a20aab8166d583c919b74748c38a61c82ad75f60de0b6e3e30593819722550ab

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe
Size

118KB
MD5

db07deb0b8521b511b8ac99a449b4dc0
SHA1

f64b4f8311d067cd54b523741718192cee2920e4
SHA256

a20aab8166d583c919b74748c38a61c82ad75f60de0b6e3e30593819722550ab
SHA512

2e4bba01da61670a70b388c30859624dbcba4dac6d670034421437efddbd6d76e3d392e46521bb3973f3f97bda4c7f26ff52033a6220a86bf259b2efde6797ca
SSDEEP

1536:nEGh0ozl2unMxVS3HgdoKjhLJh731xvsr:nEGh0ozlvMUyNjhLJh731xvsr

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A02BCAB-1565-4dac-A2E7-94289657D194}\stubpath = "C:\\Windows\\{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe"	{3E8E1A84-D066-44b5-940D-7024473D8094}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}	{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}\stubpath = "C:\\Windows\\{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe"	{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0DD3517-567F-4217-9365-14420673421E}	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83644C71-BA58-4a65-B205-44CB7D6995EB}\stubpath = "C:\\Windows\\{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe"	{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E8E1A84-D066-44b5-940D-7024473D8094}	{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}\stubpath = "C:\\Windows\\{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe"	{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1647B07-517C-4d6e-9F16-FBC5683D3AC6}	{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0DD3517-567F-4217-9365-14420673421E}\stubpath = "C:\\Windows\\{E0DD3517-567F-4217-9365-14420673421E}.exe"	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}	{E0DD3517-567F-4217-9365-14420673421E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83644C71-BA58-4a65-B205-44CB7D6995EB}	{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}	{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}\stubpath = "C:\\Windows\\{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe"	{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}	{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1647B07-517C-4d6e-9F16-FBC5683D3AC6}\stubpath = "C:\\Windows\\{C1647B07-517C-4d6e-9F16-FBC5683D3AC6}.exe"	{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}\stubpath = "C:\\Windows\\{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe"	{E0DD3517-567F-4217-9365-14420673421E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E8E1A84-D066-44b5-940D-7024473D8094}\stubpath = "C:\\Windows\\{3E8E1A84-D066-44b5-940D-7024473D8094}.exe"	{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A02BCAB-1565-4dac-A2E7-94289657D194}	{3E8E1A84-D066-44b5-940D-7024473D8094}.exe

Executes dropped EXE 9 IoCs

pid	Process
3872	{E0DD3517-567F-4217-9365-14420673421E}.exe
4488	{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe
3216	{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe
1408	{3E8E1A84-D066-44b5-940D-7024473D8094}.exe
4232	{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe
60	{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe
2984	{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe
1572	{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe
5088	{C1647B07-517C-4d6e-9F16-FBC5683D3AC6}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{E0DD3517-567F-4217-9365-14420673421E}.exe	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe
File created	C:\Windows\{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe	{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe
File created	C:\Windows\{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe	{3E8E1A84-D066-44b5-940D-7024473D8094}.exe
File created	C:\Windows\{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe	{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe
File created	C:\Windows\{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe	{E0DD3517-567F-4217-9365-14420673421E}.exe
File created	C:\Windows\{3E8E1A84-D066-44b5-940D-7024473D8094}.exe	{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe
File created	C:\Windows\{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe	{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe
File created	C:\Windows\{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe	{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe
File created	C:\Windows\{C1647B07-517C-4d6e-9F16-FBC5683D3AC6}.exe	{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1528	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe
Token: SeIncBasePriorityPrivilege	3872	{E0DD3517-567F-4217-9365-14420673421E}.exe
Token: SeIncBasePriorityPrivilege	4488	{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe
Token: SeIncBasePriorityPrivilege	3216	{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe
Token: SeIncBasePriorityPrivilege	1408	{3E8E1A84-D066-44b5-940D-7024473D8094}.exe
Token: SeIncBasePriorityPrivilege	4232	{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe
Token: SeIncBasePriorityPrivilege	60	{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe
Token: SeIncBasePriorityPrivilege	2984	{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe
Token: SeIncBasePriorityPrivilege	1572	{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 3872	1528	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	89
PID 1528 wrote to memory of 3872	1528	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	89
PID 1528 wrote to memory of 3872	1528	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	89
PID 1528 wrote to memory of 5064	1528	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	88
PID 1528 wrote to memory of 5064	1528	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	88
PID 1528 wrote to memory of 5064	1528	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	88
PID 3872 wrote to memory of 4488	3872	{E0DD3517-567F-4217-9365-14420673421E}.exe	98
PID 3872 wrote to memory of 4488	3872	{E0DD3517-567F-4217-9365-14420673421E}.exe	98
PID 3872 wrote to memory of 4488	3872	{E0DD3517-567F-4217-9365-14420673421E}.exe	98
PID 3872 wrote to memory of 4388	3872	{E0DD3517-567F-4217-9365-14420673421E}.exe	99
PID 3872 wrote to memory of 4388	3872	{E0DD3517-567F-4217-9365-14420673421E}.exe	99
PID 3872 wrote to memory of 4388	3872	{E0DD3517-567F-4217-9365-14420673421E}.exe	99
PID 4488 wrote to memory of 3216	4488	{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe	101
PID 4488 wrote to memory of 3216	4488	{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe	101
PID 4488 wrote to memory of 3216	4488	{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe	101
PID 4488 wrote to memory of 3808	4488	{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe	100
PID 4488 wrote to memory of 3808	4488	{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe	100
PID 4488 wrote to memory of 3808	4488	{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe	100
PID 3216 wrote to memory of 1408	3216	{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe	104
PID 3216 wrote to memory of 1408	3216	{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe	104
PID 3216 wrote to memory of 1408	3216	{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe	104
PID 3216 wrote to memory of 4212	3216	{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe	105
PID 3216 wrote to memory of 4212	3216	{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe	105
PID 3216 wrote to memory of 4212	3216	{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe	105
PID 1408 wrote to memory of 4232	1408	{3E8E1A84-D066-44b5-940D-7024473D8094}.exe	106
PID 1408 wrote to memory of 4232	1408	{3E8E1A84-D066-44b5-940D-7024473D8094}.exe	106
PID 1408 wrote to memory of 4232	1408	{3E8E1A84-D066-44b5-940D-7024473D8094}.exe	106
PID 1408 wrote to memory of 3596	1408	{3E8E1A84-D066-44b5-940D-7024473D8094}.exe	107
PID 1408 wrote to memory of 3596	1408	{3E8E1A84-D066-44b5-940D-7024473D8094}.exe	107
PID 1408 wrote to memory of 3596	1408	{3E8E1A84-D066-44b5-940D-7024473D8094}.exe	107
PID 4232 wrote to memory of 60	4232	{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe	108
PID 4232 wrote to memory of 60	4232	{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe	108
PID 4232 wrote to memory of 60	4232	{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe	108
PID 4232 wrote to memory of 1892	4232	{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe	109
PID 4232 wrote to memory of 1892	4232	{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe	109
PID 4232 wrote to memory of 1892	4232	{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe	109
PID 60 wrote to memory of 2984	60	{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe	110
PID 60 wrote to memory of 2984	60	{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe	110
PID 60 wrote to memory of 2984	60	{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe	110
PID 60 wrote to memory of 1120	60	{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe	111
PID 60 wrote to memory of 1120	60	{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe	111
PID 60 wrote to memory of 1120	60	{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe	111
PID 2984 wrote to memory of 1572	2984	{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe	112
PID 2984 wrote to memory of 1572	2984	{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe	112
PID 2984 wrote to memory of 1572	2984	{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe	112
PID 2984 wrote to memory of 2512	2984	{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe	113
PID 2984 wrote to memory of 2512	2984	{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe	113
PID 2984 wrote to memory of 2512	2984	{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe	113
PID 1572 wrote to memory of 5088	1572	{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe	114
PID 1572 wrote to memory of 5088	1572	{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe	114
PID 1572 wrote to memory of 5088	1572	{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe	114
PID 1572 wrote to memory of 2876	1572	{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe	115
PID 1572 wrote to memory of 2876	1572	{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe	115
PID 1572 wrote to memory of 2876	1572	{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe	115

C:\Users\Admin\AppData\Local\Temp\NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEASDB~1.EXE > nul
  2⤵
  PID:5064
- C:\Windows\{E0DD3517-567F-4217-9365-14420673421E}.exe
  C:\Windows\{E0DD3517-567F-4217-9365-14420673421E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe
    C:\Windows\{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{80BF9~1.EXE > nul
      4⤵
      PID:3808
  - - C:\Windows\{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe
      C:\Windows\{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3216
    - - C:\Windows\{3E8E1A84-D066-44b5-940D-7024473D8094}.exe
        
        C:\Windows\{3E8E1A84-D066-44b5-940D-7024473D8094}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Windows\{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe
        
        C:\Windows\{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe
        
        C:\Windows\{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe
        
        C:\Windows\{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe
        
        C:\Windows\{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\{C1647B07-517C-4d6e-9F16-FBC5683D3AC6}.exe
        
        C:\Windows\{C1647B07-517C-4d6e-9F16-FBC5683D3AC6}.exe
        10⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CA09~1.EXE > nul
        10⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E65BC~1.EXE > nul
        9⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0ABA6~1.EXE > nul
        8⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A02B~1.EXE > nul
        7⤵
        
        PID:1892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E8E1~1.EXE > nul
        6⤵
        
        PID:3596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83644~1.EXE > nul
        5⤵
        
        PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E0DD3~1.EXE > nul
    3⤵
    PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe

Filesize
118KB

MD5
ce4cb9ed3a6db574a06f976c12efec81

SHA1
494f5c024cc0f2e52c11792492ccb1791902fc04

SHA256
47a910aa0804c5ca81c45982e6102cc47c7c70db522e5e4793707c62c5d64f5a

SHA512
83956e9d2a123cb70bb54b0859ed9a876ff711dc13ee3f464484ae118f4c26f69ff2b2778d313cddc2539386cb3b537bef0a4893dc5f194eab24a929bedfdeeb

Download Submit
C:\Windows\{0ABA655D-6E4D-4e46-8CA7-1AA60B62CFE4}.exe

Filesize
118KB

MD5
ce4cb9ed3a6db574a06f976c12efec81

SHA1
494f5c024cc0f2e52c11792492ccb1791902fc04

SHA256
47a910aa0804c5ca81c45982e6102cc47c7c70db522e5e4793707c62c5d64f5a

SHA512
83956e9d2a123cb70bb54b0859ed9a876ff711dc13ee3f464484ae118f4c26f69ff2b2778d313cddc2539386cb3b537bef0a4893dc5f194eab24a929bedfdeeb

Download Submit
C:\Windows\{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe

Filesize
118KB

MD5
e108927525b43affe1011c5d7ea2fd9f

SHA1
1b8e178cb42376300872f95419bd6bf8d6bc4d3f

SHA256
37ba7f831ad7fab8c4bcc7925567ac1db556cbf35c32375c807c7b9e7055b801

SHA512
db3e03a6f52590267f0d700ade02039c32f3f598101a288a63d3aa7c363d22b624f7882cc02656941b70a4bcd5adc2b3f0861facc5871ee5f8307ff64d651f91

Download Submit
C:\Windows\{3CA0983E-5828-46c3-ADF4-9AC2356FE6BC}.exe

Filesize
118KB

MD5
e108927525b43affe1011c5d7ea2fd9f

SHA1
1b8e178cb42376300872f95419bd6bf8d6bc4d3f

SHA256
37ba7f831ad7fab8c4bcc7925567ac1db556cbf35c32375c807c7b9e7055b801

SHA512
db3e03a6f52590267f0d700ade02039c32f3f598101a288a63d3aa7c363d22b624f7882cc02656941b70a4bcd5adc2b3f0861facc5871ee5f8307ff64d651f91

Download Submit
C:\Windows\{3E8E1A84-D066-44b5-940D-7024473D8094}.exe

Filesize
118KB

MD5
314575f52d49ac6b721224a460134d8a

SHA1
6342906ca7f1aadde8c7c1ef8b1d6bec634fba3e

SHA256
e0fbadd3f12a693c60175c40edbf7a7b0044dadcf0c8e4c5f2f138bd9f274d03

SHA512
42c15f761cc70582417b90a0ed13b69d0f208f518109c7a91597d6850f0a05709001488755b7be174572fcf7b03d9cf1eac0039bea9e3066c423771c2a45c627

Download Submit
C:\Windows\{3E8E1A84-D066-44b5-940D-7024473D8094}.exe

Filesize
118KB

MD5
314575f52d49ac6b721224a460134d8a

SHA1
6342906ca7f1aadde8c7c1ef8b1d6bec634fba3e

SHA256
e0fbadd3f12a693c60175c40edbf7a7b0044dadcf0c8e4c5f2f138bd9f274d03

SHA512
42c15f761cc70582417b90a0ed13b69d0f208f518109c7a91597d6850f0a05709001488755b7be174572fcf7b03d9cf1eac0039bea9e3066c423771c2a45c627

Download Submit
C:\Windows\{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe

Filesize
118KB

MD5
90c037fdeacce725f79e26db97e9482f

SHA1
ac2cad79e3213828b734d87229881f6a0d920c1f

SHA256
f5fe0456fecb1305ce268fa40f211bf9fae827e77b5bbe3163353421effb3dbe

SHA512
ecd4a9fd963aed8a9ad4fcc637f2083898aca83f5e87ebc1746152f870c9703c5d4e9506855e0a82635652c75192cb1db2f0df5aace0280dbec158d4389d35ef

Download Submit
C:\Windows\{4A02BCAB-1565-4dac-A2E7-94289657D194}.exe

Filesize
118KB

MD5
90c037fdeacce725f79e26db97e9482f

SHA1
ac2cad79e3213828b734d87229881f6a0d920c1f

SHA256
f5fe0456fecb1305ce268fa40f211bf9fae827e77b5bbe3163353421effb3dbe

SHA512
ecd4a9fd963aed8a9ad4fcc637f2083898aca83f5e87ebc1746152f870c9703c5d4e9506855e0a82635652c75192cb1db2f0df5aace0280dbec158d4389d35ef

Download Submit
C:\Windows\{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe

Filesize
118KB

MD5
d6910af851c2367c27c59367c75d4ee6

SHA1
ef5e3b79631e952637cc3c5184d020007a8188b6

SHA256
df1b98a1f879a2f363547bd3e331fa4c94392687197c3e3cc54b6c36ab402bcc

SHA512
e5ad2676250b3f74bf0a88d1c1a45aa4a27c98ad464f92a8e9b0be9e7b52179070ae930c0c11ecab6f991697578a066eba8d88f81d8e77a9738e91160a067051

Download Submit
C:\Windows\{80BF95FC-3117-46a5-82CA-699D6D3E7CF7}.exe

Filesize
118KB

MD5
d6910af851c2367c27c59367c75d4ee6

SHA1
ef5e3b79631e952637cc3c5184d020007a8188b6

SHA256
df1b98a1f879a2f363547bd3e331fa4c94392687197c3e3cc54b6c36ab402bcc

SHA512
e5ad2676250b3f74bf0a88d1c1a45aa4a27c98ad464f92a8e9b0be9e7b52179070ae930c0c11ecab6f991697578a066eba8d88f81d8e77a9738e91160a067051

Download Submit
C:\Windows\{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe

Filesize
118KB

MD5
e84e324ec09dadc7e2aebba29278f4ef

SHA1
a5de3aafffcb9268702e8ac6e3cb9826f9a58f80

SHA256
eea52a028114e6d7482ff932390ae500f9cf50df68928c142082f33977699bbc

SHA512
ae09cdd32cdc3e13adad2cb784d972784eeef582599abdffeceec00036bf95bf2fc838343664d98d91a3f2e577881523981b38e8861fd171ab92d55358a84159

Download Submit
C:\Windows\{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe

Filesize
118KB

MD5
e84e324ec09dadc7e2aebba29278f4ef

SHA1
a5de3aafffcb9268702e8ac6e3cb9826f9a58f80

SHA256
eea52a028114e6d7482ff932390ae500f9cf50df68928c142082f33977699bbc

SHA512
ae09cdd32cdc3e13adad2cb784d972784eeef582599abdffeceec00036bf95bf2fc838343664d98d91a3f2e577881523981b38e8861fd171ab92d55358a84159

Download Submit
C:\Windows\{83644C71-BA58-4a65-B205-44CB7D6995EB}.exe

Filesize
118KB

MD5
e84e324ec09dadc7e2aebba29278f4ef

SHA1
a5de3aafffcb9268702e8ac6e3cb9826f9a58f80

SHA256
eea52a028114e6d7482ff932390ae500f9cf50df68928c142082f33977699bbc

SHA512
ae09cdd32cdc3e13adad2cb784d972784eeef582599abdffeceec00036bf95bf2fc838343664d98d91a3f2e577881523981b38e8861fd171ab92d55358a84159

Download Submit
C:\Windows\{C1647B07-517C-4d6e-9F16-FBC5683D3AC6}.exe

Filesize
118KB

MD5
d9daec44cf3a5c2f1b6491014e45e8cd

SHA1
9aae357255c818c39276d923eb1a80be231c5e6a

SHA256
04cd9520dca7f86f178cb41053df4b6c84794a79889d3133fa78da8c4a117134

SHA512
de1e7a674a698209e5fbf12a7dea93fda40dc42b0ea4ec5b8b506c2cf2627a2c456f5afd5224ce4ac27e1f27afcf4475a0ff2486f8b4d22a164b3a2947d44b42

Download Submit
C:\Windows\{C1647B07-517C-4d6e-9F16-FBC5683D3AC6}.exe

Filesize
118KB

MD5
d9daec44cf3a5c2f1b6491014e45e8cd

SHA1
9aae357255c818c39276d923eb1a80be231c5e6a

SHA256
04cd9520dca7f86f178cb41053df4b6c84794a79889d3133fa78da8c4a117134

SHA512
de1e7a674a698209e5fbf12a7dea93fda40dc42b0ea4ec5b8b506c2cf2627a2c456f5afd5224ce4ac27e1f27afcf4475a0ff2486f8b4d22a164b3a2947d44b42

Download Submit
C:\Windows\{E0DD3517-567F-4217-9365-14420673421E}.exe

Filesize
118KB

MD5
b2775b6749456f5139ed15b1c229b7ce

SHA1
d9aea6bb16c2bebd73130568578aedd0645b9c88

SHA256
7fd6201acc3e49a291b6de9109db5975b194c8b326736976dbc21cee12f47ce9

SHA512
c375a5c1a8cfdaf850e22e8459bc376def357a7a75a8f74aa1aafd4fd1ca330507d696c3b3d49ac5509473bc6779aad1f9224f88f4bd96ff831d3fd10847542d

Download Submit
C:\Windows\{E0DD3517-567F-4217-9365-14420673421E}.exe

Filesize
118KB

MD5
b2775b6749456f5139ed15b1c229b7ce

SHA1
d9aea6bb16c2bebd73130568578aedd0645b9c88

SHA256
7fd6201acc3e49a291b6de9109db5975b194c8b326736976dbc21cee12f47ce9

SHA512
c375a5c1a8cfdaf850e22e8459bc376def357a7a75a8f74aa1aafd4fd1ca330507d696c3b3d49ac5509473bc6779aad1f9224f88f4bd96ff831d3fd10847542d

Download Submit
C:\Windows\{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe

Filesize
118KB

MD5
a21eabd560bded4e6b44a2afc4ea43f2

SHA1
6cd6ac52c1cfea1047575798b6ee02759d44b9e1

SHA256
79f42f22b3db5558c89c56406782a7904bc1d83a3563589833abf6f3687eecfa

SHA512
7cc072345776e9ea4a83092df6ac70f1c46fd1b3bbe0dd241f91816aba43a174f8474b449c5feed9871def0348aaaabf55fb5d9af6a002abe712ca855d8e0841

Download Submit
C:\Windows\{E65BCE58-0B4D-4c7e-B519-4F0FAC86C429}.exe

Filesize
118KB

MD5
a21eabd560bded4e6b44a2afc4ea43f2

SHA1
6cd6ac52c1cfea1047575798b6ee02759d44b9e1

SHA256
79f42f22b3db5558c89c56406782a7904bc1d83a3563589833abf6f3687eecfa

SHA512
7cc072345776e9ea4a83092df6ac70f1c46fd1b3bbe0dd241f91816aba43a174f8474b449c5feed9871def0348aaaabf55fb5d9af6a002abe712ca855d8e0841

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads