982664a3dd55057e953ec1937127e01e7aa0ea64170e75fa4153f05df96aa4d3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 18:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d613fdd7145e91f1009eb9de4d8f6f00_JC.exe
Size

380KB
MD5

d613fdd7145e91f1009eb9de4d8f6f00
SHA1

df4f73db196ddb44bef97b2b0d3067417d0afedd
SHA256

982664a3dd55057e953ec1937127e01e7aa0ea64170e75fa4153f05df96aa4d3
SHA512

e9bf4a9e7df563f180ad4091671a2b36a52d3d8d61069e228e0f34a575f472f3c52339b3071278addfa70a2f2a8c107c19ea3c362bb9e0d162b121817ae2a019
SSDEEP

3072:mEGh0onlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGll7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}	{C1681F77-8A2D-452b-A65B-940808382B47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}\stubpath = "C:\\Windows\\{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe"	{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{505533D6-9C60-4e47-852E-6A371ECA7527}	NEAS.d613fdd7145e91f1009eb9de4d8f6f00_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}\stubpath = "C:\\Windows\\{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe"	{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}\stubpath = "C:\\Windows\\{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe"	{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5362A9E4-276C-4499-B10F-6EDB3EC48201}	{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B60A39BA-EB5A-4bc2-8276-4A37701DB516}\stubpath = "C:\\Windows\\{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe"	{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{707D96AC-CAD7-46ca-B2BE-2CB8D0E24252}	{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95E21A72-4A99-4cfe-AF22-37340ECE481F}	{707D96AC-CAD7-46ca-B2BE-2CB8D0E24252}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95E21A72-4A99-4cfe-AF22-37340ECE481F}\stubpath = "C:\\Windows\\{95E21A72-4A99-4cfe-AF22-37340ECE481F}.exe"	{707D96AC-CAD7-46ca-B2BE-2CB8D0E24252}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36AEB395-ACF1-4f6d-882B-EFA546D5114E}	{505533D6-9C60-4e47-852E-6A371ECA7527}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36AEB395-ACF1-4f6d-882B-EFA546D5114E}\stubpath = "C:\\Windows\\{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe"	{505533D6-9C60-4e47-852E-6A371ECA7527}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}	{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3479F1FD-1A60-4c7c-834E-1343BE8A526B}	{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3479F1FD-1A60-4c7c-834E-1343BE8A526B}\stubpath = "C:\\Windows\\{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe"	{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}	{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B60A39BA-EB5A-4bc2-8276-4A37701DB516}	{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{505533D6-9C60-4e47-852E-6A371ECA7527}\stubpath = "C:\\Windows\\{505533D6-9C60-4e47-852E-6A371ECA7527}.exe"	NEAS.d613fdd7145e91f1009eb9de4d8f6f00_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1681F77-8A2D-452b-A65B-940808382B47}	{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}\stubpath = "C:\\Windows\\{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe"	{C1681F77-8A2D-452b-A65B-940808382B47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{707D96AC-CAD7-46ca-B2BE-2CB8D0E24252}\stubpath = "C:\\Windows\\{707D96AC-CAD7-46ca-B2BE-2CB8D0E24252}.exe"	{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}	{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1681F77-8A2D-452b-A65B-940808382B47}\stubpath = "C:\\Windows\\{C1681F77-8A2D-452b-A65B-940808382B47}.exe"	{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5362A9E4-276C-4499-B10F-6EDB3EC48201}\stubpath = "C:\\Windows\\{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe"	{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe

Executes dropped EXE 12 IoCs

pid	Process
2232	{505533D6-9C60-4e47-852E-6A371ECA7527}.exe
1592	{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe
468	{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe
3004	{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe
4276	{C1681F77-8A2D-452b-A65B-940808382B47}.exe
4684	{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe
3364	{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe
4476	{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe
4736	{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe
2344	{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe
4432	{707D96AC-CAD7-46ca-B2BE-2CB8D0E24252}.exe
1824	{95E21A72-4A99-4cfe-AF22-37340ECE481F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe	{C1681F77-8A2D-452b-A65B-940808382B47}.exe
File created	C:\Windows\{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe	{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe
File created	C:\Windows\{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe	{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe
File created	C:\Windows\{707D96AC-CAD7-46ca-B2BE-2CB8D0E24252}.exe	{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe
File created	C:\Windows\{95E21A72-4A99-4cfe-AF22-37340ECE481F}.exe	{707D96AC-CAD7-46ca-B2BE-2CB8D0E24252}.exe
File created	C:\Windows\{505533D6-9C60-4e47-852E-6A371ECA7527}.exe	NEAS.d613fdd7145e91f1009eb9de4d8f6f00_JC.exe
File created	C:\Windows\{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe	{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe
File created	C:\Windows\{C1681F77-8A2D-452b-A65B-940808382B47}.exe	{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe
File created	C:\Windows\{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe	{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe
File created	C:\Windows\{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe	{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe
File created	C:\Windows\{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe	{505533D6-9C60-4e47-852E-6A371ECA7527}.exe
File created	C:\Windows\{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe	{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1204	NEAS.d613fdd7145e91f1009eb9de4d8f6f00_JC.exe
Token: SeIncBasePriorityPrivilege	2232	{505533D6-9C60-4e47-852E-6A371ECA7527}.exe
Token: SeIncBasePriorityPrivilege	1592	{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe
Token: SeIncBasePriorityPrivilege	468	{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe
Token: SeIncBasePriorityPrivilege	3004	{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe
Token: SeIncBasePriorityPrivilege	4276	{C1681F77-8A2D-452b-A65B-940808382B47}.exe
Token: SeIncBasePriorityPrivilege	4684	{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe
Token: SeIncBasePriorityPrivilege	3364	{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe
Token: SeIncBasePriorityPrivilege	4476	{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe
Token: SeIncBasePriorityPrivilege	4736	{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe
Token: SeIncBasePriorityPrivilege	2344	{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe
Token: SeIncBasePriorityPrivilege	4432	{707D96AC-CAD7-46ca-B2BE-2CB8D0E24252}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2232	1204	NEAS.d613fdd7145e91f1009eb9de4d8f6f00_JC.exe	89
PID 1204 wrote to memory of 2232	1204	NEAS.d613fdd7145e91f1009eb9de4d8f6f00_JC.exe	89
PID 1204 wrote to memory of 2232	1204	NEAS.d613fdd7145e91f1009eb9de4d8f6f00_JC.exe	89
PID 1204 wrote to memory of 2632	1204	NEAS.d613fdd7145e91f1009eb9de4d8f6f00_JC.exe	90
PID 1204 wrote to memory of 2632	1204	NEAS.d613fdd7145e91f1009eb9de4d8f6f00_JC.exe	90
PID 1204 wrote to memory of 2632	1204	NEAS.d613fdd7145e91f1009eb9de4d8f6f00_JC.exe	90
PID 2232 wrote to memory of 1592	2232	{505533D6-9C60-4e47-852E-6A371ECA7527}.exe	91
PID 2232 wrote to memory of 1592	2232	{505533D6-9C60-4e47-852E-6A371ECA7527}.exe	91
PID 2232 wrote to memory of 1592	2232	{505533D6-9C60-4e47-852E-6A371ECA7527}.exe	91
PID 2232 wrote to memory of 1664	2232	{505533D6-9C60-4e47-852E-6A371ECA7527}.exe	92
PID 2232 wrote to memory of 1664	2232	{505533D6-9C60-4e47-852E-6A371ECA7527}.exe	92
PID 2232 wrote to memory of 1664	2232	{505533D6-9C60-4e47-852E-6A371ECA7527}.exe	92
PID 1592 wrote to memory of 468	1592	{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe	96
PID 1592 wrote to memory of 468	1592	{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe	96
PID 1592 wrote to memory of 468	1592	{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe	96
PID 1592 wrote to memory of 4568	1592	{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe	97
PID 1592 wrote to memory of 4568	1592	{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe	97
PID 1592 wrote to memory of 4568	1592	{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe	97
PID 468 wrote to memory of 3004	468	{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe	98
PID 468 wrote to memory of 3004	468	{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe	98
PID 468 wrote to memory of 3004	468	{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe	98
PID 468 wrote to memory of 4068	468	{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe	99
PID 468 wrote to memory of 4068	468	{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe	99
PID 468 wrote to memory of 4068	468	{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe	99
PID 3004 wrote to memory of 4276	3004	{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe	100
PID 3004 wrote to memory of 4276	3004	{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe	100
PID 3004 wrote to memory of 4276	3004	{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe	100
PID 3004 wrote to memory of 1624	3004	{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe	101
PID 3004 wrote to memory of 1624	3004	{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe	101
PID 3004 wrote to memory of 1624	3004	{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe	101
PID 4276 wrote to memory of 4684	4276	{C1681F77-8A2D-452b-A65B-940808382B47}.exe	102
PID 4276 wrote to memory of 4684	4276	{C1681F77-8A2D-452b-A65B-940808382B47}.exe	102
PID 4276 wrote to memory of 4684	4276	{C1681F77-8A2D-452b-A65B-940808382B47}.exe	102
PID 4276 wrote to memory of 3420	4276	{C1681F77-8A2D-452b-A65B-940808382B47}.exe	103
PID 4276 wrote to memory of 3420	4276	{C1681F77-8A2D-452b-A65B-940808382B47}.exe	103
PID 4276 wrote to memory of 3420	4276	{C1681F77-8A2D-452b-A65B-940808382B47}.exe	103
PID 4684 wrote to memory of 3364	4684	{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe	104
PID 4684 wrote to memory of 3364	4684	{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe	104
PID 4684 wrote to memory of 3364	4684	{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe	104
PID 4684 wrote to memory of 3972	4684	{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe	105
PID 4684 wrote to memory of 3972	4684	{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe	105
PID 4684 wrote to memory of 3972	4684	{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe	105
PID 3364 wrote to memory of 4476	3364	{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe	106
PID 3364 wrote to memory of 4476	3364	{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe	106
PID 3364 wrote to memory of 4476	3364	{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe	106
PID 3364 wrote to memory of 452	3364	{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe	107
PID 3364 wrote to memory of 452	3364	{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe	107
PID 3364 wrote to memory of 452	3364	{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe	107
PID 4476 wrote to memory of 4736	4476	{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe	108
PID 4476 wrote to memory of 4736	4476	{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe	108
PID 4476 wrote to memory of 4736	4476	{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe	108
PID 4476 wrote to memory of 4572	4476	{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe	109
PID 4476 wrote to memory of 4572	4476	{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe	109
PID 4476 wrote to memory of 4572	4476	{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe	109
PID 4736 wrote to memory of 2344	4736	{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe	110
PID 4736 wrote to memory of 2344	4736	{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe	110
PID 4736 wrote to memory of 2344	4736	{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe	110
PID 4736 wrote to memory of 2168	4736	{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe	111
PID 4736 wrote to memory of 2168	4736	{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe	111
PID 4736 wrote to memory of 2168	4736	{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe	111
PID 2344 wrote to memory of 4432	2344	{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe	112
PID 2344 wrote to memory of 4432	2344	{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe	112
PID 2344 wrote to memory of 4432	2344	{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe	112
PID 2344 wrote to memory of 3092	2344	{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe	113

C:\Users\Admin\AppData\Local\Temp\NEAS.d613fdd7145e91f1009eb9de4d8f6f00_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d613fdd7145e91f1009eb9de4d8f6f00_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\{505533D6-9C60-4e47-852E-6A371ECA7527}.exe
  C:\Windows\{505533D6-9C60-4e47-852E-6A371ECA7527}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe
    C:\Windows\{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe
      C:\Windows\{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:468
    - - C:\Windows\{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe
        
        C:\Windows\{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\{C1681F77-8A2D-452b-A65B-940808382B47}.exe
        
        C:\Windows\{C1681F77-8A2D-452b-A65B-940808382B47}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe
        
        C:\Windows\{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe
        
        C:\Windows\{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe
        
        C:\Windows\{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe
        
        C:\Windows\{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe
        
        C:\Windows\{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{707D96AC-CAD7-46ca-B2BE-2CB8D0E24252}.exe
        
        C:\Windows\{707D96AC-CAD7-46ca-B2BE-2CB8D0E24252}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\Windows\{95E21A72-4A99-4cfe-AF22-37340ECE481F}.exe
        
        C:\Windows\{95E21A72-4A99-4cfe-AF22-37340ECE481F}.exe
        13⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{707D9~1.EXE > nul
        13⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B60A3~1.EXE > nul
        12⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5362A~1.EXE > nul
        11⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82E5A~1.EXE > nul
        10⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3479F~1.EXE > nul
        9⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB4EC~1.EXE > nul
        8⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1681~1.EXE > nul
        7⤵
        
        PID:3420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A0E0~1.EXE > nul
        6⤵
        
        PID:1624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16BAB~1.EXE > nul
        5⤵
        
        PID:4068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{36AEB~1.EXE > nul
      4⤵
      PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{50553~1.EXE > nul
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEASD6~1.EXE > nul
  2⤵
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe

Filesize
380KB

MD5
37c3233a5f60bd4ae5cb1cf565f2acab

SHA1
0de240297b4c85af1fc045bc468b1c4ddf9f60dd

SHA256
87b7d718ed881612b7f3a77abd0e9634167654259e19a1323b6015f7d7b04ac7

SHA512
089875bd719fdb9951ce9ee51ed9082e3cd66b54239e657aad3dd44c41dc36b59955a498cc47eb99ab742037f29878e147959b948ef47e5d7be9adb6e800befc

Download Submit
C:\Windows\{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe

Filesize
380KB

MD5
37c3233a5f60bd4ae5cb1cf565f2acab

SHA1
0de240297b4c85af1fc045bc468b1c4ddf9f60dd

SHA256
87b7d718ed881612b7f3a77abd0e9634167654259e19a1323b6015f7d7b04ac7

SHA512
089875bd719fdb9951ce9ee51ed9082e3cd66b54239e657aad3dd44c41dc36b59955a498cc47eb99ab742037f29878e147959b948ef47e5d7be9adb6e800befc

Download Submit
C:\Windows\{16BAB9A4-711E-43dd-8428-DDF0DEFC3436}.exe

Filesize
380KB

MD5
37c3233a5f60bd4ae5cb1cf565f2acab

SHA1
0de240297b4c85af1fc045bc468b1c4ddf9f60dd

SHA256
87b7d718ed881612b7f3a77abd0e9634167654259e19a1323b6015f7d7b04ac7

SHA512
089875bd719fdb9951ce9ee51ed9082e3cd66b54239e657aad3dd44c41dc36b59955a498cc47eb99ab742037f29878e147959b948ef47e5d7be9adb6e800befc

Download Submit
C:\Windows\{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe

Filesize
380KB

MD5
635276302b74fff4c37c30e7a3d537ec

SHA1
89a864908b02b6d987b6ee7f61f7679862972a3d

SHA256
5414a0d966205db13c1725f74ca1662c37f53ff1a6f5c81d66b9cdb2d58d8b8c

SHA512
b4177603e591fab81dcc64b34259c8742977c9dfe95bd6b7e87678f3d82a7c89d7258ff2c0e3a8fe2c5ae12bd97f0ee2231b531ad62b10b9af7fd914f0a14723

Download Submit
C:\Windows\{3479F1FD-1A60-4c7c-834E-1343BE8A526B}.exe

Filesize
380KB

MD5
635276302b74fff4c37c30e7a3d537ec

SHA1
89a864908b02b6d987b6ee7f61f7679862972a3d

SHA256
5414a0d966205db13c1725f74ca1662c37f53ff1a6f5c81d66b9cdb2d58d8b8c

SHA512
b4177603e591fab81dcc64b34259c8742977c9dfe95bd6b7e87678f3d82a7c89d7258ff2c0e3a8fe2c5ae12bd97f0ee2231b531ad62b10b9af7fd914f0a14723

Download Submit
C:\Windows\{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe

Filesize
380KB

MD5
de87a5acaf55877776a80257381febfe

SHA1
72f7fb889602a58cbfebd53ff4b75bb23e96793e

SHA256
7a9787cc500c582b7ac5c26220a5a981cf730958e159a675055d87d26b3e7d7d

SHA512
e6d05ca221191cab2f1ea4d01770080f6f65b4785a5cb28357753010bdc78963d4591beb035a06af89fe59cfb607a4ef03039d1222b9a907c7ff62ce4e58114c

Download Submit
C:\Windows\{36AEB395-ACF1-4f6d-882B-EFA546D5114E}.exe

Filesize
380KB

MD5
de87a5acaf55877776a80257381febfe

SHA1
72f7fb889602a58cbfebd53ff4b75bb23e96793e

SHA256
7a9787cc500c582b7ac5c26220a5a981cf730958e159a675055d87d26b3e7d7d

SHA512
e6d05ca221191cab2f1ea4d01770080f6f65b4785a5cb28357753010bdc78963d4591beb035a06af89fe59cfb607a4ef03039d1222b9a907c7ff62ce4e58114c

Download Submit
C:\Windows\{505533D6-9C60-4e47-852E-6A371ECA7527}.exe

Filesize
380KB

MD5
4c41a0b68c6b0ed145195d5e78c3c92f

SHA1
90f0702474d992c0b4a1f2116ce545ae8794d826

SHA256
a1380a04a5d47c2e6f61d00030750edb6a8292c35071651034e2fc2c2aa4874d

SHA512
6354142afab5b7bdfe12e03715657fe2ae589d930d43c99b25d9583ee53cf7f88e27b8eb76f76224f597cf31d22bd4ff9e32b055c1e1d2620a711b8625fa174a

Download Submit
C:\Windows\{505533D6-9C60-4e47-852E-6A371ECA7527}.exe

Filesize
380KB

MD5
4c41a0b68c6b0ed145195d5e78c3c92f

SHA1
90f0702474d992c0b4a1f2116ce545ae8794d826

SHA256
a1380a04a5d47c2e6f61d00030750edb6a8292c35071651034e2fc2c2aa4874d

SHA512
6354142afab5b7bdfe12e03715657fe2ae589d930d43c99b25d9583ee53cf7f88e27b8eb76f76224f597cf31d22bd4ff9e32b055c1e1d2620a711b8625fa174a

Download Submit
C:\Windows\{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe

Filesize
380KB

MD5
d9729a66c48da843a51b18c572427381

SHA1
ec36364263b0424b7a02a9e1bf40d512b99b382d

SHA256
c1155656b4495ceea81a99ac4099cd47b9297daae6fe6622cb18e05209c77c38

SHA512
71fde02cefdb125adb53a39918ebbbd50793e5fac1013d184c1bc79ae8cfd437da1ed2445dce5771c2075a49006ba3cb91bca428929eb92211818899a560d2cc

Download Submit
C:\Windows\{5362A9E4-276C-4499-B10F-6EDB3EC48201}.exe

Filesize
380KB

MD5
d9729a66c48da843a51b18c572427381

SHA1
ec36364263b0424b7a02a9e1bf40d512b99b382d

SHA256
c1155656b4495ceea81a99ac4099cd47b9297daae6fe6622cb18e05209c77c38

SHA512
71fde02cefdb125adb53a39918ebbbd50793e5fac1013d184c1bc79ae8cfd437da1ed2445dce5771c2075a49006ba3cb91bca428929eb92211818899a560d2cc

Download Submit
C:\Windows\{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe

Filesize
380KB

MD5
8e37b48ab3b99fd9ad79cf2b51158389

SHA1
409f49cdd86e8297aec0bfcd7f85d32e78991b0c

SHA256
3a90f4fc9976864114f6e26cc9faaad69c694d291ce3a89c75af8ede85c6f611

SHA512
9bcc19863bf1ae89eb65de67b0ae164e3238a53125eaccef3ae982814b50dce90d6cfe684dc313512fa655ed3934f320b780520e5ae9db69e5b995ec2ff6795a

Download Submit
C:\Windows\{6A0E041F-0B55-4c90-AF0E-7575AA7E919B}.exe

Filesize
380KB

MD5
8e37b48ab3b99fd9ad79cf2b51158389

SHA1
409f49cdd86e8297aec0bfcd7f85d32e78991b0c

SHA256
3a90f4fc9976864114f6e26cc9faaad69c694d291ce3a89c75af8ede85c6f611

SHA512
9bcc19863bf1ae89eb65de67b0ae164e3238a53125eaccef3ae982814b50dce90d6cfe684dc313512fa655ed3934f320b780520e5ae9db69e5b995ec2ff6795a

Download Submit
C:\Windows\{707D96AC-CAD7-46ca-B2BE-2CB8D0E24252}.exe

Filesize
380KB

MD5
6750325f5bfa7b3b31d6de00208700cf

SHA1
5a54207d51693589941809e96daebc6bae3e3e62

SHA256
81bfff49741dd3e68598ec1145d4bcd4cc178dd8e116eec4d0e4c17f3ea7ab4b

SHA512
e06d48e8d8d72cd04021f06013734abfe09b26bc1fcdd711a5a56570ab968c60df1ada958236868a2903de47754863516035fb2d9133009f4b637585945182fa

Download Submit
C:\Windows\{707D96AC-CAD7-46ca-B2BE-2CB8D0E24252}.exe

Filesize
380KB

MD5
6750325f5bfa7b3b31d6de00208700cf

SHA1
5a54207d51693589941809e96daebc6bae3e3e62

SHA256
81bfff49741dd3e68598ec1145d4bcd4cc178dd8e116eec4d0e4c17f3ea7ab4b

SHA512
e06d48e8d8d72cd04021f06013734abfe09b26bc1fcdd711a5a56570ab968c60df1ada958236868a2903de47754863516035fb2d9133009f4b637585945182fa

Download Submit
C:\Windows\{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe

Filesize
380KB

MD5
763c3ac39a064e1b50c4732ea2ea185d

SHA1
d47b8798d3a2447c582c10034077d7f9dbeb059f

SHA256
b410846dc9909db0ce019cbc4a79a3e1dbbb51e24c27f4529c4c3c9d2b159b8b

SHA512
22224521b12db504e5a2a3270312558dec6e140ba15f6ae26f4c96d2f7128dc72ad172a19b0386ca2f8f358dd74d64a057278c6c04e46f3791a6a8dbeb563ae6

Download Submit
C:\Windows\{82E5AFCF-6E8D-4e7e-A81C-2679B62E2437}.exe

Filesize
380KB

MD5
763c3ac39a064e1b50c4732ea2ea185d

SHA1
d47b8798d3a2447c582c10034077d7f9dbeb059f

SHA256
b410846dc9909db0ce019cbc4a79a3e1dbbb51e24c27f4529c4c3c9d2b159b8b

SHA512
22224521b12db504e5a2a3270312558dec6e140ba15f6ae26f4c96d2f7128dc72ad172a19b0386ca2f8f358dd74d64a057278c6c04e46f3791a6a8dbeb563ae6

Download Submit
C:\Windows\{95E21A72-4A99-4cfe-AF22-37340ECE481F}.exe

Filesize
380KB

MD5
e4b5f8978b18d0ba196cac33a3618a07

SHA1
e35e33e97b2ea9c96abde77f1b094d3a0063ad65

SHA256
cb1937510e64603178531fe27eda48dfa5f76f82e50a087eabbb21c4c704e605

SHA512
ab74e373546063ebf155fddcc234ddb9eb76be6d171b857c289b3b4c042be5e7ff7cff520b38aa37f44ea4f4561cbc05b0f5d15837b63821047efa4151100cf0

Download Submit
C:\Windows\{95E21A72-4A99-4cfe-AF22-37340ECE481F}.exe

Filesize
380KB

MD5
e4b5f8978b18d0ba196cac33a3618a07

SHA1
e35e33e97b2ea9c96abde77f1b094d3a0063ad65

SHA256
cb1937510e64603178531fe27eda48dfa5f76f82e50a087eabbb21c4c704e605

SHA512
ab74e373546063ebf155fddcc234ddb9eb76be6d171b857c289b3b4c042be5e7ff7cff520b38aa37f44ea4f4561cbc05b0f5d15837b63821047efa4151100cf0

Download Submit
C:\Windows\{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe

Filesize
380KB

MD5
04397c88bfed74ce6596e1a8617e89b6

SHA1
9cdc062642efc9dc1248d863656d91ae0bfe597a

SHA256
02e651e36fa6796a5aeb5bec00fa5fc8191fc7e00a3f9c51fb6386ad96b5d00e

SHA512
43db0288f4d8a9b9470e0d516e8030466efb6b101e9ade285e86dfc980f8243836e13be00d150b4a98d802f0bd61f255156c593d6b17f57bdc4145f3dbbcfe6f

Download Submit
C:\Windows\{B60A39BA-EB5A-4bc2-8276-4A37701DB516}.exe

Filesize
380KB

MD5
04397c88bfed74ce6596e1a8617e89b6

SHA1
9cdc062642efc9dc1248d863656d91ae0bfe597a

SHA256
02e651e36fa6796a5aeb5bec00fa5fc8191fc7e00a3f9c51fb6386ad96b5d00e

SHA512
43db0288f4d8a9b9470e0d516e8030466efb6b101e9ade285e86dfc980f8243836e13be00d150b4a98d802f0bd61f255156c593d6b17f57bdc4145f3dbbcfe6f

Download Submit
C:\Windows\{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe

Filesize
380KB

MD5
3f329ed507e4dc9bc4704dc017a78d89

SHA1
3bb3fe86c53599470af055656b2f80ecd42b7cf9

SHA256
432f0ec1ab5385a81308a436dd056e400e2b25c6f7a00461fb8769867c33d5a1

SHA512
ebcdaa916dddb07c1a61574df0ce1e2137bb65322781b960b987d20df44c8b6f37ce01fa1d93a69aff500accfb716acb5a80c7131ab14d529ec747645cbe7005

Download Submit
C:\Windows\{BB4ECBC4-A6BF-473e-9F28-7CB7CE390A44}.exe

Filesize
380KB

MD5
3f329ed507e4dc9bc4704dc017a78d89

SHA1
3bb3fe86c53599470af055656b2f80ecd42b7cf9

SHA256
432f0ec1ab5385a81308a436dd056e400e2b25c6f7a00461fb8769867c33d5a1

SHA512
ebcdaa916dddb07c1a61574df0ce1e2137bb65322781b960b987d20df44c8b6f37ce01fa1d93a69aff500accfb716acb5a80c7131ab14d529ec747645cbe7005

Download Submit
C:\Windows\{C1681F77-8A2D-452b-A65B-940808382B47}.exe

Filesize
380KB

MD5
7c4ca0b7b75f63695732b6ccb1c1758c

SHA1
8e1e41db2dbc92f149fd4aaafda9e68f4463b526

SHA256
42e4d75f8e2862b3b694f518efb4d0efb2579ad010f8e71027e02895230e7d29

SHA512
efe40ce1f1afa5b65b46ed8b21ff76180b13b56d7bc273ddb81419897eaa21850d4951817aa5779e3a9d2584009b8d8fa69bbaed5ad454cab15c389d27a2bd89

Download Submit
C:\Windows\{C1681F77-8A2D-452b-A65B-940808382B47}.exe

Filesize
380KB

MD5
7c4ca0b7b75f63695732b6ccb1c1758c

SHA1
8e1e41db2dbc92f149fd4aaafda9e68f4463b526

SHA256
42e4d75f8e2862b3b694f518efb4d0efb2579ad010f8e71027e02895230e7d29

SHA512
efe40ce1f1afa5b65b46ed8b21ff76180b13b56d7bc273ddb81419897eaa21850d4951817aa5779e3a9d2584009b8d8fa69bbaed5ad454cab15c389d27a2bd89

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads