10796a1653fcd84c99a9db48dd7a67942e579670cc7fdabcfa892c75861a9a14

Analysis

max time kernel
156s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe
Size

192KB
MD5

9ea7d61a2c70ca3c5340135f25891c10
SHA1

54341a53119552ea28fb525dcf7ea2fc7f6cf9fa
SHA256

10796a1653fcd84c99a9db48dd7a67942e579670cc7fdabcfa892c75861a9a14
SHA512

ee28d1439341e158667d9614cde219f3b9da0bdca9dbd74d92819bfdc1e6d7aaf6b715e39eccd7dffcc083f51301e391f49f81667562c67e8efa903305d6af8e
SSDEEP

1536:1EGh0oOl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oOl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BE07DBB-C5B4-4312-8043-6F6824D3369E}	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BE07DBB-C5B4-4312-8043-6F6824D3369E}\stubpath = "C:\\Windows\\{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe"	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}	{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA49DF7D-6E3A-4977-B804-E171C992A779}	{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}	{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}\stubpath = "C:\\Windows\\{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe"	{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}	{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}	{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}\stubpath = "C:\\Windows\\{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe"	{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D921600-522F-4d88-9F8B-6719372F9A4F}	{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D921600-522F-4d88-9F8B-6719372F9A4F}\stubpath = "C:\\Windows\\{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe"	{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}	{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}\stubpath = "C:\\Windows\\{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe"	{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}	{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}\stubpath = "C:\\Windows\\{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe"	{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA49DF7D-6E3A-4977-B804-E171C992A779}\stubpath = "C:\\Windows\\{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe"	{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}\stubpath = "C:\\Windows\\{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe"	{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}\stubpath = "C:\\Windows\\{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe"	{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{328EA76D-3368-4edc-84B3-3984E59569D8}	{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{328EA76D-3368-4edc-84B3-3984E59569D8}\stubpath = "C:\\Windows\\{328EA76D-3368-4edc-84B3-3984E59569D8}.exe"	{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}	{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}\stubpath = "C:\\Windows\\{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe"	{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe

Executes dropped EXE 11 IoCs

pid	Process
3860	{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe
4780	{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe
3064	{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe
1144	{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe
4628	{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe
3216	{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe
4912	{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe
416	{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe
3804	{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe
4140	{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe
2188	{328EA76D-3368-4edc-84B3-3984E59569D8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe
File created	C:\Windows\{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe	{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe
File created	C:\Windows\{328EA76D-3368-4edc-84B3-3984E59569D8}.exe	{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe
File created	C:\Windows\{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe	{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe
File created	C:\Windows\{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe	{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe
File created	C:\Windows\{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe	{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe
File created	C:\Windows\{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe	{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe
File created	C:\Windows\{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe	{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe
File created	C:\Windows\{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe	{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe
File created	C:\Windows\{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe	{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe
File created	C:\Windows\{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe	{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3840	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe
Token: SeIncBasePriorityPrivilege	3860	{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe
Token: SeIncBasePriorityPrivilege	4780	{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe
Token: SeIncBasePriorityPrivilege	3064	{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe
Token: SeIncBasePriorityPrivilege	1144	{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe
Token: SeIncBasePriorityPrivilege	4628	{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe
Token: SeIncBasePriorityPrivilege	3216	{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe
Token: SeIncBasePriorityPrivilege	4912	{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe
Token: SeIncBasePriorityPrivilege	416	{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe
Token: SeIncBasePriorityPrivilege	3804	{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe
Token: SeIncBasePriorityPrivilege	4140	{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 3860	3840	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	92
PID 3840 wrote to memory of 3860	3840	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	92
PID 3840 wrote to memory of 3860	3840	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	92
PID 3840 wrote to memory of 4272	3840	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	93
PID 3840 wrote to memory of 4272	3840	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	93
PID 3840 wrote to memory of 4272	3840	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	93
PID 3860 wrote to memory of 4780	3860	{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe	94
PID 3860 wrote to memory of 4780	3860	{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe	94
PID 3860 wrote to memory of 4780	3860	{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe	94
PID 3860 wrote to memory of 2108	3860	{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe	95
PID 3860 wrote to memory of 2108	3860	{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe	95
PID 3860 wrote to memory of 2108	3860	{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe	95
PID 4780 wrote to memory of 3064	4780	{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe	98
PID 4780 wrote to memory of 3064	4780	{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe	98
PID 4780 wrote to memory of 3064	4780	{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe	98
PID 4780 wrote to memory of 4224	4780	{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe	97
PID 4780 wrote to memory of 4224	4780	{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe	97
PID 4780 wrote to memory of 4224	4780	{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe	97
PID 3064 wrote to memory of 1144	3064	{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe	99
PID 3064 wrote to memory of 1144	3064	{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe	99
PID 3064 wrote to memory of 1144	3064	{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe	99
PID 3064 wrote to memory of 4028	3064	{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe	100
PID 3064 wrote to memory of 4028	3064	{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe	100
PID 3064 wrote to memory of 4028	3064	{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe	100
PID 1144 wrote to memory of 4628	1144	{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe	101
PID 1144 wrote to memory of 4628	1144	{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe	101
PID 1144 wrote to memory of 4628	1144	{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe	101
PID 1144 wrote to memory of 2644	1144	{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe	102
PID 1144 wrote to memory of 2644	1144	{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe	102
PID 1144 wrote to memory of 2644	1144	{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe	102
PID 4628 wrote to memory of 3216	4628	{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe	103
PID 4628 wrote to memory of 3216	4628	{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe	103
PID 4628 wrote to memory of 3216	4628	{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe	103
PID 4628 wrote to memory of 4888	4628	{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe	104
PID 4628 wrote to memory of 4888	4628	{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe	104
PID 4628 wrote to memory of 4888	4628	{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe	104
PID 3216 wrote to memory of 4912	3216	{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe	105
PID 3216 wrote to memory of 4912	3216	{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe	105
PID 3216 wrote to memory of 4912	3216	{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe	105
PID 3216 wrote to memory of 1504	3216	{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe	106
PID 3216 wrote to memory of 1504	3216	{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe	106
PID 3216 wrote to memory of 1504	3216	{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe	106
PID 4912 wrote to memory of 416	4912	{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe	107
PID 4912 wrote to memory of 416	4912	{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe	107
PID 4912 wrote to memory of 416	4912	{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe	107
PID 4912 wrote to memory of 5024	4912	{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe	108
PID 4912 wrote to memory of 5024	4912	{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe	108
PID 4912 wrote to memory of 5024	4912	{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe	108
PID 416 wrote to memory of 3804	416	{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe	109
PID 416 wrote to memory of 3804	416	{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe	109
PID 416 wrote to memory of 3804	416	{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe	109
PID 416 wrote to memory of 4072	416	{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe	110
PID 416 wrote to memory of 4072	416	{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe	110
PID 416 wrote to memory of 4072	416	{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe	110
PID 3804 wrote to memory of 4140	3804	{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe	111
PID 3804 wrote to memory of 4140	3804	{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe	111
PID 3804 wrote to memory of 4140	3804	{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe	111
PID 3804 wrote to memory of 2976	3804	{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe	112
PID 3804 wrote to memory of 2976	3804	{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe	112
PID 3804 wrote to memory of 2976	3804	{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe	112
PID 4140 wrote to memory of 2188	4140	{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe	113
PID 4140 wrote to memory of 2188	4140	{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe	113
PID 4140 wrote to memory of 2188	4140	{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe	113
PID 4140 wrote to memory of 2136	4140	{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe	114

C:\Users\Admin\AppData\Local\Temp\NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Windows\{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe
  C:\Windows\{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe
    C:\Windows\{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75AFA~1.EXE > nul
      4⤵
      PID:4224
  - - C:\Windows\{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe
      C:\Windows\{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe
        
        C:\Windows\{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
      - C:\Windows\{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe
        
        C:\Windows\{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe
        
        C:\Windows\{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe
        
        C:\Windows\{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe
        
        C:\Windows\{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe
        
        C:\Windows\{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe
        
        C:\Windows\{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\{328EA76D-3368-4edc-84B3-3984E59569D8}.exe
        
        C:\Windows\{328EA76D-3368-4edc-84B3-3984E59569D8}.exe
        12⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{185DC~1.EXE > nul
        12⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1B96~1.EXE > nul
        11⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D978~1.EXE > nul
        10⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{642BE~1.EXE > nul
        9⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA49D~1.EXE > nul
        8⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62ACC~1.EXE > nul
        7⤵
        
        PID:4888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8020F~1.EXE > nul
        6⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D921~1.EXE > nul
        5⤵
        
        PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3BE07~1.EXE > nul
    3⤵
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS9E~1.EXE > nul
  2⤵
  PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe

Filesize
192KB

MD5
3999dd8fc3e336b47e12ac48422fe3e4

SHA1
3eea67b95664c06194e88c88bf20cb65fe5cfdae

SHA256
2742ce65958d0e0a03c5b42e69a1caa502b94db8ed66e88ca4c2f267aec2a341

SHA512
e90445df442669fd36e23df92599f1fd75354a735c6bf599415987d8735dff39bb6987dfa03a9ff7c175cd92695c2b3de1bd676ebc993cce2bf1e2e1d5805589

Download Submit
C:\Windows\{185DC032-0C7D-44ac-ABC9-AACD5368ABC7}.exe

Filesize
192KB

MD5
3999dd8fc3e336b47e12ac48422fe3e4

SHA1
3eea67b95664c06194e88c88bf20cb65fe5cfdae

SHA256
2742ce65958d0e0a03c5b42e69a1caa502b94db8ed66e88ca4c2f267aec2a341

SHA512
e90445df442669fd36e23df92599f1fd75354a735c6bf599415987d8735dff39bb6987dfa03a9ff7c175cd92695c2b3de1bd676ebc993cce2bf1e2e1d5805589

Download Submit
C:\Windows\{328EA76D-3368-4edc-84B3-3984E59569D8}.exe

Filesize
192KB

MD5
8755cb3bde7d792a66036b03253abcab

SHA1
606ac539420c7a86f750ae5158f82d7d2533c476

SHA256
c2fde7de6bcabd835caf343a641c05d6147a6782322cf8b7d70526eee501b94b

SHA512
25be28373af9f93e63ad59a8bf3a2da359082cba4b75955ab013d1b39fc9f91b8671bdd16eaa66732174aa740930b474e5a13c55365f1be949b2c22174edacda

Download Submit
C:\Windows\{328EA76D-3368-4edc-84B3-3984E59569D8}.exe

Filesize
192KB

MD5
8755cb3bde7d792a66036b03253abcab

SHA1
606ac539420c7a86f750ae5158f82d7d2533c476

SHA256
c2fde7de6bcabd835caf343a641c05d6147a6782322cf8b7d70526eee501b94b

SHA512
25be28373af9f93e63ad59a8bf3a2da359082cba4b75955ab013d1b39fc9f91b8671bdd16eaa66732174aa740930b474e5a13c55365f1be949b2c22174edacda

Download Submit
C:\Windows\{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe

Filesize
192KB

MD5
c1d15df94b51dbe7df92d6a4c4a560dc

SHA1
c6f1216d5b0b84b5612bed1cceff10195d1fe7a6

SHA256
cf23636a4aca41dc4b1681dbc5f1343e990031799fbc144cef07e315a8450f4c

SHA512
ceed28f10627d18d4c1273fed10e609b1a1ff8194ad94472a299e7d6bf993d18d6088af9cb162d28b47e7e58cb4726b678b4f4d11212b9bd7595ef0c3c2375fc

Download Submit
C:\Windows\{3BE07DBB-C5B4-4312-8043-6F6824D3369E}.exe

Filesize
192KB

MD5
c1d15df94b51dbe7df92d6a4c4a560dc

SHA1
c6f1216d5b0b84b5612bed1cceff10195d1fe7a6

SHA256
cf23636a4aca41dc4b1681dbc5f1343e990031799fbc144cef07e315a8450f4c

SHA512
ceed28f10627d18d4c1273fed10e609b1a1ff8194ad94472a299e7d6bf993d18d6088af9cb162d28b47e7e58cb4726b678b4f4d11212b9bd7595ef0c3c2375fc

Download Submit
C:\Windows\{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe

Filesize
192KB

MD5
18e2ccd1ee67731bb6148883bec04efb

SHA1
e77c1f6510fafd3ea680cf45cb4b881d98e84d48

SHA256
c25063bcd94a382787b0ade18a7fd84b44fd98d5ef31c3362eae83d59662f7d6

SHA512
357fe409411039c6a5598eaeade8094b013dd6653dc2e29a2136aecc9f4c78320d8cdfecbcdd09f5580ee567bd46304ed109e3162ec8a275f104dc475847653e

Download Submit
C:\Windows\{62ACCBFB-9687-4bb4-8ABC-6545FB0F00F7}.exe

Filesize
192KB

MD5
18e2ccd1ee67731bb6148883bec04efb

SHA1
e77c1f6510fafd3ea680cf45cb4b881d98e84d48

SHA256
c25063bcd94a382787b0ade18a7fd84b44fd98d5ef31c3362eae83d59662f7d6

SHA512
357fe409411039c6a5598eaeade8094b013dd6653dc2e29a2136aecc9f4c78320d8cdfecbcdd09f5580ee567bd46304ed109e3162ec8a275f104dc475847653e

Download Submit
C:\Windows\{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe

Filesize
192KB

MD5
b95e710a273a0620fd197995e14b757e

SHA1
f3ab469b4ee82362af5de2bce641b9c45b43d129

SHA256
f5e7aa95c0b0a0b80095e4bd39ae1a4902ad6ec05278d69b05bd5270fb1f9459

SHA512
b3a228de5a9cfe39ed9408a000ccf40c65a0cb68ef823fd0af1f503dccfeee324ae9bf170e27046680282104891c06e9edbc56f7c5f805fcb94d74ac6441b4af

Download Submit
C:\Windows\{642BE61E-FA89-4cf5-8C5F-526A5B633BA2}.exe

Filesize
192KB

MD5
b95e710a273a0620fd197995e14b757e

SHA1
f3ab469b4ee82362af5de2bce641b9c45b43d129

SHA256
f5e7aa95c0b0a0b80095e4bd39ae1a4902ad6ec05278d69b05bd5270fb1f9459

SHA512
b3a228de5a9cfe39ed9408a000ccf40c65a0cb68ef823fd0af1f503dccfeee324ae9bf170e27046680282104891c06e9edbc56f7c5f805fcb94d74ac6441b4af

Download Submit
C:\Windows\{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe

Filesize
192KB

MD5
12d1442cce713b012314686cf11bf8c5

SHA1
bb724467e307ec06fc4599b46e23820319467209

SHA256
1ed3510e0ed80e069b165751f297ee8831f05d65fb3ba40c60f525fca9986670

SHA512
c02580170198145ae64f8be83eaa18aa1f9c79fe90565679f6a14b351df3876da475519698c81d54a725be74eed13da35427bc7699f6ec71fa9729b524178f56

Download Submit
C:\Windows\{75AFA9F6-58CD-4c45-B78B-AE4926AC2D7B}.exe

Filesize
192KB

MD5
12d1442cce713b012314686cf11bf8c5

SHA1
bb724467e307ec06fc4599b46e23820319467209

SHA256
1ed3510e0ed80e069b165751f297ee8831f05d65fb3ba40c60f525fca9986670

SHA512
c02580170198145ae64f8be83eaa18aa1f9c79fe90565679f6a14b351df3876da475519698c81d54a725be74eed13da35427bc7699f6ec71fa9729b524178f56

Download Submit
C:\Windows\{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe

Filesize
192KB

MD5
155c0f1be456913c2763ae120c0ace38

SHA1
c0def8350814b9bdf5876009bf8079d13873b2c7

SHA256
afaef9e0d59ecb1ab3743f88d2cbc12a69a95ca1abe0514ca67790d719843654

SHA512
9eaa6f1307ee5688f564a275055fd9741a5e08a6086a1b0485a8aa4939895d8dbcbc8b867b6520235f5f12b801731e02b322ea0308b33c53e7ecdb1ad01e3a80

Download Submit
C:\Windows\{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe

Filesize
192KB

MD5
155c0f1be456913c2763ae120c0ace38

SHA1
c0def8350814b9bdf5876009bf8079d13873b2c7

SHA256
afaef9e0d59ecb1ab3743f88d2cbc12a69a95ca1abe0514ca67790d719843654

SHA512
9eaa6f1307ee5688f564a275055fd9741a5e08a6086a1b0485a8aa4939895d8dbcbc8b867b6520235f5f12b801731e02b322ea0308b33c53e7ecdb1ad01e3a80

Download Submit
C:\Windows\{7D921600-522F-4d88-9F8B-6719372F9A4F}.exe

Filesize
192KB

MD5
155c0f1be456913c2763ae120c0ace38

SHA1
c0def8350814b9bdf5876009bf8079d13873b2c7

SHA256
afaef9e0d59ecb1ab3743f88d2cbc12a69a95ca1abe0514ca67790d719843654

SHA512
9eaa6f1307ee5688f564a275055fd9741a5e08a6086a1b0485a8aa4939895d8dbcbc8b867b6520235f5f12b801731e02b322ea0308b33c53e7ecdb1ad01e3a80

Download Submit
C:\Windows\{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe

Filesize
192KB

MD5
45947096a6e86240f72959056dfeadfe

SHA1
a776a9fee49b90a40bc395cf3c850dd314ab8f95

SHA256
9d4b993c9837122e2fbc5961d5f8e5059ed526351763796e4652f189293c8e22

SHA512
6398e3e1f4ec3ea7d955caf636bf3a3e6b5a31a653fdca508c6dd53fbd6b722ee29bde7dcce9a0d7bb1de778e4976e647a1e1a414c8e1465496ca8ee9b230225

Download Submit
C:\Windows\{8020FB35-9E4E-4ed7-90C6-C4140C412EE1}.exe

Filesize
192KB

MD5
45947096a6e86240f72959056dfeadfe

SHA1
a776a9fee49b90a40bc395cf3c850dd314ab8f95

SHA256
9d4b993c9837122e2fbc5961d5f8e5059ed526351763796e4652f189293c8e22

SHA512
6398e3e1f4ec3ea7d955caf636bf3a3e6b5a31a653fdca508c6dd53fbd6b722ee29bde7dcce9a0d7bb1de778e4976e647a1e1a414c8e1465496ca8ee9b230225

Download Submit
C:\Windows\{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe

Filesize
192KB

MD5
a2eb6ab8ff76c925dcab79d2ae421849

SHA1
fee0a4123ff22eb76ba1911f535dbfd260b6b31d

SHA256
be6d8fbc81e0b979d7130c23f63a07190e00465162494c8510b1bbc50a9e4bb7

SHA512
b71034cea92113a91b18b90445788cc09d9a1e3e081c1741fb9a78e4197206bbc90c30b7a9e1d68c1ba57bdcc7fedb6e3aef70d61f77dd46f8f4c10b33e0faad

Download Submit
C:\Windows\{8D978DB1-3185-4cf8-81AF-C09201E9A6C1}.exe

Filesize
192KB

MD5
a2eb6ab8ff76c925dcab79d2ae421849

SHA1
fee0a4123ff22eb76ba1911f535dbfd260b6b31d

SHA256
be6d8fbc81e0b979d7130c23f63a07190e00465162494c8510b1bbc50a9e4bb7

SHA512
b71034cea92113a91b18b90445788cc09d9a1e3e081c1741fb9a78e4197206bbc90c30b7a9e1d68c1ba57bdcc7fedb6e3aef70d61f77dd46f8f4c10b33e0faad

Download Submit
C:\Windows\{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe

Filesize
192KB

MD5
8fae9ffef86c476d47b6648c38c1b173

SHA1
2081583e55fcf92a3d2f574e140432359306ae3f

SHA256
75f646dcf71c86e6f53a7544c344a35a0aef64fabe19c0cdbd930e8222ce17c7

SHA512
795f52f5d445410a6b5fdd12fe8185d2db5bea63c1aa0cc4ee3c439850a8f16f1f36c5166093acb3ab9108d43c87e01002266e36fc61b7ec2495614ed93aa0db

Download Submit
C:\Windows\{BA49DF7D-6E3A-4977-B804-E171C992A779}.exe

Filesize
192KB

MD5
8fae9ffef86c476d47b6648c38c1b173

SHA1
2081583e55fcf92a3d2f574e140432359306ae3f

SHA256
75f646dcf71c86e6f53a7544c344a35a0aef64fabe19c0cdbd930e8222ce17c7

SHA512
795f52f5d445410a6b5fdd12fe8185d2db5bea63c1aa0cc4ee3c439850a8f16f1f36c5166093acb3ab9108d43c87e01002266e36fc61b7ec2495614ed93aa0db

Download Submit
C:\Windows\{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe

Filesize
192KB

MD5
64be7dc7a57519eff8ca555c3063eee0

SHA1
a0ebb2e4f0170fc37f8cc0aa5f1d7c4ad3ff355d

SHA256
155fdf7733a5c7aede287de73c9a3e4165461305eb16590850fe1e698a1c412d

SHA512
575c81e87cd9621dcdaa6dcb8165208c75a42d11d93c173f09b2b5bd4dbb0d1f3b92afecf943a86b9b51837a6ac6a3cc09e9b39102f5a82425ab83e366766162

Download Submit
C:\Windows\{E1B96E8B-85B8-4f11-A3F3-1455057BCE68}.exe

Filesize
192KB

MD5
64be7dc7a57519eff8ca555c3063eee0

SHA1
a0ebb2e4f0170fc37f8cc0aa5f1d7c4ad3ff355d

SHA256
155fdf7733a5c7aede287de73c9a3e4165461305eb16590850fe1e698a1c412d

SHA512
575c81e87cd9621dcdaa6dcb8165208c75a42d11d93c173f09b2b5bd4dbb0d1f3b92afecf943a86b9b51837a6ac6a3cc09e9b39102f5a82425ab83e366766162

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads