6edbd7ecfa40c136f6b86dcb516d020bfbc52a8ff3a00b18709485d8f6462b94

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 14:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bcee8b8a61069170ded5351e4adcd830.exe
Size

80KB
MD5

bcee8b8a61069170ded5351e4adcd830
SHA1

3c986fa047b6db8318d4adfb312c358417b66843
SHA256

6edbd7ecfa40c136f6b86dcb516d020bfbc52a8ff3a00b18709485d8f6462b94
SHA512

9e171be13b47ec533cdae329b685ac5249d6fa2225e53feefac52a1d972a804fefdf6bd1036431930905ec099c4ef186d12cfb04e57548b2ff170653ee2edf54
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroB4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOV:vvw9816vhKQLroB4/wQRNrfrunMxVFAi

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A853481-E112-448c-9FC9-C52E260E4257}	{5D47189D-C6DC-4094-8009-4B904326430E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41A2767C-C741-45bd-9F66-F974C56E5B16}	{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7216F571-D736-46f0-B484-D65C6E0D3E8E}\stubpath = "C:\\Windows\\{7216F571-D736-46f0-B484-D65C6E0D3E8E}.exe"	{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A853481-E112-448c-9FC9-C52E260E4257}\stubpath = "C:\\Windows\\{4A853481-E112-448c-9FC9-C52E260E4257}.exe"	{5D47189D-C6DC-4094-8009-4B904326430E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02E4B563-ACFE-4213-86AE-97045D8B683C}\stubpath = "C:\\Windows\\{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe"	{4A853481-E112-448c-9FC9-C52E260E4257}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}	{41A2767C-C741-45bd-9F66-F974C56E5B16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7216F571-D736-46f0-B484-D65C6E0D3E8E}	{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A9405B7-69C4-4090-9474-BFE62F896992}\stubpath = "C:\\Windows\\{3A9405B7-69C4-4090-9474-BFE62F896992}.exe"	NEAS.bcee8b8a61069170ded5351e4adcd830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}\stubpath = "C:\\Windows\\{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe"	{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D47189D-C6DC-4094-8009-4B904326430E}	{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D47189D-C6DC-4094-8009-4B904326430E}\stubpath = "C:\\Windows\\{5D47189D-C6DC-4094-8009-4B904326430E}.exe"	{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00FFA174-547D-4889-935D-97AD69796743}	{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41A2767C-C741-45bd-9F66-F974C56E5B16}\stubpath = "C:\\Windows\\{41A2767C-C741-45bd-9F66-F974C56E5B16}.exe"	{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A9405B7-69C4-4090-9474-BFE62F896992}	NEAS.bcee8b8a61069170ded5351e4adcd830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}	{3A9405B7-69C4-4090-9474-BFE62F896992}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}\stubpath = "C:\\Windows\\{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe"	{3A9405B7-69C4-4090-9474-BFE62F896992}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}	{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}\stubpath = "C:\\Windows\\{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}.exe"	{41A2767C-C741-45bd-9F66-F974C56E5B16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00FFA174-547D-4889-935D-97AD69796743}\stubpath = "C:\\Windows\\{00FFA174-547D-4889-935D-97AD69796743}.exe"	{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E79774DF-B235-4daa-9654-F07A0C0D16B4}	{00FFA174-547D-4889-935D-97AD69796743}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E79774DF-B235-4daa-9654-F07A0C0D16B4}\stubpath = "C:\\Windows\\{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe"	{00FFA174-547D-4889-935D-97AD69796743}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02E4B563-ACFE-4213-86AE-97045D8B683C}	{4A853481-E112-448c-9FC9-C52E260E4257}.exe

Executes dropped EXE 10 IoCs

pid	Process
4900	{3A9405B7-69C4-4090-9474-BFE62F896992}.exe
4676	{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe
3304	{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe
2204	{00FFA174-547D-4889-935D-97AD69796743}.exe
736	{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe
3472	{5D47189D-C6DC-4094-8009-4B904326430E}.exe
2236	{4A853481-E112-448c-9FC9-C52E260E4257}.exe
1616	{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe
2748	{41A2767C-C741-45bd-9F66-F974C56E5B16}.exe
1488	{7216F571-D736-46f0-B484-D65C6E0D3E8E}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{3A9405B7-69C4-4090-9474-BFE62F896992}.exe	NEAS.bcee8b8a61069170ded5351e4adcd830.exe
File created	C:\Windows\{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe	{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe
File created	C:\Windows\{5D47189D-C6DC-4094-8009-4B904326430E}.exe	{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe
File created	C:\Windows\{4A853481-E112-448c-9FC9-C52E260E4257}.exe	{5D47189D-C6DC-4094-8009-4B904326430E}.exe
File created	C:\Windows\{41A2767C-C741-45bd-9F66-F974C56E5B16}.exe	{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe
File created	C:\Windows\{7216F571-D736-46f0-B484-D65C6E0D3E8E}.exe	{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}.exe
File created	C:\Windows\{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe	{3A9405B7-69C4-4090-9474-BFE62F896992}.exe
File created	C:\Windows\{00FFA174-547D-4889-935D-97AD69796743}.exe	{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe
File created	C:\Windows\{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe	{00FFA174-547D-4889-935D-97AD69796743}.exe
File created	C:\Windows\{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe	{4A853481-E112-448c-9FC9-C52E260E4257}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2896	NEAS.bcee8b8a61069170ded5351e4adcd830.exe
Token: SeIncBasePriorityPrivilege	4900	{3A9405B7-69C4-4090-9474-BFE62F896992}.exe
Token: SeIncBasePriorityPrivilege	4676	{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe
Token: SeIncBasePriorityPrivilege	3304	{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe
Token: SeIncBasePriorityPrivilege	2204	{00FFA174-547D-4889-935D-97AD69796743}.exe
Token: SeIncBasePriorityPrivilege	736	{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe
Token: SeIncBasePriorityPrivilege	3472	{5D47189D-C6DC-4094-8009-4B904326430E}.exe
Token: SeIncBasePriorityPrivilege	2236	{4A853481-E112-448c-9FC9-C52E260E4257}.exe
Token: SeIncBasePriorityPrivilege	1616	{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe
Token: SeManageVolumePrivilege	2620	svchost.exe
Token: SeIncBasePriorityPrivilege	1508	{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 4900	2896	NEAS.bcee8b8a61069170ded5351e4adcd830.exe	93
PID 2896 wrote to memory of 4900	2896	NEAS.bcee8b8a61069170ded5351e4adcd830.exe	93
PID 2896 wrote to memory of 4900	2896	NEAS.bcee8b8a61069170ded5351e4adcd830.exe	93
PID 2896 wrote to memory of 2340	2896	NEAS.bcee8b8a61069170ded5351e4adcd830.exe	94
PID 2896 wrote to memory of 2340	2896	NEAS.bcee8b8a61069170ded5351e4adcd830.exe	94
PID 2896 wrote to memory of 2340	2896	NEAS.bcee8b8a61069170ded5351e4adcd830.exe	94
PID 4900 wrote to memory of 4676	4900	{3A9405B7-69C4-4090-9474-BFE62F896992}.exe	98
PID 4900 wrote to memory of 4676	4900	{3A9405B7-69C4-4090-9474-BFE62F896992}.exe	98
PID 4900 wrote to memory of 4676	4900	{3A9405B7-69C4-4090-9474-BFE62F896992}.exe	98
PID 4900 wrote to memory of 1916	4900	{3A9405B7-69C4-4090-9474-BFE62F896992}.exe	99
PID 4900 wrote to memory of 1916	4900	{3A9405B7-69C4-4090-9474-BFE62F896992}.exe	99
PID 4900 wrote to memory of 1916	4900	{3A9405B7-69C4-4090-9474-BFE62F896992}.exe	99
PID 4676 wrote to memory of 3304	4676	{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe	104
PID 4676 wrote to memory of 3304	4676	{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe	104
PID 4676 wrote to memory of 3304	4676	{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe	104
PID 4676 wrote to memory of 2708	4676	{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe	103
PID 4676 wrote to memory of 2708	4676	{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe	103
PID 4676 wrote to memory of 2708	4676	{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe	103
PID 3304 wrote to memory of 2204	3304	{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe	111
PID 3304 wrote to memory of 2204	3304	{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe	111
PID 3304 wrote to memory of 2204	3304	{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe	111
PID 3304 wrote to memory of 4876	3304	{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe	112
PID 3304 wrote to memory of 4876	3304	{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe	112
PID 3304 wrote to memory of 4876	3304	{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe	112
PID 2204 wrote to memory of 736	2204	{00FFA174-547D-4889-935D-97AD69796743}.exe	114
PID 2204 wrote to memory of 736	2204	{00FFA174-547D-4889-935D-97AD69796743}.exe	114
PID 2204 wrote to memory of 736	2204	{00FFA174-547D-4889-935D-97AD69796743}.exe	114
PID 2204 wrote to memory of 4876	2204	{00FFA174-547D-4889-935D-97AD69796743}.exe	113
PID 2204 wrote to memory of 4876	2204	{00FFA174-547D-4889-935D-97AD69796743}.exe	113
PID 2204 wrote to memory of 4876	2204	{00FFA174-547D-4889-935D-97AD69796743}.exe	113
PID 736 wrote to memory of 3472	736	{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe	115
PID 736 wrote to memory of 3472	736	{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe	115
PID 736 wrote to memory of 3472	736	{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe	115
PID 736 wrote to memory of 4968	736	{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe	116
PID 736 wrote to memory of 4968	736	{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe	116
PID 736 wrote to memory of 4968	736	{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe	116
PID 3472 wrote to memory of 2236	3472	{5D47189D-C6DC-4094-8009-4B904326430E}.exe	118
PID 3472 wrote to memory of 2236	3472	{5D47189D-C6DC-4094-8009-4B904326430E}.exe	118
PID 3472 wrote to memory of 2236	3472	{5D47189D-C6DC-4094-8009-4B904326430E}.exe	118
PID 3472 wrote to memory of 4356	3472	{5D47189D-C6DC-4094-8009-4B904326430E}.exe	119
PID 3472 wrote to memory of 4356	3472	{5D47189D-C6DC-4094-8009-4B904326430E}.exe	119
PID 3472 wrote to memory of 4356	3472	{5D47189D-C6DC-4094-8009-4B904326430E}.exe	119
PID 2236 wrote to memory of 1616	2236	{4A853481-E112-448c-9FC9-C52E260E4257}.exe	121
PID 2236 wrote to memory of 1616	2236	{4A853481-E112-448c-9FC9-C52E260E4257}.exe	121
PID 2236 wrote to memory of 1616	2236	{4A853481-E112-448c-9FC9-C52E260E4257}.exe	121
PID 2236 wrote to memory of 4544	2236	{4A853481-E112-448c-9FC9-C52E260E4257}.exe	120
PID 2236 wrote to memory of 4544	2236	{4A853481-E112-448c-9FC9-C52E260E4257}.exe	120
PID 2236 wrote to memory of 4544	2236	{4A853481-E112-448c-9FC9-C52E260E4257}.exe	120
PID 1616 wrote to memory of 2748	1616	{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe	122
PID 1616 wrote to memory of 2748	1616	{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe	122
PID 1616 wrote to memory of 2748	1616	{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe	122
PID 1616 wrote to memory of 3792	1616	{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe	123
PID 1616 wrote to memory of 3792	1616	{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe	123
PID 1616 wrote to memory of 3792	1616	{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe	123
PID 1508 wrote to memory of 1488	1508	{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}.exe	132
PID 1508 wrote to memory of 1488	1508	{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}.exe	132
PID 1508 wrote to memory of 1488	1508	{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}.exe	132
PID 1508 wrote to memory of 1624	1508	{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}.exe	131
PID 1508 wrote to memory of 1624	1508	{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}.exe	131
PID 1508 wrote to memory of 1624	1508	{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}.exe	131

C:\Users\Admin\AppData\Local\Temp\NEAS.bcee8b8a61069170ded5351e4adcd830.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bcee8b8a61069170ded5351e4adcd830.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\{3A9405B7-69C4-4090-9474-BFE62F896992}.exe
  C:\Windows\{3A9405B7-69C4-4090-9474-BFE62F896992}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe
    C:\Windows\{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D02A1~1.EXE > nul
      4⤵
      PID:2708
  - - C:\Windows\{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe
      C:\Windows\{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Windows\{00FFA174-547D-4889-935D-97AD69796743}.exe
        
        C:\Windows\{00FFA174-547D-4889-935D-97AD69796743}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00FFA~1.EXE > nul
        6⤵
        
        PID:4876
      - C:\Windows\{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe
        
        C:\Windows\{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\{5D47189D-C6DC-4094-8009-4B904326430E}.exe
        
        C:\Windows\{5D47189D-C6DC-4094-8009-4B904326430E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\{4A853481-E112-448c-9FC9-C52E260E4257}.exe
        
        C:\Windows\{4A853481-E112-448c-9FC9-C52E260E4257}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A853~1.EXE > nul
        9⤵
        
        PID:4544
        
        C:\Windows\{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe
        
        C:\Windows\{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{41A2767C-C741-45bd-9F66-F974C56E5B16}.exe
        
        C:\Windows\{41A2767C-C741-45bd-9F66-F974C56E5B16}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41A27~1.EXE > nul
        11⤵
        
        PID:5076
        
        C:\Windows\{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}.exe
        
        C:\Windows\{97DCBF8F-DB58-4ab6-8739-3D6A29739E20}.exe
        11⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97DCB~1.EXE > nul
        12⤵
        
        PID:1624
        
        C:\Windows\{7216F571-D736-46f0-B484-D65C6E0D3E8E}.exe
        
        C:\Windows\{7216F571-D736-46f0-B484-D65C6E0D3E8E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02E4B~1.EXE > nul
        10⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D471~1.EXE > nul
        8⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7977~1.EXE > nul
        7⤵
        
        PID:4968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5D92~1.EXE > nul
        5⤵
        
        PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3A940~1.EXE > nul
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEASBC~1.EXE > nul
  2⤵
  PID:2340

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
e992990d6e68b72e8788f060e58de678

SHA1
f582827df8d000cf35aef408fbb7b8c6c50ddb1c

SHA256
34260a98306536377c6710a7447c4ce88aa03da1bc5026de2981a89becc299cb

SHA512
57ce7afe1ca740c7a3df6a5cd5127624c42adadd8dfa6ec5766168b75ebb3ce91cde0967d57b75a73b7e098241e0a054f9d3b553a4e875573fa779bfbb418722

Download Submit
C:\Windows\{00FFA174-547D-4889-935D-97AD69796743}.exe

Filesize
80KB

MD5
0d5ccff8896f03f495022588037924e8

SHA1
89acd80c394a886efc621b95bb7b8ad2f51a7f47

SHA256
e77e0a31e72c0bd6f7d92506e5e2dfc97d0c6d41c5456e8e8b28277a8262a27c

SHA512
a58a9c726dece840078ee600abc2d1208abb67810b7bb905e41f57e296849c61c57fbd6a87d0216a9c3d90f004fca95e0ccf609da0de7802261df7501d9559d6

Download Submit
C:\Windows\{00FFA174-547D-4889-935D-97AD69796743}.exe

Filesize
80KB

MD5
0d5ccff8896f03f495022588037924e8

SHA1
89acd80c394a886efc621b95bb7b8ad2f51a7f47

SHA256
e77e0a31e72c0bd6f7d92506e5e2dfc97d0c6d41c5456e8e8b28277a8262a27c

SHA512
a58a9c726dece840078ee600abc2d1208abb67810b7bb905e41f57e296849c61c57fbd6a87d0216a9c3d90f004fca95e0ccf609da0de7802261df7501d9559d6

Download Submit
C:\Windows\{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe

Filesize
80KB

MD5
e4e63f8ee7ef176f25a9b9f2d3092ee6

SHA1
cc472d270466167140e7bf36f01afb9fc76e3931

SHA256
2c568001847645f3305be9fde9f4fa60c786714555ab8a44946d0cb58fb8b281

SHA512
3bb2f2fd6085eed044ff354673a1316e56d814f81e2595834a5182dbafc627a37c24e29c1fff78682e4d9cc23ddcb375dcf012afaceef400f59300515db07494

Download Submit
C:\Windows\{02E4B563-ACFE-4213-86AE-97045D8B683C}.exe

Filesize
80KB

MD5
e4e63f8ee7ef176f25a9b9f2d3092ee6

SHA1
cc472d270466167140e7bf36f01afb9fc76e3931

SHA256
2c568001847645f3305be9fde9f4fa60c786714555ab8a44946d0cb58fb8b281

SHA512
3bb2f2fd6085eed044ff354673a1316e56d814f81e2595834a5182dbafc627a37c24e29c1fff78682e4d9cc23ddcb375dcf012afaceef400f59300515db07494

Download Submit
C:\Windows\{3A9405B7-69C4-4090-9474-BFE62F896992}.exe

Filesize
80KB

MD5
8a5d08d5a3a5798bbf41687e6ea96558

SHA1
ce919c0df58734dd07acf602bec751c3f8c07b33

SHA256
36df5f122e0d3a3aa768b8b4f45933dd87e0697f7081082c55aa3a2a28f39cb1

SHA512
b7ff0fd0ee2d7226e77377a20ed93c967b53e358547d1c8e9ce4975518ae0c35878969c76aaed73813654f136ca0bdd4fd6d777eefb34adc3fa2e5c3876584f4

Download Submit
C:\Windows\{3A9405B7-69C4-4090-9474-BFE62F896992}.exe

Filesize
80KB

MD5
8a5d08d5a3a5798bbf41687e6ea96558

SHA1
ce919c0df58734dd07acf602bec751c3f8c07b33

SHA256
36df5f122e0d3a3aa768b8b4f45933dd87e0697f7081082c55aa3a2a28f39cb1

SHA512
b7ff0fd0ee2d7226e77377a20ed93c967b53e358547d1c8e9ce4975518ae0c35878969c76aaed73813654f136ca0bdd4fd6d777eefb34adc3fa2e5c3876584f4

Download Submit
C:\Windows\{41A2767C-C741-45bd-9F66-F974C56E5B16}.exe

Filesize
80KB

MD5
10cf4a54e5bbf950a1f05095248f0fe2

SHA1
28c77599cafe24392cba9952127d7f6accd53232

SHA256
17ad0aac8c9064cfb80ba57f3e1a840405657bd9669c3a8a951abdea017812d3

SHA512
bc9a35b8e7ded7d0a78895cd3f5918b8d4ba2997cb29edabe700b2a97020b93deb8e63ebe92ccc8a0a7c34e6fbe9b944edbd1956c03ce382479c007526e0fe7b

Download Submit
C:\Windows\{41A2767C-C741-45bd-9F66-F974C56E5B16}.exe

Filesize
80KB

MD5
10cf4a54e5bbf950a1f05095248f0fe2

SHA1
28c77599cafe24392cba9952127d7f6accd53232

SHA256
17ad0aac8c9064cfb80ba57f3e1a840405657bd9669c3a8a951abdea017812d3

SHA512
bc9a35b8e7ded7d0a78895cd3f5918b8d4ba2997cb29edabe700b2a97020b93deb8e63ebe92ccc8a0a7c34e6fbe9b944edbd1956c03ce382479c007526e0fe7b

Download Submit
C:\Windows\{4A853481-E112-448c-9FC9-C52E260E4257}.exe

Filesize
80KB

MD5
2f74c96988c721089866839b81bee930

SHA1
d12c3afaf76f79333ea340c758f8dc4cff573088

SHA256
73a34438a530de38e32a444c30c4fc98b10cc88346c8bbb8e3675a9a138320d6

SHA512
7c331406c80175336b373f859d6698ac7aea43693b0e007b6974ad2fc3f8e2a5e37462093c851e89d704e5b9fd89af7ff0220d726f59c4971af62c0422acbda9

Download Submit
C:\Windows\{4A853481-E112-448c-9FC9-C52E260E4257}.exe

Filesize
80KB

MD5
2f74c96988c721089866839b81bee930

SHA1
d12c3afaf76f79333ea340c758f8dc4cff573088

SHA256
73a34438a530de38e32a444c30c4fc98b10cc88346c8bbb8e3675a9a138320d6

SHA512
7c331406c80175336b373f859d6698ac7aea43693b0e007b6974ad2fc3f8e2a5e37462093c851e89d704e5b9fd89af7ff0220d726f59c4971af62c0422acbda9

Download Submit
C:\Windows\{5D47189D-C6DC-4094-8009-4B904326430E}.exe

Filesize
80KB

MD5
9f4071b56e9f0f9db537e7538a28a616

SHA1
e93cbcb2c6b4fe3f6c2a81af2c469041a90e9b28

SHA256
627b16498aeeb0f60c273f278187c839c0d51a80f2fdddb58317c9c09981bc59

SHA512
4f8540564818341c1dfb8fac8af267904c9f280cd1496521f63c71e4921f10733fe8446a5a6c3ebef14b1bee6fb3f211d078b1ae96548d1cf1b4b8bc8df0e291

Download Submit
C:\Windows\{5D47189D-C6DC-4094-8009-4B904326430E}.exe

Filesize
80KB

MD5
9f4071b56e9f0f9db537e7538a28a616

SHA1
e93cbcb2c6b4fe3f6c2a81af2c469041a90e9b28

SHA256
627b16498aeeb0f60c273f278187c839c0d51a80f2fdddb58317c9c09981bc59

SHA512
4f8540564818341c1dfb8fac8af267904c9f280cd1496521f63c71e4921f10733fe8446a5a6c3ebef14b1bee6fb3f211d078b1ae96548d1cf1b4b8bc8df0e291

Download Submit
C:\Windows\{7216F571-D736-46f0-B484-D65C6E0D3E8E}.exe

Filesize
80KB

MD5
807547a0b69cd9b6e06cb7333acc2393

SHA1
100d3236b5651f290e5fd95b78ee8efed1e0d8d0

SHA256
f84680545eb874ea96f57f8c88d9fd1e4a14b3e83c1ac1a96d11fd4fc746100f

SHA512
808d1a2a644b32dc8d99bcf1b81e28cdbd2232da1c4a1f496e2c9365d1c1e606eff520ca30ce11a269d2b9c071c9f7d79840353e0e058718618d8e060bb9acfd

Download Submit
C:\Windows\{7216F571-D736-46f0-B484-D65C6E0D3E8E}.exe

Filesize
80KB

MD5
807547a0b69cd9b6e06cb7333acc2393

SHA1
100d3236b5651f290e5fd95b78ee8efed1e0d8d0

SHA256
f84680545eb874ea96f57f8c88d9fd1e4a14b3e83c1ac1a96d11fd4fc746100f

SHA512
808d1a2a644b32dc8d99bcf1b81e28cdbd2232da1c4a1f496e2c9365d1c1e606eff520ca30ce11a269d2b9c071c9f7d79840353e0e058718618d8e060bb9acfd

Download Submit
C:\Windows\{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe

Filesize
80KB

MD5
6f46c0ae312756e0d0a6f50b50c560cc

SHA1
09b80ff7fb930ffd76500cca56ed0ba7bd4ded8d

SHA256
febf01ef832ced10743c828ac532f2ad1a5e1c9912a592f1e813d415ccf5211c

SHA512
81933000dcb151721f3dfd6c8a5549343696a7a28e8a3d0f44a01fa76d9b9b1d951152e45e69b71c204ced50a7e0d7375f3d1e3572ecdf67381346a11c4a2be5

Download Submit
C:\Windows\{D02A1ACE-5D69-4e79-95E5-D5DFD200A462}.exe

Filesize
80KB

MD5
6f46c0ae312756e0d0a6f50b50c560cc

SHA1
09b80ff7fb930ffd76500cca56ed0ba7bd4ded8d

SHA256
febf01ef832ced10743c828ac532f2ad1a5e1c9912a592f1e813d415ccf5211c

SHA512
81933000dcb151721f3dfd6c8a5549343696a7a28e8a3d0f44a01fa76d9b9b1d951152e45e69b71c204ced50a7e0d7375f3d1e3572ecdf67381346a11c4a2be5

Download Submit
C:\Windows\{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe

Filesize
80KB

MD5
c0b3479579e20d3f5c38ad7c28cfad7f

SHA1
dbcb62c1fe662da5a9156f3a3f0c8a6d985ce293

SHA256
34ee4dfc34b39963cdb797d0a5aa5c732a9e2dd783fb23890eee04806e474fa2

SHA512
4e4ea844a4c3e7ef1314ca03ecd864b24cae7a2a4eae8151301f8145f28028ff8922c9fe45d31b1e21fe912fdcfcbe395a3be308a8228e540612d78933cc8066

Download Submit
C:\Windows\{E79774DF-B235-4daa-9654-F07A0C0D16B4}.exe

Filesize
80KB

MD5
c0b3479579e20d3f5c38ad7c28cfad7f

SHA1
dbcb62c1fe662da5a9156f3a3f0c8a6d985ce293

SHA256
34ee4dfc34b39963cdb797d0a5aa5c732a9e2dd783fb23890eee04806e474fa2

SHA512
4e4ea844a4c3e7ef1314ca03ecd864b24cae7a2a4eae8151301f8145f28028ff8922c9fe45d31b1e21fe912fdcfcbe395a3be308a8228e540612d78933cc8066

Download Submit
C:\Windows\{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe

Filesize
80KB

MD5
204ecd56d31449dbb3f67fe71296a314

SHA1
97448ae3d22f16a6343b6a35859a3965cc5495f0

SHA256
0a1e4089e032fbafe3575b3dd4c8381557e636f92df8cced42dfa9439bb6ddd9

SHA512
24307f77b2e86d2ce9863d141056bd709e8d6d957f824c3aca4af2ae54bc9c075e517ca1166a281d223d754cd91bbd3c0612cb0b8ec43c90f916a8aecb2b2b00

Download Submit
C:\Windows\{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe

Filesize
80KB

MD5
204ecd56d31449dbb3f67fe71296a314

SHA1
97448ae3d22f16a6343b6a35859a3965cc5495f0

SHA256
0a1e4089e032fbafe3575b3dd4c8381557e636f92df8cced42dfa9439bb6ddd9

SHA512
24307f77b2e86d2ce9863d141056bd709e8d6d957f824c3aca4af2ae54bc9c075e517ca1166a281d223d754cd91bbd3c0612cb0b8ec43c90f916a8aecb2b2b00

Download Submit
C:\Windows\{F5D92CA1-8E22-47af-A65D-7A8B1EADFE09}.exe

Filesize
80KB

MD5
204ecd56d31449dbb3f67fe71296a314

SHA1
97448ae3d22f16a6343b6a35859a3965cc5495f0

SHA256
0a1e4089e032fbafe3575b3dd4c8381557e636f92df8cced42dfa9439bb6ddd9

SHA512
24307f77b2e86d2ce9863d141056bd709e8d6d957f824c3aca4af2ae54bc9c075e517ca1166a281d223d754cd91bbd3c0612cb0b8ec43c90f916a8aecb2b2b00

Download Submit
memory/2620-70-0x000001E3FE450000-0x000001E3FE451000-memory.dmp

Filesize
4KB

Download
memory/2620-71-0x000001E3FE450000-0x000001E3FE451000-memory.dmp

Filesize
4KB

Download
memory/2620-72-0x000001E3FE450000-0x000001E3FE451000-memory.dmp

Filesize
4KB

Download
memory/2620-73-0x000001E3FE450000-0x000001E3FE451000-memory.dmp

Filesize
4KB

Download
memory/2620-74-0x000001E3FE450000-0x000001E3FE451000-memory.dmp

Filesize
4KB

Download
memory/2620-75-0x000001E3FE450000-0x000001E3FE451000-memory.dmp

Filesize
4KB

Download
memory/2620-76-0x000001E3FE450000-0x000001E3FE451000-memory.dmp

Filesize
4KB

Download
memory/2620-77-0x000001E3FE450000-0x000001E3FE451000-memory.dmp

Filesize
4KB

Download
memory/2620-78-0x000001E3FE450000-0x000001E3FE451000-memory.dmp

Filesize
4KB

Download
memory/2620-79-0x000001E3FE450000-0x000001E3FE451000-memory.dmp

Filesize
4KB

Download
memory/2620-80-0x000001E3FE070000-0x000001E3FE071000-memory.dmp

Filesize
4KB

Download
memory/2620-81-0x000001E3FE060000-0x000001E3FE061000-memory.dmp

Filesize
4KB

Download
memory/2620-83-0x000001E3FE070000-0x000001E3FE071000-memory.dmp

Filesize
4KB

Download
memory/2620-86-0x000001E3FE060000-0x000001E3FE061000-memory.dmp

Filesize
4KB

Download
memory/2620-89-0x000001E3FDFA0000-0x000001E3FDFA1000-memory.dmp

Filesize
4KB

Download
memory/2620-69-0x000001E3FE420000-0x000001E3FE421000-memory.dmp

Filesize
4KB

Download
memory/2620-101-0x000001E3FE1A0000-0x000001E3FE1A1000-memory.dmp

Filesize
4KB

Download
memory/2620-103-0x000001E3FE1B0000-0x000001E3FE1B1000-memory.dmp

Filesize
4KB

Download
memory/2620-104-0x000001E3FE1B0000-0x000001E3FE1B1000-memory.dmp

Filesize
4KB

Download
memory/2620-105-0x000001E3FE2C0000-0x000001E3FE2C1000-memory.dmp

Filesize
4KB

Download
memory/2620-53-0x000001E3F5E40000-0x000001E3F5E50000-memory.dmp

Filesize
64KB

Download
memory/2620-37-0x000001E3F5D40000-0x000001E3F5D50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads