7ab40bb8043b5edf1dc96641c89c774b8db69effd96216eb6d27923699e1dea4

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe
Size

60KB
MD5

924b74594c6261ce6f0854ea6d7b6d00
SHA1

a2d977e33b471df5eb6c139eb9b1afdabf5ecd87
SHA256

7ab40bb8043b5edf1dc96641c89c774b8db69effd96216eb6d27923699e1dea4
SHA512

0e15a2add15215821361f01daeb2773a03f89d65cc76a6a3e0f8c1cb7a5efcc2dfef47db1bb5b0f9539c7c653354e4db023bb38af0eb915d60be5fd7c68d36bb
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLrod4/CFsrdHWMZ:vvw9816vhKQLrod4/wQpWMZ

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F30F6A63-A1C8-4f10-8389-AD6261B78C99}\stubpath = "C:\\Windows\\{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe"	NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}\stubpath = "C:\\Windows\\{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe"	{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8442C60-A11F-4d22-AD68-C68F7957C7F6}\stubpath = "C:\\Windows\\{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe"	{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{356B1F87-7D34-4501-B454-9D4FC3730356}	{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8186127-0289-41e9-9E1E-BB47BBA0773B}\stubpath = "C:\\Windows\\{F8186127-0289-41e9-9E1E-BB47BBA0773B}.exe"	{411DB9EF-2DDC-42a1-9E19-80CFB41C5983}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F30F6A63-A1C8-4f10-8389-AD6261B78C99}	NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}	{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB74628D-1BA5-46d6-AE0D-245E9B497907}	{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{356B1F87-7D34-4501-B454-9D4FC3730356}\stubpath = "C:\\Windows\\{356B1F87-7D34-4501-B454-9D4FC3730356}.exe"	{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2374ED7-25C4-439a-AE6A-51A723D6EAD7}\stubpath = "C:\\Windows\\{A2374ED7-25C4-439a-AE6A-51A723D6EAD7}.exe"	{F8186127-0289-41e9-9E1E-BB47BBA0773B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB8F82B1-0D65-45b9-B98F-3281250A450A}	{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}\stubpath = "C:\\Windows\\{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe"	{356B1F87-7D34-4501-B454-9D4FC3730356}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{411DB9EF-2DDC-42a1-9E19-80CFB41C5983}	{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8186127-0289-41e9-9E1E-BB47BBA0773B}	{411DB9EF-2DDC-42a1-9E19-80CFB41C5983}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB74628D-1BA5-46d6-AE0D-245E9B497907}\stubpath = "C:\\Windows\\{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe"	{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8442C60-A11F-4d22-AD68-C68F7957C7F6}	{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}	{356B1F87-7D34-4501-B454-9D4FC3730356}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{411DB9EF-2DDC-42a1-9E19-80CFB41C5983}\stubpath = "C:\\Windows\\{411DB9EF-2DDC-42a1-9E19-80CFB41C5983}.exe"	{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2374ED7-25C4-439a-AE6A-51A723D6EAD7}	{F8186127-0289-41e9-9E1E-BB47BBA0773B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6221DBE-1152-4b62-8C74-EBC9E9652964}	{A2374ED7-25C4-439a-AE6A-51A723D6EAD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6221DBE-1152-4b62-8C74-EBC9E9652964}\stubpath = "C:\\Windows\\{F6221DBE-1152-4b62-8C74-EBC9E9652964}.exe"	{A2374ED7-25C4-439a-AE6A-51A723D6EAD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB8F82B1-0D65-45b9-B98F-3281250A450A}\stubpath = "C:\\Windows\\{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe"	{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1120	{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe
2944	{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe
3048	{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe
2436	{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe
2552	{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe
2416	{356B1F87-7D34-4501-B454-9D4FC3730356}.exe
776	{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe
2672	{411DB9EF-2DDC-42a1-9E19-80CFB41C5983}.exe
2832	{F8186127-0289-41e9-9E1E-BB47BBA0773B}.exe
2892	{A2374ED7-25C4-439a-AE6A-51A723D6EAD7}.exe
2756	{F6221DBE-1152-4b62-8C74-EBC9E9652964}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe	NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe
File created	C:\Windows\{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe	{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe
File created	C:\Windows\{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe	{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe
File created	C:\Windows\{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe	{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe
File created	C:\Windows\{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe	{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe
File created	C:\Windows\{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe	{356B1F87-7D34-4501-B454-9D4FC3730356}.exe
File created	C:\Windows\{356B1F87-7D34-4501-B454-9D4FC3730356}.exe	{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe
File created	C:\Windows\{411DB9EF-2DDC-42a1-9E19-80CFB41C5983}.exe	{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe
File created	C:\Windows\{F8186127-0289-41e9-9E1E-BB47BBA0773B}.exe	{411DB9EF-2DDC-42a1-9E19-80CFB41C5983}.exe
File created	C:\Windows\{A2374ED7-25C4-439a-AE6A-51A723D6EAD7}.exe	{F8186127-0289-41e9-9E1E-BB47BBA0773B}.exe
File created	C:\Windows\{F6221DBE-1152-4b62-8C74-EBC9E9652964}.exe	{A2374ED7-25C4-439a-AE6A-51A723D6EAD7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1288	NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe
Token: SeIncBasePriorityPrivilege	1120	{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe
Token: SeIncBasePriorityPrivilege	2944	{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe
Token: SeIncBasePriorityPrivilege	3048	{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe
Token: SeIncBasePriorityPrivilege	2436	{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe
Token: SeIncBasePriorityPrivilege	2552	{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe
Token: SeIncBasePriorityPrivilege	2416	{356B1F87-7D34-4501-B454-9D4FC3730356}.exe
Token: SeIncBasePriorityPrivilege	776	{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe
Token: SeIncBasePriorityPrivilege	2672	{411DB9EF-2DDC-42a1-9E19-80CFB41C5983}.exe
Token: SeIncBasePriorityPrivilege	2832	{F8186127-0289-41e9-9E1E-BB47BBA0773B}.exe
Token: SeIncBasePriorityPrivilege	2892	{A2374ED7-25C4-439a-AE6A-51A723D6EAD7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1120	1288	NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe	28
PID 1288 wrote to memory of 1120	1288	NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe	28
PID 1288 wrote to memory of 1120	1288	NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe	28
PID 1288 wrote to memory of 1120	1288	NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe	28
PID 1288 wrote to memory of 2560	1288	NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe	29
PID 1288 wrote to memory of 2560	1288	NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe	29
PID 1288 wrote to memory of 2560	1288	NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe	29
PID 1288 wrote to memory of 2560	1288	NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe	29
PID 1120 wrote to memory of 2944	1120	{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe	30
PID 1120 wrote to memory of 2944	1120	{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe	30
PID 1120 wrote to memory of 2944	1120	{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe	30
PID 1120 wrote to memory of 2944	1120	{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe	30
PID 1120 wrote to memory of 2556	1120	{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe	31
PID 1120 wrote to memory of 2556	1120	{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe	31
PID 1120 wrote to memory of 2556	1120	{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe	31
PID 1120 wrote to memory of 2556	1120	{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe	31
PID 2944 wrote to memory of 3048	2944	{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe	34
PID 2944 wrote to memory of 3048	2944	{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe	34
PID 2944 wrote to memory of 3048	2944	{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe	34
PID 2944 wrote to memory of 3048	2944	{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe	34
PID 2944 wrote to memory of 2488	2944	{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe	35
PID 2944 wrote to memory of 2488	2944	{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe	35
PID 2944 wrote to memory of 2488	2944	{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe	35
PID 2944 wrote to memory of 2488	2944	{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe	35
PID 3048 wrote to memory of 2436	3048	{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe	36
PID 3048 wrote to memory of 2436	3048	{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe	36
PID 3048 wrote to memory of 2436	3048	{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe	36
PID 3048 wrote to memory of 2436	3048	{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe	36
PID 3048 wrote to memory of 2476	3048	{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe	37
PID 3048 wrote to memory of 2476	3048	{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe	37
PID 3048 wrote to memory of 2476	3048	{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe	37
PID 3048 wrote to memory of 2476	3048	{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe	37
PID 2436 wrote to memory of 2552	2436	{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe	38
PID 2436 wrote to memory of 2552	2436	{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe	38
PID 2436 wrote to memory of 2552	2436	{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe	38
PID 2436 wrote to memory of 2552	2436	{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe	38
PID 2436 wrote to memory of 3052	2436	{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe	39
PID 2436 wrote to memory of 3052	2436	{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe	39
PID 2436 wrote to memory of 3052	2436	{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe	39
PID 2436 wrote to memory of 3052	2436	{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe	39
PID 2552 wrote to memory of 2416	2552	{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe	40
PID 2552 wrote to memory of 2416	2552	{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe	40
PID 2552 wrote to memory of 2416	2552	{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe	40
PID 2552 wrote to memory of 2416	2552	{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe	40
PID 2552 wrote to memory of 1688	2552	{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe	41
PID 2552 wrote to memory of 1688	2552	{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe	41
PID 2552 wrote to memory of 1688	2552	{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe	41
PID 2552 wrote to memory of 1688	2552	{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe	41
PID 2416 wrote to memory of 776	2416	{356B1F87-7D34-4501-B454-9D4FC3730356}.exe	42
PID 2416 wrote to memory of 776	2416	{356B1F87-7D34-4501-B454-9D4FC3730356}.exe	42
PID 2416 wrote to memory of 776	2416	{356B1F87-7D34-4501-B454-9D4FC3730356}.exe	42
PID 2416 wrote to memory of 776	2416	{356B1F87-7D34-4501-B454-9D4FC3730356}.exe	42
PID 2416 wrote to memory of 1180	2416	{356B1F87-7D34-4501-B454-9D4FC3730356}.exe	43
PID 2416 wrote to memory of 1180	2416	{356B1F87-7D34-4501-B454-9D4FC3730356}.exe	43
PID 2416 wrote to memory of 1180	2416	{356B1F87-7D34-4501-B454-9D4FC3730356}.exe	43
PID 2416 wrote to memory of 1180	2416	{356B1F87-7D34-4501-B454-9D4FC3730356}.exe	43
PID 776 wrote to memory of 2672	776	{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe	44
PID 776 wrote to memory of 2672	776	{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe	44
PID 776 wrote to memory of 2672	776	{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe	44
PID 776 wrote to memory of 2672	776	{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe	44
PID 776 wrote to memory of 2872	776	{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe	45
PID 776 wrote to memory of 2872	776	{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe	45
PID 776 wrote to memory of 2872	776	{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe	45
PID 776 wrote to memory of 2872	776	{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.924b74594c6261ce6f0854ea6d7b6d00.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe
  C:\Windows\{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe
    C:\Windows\{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe
      C:\Windows\{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe
        
        C:\Windows\{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe
        
        C:\Windows\{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\{356B1F87-7D34-4501-B454-9D4FC3730356}.exe
        
        C:\Windows\{356B1F87-7D34-4501-B454-9D4FC3730356}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe
        
        C:\Windows\{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\{411DB9EF-2DDC-42a1-9E19-80CFB41C5983}.exe
        
        C:\Windows\{411DB9EF-2DDC-42a1-9E19-80CFB41C5983}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\{F8186127-0289-41e9-9E1E-BB47BBA0773B}.exe
        
        C:\Windows\{F8186127-0289-41e9-9E1E-BB47BBA0773B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\{A2374ED7-25C4-439a-AE6A-51A723D6EAD7}.exe
        
        C:\Windows\{A2374ED7-25C4-439a-AE6A-51A723D6EAD7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\{F6221DBE-1152-4b62-8C74-EBC9E9652964}.exe
        
        C:\Windows\{F6221DBE-1152-4b62-8C74-EBC9E9652964}.exe
        12⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2374~1.EXE > nul
        12⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8186~1.EXE > nul
        11⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{411DB~1.EXE > nul
        10⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12B3E~1.EXE > nul
        9⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{356B1~1.EXE > nul
        8⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8442~1.EXE > nul
        7⤵
        
        PID:1688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB746~1.EXE > nul
        6⤵
        
        PID:3052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A40D5~1.EXE > nul
        5⤵
        
        PID:2476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BB8F8~1.EXE > nul
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F30F6~1.EXE > nul
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS92~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe

Filesize
60KB

MD5
bd5d68096a5223343bc19c8ac67dbec3

SHA1
411c952d10b671fb70c738af0cfc916c3e5cd573

SHA256
9ce52dd42cff7192f8f43b6775842bffbfe3e7d1810847253f744b0aa06ee688

SHA512
03c70a5f2bda9fbda6eb5b2d379d7b8474d6b3afc02fbf78de484831cc1d9784a7c5e83403c8d6646a82f8798494649b6468b604c0f83154d7c36b97e93eebe0

Download Submit
C:\Windows\{12B3EED2-17F3-46f5-84E7-AA1AAFCAD4F8}.exe

Filesize
60KB

MD5
bd5d68096a5223343bc19c8ac67dbec3

SHA1
411c952d10b671fb70c738af0cfc916c3e5cd573

SHA256
9ce52dd42cff7192f8f43b6775842bffbfe3e7d1810847253f744b0aa06ee688

SHA512
03c70a5f2bda9fbda6eb5b2d379d7b8474d6b3afc02fbf78de484831cc1d9784a7c5e83403c8d6646a82f8798494649b6468b604c0f83154d7c36b97e93eebe0

Download Submit
C:\Windows\{356B1F87-7D34-4501-B454-9D4FC3730356}.exe

Filesize
60KB

MD5
29a781efecb2a208df1b8a8309723961

SHA1
67c2452779d4662b4115170336959a7938e713da

SHA256
01abaf6076c5702205dad10cbf790522e36cce41ad25d159177fa86dfd33de02

SHA512
515137611510499bc152ac2fdc2b2016ce6b157693569980277a72f3096bba7baa82d6b2e2d12d68a685d41f641720e534c89c2964716b9f895a216d4e50d3a9

Download Submit
C:\Windows\{356B1F87-7D34-4501-B454-9D4FC3730356}.exe

Filesize
60KB

MD5
29a781efecb2a208df1b8a8309723961

SHA1
67c2452779d4662b4115170336959a7938e713da

SHA256
01abaf6076c5702205dad10cbf790522e36cce41ad25d159177fa86dfd33de02

SHA512
515137611510499bc152ac2fdc2b2016ce6b157693569980277a72f3096bba7baa82d6b2e2d12d68a685d41f641720e534c89c2964716b9f895a216d4e50d3a9

Download Submit
C:\Windows\{411DB9EF-2DDC-42a1-9E19-80CFB41C5983}.exe

Filesize
60KB

MD5
ff49caca312605ab74b786adee674230

SHA1
ff75c803c38e4ea0c0154eded72902ec4f1b5189

SHA256
f0762b90b2fbc3d5131f91068113739090bcb2fd280251eb9833b465899c2a6e

SHA512
30435c193ab2893779e5a1090ed40dfd99f3a7eabb4f3ce547186582fcdfa704e1856f87f6ad7b8e356cf543db86cb82be7069ff3c3065e371bc5d7f66e63a11

Download Submit
C:\Windows\{411DB9EF-2DDC-42a1-9E19-80CFB41C5983}.exe

Filesize
60KB

MD5
ff49caca312605ab74b786adee674230

SHA1
ff75c803c38e4ea0c0154eded72902ec4f1b5189

SHA256
f0762b90b2fbc3d5131f91068113739090bcb2fd280251eb9833b465899c2a6e

SHA512
30435c193ab2893779e5a1090ed40dfd99f3a7eabb4f3ce547186582fcdfa704e1856f87f6ad7b8e356cf543db86cb82be7069ff3c3065e371bc5d7f66e63a11

Download Submit
C:\Windows\{A2374ED7-25C4-439a-AE6A-51A723D6EAD7}.exe

Filesize
60KB

MD5
4428ecb3f2668283ddccf50597eb44f0

SHA1
51db76ca160130e7089ee01fda7ada989a5ee052

SHA256
3b39dffc5f357a9719b49500c50125986e0d2998fdb0f7831543f05929ba88f6

SHA512
f9c8dc7e7e5611ccba0164a59db5700af9fb7a263294638d3bbe8af7809c5e233bb3892ac196c9125ab37208cb25b6b39963b66bb35e78c4ba6e2943e45a8a47

Download Submit
C:\Windows\{A2374ED7-25C4-439a-AE6A-51A723D6EAD7}.exe

Filesize
60KB

MD5
4428ecb3f2668283ddccf50597eb44f0

SHA1
51db76ca160130e7089ee01fda7ada989a5ee052

SHA256
3b39dffc5f357a9719b49500c50125986e0d2998fdb0f7831543f05929ba88f6

SHA512
f9c8dc7e7e5611ccba0164a59db5700af9fb7a263294638d3bbe8af7809c5e233bb3892ac196c9125ab37208cb25b6b39963b66bb35e78c4ba6e2943e45a8a47

Download Submit
C:\Windows\{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe

Filesize
60KB

MD5
2025d33b7b078d06b0f2aee41b84c863

SHA1
bc84bc6c7865416fba42b54c248e7469f45be688

SHA256
5e0370d887728566f2680fe028025b51aba9a133a7d3598df8fa661adc4bc90f

SHA512
a8847aa8b99f4b7c738274056fdb5877a60c1c4e46a77309db1ac3bcb8075544978cc74650f7c9a73d2a55587cc10f1d7214cd4d9fb716d8964738b49e04a5d7

Download Submit
C:\Windows\{A40D5008-DB49-41ac-ABCE-8E5EFA9455F4}.exe

Filesize
60KB

MD5
2025d33b7b078d06b0f2aee41b84c863

SHA1
bc84bc6c7865416fba42b54c248e7469f45be688

SHA256
5e0370d887728566f2680fe028025b51aba9a133a7d3598df8fa661adc4bc90f

SHA512
a8847aa8b99f4b7c738274056fdb5877a60c1c4e46a77309db1ac3bcb8075544978cc74650f7c9a73d2a55587cc10f1d7214cd4d9fb716d8964738b49e04a5d7

Download Submit
C:\Windows\{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe

Filesize
60KB

MD5
786977855d7ee61477bf981701fa0258

SHA1
91dcde8a835495e803b449505d8e43f044603ceb

SHA256
c535ac767286c96397b2033c23a487070defc6b67920c3202e2aed19d4da19e9

SHA512
659326ea2496da3f4cf02e49ffa44ff488e5417b5362dca9cea5cbde04f04616159c30da277e12462cb47b61e70d13bb2c278cd0ee320b6b69ec3ba81cedaa82

Download Submit
C:\Windows\{BB74628D-1BA5-46d6-AE0D-245E9B497907}.exe

Filesize
60KB

MD5
786977855d7ee61477bf981701fa0258

SHA1
91dcde8a835495e803b449505d8e43f044603ceb

SHA256
c535ac767286c96397b2033c23a487070defc6b67920c3202e2aed19d4da19e9

SHA512
659326ea2496da3f4cf02e49ffa44ff488e5417b5362dca9cea5cbde04f04616159c30da277e12462cb47b61e70d13bb2c278cd0ee320b6b69ec3ba81cedaa82

Download Submit
C:\Windows\{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe

Filesize
60KB

MD5
01cd0df4199e590143de5b57c69ee502

SHA1
59561481fc4fe9e59175ae2361aa1d3e7fe720fd

SHA256
2050ca2bffc3256301a0b5cb176332d9ca4e91c453adadc53c622606f1d33481

SHA512
3acf4cccf589ed4e6999314bae4dac8549f352d5cd05462be7d36c135e8419fa528eed85c3210831a52af16784b84a517d007b50481ef1c2cf7f99ea0f9e7b4b

Download Submit
C:\Windows\{BB8F82B1-0D65-45b9-B98F-3281250A450A}.exe

Filesize
60KB

MD5
01cd0df4199e590143de5b57c69ee502

SHA1
59561481fc4fe9e59175ae2361aa1d3e7fe720fd

SHA256
2050ca2bffc3256301a0b5cb176332d9ca4e91c453adadc53c622606f1d33481

SHA512
3acf4cccf589ed4e6999314bae4dac8549f352d5cd05462be7d36c135e8419fa528eed85c3210831a52af16784b84a517d007b50481ef1c2cf7f99ea0f9e7b4b

Download Submit
C:\Windows\{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe

Filesize
60KB

MD5
729876e33bfb619dd62041f4fb49bec8

SHA1
bbc8cfc5062d658191dec6504a1d2c16f9ebd1e2

SHA256
6d1a168428465dbfb8226137ec577d16f406e54f0277863509ca09be443db4e2

SHA512
e84271e75b6f332cdd9e87e9a6272509dce44fb0bcb745d811352810451b5a344faab3a19647b7fe4ddb15c196d5248ebf7d9775f5a5840a73fa653b7503722f

Download Submit
C:\Windows\{C8442C60-A11F-4d22-AD68-C68F7957C7F6}.exe

Filesize
60KB

MD5
729876e33bfb619dd62041f4fb49bec8

SHA1
bbc8cfc5062d658191dec6504a1d2c16f9ebd1e2

SHA256
6d1a168428465dbfb8226137ec577d16f406e54f0277863509ca09be443db4e2

SHA512
e84271e75b6f332cdd9e87e9a6272509dce44fb0bcb745d811352810451b5a344faab3a19647b7fe4ddb15c196d5248ebf7d9775f5a5840a73fa653b7503722f

Download Submit
C:\Windows\{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe

Filesize
60KB

MD5
243e353fed7240733f889c7182402ba9

SHA1
227436204dbcbf0eb61a30427cf77b8cd3c85756

SHA256
fd4e728358f3dc9c428a9d90d86b8d1b03583f81f5b85cb3d3ffd75d1e11dea8

SHA512
8fd9665eff13237943390444567eb171291621f3ba9bbddc33cf05ad8efaff3e3c1a41c01eead7321cdf3155e3f47f4839b07c78429aea6dd4cfc0e3a9d6eff4

Download Submit
C:\Windows\{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe

Filesize
60KB

MD5
243e353fed7240733f889c7182402ba9

SHA1
227436204dbcbf0eb61a30427cf77b8cd3c85756

SHA256
fd4e728358f3dc9c428a9d90d86b8d1b03583f81f5b85cb3d3ffd75d1e11dea8

SHA512
8fd9665eff13237943390444567eb171291621f3ba9bbddc33cf05ad8efaff3e3c1a41c01eead7321cdf3155e3f47f4839b07c78429aea6dd4cfc0e3a9d6eff4

Download Submit
C:\Windows\{F30F6A63-A1C8-4f10-8389-AD6261B78C99}.exe

Filesize
60KB

MD5
243e353fed7240733f889c7182402ba9

SHA1
227436204dbcbf0eb61a30427cf77b8cd3c85756

SHA256
fd4e728358f3dc9c428a9d90d86b8d1b03583f81f5b85cb3d3ffd75d1e11dea8

SHA512
8fd9665eff13237943390444567eb171291621f3ba9bbddc33cf05ad8efaff3e3c1a41c01eead7321cdf3155e3f47f4839b07c78429aea6dd4cfc0e3a9d6eff4

Download Submit
C:\Windows\{F6221DBE-1152-4b62-8C74-EBC9E9652964}.exe

Filesize
60KB

MD5
87736625d193b283b7e82d8b8b99a146

SHA1
f4122de385449c3bda443c075e23e77ca2ce7af9

SHA256
3cefe8a13b1ed6b4bc306681f170aacf04e58d1fc9dc77a2e1db196ee1df09ef

SHA512
4ffd9f2e44fb9e37470b3c4d4b2d78282a498ccbd34ea9e63c4577fff28d19883e98c0ed623d65470f09c0e19b7ef088dd92fe216d3d64510334d823402275d1

Download Submit
C:\Windows\{F8186127-0289-41e9-9E1E-BB47BBA0773B}.exe

Filesize
60KB

MD5
40a8edbf8eec6b452d9fc49e366e86e5

SHA1
680e39cb808b7355e5673c863bf6d39a1d948c08

SHA256
bf53d0aed2410c78f79dfcb3ff55092920a0074903bd667da49481ae2abf77c7

SHA512
1956e35243a6b0f9910c987ecfa40a77cccb412273186895bd8823ae450a768362fc506220b29d2ea09fd5a9d2b78a46335f45787f9c25ee40e77a10fd31f087

Download Submit
C:\Windows\{F8186127-0289-41e9-9E1E-BB47BBA0773B}.exe

Filesize
60KB

MD5
40a8edbf8eec6b452d9fc49e366e86e5

SHA1
680e39cb808b7355e5673c863bf6d39a1d948c08

SHA256
bf53d0aed2410c78f79dfcb3ff55092920a0074903bd667da49481ae2abf77c7

SHA512
1956e35243a6b0f9910c987ecfa40a77cccb412273186895bd8823ae450a768362fc506220b29d2ea09fd5a9d2b78a46335f45787f9c25ee40e77a10fd31f087

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads