156c2d575e570029c1c45bcf7f00698ed945c267a9560da0a293f1bfbabf0ae5

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe
Size

60KB
MD5

e56aca95903d8e9b3cd4f6dcaddbdca0
SHA1

262a4aa4fac30fb4db6188493d08d4318a52fc52
SHA256

156c2d575e570029c1c45bcf7f00698ed945c267a9560da0a293f1bfbabf0ae5
SHA512

1cb92eed4156fb161cbc87914e7918937b18c7a3e61f7633c43531207873ce76821c4789d38d6f18f99b997b1af7b661f7ba1725581de83de09f3f413c21f59c
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLrom4/CFsrdHWMZ:vvw9816vhKQLrom4/wQpWMZ

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D79A19E-C505-4a55-9B57-F54C4DCEB975}	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4609B91A-7946-4b83-A32F-62BB7623F04D}	{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D5FDE11-D1B3-4de9-8308-53963201860A}\stubpath = "C:\\Windows\\{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe"	{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD795B5F-B676-4395-8E62-3B544EF2DC5D}\stubpath = "C:\\Windows\\{AD795B5F-B676-4395-8E62-3B544EF2DC5D}.exe"	{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D497129-6EEA-478c-8E10-B9A950161F68}\stubpath = "C:\\Windows\\{8D497129-6EEA-478c-8E10-B9A950161F68}.exe"	{B5B41B5A-EB7A-4fc4-9B1F-A49EE48CB2AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D67A764-E71F-4919-AE3F-976859B733E0}	{64A71686-A340-4aa8-AF59-46A73D2CE2FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4609B91A-7946-4b83-A32F-62BB7623F04D}\stubpath = "C:\\Windows\\{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe"	{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}	{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D497129-6EEA-478c-8E10-B9A950161F68}	{B5B41B5A-EB7A-4fc4-9B1F-A49EE48CB2AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64A71686-A340-4aa8-AF59-46A73D2CE2FD}\stubpath = "C:\\Windows\\{64A71686-A340-4aa8-AF59-46A73D2CE2FD}.exe"	{8D497129-6EEA-478c-8E10-B9A950161F68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D67A764-E71F-4919-AE3F-976859B733E0}\stubpath = "C:\\Windows\\{6D67A764-E71F-4919-AE3F-976859B733E0}.exe"	{64A71686-A340-4aa8-AF59-46A73D2CE2FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}\stubpath = "C:\\Windows\\{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe"	{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7582C316-8680-4701-BD13-5BA932BF1402}\stubpath = "C:\\Windows\\{7582C316-8680-4701-BD13-5BA932BF1402}.exe"	{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}	{7582C316-8680-4701-BD13-5BA932BF1402}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5B41B5A-EB7A-4fc4-9B1F-A49EE48CB2AF}	{AD795B5F-B676-4395-8E62-3B544EF2DC5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5B41B5A-EB7A-4fc4-9B1F-A49EE48CB2AF}\stubpath = "C:\\Windows\\{B5B41B5A-EB7A-4fc4-9B1F-A49EE48CB2AF}.exe"	{AD795B5F-B676-4395-8E62-3B544EF2DC5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64A71686-A340-4aa8-AF59-46A73D2CE2FD}	{8D497129-6EEA-478c-8E10-B9A950161F68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD795B5F-B676-4395-8E62-3B544EF2DC5D}	{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D79A19E-C505-4a55-9B57-F54C4DCEB975}\stubpath = "C:\\Windows\\{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe"	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D5FDE11-D1B3-4de9-8308-53963201860A}	{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}	{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7582C316-8680-4701-BD13-5BA932BF1402}	{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}\stubpath = "C:\\Windows\\{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe"	{7582C316-8680-4701-BD13-5BA932BF1402}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}\stubpath = "C:\\Windows\\{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe"	{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe

Deletes itself 1 IoCs

pid	Process
2104	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2296	{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe
2344	{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe
2044	{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe
2900	{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe
2672	{7582C316-8680-4701-BD13-5BA932BF1402}.exe
2556	{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe
2564	{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe
1716	{AD795B5F-B676-4395-8E62-3B544EF2DC5D}.exe
3060	{B5B41B5A-EB7A-4fc4-9B1F-A49EE48CB2AF}.exe
2728	{8D497129-6EEA-478c-8E10-B9A950161F68}.exe
2884	{64A71686-A340-4aa8-AF59-46A73D2CE2FD}.exe
2868	{6D67A764-E71F-4919-AE3F-976859B733E0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{64A71686-A340-4aa8-AF59-46A73D2CE2FD}.exe	{8D497129-6EEA-478c-8E10-B9A950161F68}.exe
File created	C:\Windows\{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe
File created	C:\Windows\{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe	{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe
File created	C:\Windows\{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe	{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe
File created	C:\Windows\{7582C316-8680-4701-BD13-5BA932BF1402}.exe	{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe
File created	C:\Windows\{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe	{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe
File created	C:\Windows\{6D67A764-E71F-4919-AE3F-976859B733E0}.exe	{64A71686-A340-4aa8-AF59-46A73D2CE2FD}.exe
File created	C:\Windows\{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe	{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe
File created	C:\Windows\{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe	{7582C316-8680-4701-BD13-5BA932BF1402}.exe
File created	C:\Windows\{AD795B5F-B676-4395-8E62-3B544EF2DC5D}.exe	{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe
File created	C:\Windows\{B5B41B5A-EB7A-4fc4-9B1F-A49EE48CB2AF}.exe	{AD795B5F-B676-4395-8E62-3B544EF2DC5D}.exe
File created	C:\Windows\{8D497129-6EEA-478c-8E10-B9A950161F68}.exe	{B5B41B5A-EB7A-4fc4-9B1F-A49EE48CB2AF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2388	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe
Token: SeIncBasePriorityPrivilege	2296	{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe
Token: SeIncBasePriorityPrivilege	2344	{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe
Token: SeIncBasePriorityPrivilege	2044	{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe
Token: SeIncBasePriorityPrivilege	2900	{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe
Token: SeIncBasePriorityPrivilege	2672	{7582C316-8680-4701-BD13-5BA932BF1402}.exe
Token: SeIncBasePriorityPrivilege	2556	{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe
Token: SeIncBasePriorityPrivilege	2564	{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe
Token: SeIncBasePriorityPrivilege	1716	{AD795B5F-B676-4395-8E62-3B544EF2DC5D}.exe
Token: SeIncBasePriorityPrivilege	3060	{B5B41B5A-EB7A-4fc4-9B1F-A49EE48CB2AF}.exe
Token: SeIncBasePriorityPrivilege	2728	{8D497129-6EEA-478c-8E10-B9A950161F68}.exe
Token: SeIncBasePriorityPrivilege	2884	{64A71686-A340-4aa8-AF59-46A73D2CE2FD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2296	2388	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	28
PID 2388 wrote to memory of 2296	2388	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	28
PID 2388 wrote to memory of 2296	2388	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	28
PID 2388 wrote to memory of 2296	2388	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	28
PID 2388 wrote to memory of 2104	2388	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	29
PID 2388 wrote to memory of 2104	2388	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	29
PID 2388 wrote to memory of 2104	2388	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	29
PID 2388 wrote to memory of 2104	2388	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	29
PID 2296 wrote to memory of 2344	2296	{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe	30
PID 2296 wrote to memory of 2344	2296	{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe	30
PID 2296 wrote to memory of 2344	2296	{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe	30
PID 2296 wrote to memory of 2344	2296	{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe	30
PID 2296 wrote to memory of 2656	2296	{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe	31
PID 2296 wrote to memory of 2656	2296	{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe	31
PID 2296 wrote to memory of 2656	2296	{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe	31
PID 2296 wrote to memory of 2656	2296	{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe	31
PID 2344 wrote to memory of 2044	2344	{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe	34
PID 2344 wrote to memory of 2044	2344	{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe	34
PID 2344 wrote to memory of 2044	2344	{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe	34
PID 2344 wrote to memory of 2044	2344	{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe	34
PID 2344 wrote to memory of 2752	2344	{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe	35
PID 2344 wrote to memory of 2752	2344	{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe	35
PID 2344 wrote to memory of 2752	2344	{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe	35
PID 2344 wrote to memory of 2752	2344	{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe	35
PID 2044 wrote to memory of 2900	2044	{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe	36
PID 2044 wrote to memory of 2900	2044	{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe	36
PID 2044 wrote to memory of 2900	2044	{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe	36
PID 2044 wrote to memory of 2900	2044	{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe	36
PID 2044 wrote to memory of 2876	2044	{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe	37
PID 2044 wrote to memory of 2876	2044	{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe	37
PID 2044 wrote to memory of 2876	2044	{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe	37
PID 2044 wrote to memory of 2876	2044	{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe	37
PID 2900 wrote to memory of 2672	2900	{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe	38
PID 2900 wrote to memory of 2672	2900	{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe	38
PID 2900 wrote to memory of 2672	2900	{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe	38
PID 2900 wrote to memory of 2672	2900	{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe	38
PID 2900 wrote to memory of 2504	2900	{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe	39
PID 2900 wrote to memory of 2504	2900	{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe	39
PID 2900 wrote to memory of 2504	2900	{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe	39
PID 2900 wrote to memory of 2504	2900	{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe	39
PID 2672 wrote to memory of 2556	2672	{7582C316-8680-4701-BD13-5BA932BF1402}.exe	40
PID 2672 wrote to memory of 2556	2672	{7582C316-8680-4701-BD13-5BA932BF1402}.exe	40
PID 2672 wrote to memory of 2556	2672	{7582C316-8680-4701-BD13-5BA932BF1402}.exe	40
PID 2672 wrote to memory of 2556	2672	{7582C316-8680-4701-BD13-5BA932BF1402}.exe	40
PID 2672 wrote to memory of 756	2672	{7582C316-8680-4701-BD13-5BA932BF1402}.exe	41
PID 2672 wrote to memory of 756	2672	{7582C316-8680-4701-BD13-5BA932BF1402}.exe	41
PID 2672 wrote to memory of 756	2672	{7582C316-8680-4701-BD13-5BA932BF1402}.exe	41
PID 2672 wrote to memory of 756	2672	{7582C316-8680-4701-BD13-5BA932BF1402}.exe	41
PID 2556 wrote to memory of 2564	2556	{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe	42
PID 2556 wrote to memory of 2564	2556	{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe	42
PID 2556 wrote to memory of 2564	2556	{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe	42
PID 2556 wrote to memory of 2564	2556	{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe	42
PID 2556 wrote to memory of 848	2556	{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe	43
PID 2556 wrote to memory of 848	2556	{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe	43
PID 2556 wrote to memory of 848	2556	{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe	43
PID 2556 wrote to memory of 848	2556	{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe	43
PID 2564 wrote to memory of 1716	2564	{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe	44
PID 2564 wrote to memory of 1716	2564	{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe	44
PID 2564 wrote to memory of 1716	2564	{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe	44
PID 2564 wrote to memory of 1716	2564	{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe	44
PID 2564 wrote to memory of 3048	2564	{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe	45
PID 2564 wrote to memory of 3048	2564	{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe	45
PID 2564 wrote to memory of 3048	2564	{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe	45
PID 2564 wrote to memory of 3048	2564	{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe
  C:\Windows\{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe
    C:\Windows\{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe
      C:\Windows\{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe
        
        C:\Windows\{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\{7582C316-8680-4701-BD13-5BA932BF1402}.exe
        
        C:\Windows\{7582C316-8680-4701-BD13-5BA932BF1402}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe
        
        C:\Windows\{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe
        
        C:\Windows\{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\{AD795B5F-B676-4395-8E62-3B544EF2DC5D}.exe
        
        C:\Windows\{AD795B5F-B676-4395-8E62-3B544EF2DC5D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\{B5B41B5A-EB7A-4fc4-9B1F-A49EE48CB2AF}.exe
        
        C:\Windows\{B5B41B5A-EB7A-4fc4-9B1F-A49EE48CB2AF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\{8D497129-6EEA-478c-8E10-B9A950161F68}.exe
        
        C:\Windows\{8D497129-6EEA-478c-8E10-B9A950161F68}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{64A71686-A340-4aa8-AF59-46A73D2CE2FD}.exe
        
        C:\Windows\{64A71686-A340-4aa8-AF59-46A73D2CE2FD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\{6D67A764-E71F-4919-AE3F-976859B733E0}.exe
        
        C:\Windows\{6D67A764-E71F-4919-AE3F-976859B733E0}.exe
        13⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64A71~1.EXE > nul
        13⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D497~1.EXE > nul
        12⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5B41~1.EXE > nul
        11⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD795~1.EXE > nul
        10⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FAEF~1.EXE > nul
        9⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E0D4~1.EXE > nul
        8⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7582C~1.EXE > nul
        7⤵
        
        PID:756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9500~1.EXE > nul
        6⤵
        
        PID:2504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D5FD~1.EXE > nul
        5⤵
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4609B~1.EXE > nul
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9D79A~1.EXE > nul
    3⤵
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEASE5~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe

Filesize
60KB

MD5
45a25e5cfcb0642f0fabd748fda785df

SHA1
d968233e5503917900090aec31c19ecca3a1b071

SHA256
4cc1d848028fc4c3cb0ce5953c6efa16cc91199cd1abd7f00f3255ad5ff42303

SHA512
8eafb9ee1e07021fbe514c75d8f22f98ba207faeb83b90adf29c431174f214608901c93aa1a854814cd627b039183ca2e7833565ec915899f4ac4269e25bf971

Download Submit
C:\Windows\{0FAEF20D-1DA5-4fec-8997-AA623E2A2E1A}.exe

Filesize
60KB

MD5
45a25e5cfcb0642f0fabd748fda785df

SHA1
d968233e5503917900090aec31c19ecca3a1b071

SHA256
4cc1d848028fc4c3cb0ce5953c6efa16cc91199cd1abd7f00f3255ad5ff42303

SHA512
8eafb9ee1e07021fbe514c75d8f22f98ba207faeb83b90adf29c431174f214608901c93aa1a854814cd627b039183ca2e7833565ec915899f4ac4269e25bf971

Download Submit
C:\Windows\{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe

Filesize
60KB

MD5
d933469b3f9969829e4ebe07ded9e66e

SHA1
ee5a9511683212cef6959c72d14f714a8452b0aa

SHA256
008ee13b78b7d9fba3ce43603476b349e9ce505b834504cdc6df2b9c4c7560df

SHA512
f39c8c207bbda7e7b68d7e5c0da6f73264eff44457c478c4d282e67e61b86d9f38a9715b829afbb8969bcd0e77c7b3090f6fe028a841d206025242a53f0df1a0

Download Submit
C:\Windows\{3E0D4BDB-B9B0-409d-9C71-AA696EFB472C}.exe

Filesize
60KB

MD5
d933469b3f9969829e4ebe07ded9e66e

SHA1
ee5a9511683212cef6959c72d14f714a8452b0aa

SHA256
008ee13b78b7d9fba3ce43603476b349e9ce505b834504cdc6df2b9c4c7560df

SHA512
f39c8c207bbda7e7b68d7e5c0da6f73264eff44457c478c4d282e67e61b86d9f38a9715b829afbb8969bcd0e77c7b3090f6fe028a841d206025242a53f0df1a0

Download Submit
C:\Windows\{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe

Filesize
60KB

MD5
e433e8f4cfeebb5f66e163d68f198331

SHA1
4286d583eb7b8eda6a4bb74f5f4737ed489a1b73

SHA256
7d5ed2db888cdb0796c408643e9b8b720f3693bc2388b05245ea0f78126ff5ad

SHA512
d5edbb8625c1cbb70ba48bc7320806674b8bc843dd800d51cfb53d97abbf469bc72203719110280c846d0fcee5a5f2258cfb549239e49989535825045d9ca5fe

Download Submit
C:\Windows\{4609B91A-7946-4b83-A32F-62BB7623F04D}.exe

Filesize
60KB

MD5
e433e8f4cfeebb5f66e163d68f198331

SHA1
4286d583eb7b8eda6a4bb74f5f4737ed489a1b73

SHA256
7d5ed2db888cdb0796c408643e9b8b720f3693bc2388b05245ea0f78126ff5ad

SHA512
d5edbb8625c1cbb70ba48bc7320806674b8bc843dd800d51cfb53d97abbf469bc72203719110280c846d0fcee5a5f2258cfb549239e49989535825045d9ca5fe

Download Submit
C:\Windows\{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe

Filesize
60KB

MD5
b731071d394a8723b8b43bf4b7d3bbb9

SHA1
c07f2a600f8ef05cbb4b4a1eaa7d78f9a6e5b6cd

SHA256
5d9a011f83858248085fe478351d4dbd0f92f3dad82b517186af869321f05cc7

SHA512
26bcf6fa825f9279e24686cfa34054cdba5f09c8e4ae2ad9daf0a54c03c7fb8fa668de2ab2cf0f6590983eb68c021418500a8c5198c51c1e626ac6da3a5185e5

Download Submit
C:\Windows\{5D5FDE11-D1B3-4de9-8308-53963201860A}.exe

Filesize
60KB

MD5
b731071d394a8723b8b43bf4b7d3bbb9

SHA1
c07f2a600f8ef05cbb4b4a1eaa7d78f9a6e5b6cd

SHA256
5d9a011f83858248085fe478351d4dbd0f92f3dad82b517186af869321f05cc7

SHA512
26bcf6fa825f9279e24686cfa34054cdba5f09c8e4ae2ad9daf0a54c03c7fb8fa668de2ab2cf0f6590983eb68c021418500a8c5198c51c1e626ac6da3a5185e5

Download Submit
C:\Windows\{64A71686-A340-4aa8-AF59-46A73D2CE2FD}.exe

Filesize
60KB

MD5
2acd22138d8403212ea95390dd1f35ed

SHA1
52d36dcb3b9e4727dfd33f6483589fda3c8382f8

SHA256
32d8223b6e1c55984ed63ed683dc3553236d2a3b2544fd19991d4cdea97211ca

SHA512
3ce22460a5758a08a407f699417a1d161e4be9b45d723889e37218d7b16a3700cf454bb8dda683ad6398359c4f34d52d5a5f27c170967b55d70c0576fc6b262a

Download Submit
C:\Windows\{64A71686-A340-4aa8-AF59-46A73D2CE2FD}.exe

Filesize
60KB

MD5
2acd22138d8403212ea95390dd1f35ed

SHA1
52d36dcb3b9e4727dfd33f6483589fda3c8382f8

SHA256
32d8223b6e1c55984ed63ed683dc3553236d2a3b2544fd19991d4cdea97211ca

SHA512
3ce22460a5758a08a407f699417a1d161e4be9b45d723889e37218d7b16a3700cf454bb8dda683ad6398359c4f34d52d5a5f27c170967b55d70c0576fc6b262a

Download Submit
C:\Windows\{6D67A764-E71F-4919-AE3F-976859B733E0}.exe

Filesize
60KB

MD5
d506ef50d38dc9a8c9bb7e78b0fc8e4b

SHA1
a1fc78d9adcf0cebf3313a5e9eaac32195e497aa

SHA256
1b8a45beb6f4da63dc679d73ef241808753563e33672a89439736f67d328ee0a

SHA512
0c0461fb0ef43cdda116dfbb342ffb6bb5aceed2946410ed50e14ab38ba20f17196a26eba2e63772762b9aebb80840e1d1c3e64f068159a350e4741b16e0b2b4

Download Submit
C:\Windows\{7582C316-8680-4701-BD13-5BA932BF1402}.exe

Filesize
60KB

MD5
d17e64fd517eb143547f6932eef68fa6

SHA1
1bf5a1feb68ff1ad37623464d6ef78a759460904

SHA256
e9bf434683882544426f3daf96f9ea417bdb02dfc7ae1e4b5ec7cd491aeb305c

SHA512
18e3c398aa7c3d574f63cded39186ca58970caa6ea088826cb08b205f3989042a588a5d4bc9c46ae516dfdee08144f6da22c238eaf4af56b422cd3e9ddd03a50

Download Submit
C:\Windows\{7582C316-8680-4701-BD13-5BA932BF1402}.exe

Filesize
60KB

MD5
d17e64fd517eb143547f6932eef68fa6

SHA1
1bf5a1feb68ff1ad37623464d6ef78a759460904

SHA256
e9bf434683882544426f3daf96f9ea417bdb02dfc7ae1e4b5ec7cd491aeb305c

SHA512
18e3c398aa7c3d574f63cded39186ca58970caa6ea088826cb08b205f3989042a588a5d4bc9c46ae516dfdee08144f6da22c238eaf4af56b422cd3e9ddd03a50

Download Submit
C:\Windows\{8D497129-6EEA-478c-8E10-B9A950161F68}.exe

Filesize
60KB

MD5
622571670fbd1f903e50e2e8638026eb

SHA1
99e0474d45147dd3b911c899c89b3557eb889000

SHA256
c4d56aeec04c7e097534967e8523db8e7e369ae884fb509f9aee1d48928933c4

SHA512
beba82d53e3c27841cc2eb6c22fe8a62c92992f07ba0d8d50ce3679f3484c0eadc24bdd46c5eef8a9797f387c38fe0aafbca06c4d61f85443c7a1e80b3e1157d

Download Submit
C:\Windows\{8D497129-6EEA-478c-8E10-B9A950161F68}.exe

Filesize
60KB

MD5
622571670fbd1f903e50e2e8638026eb

SHA1
99e0474d45147dd3b911c899c89b3557eb889000

SHA256
c4d56aeec04c7e097534967e8523db8e7e369ae884fb509f9aee1d48928933c4

SHA512
beba82d53e3c27841cc2eb6c22fe8a62c92992f07ba0d8d50ce3679f3484c0eadc24bdd46c5eef8a9797f387c38fe0aafbca06c4d61f85443c7a1e80b3e1157d

Download Submit
C:\Windows\{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe

Filesize
60KB

MD5
1d96a83a765d7c43a81f67bed7dd4204

SHA1
41bd98107f3ef6fecb018fe0e9d320ca324a50be

SHA256
1b848276e99a7df8a564d7ad1e85466387c25c4aa00bc51879135d6a4f3c551b

SHA512
b00a83a911fa855588c92600c3f862facc7f9fce0c8dae5b65ca83eccdc24f04db4f93c8acf74f1b340e42bb8490fcff894eac3c7a75ebfd7e73ae6c6d9fbbfa

Download Submit
C:\Windows\{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe

Filesize
60KB

MD5
1d96a83a765d7c43a81f67bed7dd4204

SHA1
41bd98107f3ef6fecb018fe0e9d320ca324a50be

SHA256
1b848276e99a7df8a564d7ad1e85466387c25c4aa00bc51879135d6a4f3c551b

SHA512
b00a83a911fa855588c92600c3f862facc7f9fce0c8dae5b65ca83eccdc24f04db4f93c8acf74f1b340e42bb8490fcff894eac3c7a75ebfd7e73ae6c6d9fbbfa

Download Submit
C:\Windows\{9D79A19E-C505-4a55-9B57-F54C4DCEB975}.exe

Filesize
60KB

MD5
1d96a83a765d7c43a81f67bed7dd4204

SHA1
41bd98107f3ef6fecb018fe0e9d320ca324a50be

SHA256
1b848276e99a7df8a564d7ad1e85466387c25c4aa00bc51879135d6a4f3c551b

SHA512
b00a83a911fa855588c92600c3f862facc7f9fce0c8dae5b65ca83eccdc24f04db4f93c8acf74f1b340e42bb8490fcff894eac3c7a75ebfd7e73ae6c6d9fbbfa

Download Submit
C:\Windows\{AD795B5F-B676-4395-8E62-3B544EF2DC5D}.exe

Filesize
60KB

MD5
8184d51b055f2d222c40e105a4a92a97

SHA1
d29fc3a06579939773afd858589a0c3c2b9f0577

SHA256
9d853bcf88bdf5cf817663cd052cf2a07ad83bc44d8dc6a49b69dcf2553a24b5

SHA512
f2b78f3b21462cffe95e4d4dacad8abd2430df40b011711bfcb9e54394be196c6eacb70838a2449f43ecc8e43e3665ae6441d5d854a57786663fcb27aededc9c

Download Submit
C:\Windows\{AD795B5F-B676-4395-8E62-3B544EF2DC5D}.exe

Filesize
60KB

MD5
8184d51b055f2d222c40e105a4a92a97

SHA1
d29fc3a06579939773afd858589a0c3c2b9f0577

SHA256
9d853bcf88bdf5cf817663cd052cf2a07ad83bc44d8dc6a49b69dcf2553a24b5

SHA512
f2b78f3b21462cffe95e4d4dacad8abd2430df40b011711bfcb9e54394be196c6eacb70838a2449f43ecc8e43e3665ae6441d5d854a57786663fcb27aededc9c

Download Submit
C:\Windows\{B5B41B5A-EB7A-4fc4-9B1F-A49EE48CB2AF}.exe

Filesize
60KB

MD5
99913a216f93769beb43064c35ddb6fc

SHA1
b7598aeaf45216fc35b5a0819f6b6ac477d35beb

SHA256
91b0fed5b53f8d7c538976cb7f3b26933143557d2714c68c977e8401a6a20ef0

SHA512
8d78cf0f226bfd8b55d21caa0943bbfe96848b99858ec9cd49d74efda47f4d86d57bba0c38fee94fa265f4975def0c0f21b478d233cf349df2541b2ccd7b22ca

Download Submit
C:\Windows\{B5B41B5A-EB7A-4fc4-9B1F-A49EE48CB2AF}.exe

Filesize
60KB

MD5
99913a216f93769beb43064c35ddb6fc

SHA1
b7598aeaf45216fc35b5a0819f6b6ac477d35beb

SHA256
91b0fed5b53f8d7c538976cb7f3b26933143557d2714c68c977e8401a6a20ef0

SHA512
8d78cf0f226bfd8b55d21caa0943bbfe96848b99858ec9cd49d74efda47f4d86d57bba0c38fee94fa265f4975def0c0f21b478d233cf349df2541b2ccd7b22ca

Download Submit
C:\Windows\{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe

Filesize
60KB

MD5
76b1dbd0b975905c73c8e7091874eeb8

SHA1
90b557d870c84086e2d1825a4fee39c1488ce4b1

SHA256
5bc44a2fbf4383eb4188a7f401687ac36742b4ce52ade76a64be6eef43d24426

SHA512
ea32e494433f5bc46cc506a9086a37a466e626353b44a5e569ac654652d629e46e54f2f54dfb2a2b447ff1cff3feb639866f0a9c5353b4a5acef61ca97499725

Download Submit
C:\Windows\{B9500422-5F0F-4bdc-AC3D-C9634CA39B99}.exe

Filesize
60KB

MD5
76b1dbd0b975905c73c8e7091874eeb8

SHA1
90b557d870c84086e2d1825a4fee39c1488ce4b1

SHA256
5bc44a2fbf4383eb4188a7f401687ac36742b4ce52ade76a64be6eef43d24426

SHA512
ea32e494433f5bc46cc506a9086a37a466e626353b44a5e569ac654652d629e46e54f2f54dfb2a2b447ff1cff3feb639866f0a9c5353b4a5acef61ca97499725

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads