43536b79533a3aa341d14b34613c56b0371c12dbd8be0daecf4af3b1ac8c6242

Analysis

max time kernel
150s
max time network
131s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7aa41afedddd6217c13051795e082fc0.exe
Size

60KB
MD5

7aa41afedddd6217c13051795e082fc0
SHA1

8758c3840af3899576f6621d58d4c882580df73d
SHA256

43536b79533a3aa341d14b34613c56b0371c12dbd8be0daecf4af3b1ac8c6242
SHA512

a37f4dedefe1ebb9493269c4f61bdf900a65bc90c177afc7a9b66c40796f5f5adeb20eff25f56df4403089866ec3a09d6aff32a2bd2304dfdbfb87a6aedf6525
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroh4/CFsrdHWMZ:vvw9816vhKQLroh4/wQpWMZ

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66292EE5-D4C2-406f-8082-866BA92EA1AB}\stubpath = "C:\\Windows\\{66292EE5-D4C2-406f-8082-866BA92EA1AB}.exe"	{2E195D89-6356-414b-B68F-3F6B32AEBA7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E8143D9-81E0-4c4f-B316-368EBC403BFA}\stubpath = "C:\\Windows\\{2E8143D9-81E0-4c4f-B316-368EBC403BFA}.exe"	{66292EE5-D4C2-406f-8082-866BA92EA1AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E142C7AD-5F94-4302-AF8D-08A84BD1A2D0}	{2E8143D9-81E0-4c4f-B316-368EBC403BFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23D7C096-AC89-449b-8395-4FF9E335C0B3}	NEAS.7aa41afedddd6217c13051795e082fc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}\stubpath = "C:\\Windows\\{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe"	{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFF6467F-60F3-4ba9-861A-3F768121077A}\stubpath = "C:\\Windows\\{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe"	{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59220065-D4FB-4f93-8EBC-BB5073B39E9F}	{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF1914E1-22BF-4d3c-AE51-F2739C848B6E}\stubpath = "C:\\Windows\\{AF1914E1-22BF-4d3c-AE51-F2739C848B6E}.exe"	{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFF6467F-60F3-4ba9-861A-3F768121077A}	{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59220065-D4FB-4f93-8EBC-BB5073B39E9F}\stubpath = "C:\\Windows\\{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe"	{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7238DDB5-446F-4c74-9AC8-26A675779958}	{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{223BB3D0-A21D-4759-8135-FFC5798D3849}\stubpath = "C:\\Windows\\{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe"	{7238DDB5-446F-4c74-9AC8-26A675779958}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}\stubpath = "C:\\Windows\\{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe"	{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66292EE5-D4C2-406f-8082-866BA92EA1AB}	{2E195D89-6356-414b-B68F-3F6B32AEBA7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E142C7AD-5F94-4302-AF8D-08A84BD1A2D0}\stubpath = "C:\\Windows\\{E142C7AD-5F94-4302-AF8D-08A84BD1A2D0}.exe"	{2E8143D9-81E0-4c4f-B316-368EBC403BFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}	{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7238DDB5-446F-4c74-9AC8-26A675779958}\stubpath = "C:\\Windows\\{7238DDB5-446F-4c74-9AC8-26A675779958}.exe"	{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{223BB3D0-A21D-4759-8135-FFC5798D3849}	{7238DDB5-446F-4c74-9AC8-26A675779958}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF1914E1-22BF-4d3c-AE51-F2739C848B6E}	{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E195D89-6356-414b-B68F-3F6B32AEBA7D}	{AF1914E1-22BF-4d3c-AE51-F2739C848B6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23D7C096-AC89-449b-8395-4FF9E335C0B3}\stubpath = "C:\\Windows\\{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe"	NEAS.7aa41afedddd6217c13051795e082fc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}	{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E195D89-6356-414b-B68F-3F6B32AEBA7D}\stubpath = "C:\\Windows\\{2E195D89-6356-414b-B68F-3F6B32AEBA7D}.exe"	{AF1914E1-22BF-4d3c-AE51-F2739C848B6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E8143D9-81E0-4c4f-B316-368EBC403BFA}	{66292EE5-D4C2-406f-8082-866BA92EA1AB}.exe

Executes dropped EXE 12 IoCs

pid	Process
2912	{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe
2756	{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe
2720	{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe
2488	{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe
2572	{7238DDB5-446F-4c74-9AC8-26A675779958}.exe
2292	{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe
1060	{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe
2880	{AF1914E1-22BF-4d3c-AE51-F2739C848B6E}.exe
1196	{2E195D89-6356-414b-B68F-3F6B32AEBA7D}.exe
832	{66292EE5-D4C2-406f-8082-866BA92EA1AB}.exe
1040	{2E8143D9-81E0-4c4f-B316-368EBC403BFA}.exe
2128	{E142C7AD-5F94-4302-AF8D-08A84BD1A2D0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7238DDB5-446F-4c74-9AC8-26A675779958}.exe	{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe
File created	C:\Windows\{AF1914E1-22BF-4d3c-AE51-F2739C848B6E}.exe	{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe
File created	C:\Windows\{E142C7AD-5F94-4302-AF8D-08A84BD1A2D0}.exe	{2E8143D9-81E0-4c4f-B316-368EBC403BFA}.exe
File created	C:\Windows\{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe	NEAS.7aa41afedddd6217c13051795e082fc0.exe
File created	C:\Windows\{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe	{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe
File created	C:\Windows\{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe	{7238DDB5-446F-4c74-9AC8-26A675779958}.exe
File created	C:\Windows\{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe	{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe
File created	C:\Windows\{2E195D89-6356-414b-B68F-3F6B32AEBA7D}.exe	{AF1914E1-22BF-4d3c-AE51-F2739C848B6E}.exe
File created	C:\Windows\{66292EE5-D4C2-406f-8082-866BA92EA1AB}.exe	{2E195D89-6356-414b-B68F-3F6B32AEBA7D}.exe
File created	C:\Windows\{2E8143D9-81E0-4c4f-B316-368EBC403BFA}.exe	{66292EE5-D4C2-406f-8082-866BA92EA1AB}.exe
File created	C:\Windows\{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe	{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe
File created	C:\Windows\{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe	{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2192	NEAS.7aa41afedddd6217c13051795e082fc0.exe
Token: SeIncBasePriorityPrivilege	2912	{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe
Token: SeIncBasePriorityPrivilege	2756	{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe
Token: SeIncBasePriorityPrivilege	2720	{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe
Token: SeIncBasePriorityPrivilege	2488	{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe
Token: SeIncBasePriorityPrivilege	2572	{7238DDB5-446F-4c74-9AC8-26A675779958}.exe
Token: SeIncBasePriorityPrivilege	2292	{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe
Token: SeIncBasePriorityPrivilege	1060	{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe
Token: SeIncBasePriorityPrivilege	2880	{AF1914E1-22BF-4d3c-AE51-F2739C848B6E}.exe
Token: SeIncBasePriorityPrivilege	1196	{2E195D89-6356-414b-B68F-3F6B32AEBA7D}.exe
Token: SeIncBasePriorityPrivilege	832	{66292EE5-D4C2-406f-8082-866BA92EA1AB}.exe
Token: SeIncBasePriorityPrivilege	1040	{2E8143D9-81E0-4c4f-B316-368EBC403BFA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2912	2192	NEAS.7aa41afedddd6217c13051795e082fc0.exe	28
PID 2192 wrote to memory of 2912	2192	NEAS.7aa41afedddd6217c13051795e082fc0.exe	28
PID 2192 wrote to memory of 2912	2192	NEAS.7aa41afedddd6217c13051795e082fc0.exe	28
PID 2192 wrote to memory of 2912	2192	NEAS.7aa41afedddd6217c13051795e082fc0.exe	28
PID 2192 wrote to memory of 2104	2192	NEAS.7aa41afedddd6217c13051795e082fc0.exe	29
PID 2192 wrote to memory of 2104	2192	NEAS.7aa41afedddd6217c13051795e082fc0.exe	29
PID 2192 wrote to memory of 2104	2192	NEAS.7aa41afedddd6217c13051795e082fc0.exe	29
PID 2192 wrote to memory of 2104	2192	NEAS.7aa41afedddd6217c13051795e082fc0.exe	29
PID 2912 wrote to memory of 2756	2912	{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe	31
PID 2912 wrote to memory of 2756	2912	{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe	31
PID 2912 wrote to memory of 2756	2912	{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe	31
PID 2912 wrote to memory of 2756	2912	{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe	31
PID 2912 wrote to memory of 2792	2912	{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe	30
PID 2912 wrote to memory of 2792	2912	{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe	30
PID 2912 wrote to memory of 2792	2912	{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe	30
PID 2912 wrote to memory of 2792	2912	{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe	30
PID 2756 wrote to memory of 2720	2756	{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe	35
PID 2756 wrote to memory of 2720	2756	{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe	35
PID 2756 wrote to memory of 2720	2756	{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe	35
PID 2756 wrote to memory of 2720	2756	{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe	35
PID 2756 wrote to memory of 1208	2756	{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe	34
PID 2756 wrote to memory of 1208	2756	{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe	34
PID 2756 wrote to memory of 1208	2756	{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe	34
PID 2756 wrote to memory of 1208	2756	{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe	34
PID 2720 wrote to memory of 2488	2720	{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe	36
PID 2720 wrote to memory of 2488	2720	{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe	36
PID 2720 wrote to memory of 2488	2720	{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe	36
PID 2720 wrote to memory of 2488	2720	{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe	36
PID 2720 wrote to memory of 2544	2720	{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe	37
PID 2720 wrote to memory of 2544	2720	{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe	37
PID 2720 wrote to memory of 2544	2720	{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe	37
PID 2720 wrote to memory of 2544	2720	{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe	37
PID 2488 wrote to memory of 2572	2488	{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe	38
PID 2488 wrote to memory of 2572	2488	{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe	38
PID 2488 wrote to memory of 2572	2488	{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe	38
PID 2488 wrote to memory of 2572	2488	{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe	38
PID 2488 wrote to memory of 2012	2488	{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe	39
PID 2488 wrote to memory of 2012	2488	{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe	39
PID 2488 wrote to memory of 2012	2488	{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe	39
PID 2488 wrote to memory of 2012	2488	{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe	39
PID 2572 wrote to memory of 2292	2572	{7238DDB5-446F-4c74-9AC8-26A675779958}.exe	40
PID 2572 wrote to memory of 2292	2572	{7238DDB5-446F-4c74-9AC8-26A675779958}.exe	40
PID 2572 wrote to memory of 2292	2572	{7238DDB5-446F-4c74-9AC8-26A675779958}.exe	40
PID 2572 wrote to memory of 2292	2572	{7238DDB5-446F-4c74-9AC8-26A675779958}.exe	40
PID 2572 wrote to memory of 2000	2572	{7238DDB5-446F-4c74-9AC8-26A675779958}.exe	41
PID 2572 wrote to memory of 2000	2572	{7238DDB5-446F-4c74-9AC8-26A675779958}.exe	41
PID 2572 wrote to memory of 2000	2572	{7238DDB5-446F-4c74-9AC8-26A675779958}.exe	41
PID 2572 wrote to memory of 2000	2572	{7238DDB5-446F-4c74-9AC8-26A675779958}.exe	41
PID 2292 wrote to memory of 1060	2292	{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe	42
PID 2292 wrote to memory of 1060	2292	{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe	42
PID 2292 wrote to memory of 1060	2292	{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe	42
PID 2292 wrote to memory of 1060	2292	{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe	42
PID 2292 wrote to memory of 2832	2292	{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe	43
PID 2292 wrote to memory of 2832	2292	{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe	43
PID 2292 wrote to memory of 2832	2292	{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe	43
PID 2292 wrote to memory of 2832	2292	{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe	43
PID 1060 wrote to memory of 2880	1060	{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe	44
PID 1060 wrote to memory of 2880	1060	{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe	44
PID 1060 wrote to memory of 2880	1060	{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe	44
PID 1060 wrote to memory of 2880	1060	{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe	44
PID 1060 wrote to memory of 2984	1060	{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe	45
PID 1060 wrote to memory of 2984	1060	{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe	45
PID 1060 wrote to memory of 2984	1060	{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe	45
PID 1060 wrote to memory of 2984	1060	{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.7aa41afedddd6217c13051795e082fc0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7aa41afedddd6217c13051795e082fc0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe
  C:\Windows\{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{23D7C~1.EXE > nul
    3⤵
    PID:2792
- - C:\Windows\{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe
    C:\Windows\{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{37C5A~1.EXE > nul
      4⤵
      PID:1208
  - - C:\Windows\{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe
      C:\Windows\{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe
        
        C:\Windows\{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Windows\{7238DDB5-446F-4c74-9AC8-26A675779958}.exe
        
        C:\Windows\{7238DDB5-446F-4c74-9AC8-26A675779958}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe
        
        C:\Windows\{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe
        
        C:\Windows\{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{AF1914E1-22BF-4d3c-AE51-F2739C848B6E}.exe
        
        C:\Windows\{AF1914E1-22BF-4d3c-AE51-F2739C848B6E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\{2E195D89-6356-414b-B68F-3F6B32AEBA7D}.exe
        
        C:\Windows\{2E195D89-6356-414b-B68F-3F6B32AEBA7D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\{66292EE5-D4C2-406f-8082-866BA92EA1AB}.exe
        
        C:\Windows\{66292EE5-D4C2-406f-8082-866BA92EA1AB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\{2E8143D9-81E0-4c4f-B316-368EBC403BFA}.exe
        
        C:\Windows\{2E8143D9-81E0-4c4f-B316-368EBC403BFA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E814~1.EXE > nul
        13⤵
        
        PID:524
        
        C:\Windows\{E142C7AD-5F94-4302-AF8D-08A84BD1A2D0}.exe
        
        C:\Windows\{E142C7AD-5F94-4302-AF8D-08A84BD1A2D0}.exe
        13⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66292~1.EXE > nul
        12⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E195~1.EXE > nul
        11⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF191~1.EXE > nul
        10⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB8C4~1.EXE > nul
        9⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{223BB~1.EXE > nul
        8⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7238D~1.EXE > nul
        7⤵
        
        PID:2000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59220~1.EXE > nul
        6⤵
        
        PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFF64~1.EXE > nul
        5⤵
        
        PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS7A~1.EXE > nul
  2⤵
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe

Filesize
60KB

MD5
e5fcf52297ecabc25575337633beaf0b

SHA1
c9aeff5439587816fc03479d04c3f918fa0649b4

SHA256
2f85e7263d9e6f6d99dea778fbb264c490ac7175909fbc57a4d74195698f2463

SHA512
73429d4ef79d3bdd6accc1f0dbc59705d06ca3c888463b6ccc7369d621c989741cecbcbdbd67d53e4e12cefbe65d3f26548e295f650d5d4f515e3b1202abdd6a

Download Submit
C:\Windows\{223BB3D0-A21D-4759-8135-FFC5798D3849}.exe

Filesize
60KB

MD5
e5fcf52297ecabc25575337633beaf0b

SHA1
c9aeff5439587816fc03479d04c3f918fa0649b4

SHA256
2f85e7263d9e6f6d99dea778fbb264c490ac7175909fbc57a4d74195698f2463

SHA512
73429d4ef79d3bdd6accc1f0dbc59705d06ca3c888463b6ccc7369d621c989741cecbcbdbd67d53e4e12cefbe65d3f26548e295f650d5d4f515e3b1202abdd6a

Download Submit
C:\Windows\{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe

Filesize
60KB

MD5
25a9f9c272c33fa90331f68436369576

SHA1
2c95e123bf8df7c6b0809604bce1752383c70fc6

SHA256
a985e1574ac3602818922606c3417624ffb6ee1083d32168e502d1dffe9a1a73

SHA512
2d3dcb6cc11ba97a98643f8349730b3a7435a0aea7ec5d00150c6b701bcc1285f1678351fcc2e485028a5c0aef424c7fe51a1437e62f74b51da6fbfa164391d2

Download Submit
C:\Windows\{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe

Filesize
60KB

MD5
25a9f9c272c33fa90331f68436369576

SHA1
2c95e123bf8df7c6b0809604bce1752383c70fc6

SHA256
a985e1574ac3602818922606c3417624ffb6ee1083d32168e502d1dffe9a1a73

SHA512
2d3dcb6cc11ba97a98643f8349730b3a7435a0aea7ec5d00150c6b701bcc1285f1678351fcc2e485028a5c0aef424c7fe51a1437e62f74b51da6fbfa164391d2

Download Submit
C:\Windows\{23D7C096-AC89-449b-8395-4FF9E335C0B3}.exe

Filesize
60KB

MD5
25a9f9c272c33fa90331f68436369576

SHA1
2c95e123bf8df7c6b0809604bce1752383c70fc6

SHA256
a985e1574ac3602818922606c3417624ffb6ee1083d32168e502d1dffe9a1a73

SHA512
2d3dcb6cc11ba97a98643f8349730b3a7435a0aea7ec5d00150c6b701bcc1285f1678351fcc2e485028a5c0aef424c7fe51a1437e62f74b51da6fbfa164391d2

Download Submit
C:\Windows\{2E195D89-6356-414b-B68F-3F6B32AEBA7D}.exe

Filesize
60KB

MD5
d66e56f8eedf6b85aa53b90435975f2e

SHA1
a5bdcd34bfdc9ed8c0301cbf28603b6123a43e87

SHA256
9b3927d74e6849a92d48771390c1bb319c4b836c1ee55f0fff6761486954e420

SHA512
8eb39c244705416f97d828fd6b7d913e839938210720f0fc2a744cfe275321ef77576a7fe2c8a282d9fab26cfcae9b3a2be173ad71499c1d3880d772dfe73def

Download Submit
C:\Windows\{2E195D89-6356-414b-B68F-3F6B32AEBA7D}.exe

Filesize
60KB

MD5
d66e56f8eedf6b85aa53b90435975f2e

SHA1
a5bdcd34bfdc9ed8c0301cbf28603b6123a43e87

SHA256
9b3927d74e6849a92d48771390c1bb319c4b836c1ee55f0fff6761486954e420

SHA512
8eb39c244705416f97d828fd6b7d913e839938210720f0fc2a744cfe275321ef77576a7fe2c8a282d9fab26cfcae9b3a2be173ad71499c1d3880d772dfe73def

Download Submit
C:\Windows\{2E8143D9-81E0-4c4f-B316-368EBC403BFA}.exe

Filesize
60KB

MD5
5a6a55f1d7774cb98615147ca1aecef4

SHA1
cbf1517c07d16b12a182c4d049d6b3268c26a597

SHA256
2933eb2d0e020f2ff28f1bebc5b93c9b1b2d46aa7b10e4e0571a677bd2730103

SHA512
009cb1ef1baa2ae525723cd4099a07816d0fb1befa3b377dd4c35c43e5596ec203010fc31c8c84a4c91e2db2aa4400407ab1ab26d99d220e04a04c4309a69cb1

Download Submit
C:\Windows\{2E8143D9-81E0-4c4f-B316-368EBC403BFA}.exe

Filesize
60KB

MD5
5a6a55f1d7774cb98615147ca1aecef4

SHA1
cbf1517c07d16b12a182c4d049d6b3268c26a597

SHA256
2933eb2d0e020f2ff28f1bebc5b93c9b1b2d46aa7b10e4e0571a677bd2730103

SHA512
009cb1ef1baa2ae525723cd4099a07816d0fb1befa3b377dd4c35c43e5596ec203010fc31c8c84a4c91e2db2aa4400407ab1ab26d99d220e04a04c4309a69cb1

Download Submit
C:\Windows\{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe

Filesize
60KB

MD5
28effa014475d280135d3d11ad0803d2

SHA1
e8f90e874c41dfa1801902076de0016d9e7267f8

SHA256
0f7d305fef622db0379567eb059046a435986634ff4bf1d2a7fd3adc84f2cf19

SHA512
4651a6a69e62546d1e7d20133bc8831f2740b78084df722356359dd1ca7585ff2be7d403095088781122d38b998046ff6b1691bda93aadf274aa930ec5f2d328

Download Submit
C:\Windows\{37C5A7D0-C6AE-4f94-805A-B383E82F88EF}.exe

Filesize
60KB

MD5
28effa014475d280135d3d11ad0803d2

SHA1
e8f90e874c41dfa1801902076de0016d9e7267f8

SHA256
0f7d305fef622db0379567eb059046a435986634ff4bf1d2a7fd3adc84f2cf19

SHA512
4651a6a69e62546d1e7d20133bc8831f2740b78084df722356359dd1ca7585ff2be7d403095088781122d38b998046ff6b1691bda93aadf274aa930ec5f2d328

Download Submit
C:\Windows\{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe

Filesize
60KB

MD5
8ce958157dbb5ad3d6891aad8eb6acdd

SHA1
02290ae7a9cc980845d8497fa8309213f70f7106

SHA256
2b8ebaa7cf2f6607e2d935be42c95ea38f24f02fab9520369c482f6f5c9fcf7a

SHA512
239756b41fb95843d1c4a8f911fd8713b90e9e24879a0b2a881e78739f4fcedcc1fb74ecbf4407860051e0ed8f9beb97e7c4e5b6d0db46046f441492442f5689

Download Submit
C:\Windows\{59220065-D4FB-4f93-8EBC-BB5073B39E9F}.exe

Filesize
60KB

MD5
8ce958157dbb5ad3d6891aad8eb6acdd

SHA1
02290ae7a9cc980845d8497fa8309213f70f7106

SHA256
2b8ebaa7cf2f6607e2d935be42c95ea38f24f02fab9520369c482f6f5c9fcf7a

SHA512
239756b41fb95843d1c4a8f911fd8713b90e9e24879a0b2a881e78739f4fcedcc1fb74ecbf4407860051e0ed8f9beb97e7c4e5b6d0db46046f441492442f5689

Download Submit
C:\Windows\{66292EE5-D4C2-406f-8082-866BA92EA1AB}.exe

Filesize
60KB

MD5
f9b3b7c633064f00319f6984e58b47f6

SHA1
4e4786956aeab7019b8eb5b9d1c96bacc5cab103

SHA256
17a830b2e73f98f14aea13904b7801a779435fa43d7be866d2fb9620446057f3

SHA512
fbdcbfd3160bb1d8091a1581c50f917a696e37ac494933cb76297dbced478581e175c8eed04303d8104e217bc319c231913de69ef9bb8dcba81bf6f22c5449ff

Download Submit
C:\Windows\{66292EE5-D4C2-406f-8082-866BA92EA1AB}.exe

Filesize
60KB

MD5
f9b3b7c633064f00319f6984e58b47f6

SHA1
4e4786956aeab7019b8eb5b9d1c96bacc5cab103

SHA256
17a830b2e73f98f14aea13904b7801a779435fa43d7be866d2fb9620446057f3

SHA512
fbdcbfd3160bb1d8091a1581c50f917a696e37ac494933cb76297dbced478581e175c8eed04303d8104e217bc319c231913de69ef9bb8dcba81bf6f22c5449ff

Download Submit
C:\Windows\{7238DDB5-446F-4c74-9AC8-26A675779958}.exe

Filesize
60KB

MD5
6d0f7dd9c34410b9fd9216e12f2012af

SHA1
0b308bb196b55e54b760f79c5d18904abad83f22

SHA256
350cee4206d405583c606d78b3f845b7039c562c836f0f4aa735fcb602f0412f

SHA512
0ba713cac3c0ad8fcb40ac642d6e966229039b48a337605b653362c588eb19435678444e5e0559aceb965200a7c6d11dbf7eced63d67534ac3b2f49573c09d35

Download Submit
C:\Windows\{7238DDB5-446F-4c74-9AC8-26A675779958}.exe

Filesize
60KB

MD5
6d0f7dd9c34410b9fd9216e12f2012af

SHA1
0b308bb196b55e54b760f79c5d18904abad83f22

SHA256
350cee4206d405583c606d78b3f845b7039c562c836f0f4aa735fcb602f0412f

SHA512
0ba713cac3c0ad8fcb40ac642d6e966229039b48a337605b653362c588eb19435678444e5e0559aceb965200a7c6d11dbf7eced63d67534ac3b2f49573c09d35

Download Submit
C:\Windows\{AF1914E1-22BF-4d3c-AE51-F2739C848B6E}.exe

Filesize
60KB

MD5
33851806090164540d2b5a731389e10d

SHA1
1dcede9f23204e16b70b1d30197bb2ce365a1838

SHA256
f5eae7aa727e6707e25802e31e47ec23bc467a16d09dc579ba25e267bd9a9e33

SHA512
b8fa45cf363028890b5b3e7c3be96880dbbfc002e6c733b627a810770d88fce87791980ef6c9394ba43efe314746b0708979db340812302df8cb8a5518f13680

Download Submit
C:\Windows\{AF1914E1-22BF-4d3c-AE51-F2739C848B6E}.exe

Filesize
60KB

MD5
33851806090164540d2b5a731389e10d

SHA1
1dcede9f23204e16b70b1d30197bb2ce365a1838

SHA256
f5eae7aa727e6707e25802e31e47ec23bc467a16d09dc579ba25e267bd9a9e33

SHA512
b8fa45cf363028890b5b3e7c3be96880dbbfc002e6c733b627a810770d88fce87791980ef6c9394ba43efe314746b0708979db340812302df8cb8a5518f13680

Download Submit
C:\Windows\{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe

Filesize
60KB

MD5
03765a8c9e0ef77642241e95123d543d

SHA1
bb49dc02b41f61911b80cd120953a2bc99c52cae

SHA256
f07b7e9240ace89ec046fc9b976f7a02a4f80baf3ba5c38f5d1530cac0f0a1c1

SHA512
fe65ca77e93e9dc78b534059fbfe112565c6cbed6acb6ab3b07e803524d0c9383d82ba23e0eb5fcbe3dc4c55308baf43957fd228c699e9796fb126de65a2d702

Download Submit
C:\Windows\{BB8C4176-4CB4-4077-9C2A-20B60FB7BD27}.exe

Filesize
60KB

MD5
03765a8c9e0ef77642241e95123d543d

SHA1
bb49dc02b41f61911b80cd120953a2bc99c52cae

SHA256
f07b7e9240ace89ec046fc9b976f7a02a4f80baf3ba5c38f5d1530cac0f0a1c1

SHA512
fe65ca77e93e9dc78b534059fbfe112565c6cbed6acb6ab3b07e803524d0c9383d82ba23e0eb5fcbe3dc4c55308baf43957fd228c699e9796fb126de65a2d702

Download Submit
C:\Windows\{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe

Filesize
60KB

MD5
96edb48084f472308e2c19b0bce8d3cb

SHA1
7a88c4111d539f69e97a9e6b48aedb7c9ebd148f

SHA256
9d50e255a269376c53a047a770af7c0a6326274120e96e2fe55b867bc3b762dc

SHA512
45ce96ace8e7b1e666ccec194c586984893b48ef17adbf3cc1e63aee3bcff533cea25213fddc48b0822955abd05674ae6690a88b12ce052df3b0a774fa9bb902

Download Submit
C:\Windows\{BFF6467F-60F3-4ba9-861A-3F768121077A}.exe

Filesize
60KB

MD5
96edb48084f472308e2c19b0bce8d3cb

SHA1
7a88c4111d539f69e97a9e6b48aedb7c9ebd148f

SHA256
9d50e255a269376c53a047a770af7c0a6326274120e96e2fe55b867bc3b762dc

SHA512
45ce96ace8e7b1e666ccec194c586984893b48ef17adbf3cc1e63aee3bcff533cea25213fddc48b0822955abd05674ae6690a88b12ce052df3b0a774fa9bb902

Download Submit
C:\Windows\{E142C7AD-5F94-4302-AF8D-08A84BD1A2D0}.exe

Filesize
60KB

MD5
7ce5368237764633dc48e1fea8b3fc13

SHA1
3c9dd2bcb8a39ce6b483b8896bcad1f4ea83f282

SHA256
44cf9ce8c700709230db6e79c1c5c2d2277f5676a21114e57d125bafc11c8dd8

SHA512
23ca4794e844eb779da809193fb9dcba261994a14bdc8e79928b6abb1690e3be771d5377a9bb55313af634a746a8f7667f5c97b594f59979f240f7c6d27665b8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads