156c2d575e570029c1c45bcf7f00698ed945c267a9560da0a293f1bfbabf0ae5

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe
Size

60KB
MD5

e56aca95903d8e9b3cd4f6dcaddbdca0
SHA1

262a4aa4fac30fb4db6188493d08d4318a52fc52
SHA256

156c2d575e570029c1c45bcf7f00698ed945c267a9560da0a293f1bfbabf0ae5
SHA512

1cb92eed4156fb161cbc87914e7918937b18c7a3e61f7633c43531207873ce76821c4789d38d6f18f99b997b1af7b661f7ba1725581de83de09f3f413c21f59c
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLrom4/CFsrdHWMZ:vvw9816vhKQLrom4/wQpWMZ

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8282392-BF8B-4815-BA64-7EA2712C6B4F}\stubpath = "C:\\Windows\\{F8282392-BF8B-4815-BA64-7EA2712C6B4F}.exe"	{56F572C9-2B5F-4b32-A38C-13BAE830610C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}	{81500F5D-D846-4c77-864D-33B72AC25212}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3090E2A7-2433-4488-9636-9AC25041E93F}\stubpath = "C:\\Windows\\{3090E2A7-2433-4488-9636-9AC25041E93F}.exe"	{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}\stubpath = "C:\\Windows\\{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe"	{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}	{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4446142E-F0D2-45ff-AB9B-176C1557071A}	{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B004E93-A405-48da-8C26-8F0E48AB7831}	{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56F572C9-2B5F-4b32-A38C-13BAE830610C}\stubpath = "C:\\Windows\\{56F572C9-2B5F-4b32-A38C-13BAE830610C}.exe"	{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF42187B-F7E3-451d-9853-FFEC16363FFB}	{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4DABD60-CAD8-40c0-B62F-427CD943CE33}	{3090E2A7-2433-4488-9636-9AC25041E93F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4DABD60-CAD8-40c0-B62F-427CD943CE33}\stubpath = "C:\\Windows\\{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe"	{3090E2A7-2433-4488-9636-9AC25041E93F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81500F5D-D846-4c77-864D-33B72AC25212}	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}\stubpath = "C:\\Windows\\{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe"	{81500F5D-D846-4c77-864D-33B72AC25212}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}	{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}\stubpath = "C:\\Windows\\{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe"	{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B004E93-A405-48da-8C26-8F0E48AB7831}\stubpath = "C:\\Windows\\{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe"	{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}\stubpath = "C:\\Windows\\{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe"	{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56F572C9-2B5F-4b32-A38C-13BAE830610C}	{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81500F5D-D846-4c77-864D-33B72AC25212}\stubpath = "C:\\Windows\\{81500F5D-D846-4c77-864D-33B72AC25212}.exe"	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF42187B-F7E3-451d-9853-FFEC16363FFB}\stubpath = "C:\\Windows\\{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe"	{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3090E2A7-2433-4488-9636-9AC25041E93F}	{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4446142E-F0D2-45ff-AB9B-176C1557071A}\stubpath = "C:\\Windows\\{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe"	{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}	{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8282392-BF8B-4815-BA64-7EA2712C6B4F}	{56F572C9-2B5F-4b32-A38C-13BAE830610C}.exe

Executes dropped EXE 12 IoCs

pid	Process
1248	{81500F5D-D846-4c77-864D-33B72AC25212}.exe
2656	{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe
3032	{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe
1804	{3090E2A7-2433-4488-9636-9AC25041E93F}.exe
2480	{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe
4416	{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe
1824	{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe
2856	{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe
1068	{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe
456	{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe
536	{56F572C9-2B5F-4b32-A38C-13BAE830610C}.exe
2612	{F8282392-BF8B-4815-BA64-7EA2712C6B4F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe	{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe
File created	C:\Windows\{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe	{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe
File created	C:\Windows\{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe	{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe
File created	C:\Windows\{F8282392-BF8B-4815-BA64-7EA2712C6B4F}.exe	{56F572C9-2B5F-4b32-A38C-13BAE830610C}.exe
File created	C:\Windows\{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe	{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe
File created	C:\Windows\{56F572C9-2B5F-4b32-A38C-13BAE830610C}.exe	{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe
File created	C:\Windows\{81500F5D-D846-4c77-864D-33B72AC25212}.exe	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe
File created	C:\Windows\{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe	{81500F5D-D846-4c77-864D-33B72AC25212}.exe
File created	C:\Windows\{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe	{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe
File created	C:\Windows\{3090E2A7-2433-4488-9636-9AC25041E93F}.exe	{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe
File created	C:\Windows\{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe	{3090E2A7-2433-4488-9636-9AC25041E93F}.exe
File created	C:\Windows\{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe	{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe
Token: SeIncBasePriorityPrivilege	1248	{81500F5D-D846-4c77-864D-33B72AC25212}.exe
Token: SeIncBasePriorityPrivilege	2656	{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe
Token: SeIncBasePriorityPrivilege	3032	{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe
Token: SeIncBasePriorityPrivilege	1804	{3090E2A7-2433-4488-9636-9AC25041E93F}.exe
Token: SeIncBasePriorityPrivilege	2480	{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe
Token: SeIncBasePriorityPrivilege	4416	{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe
Token: SeIncBasePriorityPrivilege	1824	{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe
Token: SeIncBasePriorityPrivilege	2856	{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe
Token: SeIncBasePriorityPrivilege	1068	{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe
Token: SeIncBasePriorityPrivilege	456	{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe
Token: SeIncBasePriorityPrivilege	536	{56F572C9-2B5F-4b32-A38C-13BAE830610C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1248	2356	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	95
PID 2356 wrote to memory of 1248	2356	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	95
PID 2356 wrote to memory of 1248	2356	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	95
PID 2356 wrote to memory of 4604	2356	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	96
PID 2356 wrote to memory of 4604	2356	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	96
PID 2356 wrote to memory of 4604	2356	NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe	96
PID 1248 wrote to memory of 2656	1248	{81500F5D-D846-4c77-864D-33B72AC25212}.exe	100
PID 1248 wrote to memory of 2656	1248	{81500F5D-D846-4c77-864D-33B72AC25212}.exe	100
PID 1248 wrote to memory of 2656	1248	{81500F5D-D846-4c77-864D-33B72AC25212}.exe	100
PID 1248 wrote to memory of 4588	1248	{81500F5D-D846-4c77-864D-33B72AC25212}.exe	101
PID 1248 wrote to memory of 4588	1248	{81500F5D-D846-4c77-864D-33B72AC25212}.exe	101
PID 1248 wrote to memory of 4588	1248	{81500F5D-D846-4c77-864D-33B72AC25212}.exe	101
PID 2656 wrote to memory of 3032	2656	{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe	105
PID 2656 wrote to memory of 3032	2656	{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe	105
PID 2656 wrote to memory of 3032	2656	{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe	105
PID 2656 wrote to memory of 3348	2656	{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe	104
PID 2656 wrote to memory of 3348	2656	{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe	104
PID 2656 wrote to memory of 3348	2656	{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe	104
PID 3032 wrote to memory of 1804	3032	{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe	109
PID 3032 wrote to memory of 1804	3032	{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe	109
PID 3032 wrote to memory of 1804	3032	{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe	109
PID 3032 wrote to memory of 4084	3032	{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe	110
PID 3032 wrote to memory of 4084	3032	{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe	110
PID 3032 wrote to memory of 4084	3032	{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe	110
PID 1804 wrote to memory of 2480	1804	{3090E2A7-2433-4488-9636-9AC25041E93F}.exe	112
PID 1804 wrote to memory of 2480	1804	{3090E2A7-2433-4488-9636-9AC25041E93F}.exe	112
PID 1804 wrote to memory of 2480	1804	{3090E2A7-2433-4488-9636-9AC25041E93F}.exe	112
PID 1804 wrote to memory of 4360	1804	{3090E2A7-2433-4488-9636-9AC25041E93F}.exe	113
PID 1804 wrote to memory of 4360	1804	{3090E2A7-2433-4488-9636-9AC25041E93F}.exe	113
PID 1804 wrote to memory of 4360	1804	{3090E2A7-2433-4488-9636-9AC25041E93F}.exe	113
PID 2480 wrote to memory of 4416	2480	{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe	114
PID 2480 wrote to memory of 4416	2480	{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe	114
PID 2480 wrote to memory of 4416	2480	{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe	114
PID 2480 wrote to memory of 4932	2480	{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe	115
PID 2480 wrote to memory of 4932	2480	{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe	115
PID 2480 wrote to memory of 4932	2480	{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe	115
PID 4416 wrote to memory of 1824	4416	{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe	117
PID 4416 wrote to memory of 1824	4416	{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe	117
PID 4416 wrote to memory of 1824	4416	{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe	117
PID 4416 wrote to memory of 4784	4416	{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe	118
PID 4416 wrote to memory of 4784	4416	{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe	118
PID 4416 wrote to memory of 4784	4416	{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe	118
PID 1824 wrote to memory of 2856	1824	{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe	120
PID 1824 wrote to memory of 2856	1824	{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe	120
PID 1824 wrote to memory of 2856	1824	{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe	120
PID 1824 wrote to memory of 4172	1824	{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe	121
PID 1824 wrote to memory of 4172	1824	{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe	121
PID 1824 wrote to memory of 4172	1824	{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe	121
PID 2856 wrote to memory of 1068	2856	{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe	122
PID 2856 wrote to memory of 1068	2856	{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe	122
PID 2856 wrote to memory of 1068	2856	{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe	122
PID 2856 wrote to memory of 4144	2856	{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe	123
PID 2856 wrote to memory of 4144	2856	{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe	123
PID 2856 wrote to memory of 4144	2856	{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe	123
PID 1068 wrote to memory of 456	1068	{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe	124
PID 1068 wrote to memory of 456	1068	{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe	124
PID 1068 wrote to memory of 456	1068	{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe	124
PID 1068 wrote to memory of 5072	1068	{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe	125
PID 1068 wrote to memory of 5072	1068	{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe	125
PID 1068 wrote to memory of 5072	1068	{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe	125
PID 456 wrote to memory of 536	456	{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe	126
PID 456 wrote to memory of 536	456	{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe	126
PID 456 wrote to memory of 536	456	{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe	126
PID 456 wrote to memory of 3304	456	{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe	127

C:\Users\Admin\AppData\Local\Temp\NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e56aca95903d8e9b3cd4f6dcaddbdca0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{81500F5D-D846-4c77-864D-33B72AC25212}.exe
  C:\Windows\{81500F5D-D846-4c77-864D-33B72AC25212}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe
    C:\Windows\{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FA93A~1.EXE > nul
      4⤵
      PID:3348
  - - C:\Windows\{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe
      C:\Windows\{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\{3090E2A7-2433-4488-9636-9AC25041E93F}.exe
        
        C:\Windows\{3090E2A7-2433-4488-9636-9AC25041E93F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\Windows\{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe
        
        C:\Windows\{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe
        
        C:\Windows\{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe
        
        C:\Windows\{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe
        
        C:\Windows\{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe
        
        C:\Windows\{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe
        
        C:\Windows\{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{56F572C9-2B5F-4b32-A38C-13BAE830610C}.exe
        
        C:\Windows\{56F572C9-2B5F-4b32-A38C-13BAE830610C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\{F8282392-BF8B-4815-BA64-7EA2712C6B4F}.exe
        
        C:\Windows\{F8282392-BF8B-4815-BA64-7EA2712C6B4F}.exe
        13⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56F57~1.EXE > nul
        13⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2030~1.EXE > nul
        12⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B004~1.EXE > nul
        11⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44461~1.EXE > nul
        10⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FB2A~1.EXE > nul
        9⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79E69~1.EXE > nul
        8⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4DAB~1.EXE > nul
        7⤵
        
        PID:4932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3090E~1.EXE > nul
        6⤵
        
        PID:4360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF421~1.EXE > nul
        5⤵
        
        PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{81500~1.EXE > nul
    3⤵
    PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEASE5~1.EXE > nul
  2⤵
  PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3090E2A7-2433-4488-9636-9AC25041E93F}.exe

Filesize
60KB

MD5
7fe88ba56188a2a58d8f06833656cf08

SHA1
73b46dde8d1ac90f20944ee9c839895dd44a9ba8

SHA256
d95f635588f3bb866eee9b77078c5c3d97fc090f04f93aa9de0d32822644432f

SHA512
8be6e4148e6c2f45369c4e6fdabe3f333d42a10d58517aa93cdef7c86414e37cf1d90bca2b85ab7e7c77a4956934f6c1f008f60d8656eb1cbc2a6ace7ce7e4d4

Download Submit
C:\Windows\{3090E2A7-2433-4488-9636-9AC25041E93F}.exe

Filesize
60KB

MD5
7fe88ba56188a2a58d8f06833656cf08

SHA1
73b46dde8d1ac90f20944ee9c839895dd44a9ba8

SHA256
d95f635588f3bb866eee9b77078c5c3d97fc090f04f93aa9de0d32822644432f

SHA512
8be6e4148e6c2f45369c4e6fdabe3f333d42a10d58517aa93cdef7c86414e37cf1d90bca2b85ab7e7c77a4956934f6c1f008f60d8656eb1cbc2a6ace7ce7e4d4

Download Submit
C:\Windows\{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe

Filesize
60KB

MD5
8f998a28052313eff6dd5243cd242f92

SHA1
7a0f5bb7ee200eb6afa3b7c11e3b31957f2a54fd

SHA256
f12e1f770c00813f2be97b132a0a5e37ac7d49b234a8445f9dd4f397c5f59bc4

SHA512
d01db5e606d36154d3cda877d7568bbe635042d47efc231a9d0c81ec293bb7fa66cfd2a99097d24dddbbb50bfaa47419bb42ef105df717c5f3d846b318ad8e4f

Download Submit
C:\Windows\{4446142E-F0D2-45ff-AB9B-176C1557071A}.exe

Filesize
60KB

MD5
8f998a28052313eff6dd5243cd242f92

SHA1
7a0f5bb7ee200eb6afa3b7c11e3b31957f2a54fd

SHA256
f12e1f770c00813f2be97b132a0a5e37ac7d49b234a8445f9dd4f397c5f59bc4

SHA512
d01db5e606d36154d3cda877d7568bbe635042d47efc231a9d0c81ec293bb7fa66cfd2a99097d24dddbbb50bfaa47419bb42ef105df717c5f3d846b318ad8e4f

Download Submit
C:\Windows\{56F572C9-2B5F-4b32-A38C-13BAE830610C}.exe

Filesize
60KB

MD5
dbad9b883af8bd142df92ed05976a7e0

SHA1
7905f188db4067695a7586c27e5642f10097e9d0

SHA256
8a47a96209c2ec301c43c725e9556670d011cd09dc1dd3d563436cf2ef77ff04

SHA512
7ff96a4512e9657a651b7e93c9f2d108fca4b592151a03ce14e233dfa360cb025a2317bf3f8eb0da4d34ee635ae260a77d324d15661697af282d1918282b6c62

Download Submit
C:\Windows\{56F572C9-2B5F-4b32-A38C-13BAE830610C}.exe

Filesize
60KB

MD5
dbad9b883af8bd142df92ed05976a7e0

SHA1
7905f188db4067695a7586c27e5642f10097e9d0

SHA256
8a47a96209c2ec301c43c725e9556670d011cd09dc1dd3d563436cf2ef77ff04

SHA512
7ff96a4512e9657a651b7e93c9f2d108fca4b592151a03ce14e233dfa360cb025a2317bf3f8eb0da4d34ee635ae260a77d324d15661697af282d1918282b6c62

Download Submit
C:\Windows\{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe

Filesize
60KB

MD5
d80a353722ade9abd54935472b7c7565

SHA1
7ffbe70c35e327c3e0d22936accfce62373509df

SHA256
106a039901ec8a9bf89a47d3575ac77f9cdd084fd15cb04d283e73a3f634077d

SHA512
fb25cc7f1b366a92a530175420f9d5e76bf7cc3fdd616257c94e4c3cedaa33245b22aacc874cdcc9989e9d2b1f871195b01bea4ffdf7b906f6b0afb29ad5e34e

Download Submit
C:\Windows\{5FB2A0FA-8280-4fc5-80A7-42DD24D94947}.exe

Filesize
60KB

MD5
d80a353722ade9abd54935472b7c7565

SHA1
7ffbe70c35e327c3e0d22936accfce62373509df

SHA256
106a039901ec8a9bf89a47d3575ac77f9cdd084fd15cb04d283e73a3f634077d

SHA512
fb25cc7f1b366a92a530175420f9d5e76bf7cc3fdd616257c94e4c3cedaa33245b22aacc874cdcc9989e9d2b1f871195b01bea4ffdf7b906f6b0afb29ad5e34e

Download Submit
C:\Windows\{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe

Filesize
60KB

MD5
ddf236021e18e961924057b5a7e761ed

SHA1
c7cf114d5c2301fca2bbe0626987cd8bce5e0580

SHA256
58e6862c9f16a9b116a3ed526b5fbd4afdb49faa535ad6bb968241fa8689cd3c

SHA512
bc356b8c6065f6f6c9e0ea00d47c01fda99e3c9c997788ced69eee983610db77685f4746837c6af0eea24e33a731eb0f8ae06e2088eea73fe3d9a74a5dcc5e63

Download Submit
C:\Windows\{79E69DF0-C13A-4799-A6EB-7F41259FEB9B}.exe

Filesize
60KB

MD5
ddf236021e18e961924057b5a7e761ed

SHA1
c7cf114d5c2301fca2bbe0626987cd8bce5e0580

SHA256
58e6862c9f16a9b116a3ed526b5fbd4afdb49faa535ad6bb968241fa8689cd3c

SHA512
bc356b8c6065f6f6c9e0ea00d47c01fda99e3c9c997788ced69eee983610db77685f4746837c6af0eea24e33a731eb0f8ae06e2088eea73fe3d9a74a5dcc5e63

Download Submit
C:\Windows\{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe

Filesize
60KB

MD5
d8dce8db075db86edac2b7e5c5ce2f05

SHA1
1ed7db62bda90294c55e33b9c2732f3a4042041e

SHA256
192f290aefc1d100ad194b7b46529aa8730f6066c2a078317f84fbb273fc7f17

SHA512
ac88484d061d4f7ed45867464a05ef1518cef0ab4c97d75b422b7719b7763a5a640a72815c401758b09ff12bde8a645dc0d1ab8977188a4a7d032d5d605ab560

Download Submit
C:\Windows\{7B004E93-A405-48da-8C26-8F0E48AB7831}.exe

Filesize
60KB

MD5
d8dce8db075db86edac2b7e5c5ce2f05

SHA1
1ed7db62bda90294c55e33b9c2732f3a4042041e

SHA256
192f290aefc1d100ad194b7b46529aa8730f6066c2a078317f84fbb273fc7f17

SHA512
ac88484d061d4f7ed45867464a05ef1518cef0ab4c97d75b422b7719b7763a5a640a72815c401758b09ff12bde8a645dc0d1ab8977188a4a7d032d5d605ab560

Download Submit
C:\Windows\{81500F5D-D846-4c77-864D-33B72AC25212}.exe

Filesize
60KB

MD5
97e47437630b9ffbe17ffc3983f2a758

SHA1
e2f8d0702e1de003900e78bae19947e070d78d6d

SHA256
c9c2112a40bbee97361739643c07bf09afde9d8893f3a9420fd4a1124ea25a5c

SHA512
d983dcf5010ae4e0b178bf78449b03240021d3688a9cf678514129d13c50b9fcfb13ab65cbfced9604f66bbdf9eea3986a6933af2a93b73830c13f32ddc66519

Download Submit
C:\Windows\{81500F5D-D846-4c77-864D-33B72AC25212}.exe

Filesize
60KB

MD5
97e47437630b9ffbe17ffc3983f2a758

SHA1
e2f8d0702e1de003900e78bae19947e070d78d6d

SHA256
c9c2112a40bbee97361739643c07bf09afde9d8893f3a9420fd4a1124ea25a5c

SHA512
d983dcf5010ae4e0b178bf78449b03240021d3688a9cf678514129d13c50b9fcfb13ab65cbfced9604f66bbdf9eea3986a6933af2a93b73830c13f32ddc66519

Download Submit
C:\Windows\{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe

Filesize
60KB

MD5
4432face5052b83220f3b91e73914027

SHA1
83346e4d47f9173eb4ffa02a21741245ba6a63d5

SHA256
c6066d4f0827dd925e776e5c4a48779f63965401d85525f0a22933908f2ef647

SHA512
596c3272f252d500a4e07c40710811772212665e20daa8807310686427cba5a4629ddd36991bd5d57723e6bde09f45f8f49f67cbf3c1e1947ab065572390fedd

Download Submit
C:\Windows\{A2030C90-E749-4c9f-8AF9-EADFFC3C1AF2}.exe

Filesize
60KB

MD5
4432face5052b83220f3b91e73914027

SHA1
83346e4d47f9173eb4ffa02a21741245ba6a63d5

SHA256
c6066d4f0827dd925e776e5c4a48779f63965401d85525f0a22933908f2ef647

SHA512
596c3272f252d500a4e07c40710811772212665e20daa8807310686427cba5a4629ddd36991bd5d57723e6bde09f45f8f49f67cbf3c1e1947ab065572390fedd

Download Submit
C:\Windows\{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe

Filesize
60KB

MD5
f94d56f871a283e7e147c9c9426bd5d2

SHA1
6d467aaf8adecfa4227e58977db32c3a14fbe8fc

SHA256
641b9452d3e7010b73283559275017bbbd7cd63b96dd9df307f8352b6d8ab1f9

SHA512
d44df7066851fb60f902a33f1bbb41523e5e726b9e8e07668b4f90a1968a6a52694db3ee6e3ceedd7a2d9fefa2d80e4c969e4789259091be3bb48ae74ef13065

Download Submit
C:\Windows\{A4DABD60-CAD8-40c0-B62F-427CD943CE33}.exe

Filesize
60KB

MD5
f94d56f871a283e7e147c9c9426bd5d2

SHA1
6d467aaf8adecfa4227e58977db32c3a14fbe8fc

SHA256
641b9452d3e7010b73283559275017bbbd7cd63b96dd9df307f8352b6d8ab1f9

SHA512
d44df7066851fb60f902a33f1bbb41523e5e726b9e8e07668b4f90a1968a6a52694db3ee6e3ceedd7a2d9fefa2d80e4c969e4789259091be3bb48ae74ef13065

Download Submit
C:\Windows\{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe

Filesize
60KB

MD5
8acf2e509cf29d1d08da08d2c9622a85

SHA1
45af860107932c881c5e59ac0aa1a339587c67d7

SHA256
9670adee2e50a6d1b4d3d7d6e3389805ba23a49f59ebc37b592db735342fcbbd

SHA512
514be9ef33165fd96a1d7c1f467318f8dc34cd677a36a543b471b446f1bbe0e9e3d27e22f7d4edf7489c8685bd1ab95633d884393f05ed8b8cf5ab63598bfa94

Download Submit
C:\Windows\{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe

Filesize
60KB

MD5
8acf2e509cf29d1d08da08d2c9622a85

SHA1
45af860107932c881c5e59ac0aa1a339587c67d7

SHA256
9670adee2e50a6d1b4d3d7d6e3389805ba23a49f59ebc37b592db735342fcbbd

SHA512
514be9ef33165fd96a1d7c1f467318f8dc34cd677a36a543b471b446f1bbe0e9e3d27e22f7d4edf7489c8685bd1ab95633d884393f05ed8b8cf5ab63598bfa94

Download Submit
C:\Windows\{EF42187B-F7E3-451d-9853-FFEC16363FFB}.exe

Filesize
60KB

MD5
8acf2e509cf29d1d08da08d2c9622a85

SHA1
45af860107932c881c5e59ac0aa1a339587c67d7

SHA256
9670adee2e50a6d1b4d3d7d6e3389805ba23a49f59ebc37b592db735342fcbbd

SHA512
514be9ef33165fd96a1d7c1f467318f8dc34cd677a36a543b471b446f1bbe0e9e3d27e22f7d4edf7489c8685bd1ab95633d884393f05ed8b8cf5ab63598bfa94

Download Submit
C:\Windows\{F8282392-BF8B-4815-BA64-7EA2712C6B4F}.exe

Filesize
60KB

MD5
3e58136fa9c178cd15d37030e25144db

SHA1
e0668f4f85e37b4793f47666f5381bf61f7413b8

SHA256
5b443279f35238496c39a7053ef4773face2616db6d93f038a3273ffe7dad5c0

SHA512
d3646dd018ba9235dfb24bd9b20d68b40067c441900aeca453aefa5273e20339852747f65212798606c0665c5460b9d2bce1f80c234dba6f345e57278570a417

Download Submit
C:\Windows\{F8282392-BF8B-4815-BA64-7EA2712C6B4F}.exe

Filesize
60KB

MD5
3e58136fa9c178cd15d37030e25144db

SHA1
e0668f4f85e37b4793f47666f5381bf61f7413b8

SHA256
5b443279f35238496c39a7053ef4773face2616db6d93f038a3273ffe7dad5c0

SHA512
d3646dd018ba9235dfb24bd9b20d68b40067c441900aeca453aefa5273e20339852747f65212798606c0665c5460b9d2bce1f80c234dba6f345e57278570a417

Download Submit
C:\Windows\{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe

Filesize
60KB

MD5
5bf75f6db3c04788f8716712bec74b44

SHA1
1e8f686ebb420dc529ffc7b3191b6a1772ff56b7

SHA256
22860c30bd5c69341d2326cb01a315da91194b16c174271260832093875e6823

SHA512
506df6c51e70ef83d6297391a012af46ee92febec705f3df00e9156b31c95b568c2a7bc805ddfcd38667f4f1750ea67ad9bbc9b22101a9ab1f0cebfe5ccf1393

Download Submit
C:\Windows\{FA93AE5D-AAAD-431c-826F-AEC7E28ABCC1}.exe

Filesize
60KB

MD5
5bf75f6db3c04788f8716712bec74b44

SHA1
1e8f686ebb420dc529ffc7b3191b6a1772ff56b7

SHA256
22860c30bd5c69341d2326cb01a315da91194b16c174271260832093875e6823

SHA512
506df6c51e70ef83d6297391a012af46ee92febec705f3df00e9156b31c95b568c2a7bc805ddfcd38667f4f1750ea67ad9bbc9b22101a9ab1f0cebfe5ccf1393

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads