NEAS.60c8d790d4826e25260224c572d95430_JC.exe	28
PID 1724 wrote to memory of 2332	1724	NEAS.60c8d790d4826e25260224c572d95430_JC.exe	28
PID 1724 wrote to memory of 2332	1724	NEAS.60c8d790d4826e25260224c572d95430_JC.exe	28
PID 1724 wrote to memory of 2736	1724	NEAS.60c8d790d4826e25260224c572d95430_JC.exe	29
PID 1724 wrote to memory of 2736	1724	NEAS.60c8d790d4826e25260224c572d95430_JC.exe	29
PID 1724 wrote to memory of 2736	1724	NEAS.60c8d790d4826e25260224c572d95430_JC.exe	29
PID 1724 wrote to memory of 2736	1724	NEAS.60c8d790d4826e25260224c572d95430_JC.exe	29
PID 2332 wrote to memory of 2616	2332	{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe	32
PID 2332 wrote to memory of 2616	2332	{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe	32
PID 2332 wrote to memory of 2616	2332	{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe	32
PID 2332 wrote to memory of 2616	2332	{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe	32
PID 2332 wrote to memory of 1048	2332	{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe	33
PID 2332 wrote to memory of 1048	2332	{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe	33
PID 2332 wrote to memory of 1048	2332	{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe	33
PID 2332 wrote to memory of 1048	2332	{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe	33
PID 2616 wrote to memory of 2716	2616	{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe	34
PID 2616 wrote to memory of 2716	2616	{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe	34
PID 2616 wrote to memory of 2716	2616	{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe	34
PID 2616 wrote to memory of 2716	2616	{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe	34
PID 2616 wrote to memory of 2732	2616	{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe	35
PID 2616 wrote to memory of 2732	2616	{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe	35
PID 2616 wrote to memory of 2732	2616	{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe	35
PID 2616 wrote to memory of 2732	2616	{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe	35
PID 2716 wrote to memory of 2632	2716	{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe	36
PID 2716 wrote to memory of 2632	2716	{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe	36
PID 2716 wrote to memory of 2632	2716	{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe	36
PID 2716 wrote to memory of 2632	2716	{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe	36
PID 2716 wrote to memory of 1984	2716	{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe	37
PID 2716 wrote to memory of 1984	2716	{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe	37
PID 2716 wrote to memory of 1984	2716	{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe	37
PID 2716 wrote to memory of 1984	2716	{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe	37
PID 2632 wrote to memory of 2572	2632	{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe	38
PID 2632 wrote to memory of 2572	2632	{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe	38
PID 2632 wrote to memory of 2572	2632	{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe	38
PID 2632 wrote to memory of 2572	2632	{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe	38
PID 2632 wrote to memory of 2480	2632	{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe	39
PID 2632 wrote to memory of 2480	2632	{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe	39
PID 2632 wrote to memory of 2480	2632	{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe	39
PID 2632 wrote to memory of 2480	2632	{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe	39
PID 2572 wrote to memory of 2580	2572	{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe	40
PID 2572 wrote to memory of 2580	2572	{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe	40
PID 2572 wrote to memory of 2580	2572	{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe	40
PID 2572 wrote to memory of 2580	2572	{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe	40
PID 2572 wrote to memory of 1428	2572	{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe	41
PID 2572 wrote to memory of 1428	2572	{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe	41
PID 2572 wrote to memory of 1428	2572	{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe	41
PID 2572 wrote to memory of 1428	2572	{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe	41
PID 2580 wrote to memory of 1008	2580	{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe	42
PID 2580 wrote to memory of 1008	2580	{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe	42
PID 2580 wrote to memory of 1008	2580	{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe	42
PID 2580 wrote to memory of 1008	2580	{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe	42
PID 2580 wrote to memory of 1380	2580	{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe	43
PID 2580 wrote to memory of 1380	2580	{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe	43
PID 2580 wrote to memory of 1380	2580	{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe	43
PID 2580 wrote to memory of 1380	2580	{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe	43
PID 1008 wrote to memory of 1648	1008	{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe	44
PID 1008 wrote to memory of 1648	1008	{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe	44
PID 1008 wrote to memory of 1648	1008	{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe	44
PID 1008 wrote to memory of 1648	1008	{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe	44
PID 1008 wrote to memory of 2444	1008	{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe	45
PID 1008 wrote to memory of 2444	1008	{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe	45
PID 1008 wrote to memory of 2444	1008	{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe	45
PID 1008 wrote to memory of 2444	1008	{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.60c8d790d4826e25260224c572d95430_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.60c8d790d4826e25260224c572d95430_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe
  C:\Windows\{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe
    C:\Windows\{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe
      C:\Windows\{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe
        
        C:\Windows\{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe
        
        C:\Windows\{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe
        
        C:\Windows\{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe
        
        C:\Windows\{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\{B708FC60-3AF5-44dc-9305-E0FA7378978D}.exe
        
        C:\Windows\{B708FC60-3AF5-44dc-9305-E0FA7378978D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\{77840C83-1771-44c0-A69F-6BF76E0C68C2}.exe
        
        C:\Windows\{77840C83-1771-44c0-A69F-6BF76E0C68C2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\{4D2316D9-F0A3-4a51-8025-DBF093E4025D}.exe
        
        C:\Windows\{4D2316D9-F0A3-4a51-8025-DBF093E4025D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D231~1.EXE > nul
        12⤵
        
        PID:2764
        
        C:\Windows\{C22610E4-AB85-4560-AC6A-3EC96D32FD1B}.exe
        
        C:\Windows\{C22610E4-AB85-4560-AC6A-3EC96D32FD1B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\{F906E2FE-E834-48e7-9DF0-9BC993AC9025}.exe
        
        C:\Windows\{F906E2FE-E834-48e7-9DF0-9BC993AC9025}.exe
        13⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2261~1.EXE > nul
        13⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77840~1.EXE > nul
        11⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B708F~1.EXE > nul
        10⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37E74~1.EXE > nul
        9⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BD9B~1.EXE > nul
        8⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E4BF~1.EXE > nul
        7⤵
        
        PID:1428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80C4D~1.EXE > nul
        6⤵
        
        PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAEDC~1.EXE > nul
        5⤵
        
        PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{25EAE~1.EXE > nul
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3B37D~1.EXE > nul
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS60~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe

Filesize
116KB

MD5
4ae71516ab13f0cdc90940fe6a7571f9

SHA1
c2d9df1816f081216c5c4e466758b7411926e660

SHA256
68480bd74c384558d501664b2abadcb1ada6f8d94c941623b35fd4fdcb90f68c

SHA512
356f8c99a8864e75ee84063a7c9000389755d8f699677a17b0868cf17864d50a68364b7376d83b7b465b62863b418c542af866bba2c1f42282ad4be503bc8fb1

Download Submit
C:\Windows\{0BD9B137-BEE0-4a0f-8A47-532B58EA4A34}.exe

Filesize
116KB

MD5
4ae71516ab13f0cdc90940fe6a7571f9

SHA1
c2d9df1816f081216c5c4e466758b7411926e660

SHA256
68480bd74c384558d501664b2abadcb1ada6f8d94c941623b35fd4fdcb90f68c

SHA512
356f8c99a8864e75ee84063a7c9000389755d8f699677a17b0868cf17864d50a68364b7376d83b7b465b62863b418c542af866bba2c1f42282ad4be503bc8fb1

Download Submit
C:\Windows\{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe

Filesize
116KB

MD5
a0082db371c43d74544b634f87c93fe2

SHA1
c87c1946683fb3ce1019decf49c695c6645bdc83

SHA256
2652b011883ff1d6bdc522d533eb4bfa70373606912c6c58f10bb041ce849ef8

SHA512
a1655d4f6734ca906b814f47802112614c118a32ba948053757738da92ff5f8f7538f88c7cea677170e624dfe0b05a13be3c4216f263c89d40baa124384a0a95

Download Submit
C:\Windows\{25EAE14A-087F-45ed-8F67-DF44BD532DB3}.exe

Filesize
116KB

MD5
a0082db371c43d74544b634f87c93fe2

SHA1
c87c1946683fb3ce1019decf49c695c6645bdc83

SHA256
2652b011883ff1d6bdc522d533eb4bfa70373606912c6c58f10bb041ce849ef8

SHA512
a1655d4f6734ca906b814f47802112614c118a32ba948053757738da92ff5f8f7538f88c7cea677170e624dfe0b05a13be3c4216f263c89d40baa124384a0a95

Download Submit
C:\Windows\{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe

Filesize
116KB

MD5
bd00c6a6c44fd1d8d57092002370ece3

SHA1
a034aad498bf26983674395aca10d46036e64b40

SHA256
d595f0e1915a346fa42cef957e05f29be7bd2ce4fa9fceb87c25478d0ebbffa8

SHA512
3405d6ae900293ce7016795fccd890efb306802efd5afe85a29dc117b6ad95297db8c0de6ec76f29055d33b5ea69331bd5816238805b6921b8f453103fa7868e

Download Submit
C:\Windows\{37E749EE-74C2-47e0-9DEF-CD305FEE41A2}.exe

Filesize
116KB

MD5
bd00c6a6c44fd1d8d57092002370ece3

SHA1
a034aad498bf26983674395aca10d46036e64b40

SHA256
d595f0e1915a346fa42cef957e05f29be7bd2ce4fa9fceb87c25478d0ebbffa8

SHA512
3405d6ae900293ce7016795fccd890efb306802efd5afe85a29dc117b6ad95297db8c0de6ec76f29055d33b5ea69331bd5816238805b6921b8f453103fa7868e

Download Submit
C:\Windows\{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe

Filesize
116KB

MD5
3c6d4d5a2c359c3ce7d913b833e3f3c6

SHA1
9428200c1f6d1f730f5011c75d091e8e6c9524a8

SHA256
bf71a12401c34630eb2c4080b0c8e5d750f85935c1602854d927978d88cc9ced

SHA512
bab5d57896e8d2b2c90250c974947a1f95cfb43d1248b1727a58d90b3f0bd47cb5f0c4995937743b5fa65a86d14a1df269c1a26c51b0d4f6c597fba74068dc12

Download Submit
C:\Windows\{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe

Filesize
116KB

MD5
3c6d4d5a2c359c3ce7d913b833e3f3c6

SHA1
9428200c1f6d1f730f5011c75d091e8e6c9524a8

SHA256
bf71a12401c34630eb2c4080b0c8e5d750f85935c1602854d927978d88cc9ced

SHA512
bab5d57896e8d2b2c90250c974947a1f95cfb43d1248b1727a58d90b3f0bd47cb5f0c4995937743b5fa65a86d14a1df269c1a26c51b0d4f6c597fba74068dc12

Download Submit
C:\Windows\{3B37D06D-54C7-4e0f-BBBD-D38956059EFF}.exe

Filesize
116KB

MD5
3c6d4d5a2c359c3ce7d913b833e3f3c6

SHA1
9428200c1f6d1f730f5011c75d091e8e6c9524a8

SHA256
bf71a12401c34630eb2c4080b0c8e5d750f85935c1602854d927978d88cc9ced

SHA512
bab5d57896e8d2b2c90250c974947a1f95cfb43d1248b1727a58d90b3f0bd47cb5f0c4995937743b5fa65a86d14a1df269c1a26c51b0d4f6c597fba74068dc12

Download Submit
C:\Windows\{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe

Filesize
116KB

MD5
74f5ee9a00dcbf62b613ace7a6f984ac

SHA1
05884cb99ee962529474a27d2ba57754e6440e0d

SHA256
a899fe49b83b0ed6f639ea2f7dbf7231768e36b86e3ea91c271687400861a0d6

SHA512
5d9e0aeef5228c4d33b1ab8ef3c81e1eef050270c797ace93b57d35b928c8c2a478937dccef5aeb6e43adcc7096bd8fe5ccbb345e7fc8b96ac9aab36a1879f55

Download Submit
C:\Windows\{3E4BF0AA-F114-4c88-832D-DCEF81CF71B1}.exe

Filesize
116KB

MD5
74f5ee9a00dcbf62b613ace7a6f984ac

SHA1
05884cb99ee962529474a27d2ba57754e6440e0d

SHA256
a899fe49b83b0ed6f639ea2f7dbf7231768e36b86e3ea91c271687400861a0d6

SHA512
5d9e0aeef5228c4d33b1ab8ef3c81e1eef050270c797ace93b57d35b928c8c2a478937dccef5aeb6e43adcc7096bd8fe5ccbb345e7fc8b96ac9aab36a1879f55

Download Submit
C:\Windows\{4D2316D9-F0A3-4a51-8025-DBF093E4025D}.exe

Filesize
116KB

MD5
45631c68fe356e8fff1116d766fba075

SHA1
e4fb6d72f8cb242c85a16db44b0e9b73f747e115

SHA256
111c226e11b8e0fc2c9eb61ae9b0701177447f12ad570924d758cedcb1a4e381

SHA512
3e7bf346b13e50e3704748f615e3f209ad35ab5e825fc6e17309b7e3bf4e9fd632bb52e3c7dab88416487f5c13f744d940571425e956089f1db37e3585c0b4a2

Download Submit
C:\Windows\{4D2316D9-F0A3-4a51-8025-DBF093E4025D}.exe

Filesize
116KB

MD5
45631c68fe356e8fff1116d766fba075

SHA1
e4fb6d72f8cb242c85a16db44b0e9b73f747e115

SHA256
111c226e11b8e0fc2c9eb61ae9b0701177447f12ad570924d758cedcb1a4e381

SHA512
3e7bf346b13e50e3704748f615e3f209ad35ab5e825fc6e17309b7e3bf4e9fd632bb52e3c7dab88416487f5c13f744d940571425e956089f1db37e3585c0b4a2

Download Submit
C:\Windows\{77840C83-1771-44c0-A69F-6BF76E0C68C2}.exe

Filesize
116KB

MD5
f0fc146695b567fdb2f4a8dcc5082e42

SHA1
f240d108209ef8ebe6de68671e27e2311331e85e

SHA256
b85fd70bffc2d967178221b84fabdb5de18f84f9f7ba9d3b87eab7db3f8babd1

SHA512
aac3d9766cbdf72f9544b5dbf46ca1dba2428507972625edfa339706ab49e5102d93867fc6e4ebff37546e1fc0e63a8e588ef7c224fd90ef921f38db43e55229

Download Submit
C:\Windows\{77840C83-1771-44c0-A69F-6BF76E0C68C2}.exe

Filesize
116KB

MD5
f0fc146695b567fdb2f4a8dcc5082e42

SHA1
f240d108209ef8ebe6de68671e27e2311331e85e

SHA256
b85fd70bffc2d967178221b84fabdb5de18f84f9f7ba9d3b87eab7db3f8babd1

SHA512
aac3d9766cbdf72f9544b5dbf46ca1dba2428507972625edfa339706ab49e5102d93867fc6e4ebff37546e1fc0e63a8e588ef7c224fd90ef921f38db43e55229

Download Submit
C:\Windows\{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe

Filesize
116KB

MD5
47dc8c06b86b4e8229a45613f9d9d90f

SHA1
b0aafa2f2b6faf81ba7dda69067a471daadd2d7d

SHA256
44b68496d77ed3b7fe6a6fb6c5f754296ddec65a8261f9c63e1c4ab037087a80

SHA512
276f5aa15b7861b051ec192c82042c749cf8aab4cdbafa0b77d0bd0691597e2c5da88608eefe15285cfc9dee112177ab0a96a505ab9e86e17caa27d73aeee316

Download Submit
C:\Windows\{80C4D4A3-F9A7-499d-B221-22D6DAA90F3A}.exe

Filesize
116KB

MD5
47dc8c06b86b4e8229a45613f9d9d90f

SHA1
b0aafa2f2b6faf81ba7dda69067a471daadd2d7d

SHA256
44b68496d77ed3b7fe6a6fb6c5f754296ddec65a8261f9c63e1c4ab037087a80

SHA512
276f5aa15b7861b051ec192c82042c749cf8aab4cdbafa0b77d0bd0691597e2c5da88608eefe15285cfc9dee112177ab0a96a505ab9e86e17caa27d73aeee316

Download Submit
C:\Windows\{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe

Filesize
116KB

MD5
7dff1b37cce0f81be8a9ec5ac242a6ab

SHA1
9ce1226baf6688d903e8a09daf0529d6d8455d1a

SHA256
e44104e2ebc94d0d026737073d326fadd59f6c2614a69add84e890405d690808

SHA512
2f6cd0ab79240030534adcf08f867f105dd762363d07f32be9ac56cf9adf36e581529f10c47c20678f79bc6d21e3b5fd4dbfbddca61ff8ec208692feb923fc81

Download Submit
C:\Windows\{AAEDCFA8-3B28-4020-907C-0252FD309AF8}.exe

Filesize
116KB

MD5
7dff1b37cce0f81be8a9ec5ac242a6ab

SHA1
9ce1226baf6688d903e8a09daf0529d6d8455d1a

SHA256
e44104e2ebc94d0d026737073d326fadd59f6c2614a69add84e890405d690808

SHA512
2f6cd0ab79240030534adcf08f867f105dd762363d07f32be9ac56cf9adf36e581529f10c47c20678f79bc6d21e3b5fd4dbfbddca61ff8ec208692feb923fc81

Download Submit
C:\Windows\{B708FC60-3AF5-44dc-9305-E0FA7378978D}.exe

Filesize
116KB

MD5
dcb5e65a84db96812572433e8ef83f75

SHA1
16757261ee167fa53f48db12291340a7242dfee5

SHA256
95dfb94b529148ce82d79fb2e1b109cd79d75950d83d810785ae0f01d244da8a

SHA512
a423e1a65ddefc86c61711c83897be64c779880056380a0c4e8cdfe6fcf7cbbf1a251e22ebeef17e12a34670298dcf4290dc7280c7af5773bdb4fa2b6d4ee977

Download Submit
C:\Windows\{B708FC60-3AF5-44dc-9305-E0FA7378978D}.exe

Filesize
116KB

MD5
dcb5e65a84db96812572433e8ef83f75

SHA1
16757261ee167fa53f48db12291340a7242dfee5

SHA256
95dfb94b529148ce82d79fb2e1b109cd79d75950d83d810785ae0f01d244da8a

SHA512
a423e1a65ddefc86c61711c83897be64c779880056380a0c4e8cdfe6fcf7cbbf1a251e22ebeef17e12a34670298dcf4290dc7280c7af5773bdb4fa2b6d4ee977

Download Submit
C:\Windows\{C22610E4-AB85-4560-AC6A-3EC96D32FD1B}.exe

Filesize
116KB

MD5
46d38be4dbb13dee76b1ec565da09f54

SHA1
eb04456a7109063d6d56ae56c0945e632fbb7c04

SHA256
d5fc662056f52184acb681232beba83fb04344917401518ff0df43702ea04b15

SHA512
edccf10787f88a1cc7763260fdbb8d8d6bee23d14fd4f54b2245a4db50ce595f63bbef0e71bc2341f068d27cdabe5330f6e26302e1bbe934f1c92dee3ee570a8

Download Submit
C:\Windows\{C22610E4-AB85-4560-AC6A-3EC96D32FD1B}.exe

Filesize
116KB

MD5
46d38be4dbb13dee76b1ec565da09f54

SHA1
eb04456a7109063d6d56ae56c0945e632fbb7c04

SHA256
d5fc662056f52184acb681232beba83fb04344917401518ff0df43702ea04b15

SHA512
edccf10787f88a1cc7763260fdbb8d8d6bee23d14fd4f54b2245a4db50ce595f63bbef0e71bc2341f068d27cdabe5330f6e26302e1bbe934f1c92dee3ee570a8

Download Submit
C:\Windows\{F906E2FE-E834-48e7-9DF0-9BC993AC9025}.exe

Filesize
116KB

MD5
302ed2ae57656cfd02d27f93c06c4e6c

SHA1
5fc1c852567d44238a69d957c077ae3d19503def

SHA256
a49dc7c36008ad188a376ff70ec7535e9a681966985a265f48754e03293b86ad

SHA512
4585be9a95d0ea19701ac6c81f4fc829d3796b9a434ee6930784ebc6f4869797cbb33f9460363d97c823623b6991cb563d88dadadeb67f4389ebcf93729ce496

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads