9fa0af75c5fd7b52b808374a9f9720c22a50bcbc13c7e9bcebcdde5e5843a00a

Analysis

max time kernel
162s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.458bb20a23a7271dcaf806b09b31ac20.exe
Size

103KB
MD5

458bb20a23a7271dcaf806b09b31ac20
SHA1

4856b0b56430b132f2b951ef91172273db7701cb
SHA256

9fa0af75c5fd7b52b808374a9f9720c22a50bcbc13c7e9bcebcdde5e5843a00a
SHA512

9ce6235d8bad3f862d412001cfc57011b8395b3ec5421bd3a7fcb82ae287c8a47a92ebd32042b643e6217926e5e7967f2ff3b3d8255c9b0e719d144dab245100
SSDEEP

768:Qvw9816vhKQLroGlu4/wQRNrfrunMxVFA3b7glwRjMlfwGxEIU:YEGh0onl2unMxVS3Hgdor

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40BAE2BE-0F47-47d7-BE63-71D4DD206416}	{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54DB24A6-4711-4b00-8D89-BF7209774EC9}	{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}\stubpath = "C:\\Windows\\{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe"	{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E250C628-29E0-475a-8CE4-9FED8792B2D3}	{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}	{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}\stubpath = "C:\\Windows\\{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe"	{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F271B60-99D5-4873-A608-CC53294424B6}	{890F1407-689F-4811-9CD9-40A2237F6562}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54DB24A6-4711-4b00-8D89-BF7209774EC9}\stubpath = "C:\\Windows\\{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe"	{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66CD012F-5C1A-4175-A3BD-26D5C2377BCB}\stubpath = "C:\\Windows\\{66CD012F-5C1A-4175-A3BD-26D5C2377BCB}.exe"	{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}	{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40BAE2BE-0F47-47d7-BE63-71D4DD206416}\stubpath = "C:\\Windows\\{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe"	{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}	{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66CD012F-5C1A-4175-A3BD-26D5C2377BCB}	{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}\stubpath = "C:\\Windows\\{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe"	{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F271B60-99D5-4873-A608-CC53294424B6}\stubpath = "C:\\Windows\\{3F271B60-99D5-4873-A608-CC53294424B6}.exe"	{890F1407-689F-4811-9CD9-40A2237F6562}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8070D4F6-C6D6-439d-A129-5415F89CDF94}	{3F271B60-99D5-4873-A608-CC53294424B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{890F1407-689F-4811-9CD9-40A2237F6562}\stubpath = "C:\\Windows\\{890F1407-689F-4811-9CD9-40A2237F6562}.exe"	{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8070D4F6-C6D6-439d-A129-5415F89CDF94}\stubpath = "C:\\Windows\\{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe"	{3F271B60-99D5-4873-A608-CC53294424B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}\stubpath = "C:\\Windows\\{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe"	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E250C628-29E0-475a-8CE4-9FED8792B2D3}\stubpath = "C:\\Windows\\{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe"	{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{890F1407-689F-4811-9CD9-40A2237F6562}	{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe

Executes dropped EXE 11 IoCs

pid	Process
2116	{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe
4428	{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe
3356	{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe
1508	{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe
2248	{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe
964	{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe
3928	{890F1407-689F-4811-9CD9-40A2237F6562}.exe
3808	{3F271B60-99D5-4873-A608-CC53294424B6}.exe
3280	{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe
5108	{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe
4692	{66CD012F-5C1A-4175-A3BD-26D5C2377BCB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe
File created	C:\Windows\{3F271B60-99D5-4873-A608-CC53294424B6}.exe	{890F1407-689F-4811-9CD9-40A2237F6562}.exe
File created	C:\Windows\{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe	{3F271B60-99D5-4873-A608-CC53294424B6}.exe
File created	C:\Windows\{66CD012F-5C1A-4175-A3BD-26D5C2377BCB}.exe	{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe
File created	C:\Windows\{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe	{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe
File created	C:\Windows\{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe	{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe
File created	C:\Windows\{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe	{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe
File created	C:\Windows\{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe	{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe
File created	C:\Windows\{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe	{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe
File created	C:\Windows\{890F1407-689F-4811-9CD9-40A2237F6562}.exe	{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe
File created	C:\Windows\{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe	{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4288	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe
Token: SeIncBasePriorityPrivilege	2116	{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe
Token: SeIncBasePriorityPrivilege	4428	{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe
Token: SeIncBasePriorityPrivilege	3356	{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe
Token: SeIncBasePriorityPrivilege	1508	{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe
Token: SeIncBasePriorityPrivilege	2248	{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe
Token: SeIncBasePriorityPrivilege	964	{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe
Token: SeIncBasePriorityPrivilege	3928	{890F1407-689F-4811-9CD9-40A2237F6562}.exe
Token: SeIncBasePriorityPrivilege	3808	{3F271B60-99D5-4873-A608-CC53294424B6}.exe
Token: SeIncBasePriorityPrivilege	3280	{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe
Token: SeIncBasePriorityPrivilege	5108	{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 2116	4288	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	91
PID 4288 wrote to memory of 2116	4288	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	91
PID 4288 wrote to memory of 2116	4288	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	91
PID 4288 wrote to memory of 4988	4288	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	92
PID 4288 wrote to memory of 4988	4288	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	92
PID 4288 wrote to memory of 4988	4288	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	92
PID 2116 wrote to memory of 4428	2116	{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe	98
PID 2116 wrote to memory of 4428	2116	{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe	98
PID 2116 wrote to memory of 4428	2116	{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe	98
PID 2116 wrote to memory of 4080	2116	{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe	99
PID 2116 wrote to memory of 4080	2116	{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe	99
PID 2116 wrote to memory of 4080	2116	{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe	99
PID 4428 wrote to memory of 3356	4428	{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe	104
PID 4428 wrote to memory of 3356	4428	{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe	104
PID 4428 wrote to memory of 3356	4428	{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe	104
PID 4428 wrote to memory of 4220	4428	{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe	105
PID 4428 wrote to memory of 4220	4428	{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe	105
PID 4428 wrote to memory of 4220	4428	{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe	105
PID 3356 wrote to memory of 1508	3356	{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe	112
PID 3356 wrote to memory of 1508	3356	{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe	112
PID 3356 wrote to memory of 1508	3356	{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe	112
PID 3356 wrote to memory of 3380	3356	{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe	113
PID 3356 wrote to memory of 3380	3356	{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe	113
PID 3356 wrote to memory of 3380	3356	{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe	113
PID 1508 wrote to memory of 2248	1508	{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe	114
PID 1508 wrote to memory of 2248	1508	{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe	114
PID 1508 wrote to memory of 2248	1508	{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe	114
PID 1508 wrote to memory of 2076	1508	{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe	115
PID 1508 wrote to memory of 2076	1508	{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe	115
PID 1508 wrote to memory of 2076	1508	{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe	115
PID 2248 wrote to memory of 964	2248	{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe	116
PID 2248 wrote to memory of 964	2248	{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe	116
PID 2248 wrote to memory of 964	2248	{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe	116
PID 2248 wrote to memory of 4428	2248	{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe	117
PID 2248 wrote to memory of 4428	2248	{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe	117
PID 2248 wrote to memory of 4428	2248	{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe	117
PID 964 wrote to memory of 3928	964	{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe	119
PID 964 wrote to memory of 3928	964	{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe	119
PID 964 wrote to memory of 3928	964	{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe	119
PID 964 wrote to memory of 1400	964	{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe	120
PID 964 wrote to memory of 1400	964	{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe	120
PID 964 wrote to memory of 1400	964	{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe	120
PID 3928 wrote to memory of 3808	3928	{890F1407-689F-4811-9CD9-40A2237F6562}.exe	121
PID 3928 wrote to memory of 3808	3928	{890F1407-689F-4811-9CD9-40A2237F6562}.exe	121
PID 3928 wrote to memory of 3808	3928	{890F1407-689F-4811-9CD9-40A2237F6562}.exe	121
PID 3928 wrote to memory of 2876	3928	{890F1407-689F-4811-9CD9-40A2237F6562}.exe	122
PID 3928 wrote to memory of 2876	3928	{890F1407-689F-4811-9CD9-40A2237F6562}.exe	122
PID 3928 wrote to memory of 2876	3928	{890F1407-689F-4811-9CD9-40A2237F6562}.exe	122
PID 3808 wrote to memory of 3280	3808	{3F271B60-99D5-4873-A608-CC53294424B6}.exe	123
PID 3808 wrote to memory of 3280	3808	{3F271B60-99D5-4873-A608-CC53294424B6}.exe	123
PID 3808 wrote to memory of 3280	3808	{3F271B60-99D5-4873-A608-CC53294424B6}.exe	123
PID 3808 wrote to memory of 112	3808	{3F271B60-99D5-4873-A608-CC53294424B6}.exe	124
PID 3808 wrote to memory of 112	3808	{3F271B60-99D5-4873-A608-CC53294424B6}.exe	124
PID 3808 wrote to memory of 112	3808	{3F271B60-99D5-4873-A608-CC53294424B6}.exe	124
PID 3280 wrote to memory of 5108	3280	{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe	125
PID 3280 wrote to memory of 5108	3280	{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe	125
PID 3280 wrote to memory of 5108	3280	{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe	125
PID 3280 wrote to memory of 4188	3280	{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe	126
PID 3280 wrote to memory of 4188	3280	{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe	126
PID 3280 wrote to memory of 4188	3280	{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe	126
PID 5108 wrote to memory of 4692	5108	{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe	127
PID 5108 wrote to memory of 4692	5108	{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe	127
PID 5108 wrote to memory of 4692	5108	{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe	127
PID 5108 wrote to memory of 2044	5108	{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe	128

C:\Users\Admin\AppData\Local\Temp\NEAS.458bb20a23a7271dcaf806b09b31ac20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.458bb20a23a7271dcaf806b09b31ac20.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe
  C:\Windows\{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe
    C:\Windows\{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe
      C:\Windows\{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Windows\{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe
        
        C:\Windows\{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Windows\{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe
        
        C:\Windows\{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe
        
        C:\Windows\{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\{890F1407-689F-4811-9CD9-40A2237F6562}.exe
        
        C:\Windows\{890F1407-689F-4811-9CD9-40A2237F6562}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\{3F271B60-99D5-4873-A608-CC53294424B6}.exe
        
        C:\Windows\{3F271B60-99D5-4873-A608-CC53294424B6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe
        
        C:\Windows\{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe
        
        C:\Windows\{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\{66CD012F-5C1A-4175-A3BD-26D5C2377BCB}.exe
        
        C:\Windows\{66CD012F-5C1A-4175-A3BD-26D5C2377BCB}.exe
        12⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54DB2~1.EXE > nul
        12⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8070D~1.EXE > nul
        11⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F271~1.EXE > nul
        10⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{890F1~1.EXE > nul
        9⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{522ED~1.EXE > nul
        8⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFB09~1.EXE > nul
        7⤵
        
        PID:4428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40BAE~1.EXE > nul
        6⤵
        
        PID:2076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E250C~1.EXE > nul
        5⤵
        
        PID:3380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3CA3C~1.EXE > nul
      4⤵
      PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BD46A~1.EXE > nul
    3⤵
    PID:4080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS45~1.EXE > nul
  2⤵
  PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe

Filesize
103KB

MD5
6707b7c2d950567f995d5c9b0e3bdfcf

SHA1
8ed7752b5847cab25d847275d7abacf57c47c038

SHA256
a25e9a1bd37a7f2ffe80765fb3237484c316432317cd1b75146923899ef736f4

SHA512
360cb4c64a6549d6c09c55462780f54b806fd32b84fd737603e8b3113138fa880ecaa88de2d17c81de6862021c9d6db89b551d35f4a9c6bfc56596fb1d7d386c

Download Submit
C:\Windows\{3CA3C4DE-4825-4022-8555-779D0DCDC1B9}.exe

Filesize
103KB

MD5
6707b7c2d950567f995d5c9b0e3bdfcf

SHA1
8ed7752b5847cab25d847275d7abacf57c47c038

SHA256
a25e9a1bd37a7f2ffe80765fb3237484c316432317cd1b75146923899ef736f4

SHA512
360cb4c64a6549d6c09c55462780f54b806fd32b84fd737603e8b3113138fa880ecaa88de2d17c81de6862021c9d6db89b551d35f4a9c6bfc56596fb1d7d386c

Download Submit
C:\Windows\{3F271B60-99D5-4873-A608-CC53294424B6}.exe

Filesize
103KB

MD5
f4a6cb58cf56d82ff951d17673494b34

SHA1
a117d55ea046911968e530bb64716820cb2e7f7d

SHA256
8f4da9459531101604faf2b175e63916cb5d49de72ab4163c6a64c1e81e54cf0

SHA512
56d9bfb2dc227d11b85e27615d6256f5b13ec1bcce4ca1dde6323f960b309f1b832ec1e5e500038a3164903595763be022954fe27df5d37a773dd5272db0a361

Download Submit
C:\Windows\{3F271B60-99D5-4873-A608-CC53294424B6}.exe

Filesize
103KB

MD5
f4a6cb58cf56d82ff951d17673494b34

SHA1
a117d55ea046911968e530bb64716820cb2e7f7d

SHA256
8f4da9459531101604faf2b175e63916cb5d49de72ab4163c6a64c1e81e54cf0

SHA512
56d9bfb2dc227d11b85e27615d6256f5b13ec1bcce4ca1dde6323f960b309f1b832ec1e5e500038a3164903595763be022954fe27df5d37a773dd5272db0a361

Download Submit
C:\Windows\{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe

Filesize
103KB

MD5
0aee6be8d305a703412ced4ae06261ad

SHA1
6b09e678f45d4697f72e74a22df9d2f84e8feefb

SHA256
d0bea4cfd38c86bad1c47d0316f46d2c716c70195c7633ea929a6faafed14658

SHA512
2c8701c50228f511acbffc95e05a04121e84e09d5f126e2427d4e7e99a0cf2b1683f9911da4279948a0760bdda441d18ddc5ccf4aec9b1d572d14e780c58dc84

Download Submit
C:\Windows\{40BAE2BE-0F47-47d7-BE63-71D4DD206416}.exe

Filesize
103KB

MD5
0aee6be8d305a703412ced4ae06261ad

SHA1
6b09e678f45d4697f72e74a22df9d2f84e8feefb

SHA256
d0bea4cfd38c86bad1c47d0316f46d2c716c70195c7633ea929a6faafed14658

SHA512
2c8701c50228f511acbffc95e05a04121e84e09d5f126e2427d4e7e99a0cf2b1683f9911da4279948a0760bdda441d18ddc5ccf4aec9b1d572d14e780c58dc84

Download Submit
C:\Windows\{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe

Filesize
103KB

MD5
3543d1e4613149ea6fc1d3516a9dbe52

SHA1
73855fdfce857e7c52e5ab1c72818e1dc86c2594

SHA256
6995d4e7a3d1377eaae3e2abd2d87a96b53db1b7f43a4689eb56c02c0b27aa74

SHA512
7bdaa3a0903a937e08ffb38f4510473855ec4f3b3217d930a8f9ba8ee83cfbe577ddb577dc642c0c763ed5a44abe1fca628dfa8d1e93b4b818ba48d169cbf8ea

Download Submit
C:\Windows\{522ED2EA-1D2D-4374-94F2-AB953FB1B5BE}.exe

Filesize
103KB

MD5
3543d1e4613149ea6fc1d3516a9dbe52

SHA1
73855fdfce857e7c52e5ab1c72818e1dc86c2594

SHA256
6995d4e7a3d1377eaae3e2abd2d87a96b53db1b7f43a4689eb56c02c0b27aa74

SHA512
7bdaa3a0903a937e08ffb38f4510473855ec4f3b3217d930a8f9ba8ee83cfbe577ddb577dc642c0c763ed5a44abe1fca628dfa8d1e93b4b818ba48d169cbf8ea

Download Submit
C:\Windows\{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe

Filesize
103KB

MD5
1a7e4aeec8a7cc4ab5b1fa2cfd2963b3

SHA1
85f624caa46fd9f065f4284f5702783a84b3a697

SHA256
49b41cf03b4ca157d229ef5cd0fed995d24a6eafbb6b238ed4fa989690c72f65

SHA512
cab982bff6c7da9bae9f7c7006e5147bc035b517449776ff687c13afb3e7a123be2680c52b63a757c5efaeb87544864daf7353fe293c0388869570838a7256dd

Download Submit
C:\Windows\{54DB24A6-4711-4b00-8D89-BF7209774EC9}.exe

Filesize
103KB

MD5
1a7e4aeec8a7cc4ab5b1fa2cfd2963b3

SHA1
85f624caa46fd9f065f4284f5702783a84b3a697

SHA256
49b41cf03b4ca157d229ef5cd0fed995d24a6eafbb6b238ed4fa989690c72f65

SHA512
cab982bff6c7da9bae9f7c7006e5147bc035b517449776ff687c13afb3e7a123be2680c52b63a757c5efaeb87544864daf7353fe293c0388869570838a7256dd

Download Submit
C:\Windows\{66CD012F-5C1A-4175-A3BD-26D5C2377BCB}.exe

Filesize
103KB

MD5
80b100a5be2e5a30da527bcda7412a01

SHA1
bc2b39fe675739034f678920bd8bd1fd10883a95

SHA256
f226e64fa47a403f18ae96476503d71761affb9a6501cab16e9f5ab496718f8a

SHA512
e4ad4627cdbbce82bf87e56a2cae2a1896494c997a4a41a285373bd19de93d5417c9c21ded8320a9589b1782b2793e186a7145fa4b4b1e6470eae15585d1bd75

Download Submit
C:\Windows\{66CD012F-5C1A-4175-A3BD-26D5C2377BCB}.exe

Filesize
103KB

MD5
80b100a5be2e5a30da527bcda7412a01

SHA1
bc2b39fe675739034f678920bd8bd1fd10883a95

SHA256
f226e64fa47a403f18ae96476503d71761affb9a6501cab16e9f5ab496718f8a

SHA512
e4ad4627cdbbce82bf87e56a2cae2a1896494c997a4a41a285373bd19de93d5417c9c21ded8320a9589b1782b2793e186a7145fa4b4b1e6470eae15585d1bd75

Download Submit
C:\Windows\{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe

Filesize
103KB

MD5
92784e2636ae51e1b9d075700cce3b68

SHA1
e20db1fda7ac90f7ed7e094cb2fdc65a7912ac4b

SHA256
349e1343a4bb8f0f0925c5d0a1681a5a617146f52e5cbe721dc2add9870d9ca2

SHA512
5310d7623d053eee1fe2eb3df3a1ded37f056c7ff91fe0934af729ab0e2ec4f3094ac8e9f53012c53acf772cd7747140f08cc39f0e5b4b428174ae599a96c359

Download Submit
C:\Windows\{8070D4F6-C6D6-439d-A129-5415F89CDF94}.exe

Filesize
103KB

MD5
92784e2636ae51e1b9d075700cce3b68

SHA1
e20db1fda7ac90f7ed7e094cb2fdc65a7912ac4b

SHA256
349e1343a4bb8f0f0925c5d0a1681a5a617146f52e5cbe721dc2add9870d9ca2

SHA512
5310d7623d053eee1fe2eb3df3a1ded37f056c7ff91fe0934af729ab0e2ec4f3094ac8e9f53012c53acf772cd7747140f08cc39f0e5b4b428174ae599a96c359

Download Submit
C:\Windows\{890F1407-689F-4811-9CD9-40A2237F6562}.exe

Filesize
103KB

MD5
88c57cb9406a74af638933bbc39e917b

SHA1
5393a6331955a42c9686c7ffe244ed0825d3070a

SHA256
53d6fa667daa2d627d9bb3ce06a8643c17947c726e96e619ad599d9251889d1a

SHA512
b3aa293284e749264c1e562e9e2b74a4e05a380becdf91b58a52de7d81187e5c9150b1078d862f06078228fefe56169b07226b988b6e9f7293b2f6dd442f1df9

Download Submit
C:\Windows\{890F1407-689F-4811-9CD9-40A2237F6562}.exe

Filesize
103KB

MD5
88c57cb9406a74af638933bbc39e917b

SHA1
5393a6331955a42c9686c7ffe244ed0825d3070a

SHA256
53d6fa667daa2d627d9bb3ce06a8643c17947c726e96e619ad599d9251889d1a

SHA512
b3aa293284e749264c1e562e9e2b74a4e05a380becdf91b58a52de7d81187e5c9150b1078d862f06078228fefe56169b07226b988b6e9f7293b2f6dd442f1df9

Download Submit
C:\Windows\{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe

Filesize
103KB

MD5
6999f5a76cada2b64e4bd2ccaf0978e1

SHA1
8bbd25c4dfda3dc86b28cc80184682a3c6c66030

SHA256
d757aecca1c2b2a514a26626daab995748c85bb823c5a6beabf5364759d64182

SHA512
0b619329adcfc464b7d3f520a73de6f4f154ccc2c8a49aa4ef5d96a62752f6fa2fb41a5bb0e85f911a895630c9a6942d4e129ff3c19505a6cfde0a4ab1687037

Download Submit
C:\Windows\{BD46AA31-062C-4d11-9AD5-679E0C2ADBF8}.exe

Filesize
103KB

MD5
6999f5a76cada2b64e4bd2ccaf0978e1

SHA1
8bbd25c4dfda3dc86b28cc80184682a3c6c66030

SHA256
d757aecca1c2b2a514a26626daab995748c85bb823c5a6beabf5364759d64182

SHA512
0b619329adcfc464b7d3f520a73de6f4f154ccc2c8a49aa4ef5d96a62752f6fa2fb41a5bb0e85f911a895630c9a6942d4e129ff3c19505a6cfde0a4ab1687037

Download Submit
C:\Windows\{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe

Filesize
103KB

MD5
c0e3b6ad95c4b0469af049e386012452

SHA1
5dcf80240d54810c683121c7e514c442ade0fd59

SHA256
0b5200bad0c6ea8563b0f4589749c43dd0eb56451c79c92a929177405e0960de

SHA512
5015734296f6da36899d07f8f01fecf4e4c9c6485c45f61de67ee374017e971e8f0f9fb773378d5be1d128204b28559f802960bad6b982fb83842651d69514b7

Download Submit
C:\Windows\{CFB09671-CF0D-4ad3-9D6E-95E7AB59CB28}.exe

Filesize
103KB

MD5
c0e3b6ad95c4b0469af049e386012452

SHA1
5dcf80240d54810c683121c7e514c442ade0fd59

SHA256
0b5200bad0c6ea8563b0f4589749c43dd0eb56451c79c92a929177405e0960de

SHA512
5015734296f6da36899d07f8f01fecf4e4c9c6485c45f61de67ee374017e971e8f0f9fb773378d5be1d128204b28559f802960bad6b982fb83842651d69514b7

Download Submit
C:\Windows\{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe

Filesize
103KB

MD5
d83b9bb1c458d5fad3bc82058e56cf4f

SHA1
cd2a58b794cd6fd26aa2925cb028548645111738

SHA256
df9b46b782f8ac5c2ef5bbbe405af657e92d20ff7c3ab857ceee33fbcacfb783

SHA512
819ec4f2797bb0acc388fd2eaa08625ed287ae1b2399d5af406a7d35e7f7f571982fb301a5b792ea2f899267616be3364abe6b75c351a80dfb3fbe5d0bb8d5c2

Download Submit
C:\Windows\{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe

Filesize
103KB

MD5
d83b9bb1c458d5fad3bc82058e56cf4f

SHA1
cd2a58b794cd6fd26aa2925cb028548645111738

SHA256
df9b46b782f8ac5c2ef5bbbe405af657e92d20ff7c3ab857ceee33fbcacfb783

SHA512
819ec4f2797bb0acc388fd2eaa08625ed287ae1b2399d5af406a7d35e7f7f571982fb301a5b792ea2f899267616be3364abe6b75c351a80dfb3fbe5d0bb8d5c2

Download Submit
C:\Windows\{E250C628-29E0-475a-8CE4-9FED8792B2D3}.exe

Filesize
103KB

MD5
d83b9bb1c458d5fad3bc82058e56cf4f

SHA1
cd2a58b794cd6fd26aa2925cb028548645111738

SHA256
df9b46b782f8ac5c2ef5bbbe405af657e92d20ff7c3ab857ceee33fbcacfb783

SHA512
819ec4f2797bb0acc388fd2eaa08625ed287ae1b2399d5af406a7d35e7f7f571982fb301a5b792ea2f899267616be3364abe6b75c351a80dfb3fbe5d0bb8d5c2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads