97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe
Size

408KB
MD5

f8c137fe47235171dba91a3b43a6c703
SHA1

4a867ff97f12a69de0a910a804b09eaf0f399b7e
SHA256

97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a
SHA512

1798c1693ff97f234121bb2277943f1bfe7a7038215e7962798db30709923f66fd1bd68eb8b72a14a50f93aa01f6304047135919501c826f201ff2757c7c0696
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4119A9C-84B7-4208-BD1D-48AE3AB94030}	{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4119A9C-84B7-4208-BD1D-48AE3AB94030}\stubpath = "C:\\Windows\\{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe"	{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3440FC86-D2F3-4f15-A596-FC994CF08C1F}\stubpath = "C:\\Windows\\{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe"	{1E94D318-9154-4332-84DF-24B84E47EB19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D462C92-5DC3-40ba-A3B9-ADFCA8BD1806}\stubpath = "C:\\Windows\\{1D462C92-5DC3-40ba-A3B9-ADFCA8BD1806}.exe"	{32469719-8AAB-4d55-93AE-8564A89DE601}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155D0C39-E3BF-4699-8928-59402E11E269}\stubpath = "C:\\Windows\\{155D0C39-E3BF-4699-8928-59402E11E269}.exe"	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3440FC86-D2F3-4f15-A596-FC994CF08C1F}	{1E94D318-9154-4332-84DF-24B84E47EB19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}	{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}	{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}\stubpath = "C:\\Windows\\{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe"	{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32469719-8AAB-4d55-93AE-8564A89DE601}\stubpath = "C:\\Windows\\{32469719-8AAB-4d55-93AE-8564A89DE601}.exe"	{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155D0C39-E3BF-4699-8928-59402E11E269}	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DAA3515-2692-447b-8C3B-DD74510AD1E3}\stubpath = "C:\\Windows\\{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe"	{155D0C39-E3BF-4699-8928-59402E11E269}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E94D318-9154-4332-84DF-24B84E47EB19}	{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}	{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}\stubpath = "C:\\Windows\\{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe"	{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}\stubpath = "C:\\Windows\\{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe"	{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32469719-8AAB-4d55-93AE-8564A89DE601}	{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D462C92-5DC3-40ba-A3B9-ADFCA8BD1806}	{32469719-8AAB-4d55-93AE-8564A89DE601}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DAA3515-2692-447b-8C3B-DD74510AD1E3}	{155D0C39-E3BF-4699-8928-59402E11E269}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}\stubpath = "C:\\Windows\\{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe"	{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C15488E-D469-44a7-BA6C-8113F5B5696F}	{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C15488E-D469-44a7-BA6C-8113F5B5696F}\stubpath = "C:\\Windows\\{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe"	{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}	{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E94D318-9154-4332-84DF-24B84E47EB19}\stubpath = "C:\\Windows\\{1E94D318-9154-4332-84DF-24B84E47EB19}.exe"	{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe

Executes dropped EXE 12 IoCs

pid	Process
1276	{155D0C39-E3BF-4699-8928-59402E11E269}.exe
1904	{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe
1940	{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe
1540	{1E94D318-9154-4332-84DF-24B84E47EB19}.exe
4508	{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe
3340	{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe
396	{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe
4676	{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe
4536	{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe
3216	{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe
4688	{32469719-8AAB-4d55-93AE-8564A89DE601}.exe
2348	{1D462C92-5DC3-40ba-A3B9-ADFCA8BD1806}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1D462C92-5DC3-40ba-A3B9-ADFCA8BD1806}.exe	{32469719-8AAB-4d55-93AE-8564A89DE601}.exe
File created	C:\Windows\{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe	{155D0C39-E3BF-4699-8928-59402E11E269}.exe
File created	C:\Windows\{1E94D318-9154-4332-84DF-24B84E47EB19}.exe	{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe
File created	C:\Windows\{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe	{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe
File created	C:\Windows\{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe	{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe
File created	C:\Windows\{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe	{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe
File created	C:\Windows\{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe	{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe
File created	C:\Windows\{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe	{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe
File created	C:\Windows\{32469719-8AAB-4d55-93AE-8564A89DE601}.exe	{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe
File created	C:\Windows\{155D0C39-E3BF-4699-8928-59402E11E269}.exe	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe
File created	C:\Windows\{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe	{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe
File created	C:\Windows\{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe	{1E94D318-9154-4332-84DF-24B84E47EB19}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5060	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe
Token: SeIncBasePriorityPrivilege	1276	{155D0C39-E3BF-4699-8928-59402E11E269}.exe
Token: SeIncBasePriorityPrivilege	1904	{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe
Token: SeIncBasePriorityPrivilege	1940	{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe
Token: SeIncBasePriorityPrivilege	1540	{1E94D318-9154-4332-84DF-24B84E47EB19}.exe
Token: SeIncBasePriorityPrivilege	4508	{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe
Token: SeIncBasePriorityPrivilege	3340	{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe
Token: SeIncBasePriorityPrivilege	396	{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe
Token: SeIncBasePriorityPrivilege	4676	{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe
Token: SeIncBasePriorityPrivilege	4536	{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe
Token: SeIncBasePriorityPrivilege	3216	{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe
Token: SeIncBasePriorityPrivilege	4688	{32469719-8AAB-4d55-93AE-8564A89DE601}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 1276	5060	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	93
PID 5060 wrote to memory of 1276	5060	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	93
PID 5060 wrote to memory of 1276	5060	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	93
PID 5060 wrote to memory of 3764	5060	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	94
PID 5060 wrote to memory of 3764	5060	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	94
PID 5060 wrote to memory of 3764	5060	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	94
PID 1276 wrote to memory of 1904	1276	{155D0C39-E3BF-4699-8928-59402E11E269}.exe	97
PID 1276 wrote to memory of 1904	1276	{155D0C39-E3BF-4699-8928-59402E11E269}.exe	97
PID 1276 wrote to memory of 1904	1276	{155D0C39-E3BF-4699-8928-59402E11E269}.exe	97
PID 1276 wrote to memory of 5028	1276	{155D0C39-E3BF-4699-8928-59402E11E269}.exe	98
PID 1276 wrote to memory of 5028	1276	{155D0C39-E3BF-4699-8928-59402E11E269}.exe	98
PID 1276 wrote to memory of 5028	1276	{155D0C39-E3BF-4699-8928-59402E11E269}.exe	98
PID 1904 wrote to memory of 1940	1904	{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe	100
PID 1904 wrote to memory of 1940	1904	{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe	100
PID 1904 wrote to memory of 1940	1904	{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe	100
PID 1904 wrote to memory of 4972	1904	{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe	101
PID 1904 wrote to memory of 4972	1904	{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe	101
PID 1904 wrote to memory of 4972	1904	{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe	101
PID 1940 wrote to memory of 1540	1940	{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe	103
PID 1940 wrote to memory of 1540	1940	{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe	103
PID 1940 wrote to memory of 1540	1940	{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe	103
PID 1940 wrote to memory of 4080	1940	{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe	104
PID 1940 wrote to memory of 4080	1940	{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe	104
PID 1940 wrote to memory of 4080	1940	{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe	104
PID 1540 wrote to memory of 4508	1540	{1E94D318-9154-4332-84DF-24B84E47EB19}.exe	105
PID 1540 wrote to memory of 4508	1540	{1E94D318-9154-4332-84DF-24B84E47EB19}.exe	105
PID 1540 wrote to memory of 4508	1540	{1E94D318-9154-4332-84DF-24B84E47EB19}.exe	105
PID 1540 wrote to memory of 988	1540	{1E94D318-9154-4332-84DF-24B84E47EB19}.exe	106
PID 1540 wrote to memory of 988	1540	{1E94D318-9154-4332-84DF-24B84E47EB19}.exe	106
PID 1540 wrote to memory of 988	1540	{1E94D318-9154-4332-84DF-24B84E47EB19}.exe	106
PID 4508 wrote to memory of 3340	4508	{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe	108
PID 4508 wrote to memory of 3340	4508	{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe	108
PID 4508 wrote to memory of 3340	4508	{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe	108
PID 4508 wrote to memory of 3240	4508	{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe	109
PID 4508 wrote to memory of 3240	4508	{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe	109
PID 4508 wrote to memory of 3240	4508	{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe	109
PID 3340 wrote to memory of 396	3340	{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe	110
PID 3340 wrote to memory of 396	3340	{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe	110
PID 3340 wrote to memory of 396	3340	{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe	110
PID 3340 wrote to memory of 692	3340	{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe	111
PID 3340 wrote to memory of 692	3340	{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe	111
PID 3340 wrote to memory of 692	3340	{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe	111
PID 396 wrote to memory of 4676	396	{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe	112
PID 396 wrote to memory of 4676	396	{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe	112
PID 396 wrote to memory of 4676	396	{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe	112
PID 396 wrote to memory of 1696	396	{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe	113
PID 396 wrote to memory of 1696	396	{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe	113
PID 396 wrote to memory of 1696	396	{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe	113
PID 4676 wrote to memory of 4536	4676	{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe	121
PID 4676 wrote to memory of 4536	4676	{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe	121
PID 4676 wrote to memory of 4536	4676	{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe	121
PID 4676 wrote to memory of 1504	4676	{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe	122
PID 4676 wrote to memory of 1504	4676	{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe	122
PID 4676 wrote to memory of 1504	4676	{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe	122
PID 4536 wrote to memory of 3216	4536	{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe	123
PID 4536 wrote to memory of 3216	4536	{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe	123
PID 4536 wrote to memory of 3216	4536	{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe	123
PID 4536 wrote to memory of 1332	4536	{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe	124
PID 4536 wrote to memory of 1332	4536	{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe	124
PID 4536 wrote to memory of 1332	4536	{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe	124
PID 3216 wrote to memory of 4688	3216	{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe	125
PID 3216 wrote to memory of 4688	3216	{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe	125
PID 3216 wrote to memory of 4688	3216	{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe	125
PID 3216 wrote to memory of 3724	3216	{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe	126

C:\Users\Admin\AppData\Local\Temp\NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\{155D0C39-E3BF-4699-8928-59402E11E269}.exe
  C:\Windows\{155D0C39-E3BF-4699-8928-59402E11E269}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe
    C:\Windows\{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe
      C:\Windows\{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\{1E94D318-9154-4332-84DF-24B84E47EB19}.exe
        
        C:\Windows\{1E94D318-9154-4332-84DF-24B84E47EB19}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe
        
        C:\Windows\{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe
        
        C:\Windows\{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe
        
        C:\Windows\{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe
        
        C:\Windows\{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe
        
        C:\Windows\{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe
        
        C:\Windows\{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\{32469719-8AAB-4d55-93AE-8564A89DE601}.exe
        
        C:\Windows\{32469719-8AAB-4d55-93AE-8564A89DE601}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
        
        C:\Windows\{1D462C92-5DC3-40ba-A3B9-ADFCA8BD1806}.exe
        
        C:\Windows\{1D462C92-5DC3-40ba-A3B9-ADFCA8BD1806}.exe
        13⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32469~1.EXE > nul
        13⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD99E~1.EXE > nul
        12⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9531~1.EXE > nul
        11⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C154~1.EXE > nul
        10⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77591~1.EXE > nul
        9⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53BEF~1.EXE > nul
        8⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3440F~1.EXE > nul
        7⤵
        
        PID:3240
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E94D~1.EXE > nul
        6⤵
        
        PID:988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4119~1.EXE > nul
        5⤵
        
        PID:4080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1DAA3~1.EXE > nul
      4⤵
      PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{155D0~1.EXE > nul
    3⤵
    PID:5028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS97~1.EXE > nul
  2⤵
  PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{155D0C39-E3BF-4699-8928-59402E11E269}.exe

Filesize
408KB

MD5
b774650044e9a5f9bc781ca86a01c08f

SHA1
2413b50726b11042751834ef7295ca5cab07df3e

SHA256
6e9e25d830da9c17111f41dc78d10063fc9fac5fa4486413a7890617edd94000

SHA512
56c3aea756ac57167bffd783237e72ed94c02a7c6c4c1e649f50417c70ce29dd2f93c0551617ac6ff5c548fc2c4156ee0653c65cb29960c849fbb98f0749200f

Download Submit
C:\Windows\{155D0C39-E3BF-4699-8928-59402E11E269}.exe

Filesize
408KB

MD5
b774650044e9a5f9bc781ca86a01c08f

SHA1
2413b50726b11042751834ef7295ca5cab07df3e

SHA256
6e9e25d830da9c17111f41dc78d10063fc9fac5fa4486413a7890617edd94000

SHA512
56c3aea756ac57167bffd783237e72ed94c02a7c6c4c1e649f50417c70ce29dd2f93c0551617ac6ff5c548fc2c4156ee0653c65cb29960c849fbb98f0749200f

Download Submit
C:\Windows\{1D462C92-5DC3-40ba-A3B9-ADFCA8BD1806}.exe

Filesize
408KB

MD5
b72e8b6c520d50e8684842381bbf6165

SHA1
6908cff3bf118d2dc01eab01615dbbb93d3bbcef

SHA256
b0cb18dbc79dc1fd8b83f1c7ede2ed680f1c98df6029ef69e2a875b4640942f5

SHA512
cc7d6141ce184c580a5418695467e7390ab1363f5e2e7a48b4af91d2da1e4bd46ab5ce5704f17682eb645e5696ba0e6a61bed1c875a3d9dbc6bd5d905ca06314

Download Submit
C:\Windows\{1D462C92-5DC3-40ba-A3B9-ADFCA8BD1806}.exe

Filesize
408KB

MD5
b72e8b6c520d50e8684842381bbf6165

SHA1
6908cff3bf118d2dc01eab01615dbbb93d3bbcef

SHA256
b0cb18dbc79dc1fd8b83f1c7ede2ed680f1c98df6029ef69e2a875b4640942f5

SHA512
cc7d6141ce184c580a5418695467e7390ab1363f5e2e7a48b4af91d2da1e4bd46ab5ce5704f17682eb645e5696ba0e6a61bed1c875a3d9dbc6bd5d905ca06314

Download Submit
C:\Windows\{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe

Filesize
408KB

MD5
98a7dd84deb3372c284e9ee4d1ac56d1

SHA1
79472c5090556011f27796c438a53ef26a118679

SHA256
e2fadfd2a9c54c36e943b7c519f8fad8b7221538f01eb46d5ec9651e4058f14a

SHA512
e7d657a1ba50e044f1e82d94c96b1673108c655768f1d8d20831c569ce5eb9b9849c84bab7edd3dc8f5ac43532bc24cda738c61c1388cb246ea7f19236156eca

Download Submit
C:\Windows\{1DAA3515-2692-447b-8C3B-DD74510AD1E3}.exe

Filesize
408KB

MD5
98a7dd84deb3372c284e9ee4d1ac56d1

SHA1
79472c5090556011f27796c438a53ef26a118679

SHA256
e2fadfd2a9c54c36e943b7c519f8fad8b7221538f01eb46d5ec9651e4058f14a

SHA512
e7d657a1ba50e044f1e82d94c96b1673108c655768f1d8d20831c569ce5eb9b9849c84bab7edd3dc8f5ac43532bc24cda738c61c1388cb246ea7f19236156eca

Download Submit
C:\Windows\{1E94D318-9154-4332-84DF-24B84E47EB19}.exe

Filesize
408KB

MD5
a024facb1574dd720f486630754aac22

SHA1
7fcda9df401c0a48a5cbb7552bce22aaeef47765

SHA256
f5e4f2289f7f8a09327f2ff46be12b60bb0a19dccb4b4663fa62e59eb872f7f0

SHA512
ce9bb533deedf71ede376ec404ae1345c240eede08ffefada4abac0a21903dc9a82f016a9081c0b3ce460fe4c880d8372a3902092d4f8dae7b124ace418068ef

Download Submit
C:\Windows\{1E94D318-9154-4332-84DF-24B84E47EB19}.exe

Filesize
408KB

MD5
a024facb1574dd720f486630754aac22

SHA1
7fcda9df401c0a48a5cbb7552bce22aaeef47765

SHA256
f5e4f2289f7f8a09327f2ff46be12b60bb0a19dccb4b4663fa62e59eb872f7f0

SHA512
ce9bb533deedf71ede376ec404ae1345c240eede08ffefada4abac0a21903dc9a82f016a9081c0b3ce460fe4c880d8372a3902092d4f8dae7b124ace418068ef

Download Submit
C:\Windows\{32469719-8AAB-4d55-93AE-8564A89DE601}.exe

Filesize
408KB

MD5
0d188a255f761f67c5e336082cb1e664

SHA1
056b60fb9d6218c50e30c6710ade838093ad0c3b

SHA256
a83d66efeabac1dc56f2bc28a2e02b73c0849dc7fbf63434adbf316bdd421ae1

SHA512
8d0f036319ca8a8664cebb7a5e0e00f6d55b82749b5c775f64e0c030703d5a10399e69bd41555b1a462184a4f54176f679138b66b30bab6ad1a226ffb63fcd4d

Download Submit
C:\Windows\{32469719-8AAB-4d55-93AE-8564A89DE601}.exe

Filesize
408KB

MD5
0d188a255f761f67c5e336082cb1e664

SHA1
056b60fb9d6218c50e30c6710ade838093ad0c3b

SHA256
a83d66efeabac1dc56f2bc28a2e02b73c0849dc7fbf63434adbf316bdd421ae1

SHA512
8d0f036319ca8a8664cebb7a5e0e00f6d55b82749b5c775f64e0c030703d5a10399e69bd41555b1a462184a4f54176f679138b66b30bab6ad1a226ffb63fcd4d

Download Submit
C:\Windows\{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe

Filesize
408KB

MD5
4f2432b19314d241bf16e79db4e5dc2d

SHA1
744853e930981adce11145b44130838512230a5d

SHA256
4f686601e459166482361929a7eb1d016837d71af31bf5251ca2a88be978978f

SHA512
9ae7264705b3758ff7069092866c61a68911aa6051d34ddff0c1fd9c15b4f134131a8ad6ccd551c190b1a40389f28e6a0a5bd498b47fd4ee377266273fdc41b0

Download Submit
C:\Windows\{3440FC86-D2F3-4f15-A596-FC994CF08C1F}.exe

Filesize
408KB

MD5
4f2432b19314d241bf16e79db4e5dc2d

SHA1
744853e930981adce11145b44130838512230a5d

SHA256
4f686601e459166482361929a7eb1d016837d71af31bf5251ca2a88be978978f

SHA512
9ae7264705b3758ff7069092866c61a68911aa6051d34ddff0c1fd9c15b4f134131a8ad6ccd551c190b1a40389f28e6a0a5bd498b47fd4ee377266273fdc41b0

Download Submit
C:\Windows\{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe

Filesize
408KB

MD5
6bac95b6d612febea12a3f99b097a4b7

SHA1
5360fdc611eb34f8b80be43684da32a174f7e0f8

SHA256
50da079b62246f1875deb5f267e555499a1959854277950de0c2b0da57d90f50

SHA512
399ffeb24ff62f79e22289bd1e18751e8791d6c0ee90334a772adf9ef6bea9c98ba810b3476c2afc73bfb265d162874b35959f5f35653539a989490d5cbf4951

Download Submit
C:\Windows\{53BEFCD0-1DBF-4494-9107-A4B3B425C89D}.exe

Filesize
408KB

MD5
6bac95b6d612febea12a3f99b097a4b7

SHA1
5360fdc611eb34f8b80be43684da32a174f7e0f8

SHA256
50da079b62246f1875deb5f267e555499a1959854277950de0c2b0da57d90f50

SHA512
399ffeb24ff62f79e22289bd1e18751e8791d6c0ee90334a772adf9ef6bea9c98ba810b3476c2afc73bfb265d162874b35959f5f35653539a989490d5cbf4951

Download Submit
C:\Windows\{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe

Filesize
408KB

MD5
dc7302e66675b8a2dc7734e684ff32cd

SHA1
372c54bbdf3e770d5e0ff4734e9b5cef78c5c1e9

SHA256
acb6e497f50dde2014a2d89acfd3dd91d4cc1788b505c0d6917cc8603694d389

SHA512
10c984c9d517920f94e8e36d18c221aa048e41eae49617f6906396fe462f758aa5ba9cf925da52cb3f056e34ec8177583f328719d77d668c54fbf16631f32d92

Download Submit
C:\Windows\{7759115F-0FFF-48b6-A97D-C52A9CA5D8E8}.exe

Filesize
408KB

MD5
dc7302e66675b8a2dc7734e684ff32cd

SHA1
372c54bbdf3e770d5e0ff4734e9b5cef78c5c1e9

SHA256
acb6e497f50dde2014a2d89acfd3dd91d4cc1788b505c0d6917cc8603694d389

SHA512
10c984c9d517920f94e8e36d18c221aa048e41eae49617f6906396fe462f758aa5ba9cf925da52cb3f056e34ec8177583f328719d77d668c54fbf16631f32d92

Download Submit
C:\Windows\{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe

Filesize
408KB

MD5
fb6d8d65d4117e408aafbc6543c670f3

SHA1
4982c2d5f57fb9755796224a7801f0669fae0eb1

SHA256
32cbd1c2a6d97e50c274b520121aa8abb5531e6dd0b7e91c244ab4d971498748

SHA512
606722003048bdad3896e7888820364ba86962196a930220aea2f5991dc8b6579f2c69a2469349e5d5e11353b230665cfe82a8d40bb88e560856ac4381a8b3bf

Download Submit
C:\Windows\{7C15488E-D469-44a7-BA6C-8113F5B5696F}.exe

Filesize
408KB

MD5
fb6d8d65d4117e408aafbc6543c670f3

SHA1
4982c2d5f57fb9755796224a7801f0669fae0eb1

SHA256
32cbd1c2a6d97e50c274b520121aa8abb5531e6dd0b7e91c244ab4d971498748

SHA512
606722003048bdad3896e7888820364ba86962196a930220aea2f5991dc8b6579f2c69a2469349e5d5e11353b230665cfe82a8d40bb88e560856ac4381a8b3bf

Download Submit
C:\Windows\{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe

Filesize
408KB

MD5
91988d81d0fe919e6bbbf2d3a4aa117c

SHA1
83a819c7e193be79b8b63605ae2e0e54c327f055

SHA256
2520ded700db9acb6e00eb361873d462433da7102f67b55bda8b3f90f873a195

SHA512
15473dcfaf7e5200ba51d2969576c645880fd554555bb6ae4b75d3a7fc015932e6fdff8d063bfedf642c8d3399a08e5a128185eb2240a260ee2d62d39a282121

Download Submit
C:\Windows\{AD99E758-4CD3-4801-ACD1-5BD42C578A8C}.exe

Filesize
408KB

MD5
91988d81d0fe919e6bbbf2d3a4aa117c

SHA1
83a819c7e193be79b8b63605ae2e0e54c327f055

SHA256
2520ded700db9acb6e00eb361873d462433da7102f67b55bda8b3f90f873a195

SHA512
15473dcfaf7e5200ba51d2969576c645880fd554555bb6ae4b75d3a7fc015932e6fdff8d063bfedf642c8d3399a08e5a128185eb2240a260ee2d62d39a282121

Download Submit
C:\Windows\{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe

Filesize
408KB

MD5
3913b2b3549fd0241f0a4255d69f4253

SHA1
14e6254955642e2b3e0d1fdb83b4242b1d5bc606

SHA256
eb25333cc7633b895ffb97a44c036d828693e6a6e74315fded8d349afaa8e87a

SHA512
fd2c033dd74be5ef700b5304a46600160e5155776aa4441566f6c2d3dfdc0cf3b6706ad9848433957ec27a4385797ec44aa620660e825688addd639d8e90b815

Download Submit
C:\Windows\{C9531821-1CA2-47e2-A622-5D3F8D0D6BC6}.exe

Filesize
408KB

MD5
3913b2b3549fd0241f0a4255d69f4253

SHA1
14e6254955642e2b3e0d1fdb83b4242b1d5bc606

SHA256
eb25333cc7633b895ffb97a44c036d828693e6a6e74315fded8d349afaa8e87a

SHA512
fd2c033dd74be5ef700b5304a46600160e5155776aa4441566f6c2d3dfdc0cf3b6706ad9848433957ec27a4385797ec44aa620660e825688addd639d8e90b815

Download Submit
C:\Windows\{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe

Filesize
408KB

MD5
e81cdfdae80348f300b2834915924188

SHA1
22992e67337372827b90829e15d88e1fde547651

SHA256
bc885844b6ce1d0eeaaa44e55572f7176ce8173e9af9d144436a4327746d8df9

SHA512
48af0bc8861e605937492668237d864652974e4198ba93490bff5b7c72f2e0e395490dd9fa36618896ab947d72e74d65c5bf0a58169de25ff80996f1d21dd733

Download Submit
C:\Windows\{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe

Filesize
408KB

MD5
e81cdfdae80348f300b2834915924188

SHA1
22992e67337372827b90829e15d88e1fde547651

SHA256
bc885844b6ce1d0eeaaa44e55572f7176ce8173e9af9d144436a4327746d8df9

SHA512
48af0bc8861e605937492668237d864652974e4198ba93490bff5b7c72f2e0e395490dd9fa36618896ab947d72e74d65c5bf0a58169de25ff80996f1d21dd733

Download Submit
C:\Windows\{D4119A9C-84B7-4208-BD1D-48AE3AB94030}.exe

Filesize
408KB

MD5
e81cdfdae80348f300b2834915924188

SHA1
22992e67337372827b90829e15d88e1fde547651

SHA256
bc885844b6ce1d0eeaaa44e55572f7176ce8173e9af9d144436a4327746d8df9

SHA512
48af0bc8861e605937492668237d864652974e4198ba93490bff5b7c72f2e0e395490dd9fa36618896ab947d72e74d65c5bf0a58169de25ff80996f1d21dd733

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads