608c3ccefd807e6bef2bc1451ee4729cc30980f47d5db2a50c3db0e6b7fee4a6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2023 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe
Size

90KB
MD5

bd78c8b66d6bb4a837951b8bf24f5e70
SHA1

356c2617c0f5848ad108248b0bdcaf1cb9f1eb13
SHA256

608c3ccefd807e6bef2bc1451ee4729cc30980f47d5db2a50c3db0e6b7fee4a6
SHA512

265f3f9a68f2f31999beb10ad285258f24455b614f8882acc95d8b37c2cd151b89e9be8a05da0e3a1efd37685bbd085aaef6f334fd6bf16e5cd2a83b5d298809
SSDEEP

768:Qvw9816vhKQLroi4/wQRNrfrunMxVFA3b7glw6:YEGh0oil2unMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F0DCDD3-305E-4af4-90A0-31536286962D}	{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}\stubpath = "C:\\Windows\\{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe"	{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CC146CB-D70F-4f01-A8B9-3A2494E751B4}\stubpath = "C:\\Windows\\{2CC146CB-D70F-4f01-A8B9-3A2494E751B4}.exe"	{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}	{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}\stubpath = "C:\\Windows\\{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe"	{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A943D68-DC34-494d-8B87-12C8A043C342}	{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A943D68-DC34-494d-8B87-12C8A043C342}\stubpath = "C:\\Windows\\{6A943D68-DC34-494d-8B87-12C8A043C342}.exe"	{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F0DCDD3-305E-4af4-90A0-31536286962D}\stubpath = "C:\\Windows\\{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe"	{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}	{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51FDB617-7272-4bb9-A017-A3DEDF7B9663}\stubpath = "C:\\Windows\\{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe"	{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}\stubpath = "C:\\Windows\\{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe"	{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A3B4121-D33C-4fed-A55E-34C337415D03}	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA5E9AFF-D36E-42af-A887-595904E41E87}	{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}\stubpath = "C:\\Windows\\{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe"	{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51FDB617-7272-4bb9-A017-A3DEDF7B9663}	{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA5E9AFF-D36E-42af-A887-595904E41E87}\stubpath = "C:\\Windows\\{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe"	{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}	{6A943D68-DC34-494d-8B87-12C8A043C342}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}	{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}	{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CC146CB-D70F-4f01-A8B9-3A2494E751B4}	{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A3B4121-D33C-4fed-A55E-34C337415D03}\stubpath = "C:\\Windows\\{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe"	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}\stubpath = "C:\\Windows\\{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe"	{6A943D68-DC34-494d-8B87-12C8A043C342}.exe

Executes dropped EXE 11 IoCs

pid	Process
1064	{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe
1252	{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe
4128	{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe
1852	{6A943D68-DC34-494d-8B87-12C8A043C342}.exe
1276	{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe
4976	{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe
4296	{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe
1624	{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe
2852	{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe
5064	{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe
2044	{2CC146CB-D70F-4f01-A8B9-3A2494E751B4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe
File created	C:\Windows\{6A943D68-DC34-494d-8B87-12C8A043C342}.exe	{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe
File created	C:\Windows\{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe	{6A943D68-DC34-494d-8B87-12C8A043C342}.exe
File created	C:\Windows\{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe	{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe
File created	C:\Windows\{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe	{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe
File created	C:\Windows\{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe	{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe
File created	C:\Windows\{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe	{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe
File created	C:\Windows\{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe	{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe
File created	C:\Windows\{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe	{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe
File created	C:\Windows\{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe	{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe
File created	C:\Windows\{2CC146CB-D70F-4f01-A8B9-3A2494E751B4}.exe	{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4788	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe
Token: SeIncBasePriorityPrivilege	1064	{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe
Token: SeIncBasePriorityPrivilege	1252	{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe
Token: SeIncBasePriorityPrivilege	4128	{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe
Token: SeIncBasePriorityPrivilege	1852	{6A943D68-DC34-494d-8B87-12C8A043C342}.exe
Token: SeIncBasePriorityPrivilege	1276	{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe
Token: SeIncBasePriorityPrivilege	4976	{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe
Token: SeIncBasePriorityPrivilege	4296	{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe
Token: SeIncBasePriorityPrivilege	1624	{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe
Token: SeIncBasePriorityPrivilege	2852	{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe
Token: SeIncBasePriorityPrivilege	5064	{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 1064	4788	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	87
PID 4788 wrote to memory of 1064	4788	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	87
PID 4788 wrote to memory of 1064	4788	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	87
PID 4788 wrote to memory of 3296	4788	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	88
PID 4788 wrote to memory of 3296	4788	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	88
PID 4788 wrote to memory of 3296	4788	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	88
PID 1064 wrote to memory of 1252	1064	{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe	89
PID 1064 wrote to memory of 1252	1064	{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe	89
PID 1064 wrote to memory of 1252	1064	{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe	89
PID 1064 wrote to memory of 4032	1064	{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe	90
PID 1064 wrote to memory of 4032	1064	{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe	90
PID 1064 wrote to memory of 4032	1064	{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe	90
PID 1252 wrote to memory of 4128	1252	{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe	96
PID 1252 wrote to memory of 4128	1252	{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe	96
PID 1252 wrote to memory of 4128	1252	{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe	96
PID 1252 wrote to memory of 3612	1252	{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe	97
PID 1252 wrote to memory of 3612	1252	{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe	97
PID 1252 wrote to memory of 3612	1252	{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe	97
PID 4128 wrote to memory of 1852	4128	{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe	98
PID 4128 wrote to memory of 1852	4128	{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe	98
PID 4128 wrote to memory of 1852	4128	{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe	98
PID 4128 wrote to memory of 3216	4128	{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe	99
PID 4128 wrote to memory of 3216	4128	{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe	99
PID 4128 wrote to memory of 3216	4128	{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe	99
PID 1852 wrote to memory of 1276	1852	{6A943D68-DC34-494d-8B87-12C8A043C342}.exe	100
PID 1852 wrote to memory of 1276	1852	{6A943D68-DC34-494d-8B87-12C8A043C342}.exe	100
PID 1852 wrote to memory of 1276	1852	{6A943D68-DC34-494d-8B87-12C8A043C342}.exe	100
PID 1852 wrote to memory of 1460	1852	{6A943D68-DC34-494d-8B87-12C8A043C342}.exe	101
PID 1852 wrote to memory of 1460	1852	{6A943D68-DC34-494d-8B87-12C8A043C342}.exe	101
PID 1852 wrote to memory of 1460	1852	{6A943D68-DC34-494d-8B87-12C8A043C342}.exe	101
PID 1276 wrote to memory of 4976	1276	{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe	102
PID 1276 wrote to memory of 4976	1276	{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe	102
PID 1276 wrote to memory of 4976	1276	{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe	102
PID 1276 wrote to memory of 4944	1276	{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe	103
PID 1276 wrote to memory of 4944	1276	{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe	103
PID 1276 wrote to memory of 4944	1276	{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe	103
PID 4976 wrote to memory of 4296	4976	{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe	104
PID 4976 wrote to memory of 4296	4976	{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe	104
PID 4976 wrote to memory of 4296	4976	{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe	104
PID 4976 wrote to memory of 2240	4976	{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe	105
PID 4976 wrote to memory of 2240	4976	{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe	105
PID 4976 wrote to memory of 2240	4976	{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe	105
PID 4296 wrote to memory of 1624	4296	{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe	109
PID 4296 wrote to memory of 1624	4296	{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe	109
PID 4296 wrote to memory of 1624	4296	{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe	109
PID 4296 wrote to memory of 4360	4296	{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe	110
PID 4296 wrote to memory of 4360	4296	{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe	110
PID 4296 wrote to memory of 4360	4296	{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe	110
PID 1624 wrote to memory of 2852	1624	{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe	111
PID 1624 wrote to memory of 2852	1624	{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe	111
PID 1624 wrote to memory of 2852	1624	{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe	111
PID 1624 wrote to memory of 4764	1624	{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe	112
PID 1624 wrote to memory of 4764	1624	{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe	112
PID 1624 wrote to memory of 4764	1624	{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe	112
PID 2852 wrote to memory of 5064	2852	{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe	113
PID 2852 wrote to memory of 5064	2852	{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe	113
PID 2852 wrote to memory of 5064	2852	{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe	113
PID 2852 wrote to memory of 4788	2852	{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe	114
PID 2852 wrote to memory of 4788	2852	{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe	114
PID 2852 wrote to memory of 4788	2852	{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe	114
PID 5064 wrote to memory of 2044	5064	{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe	115
PID 5064 wrote to memory of 2044	5064	{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe	115
PID 5064 wrote to memory of 2044	5064	{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe	115
PID 5064 wrote to memory of 2212	5064	{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe	116

C:\Users\Admin\AppData\Local\Temp\NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe
  C:\Windows\{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe
    C:\Windows\{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe
      C:\Windows\{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4128
    - - C:\Windows\{6A943D68-DC34-494d-8B87-12C8A043C342}.exe
        
        C:\Windows\{6A943D68-DC34-494d-8B87-12C8A043C342}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Windows\{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe
        
        C:\Windows\{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe
        
        C:\Windows\{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe
        
        C:\Windows\{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe
        
        C:\Windows\{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe
        
        C:\Windows\{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe
        
        C:\Windows\{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\{2CC146CB-D70F-4f01-A8B9-3A2494E751B4}.exe
        
        C:\Windows\{2CC146CB-D70F-4f01-A8B9-3A2494E751B4}.exe
        12⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CC14~1.EXE > nul
        13⤵
        
        PID:4316
        
        C:\Windows\{2A60FC23-EBE3-44e3-AF18-ECF6ADE8434C}.exe
        
        C:\Windows\{2A60FC23-EBE3-44e3-AF18-ECF6ADE8434C}.exe
        13⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DC01~1.EXE > nul
        12⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51FDB~1.EXE > nul
        11⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AAA1~1.EXE > nul
        10⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EEF9~1.EXE > nul
        9⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F0DC~1.EXE > nul
        8⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5343E~1.EXE > nul
        7⤵
        
        PID:4944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A943~1.EXE > nul
        6⤵
        
        PID:1460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CB21~1.EXE > nul
        5⤵
        
        PID:3216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BA5E9~1.EXE > nul
      4⤵
      PID:3612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2A3B4~1.EXE > nul
    3⤵
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEASBD~1.EXE > nul
  2⤵
  PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe

Filesize
90KB

MD5
a6b55a919a2e1f29f3bcb6f1c3783fdd

SHA1
d9dccb34434bbda85854f1ff9e8156fb6e62ef59

SHA256
30c0e62ba75865c0366157a53b9cb90b71db2f09233adb47535f866c1be6a528

SHA512
2def78e2c8427592674a459b695f85cd1f8546249fa219719ddddd4ca90e5c40ba03fdc961bf6aa77d158020919dd036af3007ed0dcbd1c4e279de949bb9ea8f

Download Submit
C:\Windows\{1EEF90D4-AB82-48a8-9AAC-B6B9E8AF29FA}.exe

Filesize
90KB

MD5
a6b55a919a2e1f29f3bcb6f1c3783fdd

SHA1
d9dccb34434bbda85854f1ff9e8156fb6e62ef59

SHA256
30c0e62ba75865c0366157a53b9cb90b71db2f09233adb47535f866c1be6a528

SHA512
2def78e2c8427592674a459b695f85cd1f8546249fa219719ddddd4ca90e5c40ba03fdc961bf6aa77d158020919dd036af3007ed0dcbd1c4e279de949bb9ea8f

Download Submit
C:\Windows\{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe

Filesize
90KB

MD5
5fec30fd35e7d8fda88e29f68047f7f0

SHA1
60a57897726bd18953de733d99cba20d07d2024b

SHA256
a63af49721bf1a87cbfca331604d91f3d0cd27403f2923733a9c517e058217bf

SHA512
2be4cefd32d73521ea164153b267d3a0a3770328ab6ee9b9cb1220727125a34ddb1cd3a9d5c7a3ba864c45ac3a5ccfd024902725e81a7cecd4ad58b4054ec1ae

Download Submit
C:\Windows\{2A3B4121-D33C-4fed-A55E-34C337415D03}.exe

Filesize
90KB

MD5
5fec30fd35e7d8fda88e29f68047f7f0

SHA1
60a57897726bd18953de733d99cba20d07d2024b

SHA256
a63af49721bf1a87cbfca331604d91f3d0cd27403f2923733a9c517e058217bf

SHA512
2be4cefd32d73521ea164153b267d3a0a3770328ab6ee9b9cb1220727125a34ddb1cd3a9d5c7a3ba864c45ac3a5ccfd024902725e81a7cecd4ad58b4054ec1ae

Download Submit
C:\Windows\{2A60FC23-EBE3-44e3-AF18-ECF6ADE8434C}.exe

Filesize
64KB

MD5
3437186485202b0ad7c41cc46e52014a

SHA1
3920706f0b2f9da8838cb73fad23ff31936eb6d1

SHA256
f69198a7f3312ea89618560d257d8f23424ec9914a05a327f879af142bd85ef5

SHA512
6de03c930d8d30bf94f03fb8802d7623cc792188ca92ed23e00d7068157932f101c04dfec21bd4a75fa3477ae170a488cb61f6de5623d491855abea2e768a117

Download Submit
C:\Windows\{2A60FC23-EBE3-44e3-AF18-ECF6ADE8434C}.exe

Filesize
90KB

MD5
84377dc17e1c6722afbaeda25ae2c67c

SHA1
cebc0b64b77729688e17fcde0c82ba2d07e58bf1

SHA256
d35df8022920b53fffa897a6b84f177ad48b100332d9daa375a96983f6ba1efa

SHA512
a4a6f034e78e600eabe2a04686876ec9a9bba7dcded1477510702dd3adad675ac59c7c5513565b94c4db008d23fdd8f0b3fad00888a806865cce9def207e9063

Download Submit
C:\Windows\{2CC146CB-D70F-4f01-A8B9-3A2494E751B4}.exe

Filesize
90KB

MD5
5627979920a398fffc5e9558bdd1cb7a

SHA1
6c734580777997ac4b2d33aef908e0a7bdf99ca6

SHA256
8e6fd29a497908cd56244097b9e2ba217d11c239242098f212f2a3f2d49492a5

SHA512
ffc463205d146835db2f731f06e8bf1f23e867de4a9e1002f291c7a572cf684cc48e362c364cb1a99c9344c2a5e1a477ca0fedd27476ec8707b797f4341c85b1

Download Submit
C:\Windows\{2CC146CB-D70F-4f01-A8B9-3A2494E751B4}.exe

Filesize
90KB

MD5
5627979920a398fffc5e9558bdd1cb7a

SHA1
6c734580777997ac4b2d33aef908e0a7bdf99ca6

SHA256
8e6fd29a497908cd56244097b9e2ba217d11c239242098f212f2a3f2d49492a5

SHA512
ffc463205d146835db2f731f06e8bf1f23e867de4a9e1002f291c7a572cf684cc48e362c364cb1a99c9344c2a5e1a477ca0fedd27476ec8707b797f4341c85b1

Download Submit
C:\Windows\{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe

Filesize
90KB

MD5
d792e0ec914ad9dd6b848b4d6ca04540

SHA1
b9ff23e990f6b5fbfe1de921e0b9971b45d0af31

SHA256
e5caae6a2f61c9860ce218d4e04e6d54f54031a7cee0e6eb30484303a1d5271a

SHA512
118655c5bbf84cec1da670c3c75b03eb31276c597f333b160ab3a1e9c3373dab9563696cf354ede15304da42b3a2fe85e98f3ea45be88ac58d7e6ce3d519a011

Download Submit
C:\Windows\{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe

Filesize
90KB

MD5
d792e0ec914ad9dd6b848b4d6ca04540

SHA1
b9ff23e990f6b5fbfe1de921e0b9971b45d0af31

SHA256
e5caae6a2f61c9860ce218d4e04e6d54f54031a7cee0e6eb30484303a1d5271a

SHA512
118655c5bbf84cec1da670c3c75b03eb31276c597f333b160ab3a1e9c3373dab9563696cf354ede15304da42b3a2fe85e98f3ea45be88ac58d7e6ce3d519a011

Download Submit
C:\Windows\{3CB21567-DD38-4a1b-B29B-CEE8DD0BAEA5}.exe

Filesize
90KB

MD5
d792e0ec914ad9dd6b848b4d6ca04540

SHA1
b9ff23e990f6b5fbfe1de921e0b9971b45d0af31

SHA256
e5caae6a2f61c9860ce218d4e04e6d54f54031a7cee0e6eb30484303a1d5271a

SHA512
118655c5bbf84cec1da670c3c75b03eb31276c597f333b160ab3a1e9c3373dab9563696cf354ede15304da42b3a2fe85e98f3ea45be88ac58d7e6ce3d519a011

Download Submit
C:\Windows\{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe

Filesize
90KB

MD5
ae07b06ff73bde9ab5d675071545b0fe

SHA1
1068a2b0f8034a7689b345cd8c8273f49f1051db

SHA256
e34db09ab7a3c5744d378f4b92cec9e26283daa7f4d0fb6b2354ad5b0b3f9a3d

SHA512
5a4d61bb3ef7348e4c075a02e132011c052a33015100e25c6896597ae14b40a86ebabaa342cee0fdbb69e7d5f25cfff1d6197c01dc15e287b3d197168f01e4cb

Download Submit
C:\Windows\{4AAA1346-293A-4259-9D5A-C6EF5B0F6765}.exe

Filesize
90KB

MD5
ae07b06ff73bde9ab5d675071545b0fe

SHA1
1068a2b0f8034a7689b345cd8c8273f49f1051db

SHA256
e34db09ab7a3c5744d378f4b92cec9e26283daa7f4d0fb6b2354ad5b0b3f9a3d

SHA512
5a4d61bb3ef7348e4c075a02e132011c052a33015100e25c6896597ae14b40a86ebabaa342cee0fdbb69e7d5f25cfff1d6197c01dc15e287b3d197168f01e4cb

Download Submit
C:\Windows\{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe

Filesize
90KB

MD5
4824e3eae5348b0cafd9047b00497054

SHA1
0d5bd57d50265598b15bad4190530e10165d9c90

SHA256
f3eeb18ef26c5004495f11841e1c60f8b64a1f1388f63a3c3a83be754e24be60

SHA512
bf9846ef7d0690bee426169fd1170660f1f41e17bf8ff021b51ff7ceeb9096c42bcaac1e401b89c5ca7f9a4695b9b76467ac145c17506acb465ac0942fc2a6b6

Download Submit
C:\Windows\{51FDB617-7272-4bb9-A017-A3DEDF7B9663}.exe

Filesize
90KB

MD5
4824e3eae5348b0cafd9047b00497054

SHA1
0d5bd57d50265598b15bad4190530e10165d9c90

SHA256
f3eeb18ef26c5004495f11841e1c60f8b64a1f1388f63a3c3a83be754e24be60

SHA512
bf9846ef7d0690bee426169fd1170660f1f41e17bf8ff021b51ff7ceeb9096c42bcaac1e401b89c5ca7f9a4695b9b76467ac145c17506acb465ac0942fc2a6b6

Download Submit
C:\Windows\{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe

Filesize
90KB

MD5
6aee38518ded6e4209faacfa29463d9a

SHA1
7dd0b6d0b154ca50733d43cf2076f2b5cc744952

SHA256
616d8ca97bcec0c521ea6968c81926adba875be6237833c02885ccc262681324

SHA512
c9b915a59e41dddcd5e8145f021c862fb2c9152baeab0764514fbca5017efd16e1bd40f6e01850c35175df3b6423c5a22f48c718c0989d433f91f9ed93b5f802

Download Submit
C:\Windows\{5343E120-9BC2-4fc5-9A2F-DEBFD1623B50}.exe

Filesize
90KB

MD5
6aee38518ded6e4209faacfa29463d9a

SHA1
7dd0b6d0b154ca50733d43cf2076f2b5cc744952

SHA256
616d8ca97bcec0c521ea6968c81926adba875be6237833c02885ccc262681324

SHA512
c9b915a59e41dddcd5e8145f021c862fb2c9152baeab0764514fbca5017efd16e1bd40f6e01850c35175df3b6423c5a22f48c718c0989d433f91f9ed93b5f802

Download Submit
C:\Windows\{6A943D68-DC34-494d-8B87-12C8A043C342}.exe

Filesize
90KB

MD5
58bff77651f6ba149e7b9c49487fdfb4

SHA1
68a09e8c9235784cf210a794d52345567460dbad

SHA256
8272a504d6201eb5467f732b0468775991cd6decffd1b3d17ecebe10bdcc8100

SHA512
6306ce21b457fbda8e4be00322604eff6b8c16c3f4227498af8e350bc85c656a87ef41534f29bd21f6cca2dd8d3a241b9b952942ecb52f2e4988185330d67200

Download Submit
C:\Windows\{6A943D68-DC34-494d-8B87-12C8A043C342}.exe

Filesize
90KB

MD5
58bff77651f6ba149e7b9c49487fdfb4

SHA1
68a09e8c9235784cf210a794d52345567460dbad

SHA256
8272a504d6201eb5467f732b0468775991cd6decffd1b3d17ecebe10bdcc8100

SHA512
6306ce21b457fbda8e4be00322604eff6b8c16c3f4227498af8e350bc85c656a87ef41534f29bd21f6cca2dd8d3a241b9b952942ecb52f2e4988185330d67200

Download Submit
C:\Windows\{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe

Filesize
90KB

MD5
560710bf0e6848008356477681182f21

SHA1
ff1d03005f60a8dc3ac6201644f7287ec3c05fb6

SHA256
0f74a7953e76c1b539840163e5a37e45d7fb08d3ebcd4cb878b773ffb71e9d41

SHA512
d38dfca615c87d250d365fdd6e5d37cca967f3d100b1ea3f1145d8486e305fcbcfb27f05b0bb79359facbb97c17abcee6daa983aed048322cecfd61fad00c4be

Download Submit
C:\Windows\{8DC01AF2-D1A4-445f-A2FD-EBABF379A802}.exe

Filesize
90KB

MD5
560710bf0e6848008356477681182f21

SHA1
ff1d03005f60a8dc3ac6201644f7287ec3c05fb6

SHA256
0f74a7953e76c1b539840163e5a37e45d7fb08d3ebcd4cb878b773ffb71e9d41

SHA512
d38dfca615c87d250d365fdd6e5d37cca967f3d100b1ea3f1145d8486e305fcbcfb27f05b0bb79359facbb97c17abcee6daa983aed048322cecfd61fad00c4be

Download Submit
C:\Windows\{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe

Filesize
90KB

MD5
7c96ec1e771da7843707654c34285b6f

SHA1
f3eab55a57318b631da21dc666914e13b1228654

SHA256
e668214142a9b7f57f9b26e45e7dbf67d894c06953c96c2c000ec81741ec3582

SHA512
8722548a6e15880a5adacc7e32cc9c4bca32732def1680b9eae51e4e06e82823bae3cf285cad0d368f4b902108157afad858e36e1ae985dd2c29f66c4c366240

Download Submit
C:\Windows\{8F0DCDD3-305E-4af4-90A0-31536286962D}.exe

Filesize
90KB

MD5
7c96ec1e771da7843707654c34285b6f

SHA1
f3eab55a57318b631da21dc666914e13b1228654

SHA256
e668214142a9b7f57f9b26e45e7dbf67d894c06953c96c2c000ec81741ec3582

SHA512
8722548a6e15880a5adacc7e32cc9c4bca32732def1680b9eae51e4e06e82823bae3cf285cad0d368f4b902108157afad858e36e1ae985dd2c29f66c4c366240

Download Submit
C:\Windows\{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe

Filesize
90KB

MD5
30d0cbbdc6faa40c6de3678f366266d5

SHA1
b8180e893c579fb199481246cac1ad9c82b84544

SHA256
1b946cb3d3360b59e11a101e1e1cde3a03a969297d423bdfa301f0da5fdd8b1c

SHA512
21118fe8806bd56ce78295701bc39bc8dbdc2ab40ef2b3f7b511be39756fab0ad59fd3db858b93b3a6d967a5a1ccfe9197cb9b3d2fd110b66f814132c3bd53e3

Download Submit
C:\Windows\{BA5E9AFF-D36E-42af-A887-595904E41E87}.exe

Filesize
90KB

MD5
30d0cbbdc6faa40c6de3678f366266d5

SHA1
b8180e893c579fb199481246cac1ad9c82b84544

SHA256
1b946cb3d3360b59e11a101e1e1cde3a03a969297d423bdfa301f0da5fdd8b1c

SHA512
21118fe8806bd56ce78295701bc39bc8dbdc2ab40ef2b3f7b511be39756fab0ad59fd3db858b93b3a6d967a5a1ccfe9197cb9b3d2fd110b66f814132c3bd53e3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads