7aad157cd653a1574568fbc24b1886c68af6b4ec1306098178ca47163f1e88dc

Analysis

max time kernel
156s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.88a54f932538284d3e02e92cc6e38390.exe
Size

372KB
MD5

88a54f932538284d3e02e92cc6e38390
SHA1

042cdfd4e1bf569898c9d39da42b09411a57905a
SHA256

7aad157cd653a1574568fbc24b1886c68af6b4ec1306098178ca47163f1e88dc
SHA512

3b70913034e43ee930d21c3c02787ece6ae4abbbb1d0a382763c795bad82eb6961c44e2b945b25e1858f3aa6d2d434a25eaba08a3509701f57485ef58cb6e23a
SSDEEP

3072:CEGh0o8mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGHl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}	NEAS.88a54f932538284d3e02e92cc6e38390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5702D928-DBA3-4299-8006-2594976DD070}\stubpath = "C:\\Windows\\{5702D928-DBA3-4299-8006-2594976DD070}.exe"	{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F56EAC72-40BE-4a29-B150-4449626F2962}\stubpath = "C:\\Windows\\{F56EAC72-40BE-4a29-B150-4449626F2962}.exe"	{A791760D-C823-43a7-9E82-E042BEC7365B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}\stubpath = "C:\\Windows\\{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe"	{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60082460-DC0F-4073-9DAE-87DFE2C79B02}\stubpath = "C:\\Windows\\{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe"	{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D83A5194-CFFD-4a8d-AC97-C32A8EECAFAF}	{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E1A2F74-3EAF-4667-87A8-B0C88F3D9F46}	{D83A5194-CFFD-4a8d-AC97-C32A8EECAFAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60082460-DC0F-4073-9DAE-87DFE2C79B02}	{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5702D928-DBA3-4299-8006-2594976DD070}	{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}	{5702D928-DBA3-4299-8006-2594976DD070}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}\stubpath = "C:\\Windows\\{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe"	{5702D928-DBA3-4299-8006-2594976DD070}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F56EAC72-40BE-4a29-B150-4449626F2962}	{A791760D-C823-43a7-9E82-E042BEC7365B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}\stubpath = "C:\\Windows\\{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe"	{F56EAC72-40BE-4a29-B150-4449626F2962}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5CF9BE4-7991-43d1-B44D-1D126374C459}	{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5CF9BE4-7991-43d1-B44D-1D126374C459}\stubpath = "C:\\Windows\\{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe"	{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}\stubpath = "C:\\Windows\\{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe"	{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A791760D-C823-43a7-9E82-E042BEC7365B}	{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}	{F56EAC72-40BE-4a29-B150-4449626F2962}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}	{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E1A2F74-3EAF-4667-87A8-B0C88F3D9F46}\stubpath = "C:\\Windows\\{4E1A2F74-3EAF-4667-87A8-B0C88F3D9F46}.exe"	{D83A5194-CFFD-4a8d-AC97-C32A8EECAFAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}\stubpath = "C:\\Windows\\{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe"	NEAS.88a54f932538284d3e02e92cc6e38390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A791760D-C823-43a7-9E82-E042BEC7365B}\stubpath = "C:\\Windows\\{A791760D-C823-43a7-9E82-E042BEC7365B}.exe"	{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}	{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D83A5194-CFFD-4a8d-AC97-C32A8EECAFAF}\stubpath = "C:\\Windows\\{D83A5194-CFFD-4a8d-AC97-C32A8EECAFAF}.exe"	{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe

Executes dropped EXE 12 IoCs

pid	Process
3324	{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe
4504	{5702D928-DBA3-4299-8006-2594976DD070}.exe
4684	{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe
2028	{A791760D-C823-43a7-9E82-E042BEC7365B}.exe
2172	{F56EAC72-40BE-4a29-B150-4449626F2962}.exe
4492	{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe
1968	{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe
4932	{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe
4064	{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe
3276	{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe
3268	{D83A5194-CFFD-4a8d-AC97-C32A8EECAFAF}.exe
3148	{4E1A2F74-3EAF-4667-87A8-B0C88F3D9F46}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F56EAC72-40BE-4a29-B150-4449626F2962}.exe	{A791760D-C823-43a7-9E82-E042BEC7365B}.exe
File created	C:\Windows\{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe	{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe
File created	C:\Windows\{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe	{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe
File created	C:\Windows\{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe	{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe
File created	C:\Windows\{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe	{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe
File created	C:\Windows\{D83A5194-CFFD-4a8d-AC97-C32A8EECAFAF}.exe	{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe
File created	C:\Windows\{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe	NEAS.88a54f932538284d3e02e92cc6e38390.exe
File created	C:\Windows\{5702D928-DBA3-4299-8006-2594976DD070}.exe	{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe
File created	C:\Windows\{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe	{5702D928-DBA3-4299-8006-2594976DD070}.exe
File created	C:\Windows\{A791760D-C823-43a7-9E82-E042BEC7365B}.exe	{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe
File created	C:\Windows\{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe	{F56EAC72-40BE-4a29-B150-4449626F2962}.exe
File created	C:\Windows\{4E1A2F74-3EAF-4667-87A8-B0C88F3D9F46}.exe	{D83A5194-CFFD-4a8d-AC97-C32A8EECAFAF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4704	NEAS.88a54f932538284d3e02e92cc6e38390.exe
Token: SeIncBasePriorityPrivilege	3324	{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe
Token: SeIncBasePriorityPrivilege	4504	{5702D928-DBA3-4299-8006-2594976DD070}.exe
Token: SeIncBasePriorityPrivilege	4684	{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe
Token: SeIncBasePriorityPrivilege	2028	{A791760D-C823-43a7-9E82-E042BEC7365B}.exe
Token: SeIncBasePriorityPrivilege	2172	{F56EAC72-40BE-4a29-B150-4449626F2962}.exe
Token: SeIncBasePriorityPrivilege	4492	{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe
Token: SeIncBasePriorityPrivilege	1968	{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe
Token: SeIncBasePriorityPrivilege	4932	{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe
Token: SeIncBasePriorityPrivilege	4064	{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe
Token: SeIncBasePriorityPrivilege	3276	{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe
Token: SeIncBasePriorityPrivilege	3268	{D83A5194-CFFD-4a8d-AC97-C32A8EECAFAF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 3324	4704	NEAS.88a54f932538284d3e02e92cc6e38390.exe	90
PID 4704 wrote to memory of 3324	4704	NEAS.88a54f932538284d3e02e92cc6e38390.exe	90
PID 4704 wrote to memory of 3324	4704	NEAS.88a54f932538284d3e02e92cc6e38390.exe	90
PID 4704 wrote to memory of 620	4704	NEAS.88a54f932538284d3e02e92cc6e38390.exe	91
PID 4704 wrote to memory of 620	4704	NEAS.88a54f932538284d3e02e92cc6e38390.exe	91
PID 4704 wrote to memory of 620	4704	NEAS.88a54f932538284d3e02e92cc6e38390.exe	91
PID 3324 wrote to memory of 4504	3324	{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe	93
PID 3324 wrote to memory of 4504	3324	{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe	93
PID 3324 wrote to memory of 4504	3324	{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe	93
PID 3324 wrote to memory of 3772	3324	{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe	94
PID 3324 wrote to memory of 3772	3324	{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe	94
PID 3324 wrote to memory of 3772	3324	{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe	94
PID 4504 wrote to memory of 4684	4504	{5702D928-DBA3-4299-8006-2594976DD070}.exe	96
PID 4504 wrote to memory of 4684	4504	{5702D928-DBA3-4299-8006-2594976DD070}.exe	96
PID 4504 wrote to memory of 4684	4504	{5702D928-DBA3-4299-8006-2594976DD070}.exe	96
PID 4504 wrote to memory of 5028	4504	{5702D928-DBA3-4299-8006-2594976DD070}.exe	97
PID 4504 wrote to memory of 5028	4504	{5702D928-DBA3-4299-8006-2594976DD070}.exe	97
PID 4504 wrote to memory of 5028	4504	{5702D928-DBA3-4299-8006-2594976DD070}.exe	97
PID 4684 wrote to memory of 2028	4684	{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe	99
PID 4684 wrote to memory of 2028	4684	{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe	99
PID 4684 wrote to memory of 2028	4684	{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe	99
PID 4684 wrote to memory of 4208	4684	{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe	100
PID 4684 wrote to memory of 4208	4684	{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe	100
PID 4684 wrote to memory of 4208	4684	{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe	100
PID 2028 wrote to memory of 2172	2028	{A791760D-C823-43a7-9E82-E042BEC7365B}.exe	101
PID 2028 wrote to memory of 2172	2028	{A791760D-C823-43a7-9E82-E042BEC7365B}.exe	101
PID 2028 wrote to memory of 2172	2028	{A791760D-C823-43a7-9E82-E042BEC7365B}.exe	101
PID 2028 wrote to memory of 1512	2028	{A791760D-C823-43a7-9E82-E042BEC7365B}.exe	102
PID 2028 wrote to memory of 1512	2028	{A791760D-C823-43a7-9E82-E042BEC7365B}.exe	102
PID 2028 wrote to memory of 1512	2028	{A791760D-C823-43a7-9E82-E042BEC7365B}.exe	102
PID 2172 wrote to memory of 4492	2172	{F56EAC72-40BE-4a29-B150-4449626F2962}.exe	103
PID 2172 wrote to memory of 4492	2172	{F56EAC72-40BE-4a29-B150-4449626F2962}.exe	103
PID 2172 wrote to memory of 4492	2172	{F56EAC72-40BE-4a29-B150-4449626F2962}.exe	103
PID 2172 wrote to memory of 1520	2172	{F56EAC72-40BE-4a29-B150-4449626F2962}.exe	104
PID 2172 wrote to memory of 1520	2172	{F56EAC72-40BE-4a29-B150-4449626F2962}.exe	104
PID 2172 wrote to memory of 1520	2172	{F56EAC72-40BE-4a29-B150-4449626F2962}.exe	104
PID 4492 wrote to memory of 1968	4492	{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe	105
PID 4492 wrote to memory of 1968	4492	{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe	105
PID 4492 wrote to memory of 1968	4492	{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe	105
PID 4492 wrote to memory of 1684	4492	{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe	106
PID 4492 wrote to memory of 1684	4492	{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe	106
PID 4492 wrote to memory of 1684	4492	{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe	106
PID 1968 wrote to memory of 4932	1968	{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe	107
PID 1968 wrote to memory of 4932	1968	{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe	107
PID 1968 wrote to memory of 4932	1968	{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe	107
PID 1968 wrote to memory of 4556	1968	{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe	108
PID 1968 wrote to memory of 4556	1968	{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe	108
PID 1968 wrote to memory of 4556	1968	{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe	108
PID 4932 wrote to memory of 4064	4932	{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe	109
PID 4932 wrote to memory of 4064	4932	{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe	109
PID 4932 wrote to memory of 4064	4932	{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe	109
PID 4932 wrote to memory of 4048	4932	{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe	110
PID 4932 wrote to memory of 4048	4932	{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe	110
PID 4932 wrote to memory of 4048	4932	{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe	110
PID 4064 wrote to memory of 3276	4064	{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe	111
PID 4064 wrote to memory of 3276	4064	{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe	111
PID 4064 wrote to memory of 3276	4064	{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe	111
PID 4064 wrote to memory of 840	4064	{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe	112
PID 4064 wrote to memory of 840	4064	{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe	112
PID 4064 wrote to memory of 840	4064	{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe	112
PID 3276 wrote to memory of 3268	3276	{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe	113
PID 3276 wrote to memory of 3268	3276	{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe	113
PID 3276 wrote to memory of 3268	3276	{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe	113
PID 3276 wrote to memory of 2696	3276	{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe	114

C:\Users\Admin\AppData\Local\Temp\NEAS.88a54f932538284d3e02e92cc6e38390.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.88a54f932538284d3e02e92cc6e38390.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe
  C:\Windows\{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\{5702D928-DBA3-4299-8006-2594976DD070}.exe
    C:\Windows\{5702D928-DBA3-4299-8006-2594976DD070}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe
      C:\Windows\{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4684
    - - C:\Windows\{A791760D-C823-43a7-9E82-E042BEC7365B}.exe
        
        C:\Windows\{A791760D-C823-43a7-9E82-E042BEC7365B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Windows\{F56EAC72-40BE-4a29-B150-4449626F2962}.exe
        
        C:\Windows\{F56EAC72-40BE-4a29-B150-4449626F2962}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe
        
        C:\Windows\{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe
        
        C:\Windows\{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe
        
        C:\Windows\{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe
        
        C:\Windows\{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe
        
        C:\Windows\{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\{D83A5194-CFFD-4a8d-AC97-C32A8EECAFAF}.exe
        
        C:\Windows\{D83A5194-CFFD-4a8d-AC97-C32A8EECAFAF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
        
        C:\Windows\{4E1A2F74-3EAF-4667-87A8-B0C88F3D9F46}.exe
        
        C:\Windows\{4E1A2F74-3EAF-4667-87A8-B0C88F3D9F46}.exe
        13⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D83A5~1.EXE > nul
        13⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0061~1.EXE > nul
        12⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60082~1.EXE > nul
        11⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72383~1.EXE > nul
        10⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5CF9~1.EXE > nul
        9⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8420~1.EXE > nul
        8⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F56EA~1.EXE > nul
        7⤵
        
        PID:1520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7917~1.EXE > nul
        6⤵
        
        PID:1512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E6D4~1.EXE > nul
        5⤵
        
        PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5702D~1.EXE > nul
      4⤵
      PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{63EC6~1.EXE > nul
    3⤵
    PID:3772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS88~1.EXE > nul
  2⤵
  PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4E1A2F74-3EAF-4667-87A8-B0C88F3D9F46}.exe

Filesize
372KB

MD5
616b6876099f1e52c255082c9189beff

SHA1
14a9ef829dcd492b123ca5c3f1c38b37f441143a

SHA256
3724d8b7a25cada3d9a0c62fa4c1ddc70d34d24a2d27a92277a065d6dcbad865

SHA512
cbe6a6cb1757a353acfd3c448b01a5fce1bf4e65421138598ef007aa8f155613d616dcbc82833eade8c2302e7aa30e373e75455bb706d290bc3c7ad355678925

Download Submit
C:\Windows\{4E1A2F74-3EAF-4667-87A8-B0C88F3D9F46}.exe

Filesize
372KB

MD5
616b6876099f1e52c255082c9189beff

SHA1
14a9ef829dcd492b123ca5c3f1c38b37f441143a

SHA256
3724d8b7a25cada3d9a0c62fa4c1ddc70d34d24a2d27a92277a065d6dcbad865

SHA512
cbe6a6cb1757a353acfd3c448b01a5fce1bf4e65421138598ef007aa8f155613d616dcbc82833eade8c2302e7aa30e373e75455bb706d290bc3c7ad355678925

Download Submit
C:\Windows\{5702D928-DBA3-4299-8006-2594976DD070}.exe

Filesize
372KB

MD5
006361c0fe80446d2b02ddf671b77f55

SHA1
ad6fb5b260ec8415dfbdf7f96b99eb07de7ad992

SHA256
3ffaa7d6bd711c97a05a8fe01ff87a2031685fce9519212d16736821c4e27730

SHA512
60451fec5c5e92e3bb78476c102d4bbdc08ffb6ed818dc4178c2e099869fae889d1e9faed3bc7d7b41031a1fb77445a2305335aa32aef8eb17ced972babb15ee

Download Submit
C:\Windows\{5702D928-DBA3-4299-8006-2594976DD070}.exe

Filesize
372KB

MD5
006361c0fe80446d2b02ddf671b77f55

SHA1
ad6fb5b260ec8415dfbdf7f96b99eb07de7ad992

SHA256
3ffaa7d6bd711c97a05a8fe01ff87a2031685fce9519212d16736821c4e27730

SHA512
60451fec5c5e92e3bb78476c102d4bbdc08ffb6ed818dc4178c2e099869fae889d1e9faed3bc7d7b41031a1fb77445a2305335aa32aef8eb17ced972babb15ee

Download Submit
C:\Windows\{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe

Filesize
372KB

MD5
524c3fc39867b360180b3e0c62c2c573

SHA1
5537361a5d8455d8660fdf9600a4626212332c45

SHA256
4bbf1fa84874426becfad2238d71107333e6dd3435b2d842a89acbbe38f2df66

SHA512
77efd7ef1a842a4e020e2d9e649f3da2a9407808f4c4b5670b36b980136ac33a58782d21cac9e86178f2893f5d819ace64b044e726aa71a90add1d50b4162066

Download Submit
C:\Windows\{60082460-DC0F-4073-9DAE-87DFE2C79B02}.exe

Filesize
372KB

MD5
524c3fc39867b360180b3e0c62c2c573

SHA1
5537361a5d8455d8660fdf9600a4626212332c45

SHA256
4bbf1fa84874426becfad2238d71107333e6dd3435b2d842a89acbbe38f2df66

SHA512
77efd7ef1a842a4e020e2d9e649f3da2a9407808f4c4b5670b36b980136ac33a58782d21cac9e86178f2893f5d819ace64b044e726aa71a90add1d50b4162066

Download Submit
C:\Windows\{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe

Filesize
372KB

MD5
292f6c7a388a7b0e1e2e59c05d43961b

SHA1
8f4c1a80336e19cffa10490d17183642a97fd8e3

SHA256
32f96eb1fbf70d2bdedc597fe33db31afee99a0cb8ce2b81bdab90af6899003e

SHA512
31a3e397b4c174d597da74926db635a2052a40d323c88e756c303b087b902e4e50acd8942eb9d81bea7a00d569188f868cbcac3bdf6e6648ca5c0a6a8619b7d4

Download Submit
C:\Windows\{63EC6917-1927-4913-BBFF-3A0CEDC98CF0}.exe

Filesize
372KB

MD5
292f6c7a388a7b0e1e2e59c05d43961b

SHA1
8f4c1a80336e19cffa10490d17183642a97fd8e3

SHA256
32f96eb1fbf70d2bdedc597fe33db31afee99a0cb8ce2b81bdab90af6899003e

SHA512
31a3e397b4c174d597da74926db635a2052a40d323c88e756c303b087b902e4e50acd8942eb9d81bea7a00d569188f868cbcac3bdf6e6648ca5c0a6a8619b7d4

Download Submit
C:\Windows\{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe

Filesize
372KB

MD5
e549a07d1349b9fbe9adb4e191f68f1d

SHA1
63ed8f4ab3bf065ab18ddc1d436e438aa4fc802b

SHA256
cb66eaa414ef5ebf1c3fab79257ea98b7f4723f38c73515f5f7fdee092e38b4d

SHA512
2c926b00096ada0be2605780315458f09790fce0eb1c1c9aca86316fcfd78540da26ce2ab302661c3ac44199225122c40e0c6003bbc340298b0ea269764543d1

Download Submit
C:\Windows\{7238348E-FDA7-4528-BCE6-C4DD0D5D0B04}.exe

Filesize
372KB

MD5
e549a07d1349b9fbe9adb4e191f68f1d

SHA1
63ed8f4ab3bf065ab18ddc1d436e438aa4fc802b

SHA256
cb66eaa414ef5ebf1c3fab79257ea98b7f4723f38c73515f5f7fdee092e38b4d

SHA512
2c926b00096ada0be2605780315458f09790fce0eb1c1c9aca86316fcfd78540da26ce2ab302661c3ac44199225122c40e0c6003bbc340298b0ea269764543d1

Download Submit
C:\Windows\{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe

Filesize
372KB

MD5
ba46124a50ffd5cc4adf3a7b9d7ebbb3

SHA1
e2422df6b8c9c04ffc419bede60af498f19fd937

SHA256
805293b6bd179eb85de1da431a5ded8e2bccc69d81e32087fc51dcb29cd419a7

SHA512
1e55cf201f28057149927dc73ec9ad4dbe6fa10a60b46295734773d876873b6fa87183282c4e08ffe7605619a316538eaa981776157c2a2b98d423ab604b3414

Download Submit
C:\Windows\{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe

Filesize
372KB

MD5
ba46124a50ffd5cc4adf3a7b9d7ebbb3

SHA1
e2422df6b8c9c04ffc419bede60af498f19fd937

SHA256
805293b6bd179eb85de1da431a5ded8e2bccc69d81e32087fc51dcb29cd419a7

SHA512
1e55cf201f28057149927dc73ec9ad4dbe6fa10a60b46295734773d876873b6fa87183282c4e08ffe7605619a316538eaa981776157c2a2b98d423ab604b3414

Download Submit
C:\Windows\{9E6D435D-ACF0-4c63-AE51-6F93E6434C15}.exe

Filesize
372KB

MD5
ba46124a50ffd5cc4adf3a7b9d7ebbb3

SHA1
e2422df6b8c9c04ffc419bede60af498f19fd937

SHA256
805293b6bd179eb85de1da431a5ded8e2bccc69d81e32087fc51dcb29cd419a7

SHA512
1e55cf201f28057149927dc73ec9ad4dbe6fa10a60b46295734773d876873b6fa87183282c4e08ffe7605619a316538eaa981776157c2a2b98d423ab604b3414

Download Submit
C:\Windows\{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe

Filesize
372KB

MD5
5bca94b47b2fda136890d895b48ca0b4

SHA1
f91da677368ae5ac936823c216acc0c111b79c52

SHA256
72d233f5d0c465f59e6b795fcbc702a730d402dfa200eb0c368bb725d7673cb7

SHA512
53b117df7ffe225862e110b32546f8cd8adbbfbed6de6084ebf50253874b74914d6633b0f38ec83a6a4fa89a07e35f68e87fbb0ca51bc7a5b5478647dcaa05ef

Download Submit
C:\Windows\{A5CF9BE4-7991-43d1-B44D-1D126374C459}.exe

Filesize
372KB

MD5
5bca94b47b2fda136890d895b48ca0b4

SHA1
f91da677368ae5ac936823c216acc0c111b79c52

SHA256
72d233f5d0c465f59e6b795fcbc702a730d402dfa200eb0c368bb725d7673cb7

SHA512
53b117df7ffe225862e110b32546f8cd8adbbfbed6de6084ebf50253874b74914d6633b0f38ec83a6a4fa89a07e35f68e87fbb0ca51bc7a5b5478647dcaa05ef

Download Submit
C:\Windows\{A791760D-C823-43a7-9E82-E042BEC7365B}.exe

Filesize
372KB

MD5
b1c1c2a1985873f0e902c5476bf45598

SHA1
df73e7b36bf2bee2c868f94f855590f6d2848ed3

SHA256
a6230e1fea8d853a0db0ff76c85a25904602fe44d8e35867328f0a525bccacf7

SHA512
ccf4f740a1545b8c722349320ea55cb8c41cda91aab2629a9c8935b26349ae602f261022da45254910f2c7d078b7be57ab4875ca7b52b7ad6993dde34a05e403

Download Submit
C:\Windows\{A791760D-C823-43a7-9E82-E042BEC7365B}.exe

Filesize
372KB

MD5
b1c1c2a1985873f0e902c5476bf45598

SHA1
df73e7b36bf2bee2c868f94f855590f6d2848ed3

SHA256
a6230e1fea8d853a0db0ff76c85a25904602fe44d8e35867328f0a525bccacf7

SHA512
ccf4f740a1545b8c722349320ea55cb8c41cda91aab2629a9c8935b26349ae602f261022da45254910f2c7d078b7be57ab4875ca7b52b7ad6993dde34a05e403

Download Submit
C:\Windows\{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe

Filesize
372KB

MD5
c4bf540488a5d12718405f22e2587e45

SHA1
7baa175618c7800f8be7d85ce61ebb99bd3f2743

SHA256
b0a00572293cd28449835dcdd1d06ebccb732f1cde21c8bc4beca38c875e3d39

SHA512
b61202cbcb2e8cbbf414493f9531026e23c48ed20cb2b3190dd1969a67583695d08af942e7cca433693cb4e4cf73bf26df4eff1991e6e3a450f6bb33422c93e1

Download Submit
C:\Windows\{C006102B-F2DA-4533-B6CF-9C6CDDD1EE8B}.exe

Filesize
372KB

MD5
c4bf540488a5d12718405f22e2587e45

SHA1
7baa175618c7800f8be7d85ce61ebb99bd3f2743

SHA256
b0a00572293cd28449835dcdd1d06ebccb732f1cde21c8bc4beca38c875e3d39

SHA512
b61202cbcb2e8cbbf414493f9531026e23c48ed20cb2b3190dd1969a67583695d08af942e7cca433693cb4e4cf73bf26df4eff1991e6e3a450f6bb33422c93e1

Download Submit
C:\Windows\{D83A5194-CFFD-4a8d-AC97-C32A8EECAFAF}.exe

Filesize
372KB

MD5
dd4c3830971e3cb33a1223cfcc733506

SHA1
e83826d18406c69732ef62e5d0dc47f29a876a0c

SHA256
4933b80c0d29dab451a7be79f678164ae06850c14e2531800ffe12e38743487c

SHA512
c3753d7d3a11802b88e8f6e757c75ab6a9e79cb7a0a2cf8ba578b5c628aeb1327772327e938da38075fdb60e1c43734b9b6ff58a7d604fa3b8ba18b7eaac5485

Download Submit
C:\Windows\{D83A5194-CFFD-4a8d-AC97-C32A8EECAFAF}.exe

Filesize
372KB

MD5
dd4c3830971e3cb33a1223cfcc733506

SHA1
e83826d18406c69732ef62e5d0dc47f29a876a0c

SHA256
4933b80c0d29dab451a7be79f678164ae06850c14e2531800ffe12e38743487c

SHA512
c3753d7d3a11802b88e8f6e757c75ab6a9e79cb7a0a2cf8ba578b5c628aeb1327772327e938da38075fdb60e1c43734b9b6ff58a7d604fa3b8ba18b7eaac5485

Download Submit
C:\Windows\{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe

Filesize
372KB

MD5
0f9da85aea054190fa93892f6e4794fc

SHA1
2d3e8e50f2dc5a48cbdf3abd77a3a43e2c3e7acf

SHA256
8ed0401729842ef2c17360db471216ca3ad9b67fd0c0c2948e7a83f639ac1ae4

SHA512
a9bf702425f51089d0d6caf932a1d448af2886de9b1a7a6461c9393cdf3187c3c4237f8951545e9a1c2364d2574b1a4fa3f36cfefca42abf0fa73292d5c3ab33

Download Submit
C:\Windows\{D84204BD-B111-4bb0-91B9-33B2C6A8FB2C}.exe

Filesize
372KB

MD5
0f9da85aea054190fa93892f6e4794fc

SHA1
2d3e8e50f2dc5a48cbdf3abd77a3a43e2c3e7acf

SHA256
8ed0401729842ef2c17360db471216ca3ad9b67fd0c0c2948e7a83f639ac1ae4

SHA512
a9bf702425f51089d0d6caf932a1d448af2886de9b1a7a6461c9393cdf3187c3c4237f8951545e9a1c2364d2574b1a4fa3f36cfefca42abf0fa73292d5c3ab33

Download Submit
C:\Windows\{F56EAC72-40BE-4a29-B150-4449626F2962}.exe

Filesize
372KB

MD5
63a83ffd74665e8cbe4e699d8ff7b3a0

SHA1
f7070732db056afe72ea0d2da938f998c7631eaf

SHA256
2c964780be265fd72af3d77bbbb67a5af342e5f73a33bf0f8542922f73023938

SHA512
d7be9cb055db6902f48812f5c138a5c7210d985134a5af5118ac5cca9ac5b82469e022e96e897123f0862e6a32a086a163a8010fd1f2d7bbc64d95a0cbd0c3f8

Download Submit
C:\Windows\{F56EAC72-40BE-4a29-B150-4449626F2962}.exe

Filesize
372KB

MD5
63a83ffd74665e8cbe4e699d8ff7b3a0

SHA1
f7070732db056afe72ea0d2da938f998c7631eaf

SHA256
2c964780be265fd72af3d77bbbb67a5af342e5f73a33bf0f8542922f73023938

SHA512
d7be9cb055db6902f48812f5c138a5c7210d985134a5af5118ac5cca9ac5b82469e022e96e897123f0862e6a32a086a163a8010fd1f2d7bbc64d95a0cbd0c3f8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads