db1a793be2c91b32600fc3453370c75cff0ff3eaed676af1f769be84de964485

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe
Size

76KB
MD5

2c4900f6c7167ca8e4df3277fd0dfcd0
SHA1

c81c8b7b015334a85855a498ee12c1b7e9270798
SHA256

db1a793be2c91b32600fc3453370c75cff0ff3eaed676af1f769be84de964485
SHA512

946167a7a81eb069b44b1347afbf48e34f0d37e8a4f01d7ca6dd6199227d1530bccbd68678dd6756c52ca4b18b0b29c43abc000fefadfd237b0995d1b5049848
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroN4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwU1:vvw9816vhKQLroN4/wQRNrfrunMxVD

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4665939-DD25-4f99-A92F-C6A683D6928D}	{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4665939-DD25-4f99-A92F-C6A683D6928D}\stubpath = "C:\\Windows\\{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe"	{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92EA74A3-C3DB-44d9-9991-608618FDD7CD}\stubpath = "C:\\Windows\\{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe"	{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C5FD420-C284-4a67-A837-FC7A918B4D3B}\stubpath = "C:\\Windows\\{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe"	{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49CA8E5-272D-46bf-A85E-8D7F58247B93}\stubpath = "C:\\Windows\\{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe"	{262C07E1-7D5C-4740-A48B-777991296834}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{262C07E1-7D5C-4740-A48B-777991296834}	{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C77B1362-A1AC-4dcc-A261-2921DD6F1924}	{297D9F89-0D72-4d5a-8487-D52DEA4BE3A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C77B1362-A1AC-4dcc-A261-2921DD6F1924}\stubpath = "C:\\Windows\\{C77B1362-A1AC-4dcc-A261-2921DD6F1924}.exe"	{297D9F89-0D72-4d5a-8487-D52DEA4BE3A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}\stubpath = "C:\\Windows\\{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe"	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B6A6282-DD45-4f15-9A8D-1173737D7D87}	{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}	{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92EA74A3-C3DB-44d9-9991-608618FDD7CD}	{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{297D9F89-0D72-4d5a-8487-D52DEA4BE3A8}	{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{297D9F89-0D72-4d5a-8487-D52DEA4BE3A8}\stubpath = "C:\\Windows\\{297D9F89-0D72-4d5a-8487-D52DEA4BE3A8}.exe"	{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49CA8E5-272D-46bf-A85E-8D7F58247B93}	{262C07E1-7D5C-4740-A48B-777991296834}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEFA97CD-6600-4a58-BE5E-80F3085AB910}	{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B6A6282-DD45-4f15-9A8D-1173737D7D87}\stubpath = "C:\\Windows\\{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe"	{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{262C07E1-7D5C-4740-A48B-777991296834}\stubpath = "C:\\Windows\\{262C07E1-7D5C-4740-A48B-777991296834}.exe"	{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEFA97CD-6600-4a58-BE5E-80F3085AB910}\stubpath = "C:\\Windows\\{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe"	{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}\stubpath = "C:\\Windows\\{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe"	{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}	{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}\stubpath = "C:\\Windows\\{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe"	{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C5FD420-C284-4a67-A837-FC7A918B4D3B}	{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe

Executes dropped EXE 12 IoCs

pid	Process
2592	{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe
4420	{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe
4404	{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe
4692	{262C07E1-7D5C-4740-A48B-777991296834}.exe
1900	{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe
3560	{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe
2592	{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe
4728	{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe
2872	{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe
4456	{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe
3344	{297D9F89-0D72-4d5a-8487-D52DEA4BE3A8}.exe
3776	{C77B1362-A1AC-4dcc-A261-2921DD6F1924}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe	{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe
File created	C:\Windows\{262C07E1-7D5C-4740-A48B-777991296834}.exe	{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe
File created	C:\Windows\{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe	{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe
File created	C:\Windows\{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe	{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe
File created	C:\Windows\{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe	{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe
File created	C:\Windows\{C77B1362-A1AC-4dcc-A261-2921DD6F1924}.exe	{297D9F89-0D72-4d5a-8487-D52DEA4BE3A8}.exe
File created	C:\Windows\{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe	{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe
File created	C:\Windows\{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe	{262C07E1-7D5C-4740-A48B-777991296834}.exe
File created	C:\Windows\{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe	{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe
File created	C:\Windows\{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe	{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe
File created	C:\Windows\{297D9F89-0D72-4d5a-8487-D52DEA4BE3A8}.exe	{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe
File created	C:\Windows\{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4496	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe
Token: SeIncBasePriorityPrivilege	2592	{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe
Token: SeIncBasePriorityPrivilege	4420	{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe
Token: SeIncBasePriorityPrivilege	4404	{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe
Token: SeIncBasePriorityPrivilege	4692	{262C07E1-7D5C-4740-A48B-777991296834}.exe
Token: SeIncBasePriorityPrivilege	1900	{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe
Token: SeIncBasePriorityPrivilege	3560	{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe
Token: SeIncBasePriorityPrivilege	2592	{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe
Token: SeIncBasePriorityPrivilege	4728	{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe
Token: SeIncBasePriorityPrivilege	2872	{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe
Token: SeIncBasePriorityPrivilege	4456	{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe
Token: SeIncBasePriorityPrivilege	3344	{297D9F89-0D72-4d5a-8487-D52DEA4BE3A8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 2592	4496	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	97
PID 4496 wrote to memory of 2592	4496	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	97
PID 4496 wrote to memory of 2592	4496	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	97
PID 4496 wrote to memory of 3924	4496	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	98
PID 4496 wrote to memory of 3924	4496	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	98
PID 4496 wrote to memory of 3924	4496	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	98
PID 2592 wrote to memory of 4420	2592	{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe	100
PID 2592 wrote to memory of 4420	2592	{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe	100
PID 2592 wrote to memory of 4420	2592	{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe	100
PID 2592 wrote to memory of 4216	2592	{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe	101
PID 2592 wrote to memory of 4216	2592	{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe	101
PID 2592 wrote to memory of 4216	2592	{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe	101
PID 4420 wrote to memory of 4404	4420	{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe	107
PID 4420 wrote to memory of 4404	4420	{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe	107
PID 4420 wrote to memory of 4404	4420	{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe	107
PID 4420 wrote to memory of 4780	4420	{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe	106
PID 4420 wrote to memory of 4780	4420	{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe	106
PID 4420 wrote to memory of 4780	4420	{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe	106
PID 4404 wrote to memory of 4692	4404	{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe	113
PID 4404 wrote to memory of 4692	4404	{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe	113
PID 4404 wrote to memory of 4692	4404	{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe	113
PID 4404 wrote to memory of 1920	4404	{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe	114
PID 4404 wrote to memory of 1920	4404	{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe	114
PID 4404 wrote to memory of 1920	4404	{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe	114
PID 4692 wrote to memory of 1900	4692	{262C07E1-7D5C-4740-A48B-777991296834}.exe	115
PID 4692 wrote to memory of 1900	4692	{262C07E1-7D5C-4740-A48B-777991296834}.exe	115
PID 4692 wrote to memory of 1900	4692	{262C07E1-7D5C-4740-A48B-777991296834}.exe	115
PID 4692 wrote to memory of 1932	4692	{262C07E1-7D5C-4740-A48B-777991296834}.exe	116
PID 4692 wrote to memory of 1932	4692	{262C07E1-7D5C-4740-A48B-777991296834}.exe	116
PID 4692 wrote to memory of 1932	4692	{262C07E1-7D5C-4740-A48B-777991296834}.exe	116
PID 1900 wrote to memory of 3560	1900	{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe	117
PID 1900 wrote to memory of 3560	1900	{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe	117
PID 1900 wrote to memory of 3560	1900	{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe	117
PID 1900 wrote to memory of 4612	1900	{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe	118
PID 1900 wrote to memory of 4612	1900	{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe	118
PID 1900 wrote to memory of 4612	1900	{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe	118
PID 3560 wrote to memory of 2592	3560	{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe	120
PID 3560 wrote to memory of 2592	3560	{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe	120
PID 3560 wrote to memory of 2592	3560	{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe	120
PID 3560 wrote to memory of 2152	3560	{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe	121
PID 3560 wrote to memory of 2152	3560	{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe	121
PID 3560 wrote to memory of 2152	3560	{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe	121
PID 2592 wrote to memory of 4728	2592	{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe	122
PID 2592 wrote to memory of 4728	2592	{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe	122
PID 2592 wrote to memory of 4728	2592	{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe	122
PID 2592 wrote to memory of 1100	2592	{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe	123
PID 2592 wrote to memory of 1100	2592	{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe	123
PID 2592 wrote to memory of 1100	2592	{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe	123
PID 4728 wrote to memory of 2872	4728	{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe	124
PID 4728 wrote to memory of 2872	4728	{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe	124
PID 4728 wrote to memory of 2872	4728	{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe	124
PID 4728 wrote to memory of 4700	4728	{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe	125
PID 4728 wrote to memory of 4700	4728	{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe	125
PID 4728 wrote to memory of 4700	4728	{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe	125
PID 2872 wrote to memory of 4456	2872	{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe	126
PID 2872 wrote to memory of 4456	2872	{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe	126
PID 2872 wrote to memory of 4456	2872	{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe	126
PID 2872 wrote to memory of 2472	2872	{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe	127
PID 2872 wrote to memory of 2472	2872	{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe	127
PID 2872 wrote to memory of 2472	2872	{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe	127
PID 4456 wrote to memory of 3344	4456	{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe	128
PID 4456 wrote to memory of 3344	4456	{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe	128
PID 4456 wrote to memory of 3344	4456	{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe	128
PID 4456 wrote to memory of 3864	4456	{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe	129

C:\Users\Admin\AppData\Local\Temp\NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe
  C:\Windows\{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe
    C:\Windows\{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2C5FD~1.EXE > nul
      4⤵
      PID:4780
  - - C:\Windows\{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe
      C:\Windows\{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Windows\{262C07E1-7D5C-4740-A48B-777991296834}.exe
        
        C:\Windows\{262C07E1-7D5C-4740-A48B-777991296834}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
      - C:\Windows\{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe
        
        C:\Windows\{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe
        
        C:\Windows\{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe
        
        C:\Windows\{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe
        
        C:\Windows\{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe
        
        C:\Windows\{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe
        
        C:\Windows\{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\{297D9F89-0D72-4d5a-8487-D52DEA4BE3A8}.exe
        
        C:\Windows\{297D9F89-0D72-4d5a-8487-D52DEA4BE3A8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
        
        C:\Windows\{C77B1362-A1AC-4dcc-A261-2921DD6F1924}.exe
        
        C:\Windows\{C77B1362-A1AC-4dcc-A261-2921DD6F1924}.exe
        13⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{297D9~1.EXE > nul
        13⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7F9A~1.EXE > nul
        12⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92EA7~1.EXE > nul
        11⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E92B2~1.EXE > nul
        10⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4665~1.EXE > nul
        9⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEFA9~1.EXE > nul
        8⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E49CA~1.EXE > nul
        7⤵
        
        PID:4612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{262C0~1.EXE > nul
        6⤵
        
        PID:1932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B6A6~1.EXE > nul
        5⤵
        
        PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0D260~1.EXE > nul
    3⤵
    PID:4216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS2C~1.EXE > nul
  2⤵
  PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe

Filesize
76KB

MD5
37e889eaa511ca609167b1c549c57316

SHA1
d1f95d560e42e863517785bbb85888e27ca23e05

SHA256
eb8edd71160102b462540d2db93c6ecd7fa5f8a54a142e4898c510dab4a8d85c

SHA512
aa745d2bd169be16597d83e5d845fde1a636710583d9b92e706eae937f9b644c72d929a37c613cef2f9d76dce95c08a4331924859cd0eda502a59176298de7c4

Download Submit
C:\Windows\{0D2604AA-6A21-4ae7-B56E-BE4FE5369D7C}.exe

Filesize
76KB

MD5
37e889eaa511ca609167b1c549c57316

SHA1
d1f95d560e42e863517785bbb85888e27ca23e05

SHA256
eb8edd71160102b462540d2db93c6ecd7fa5f8a54a142e4898c510dab4a8d85c

SHA512
aa745d2bd169be16597d83e5d845fde1a636710583d9b92e706eae937f9b644c72d929a37c613cef2f9d76dce95c08a4331924859cd0eda502a59176298de7c4

Download Submit
C:\Windows\{262C07E1-7D5C-4740-A48B-777991296834}.exe

Filesize
76KB

MD5
23fafa517cf3b05084e6a39c2cbfe1a3

SHA1
588e7b6549408d3303ec166cca397c648e236e21

SHA256
2989ed918d79c111773bf81364c898e8d9b45a300a12c2268a3a2ab414671c22

SHA512
84327c782e42c160fdd468b5f57f70765b3d144d70c8f0017c42af2db082c16032119b84fa1a6ecc604f0be6074c15482907a5a8fbce28bbd1a57b37c0d8a65c

Download Submit
C:\Windows\{262C07E1-7D5C-4740-A48B-777991296834}.exe

Filesize
76KB

MD5
23fafa517cf3b05084e6a39c2cbfe1a3

SHA1
588e7b6549408d3303ec166cca397c648e236e21

SHA256
2989ed918d79c111773bf81364c898e8d9b45a300a12c2268a3a2ab414671c22

SHA512
84327c782e42c160fdd468b5f57f70765b3d144d70c8f0017c42af2db082c16032119b84fa1a6ecc604f0be6074c15482907a5a8fbce28bbd1a57b37c0d8a65c

Download Submit
C:\Windows\{297D9F89-0D72-4d5a-8487-D52DEA4BE3A8}.exe

Filesize
76KB

MD5
cab71658e3b2740557b95491d4cb66cd

SHA1
26dead59b20f917a90180dafe99c63cc915ade5b

SHA256
07ab4c14d60d562245b154acee4303298da2577b494553e72ba093c3cc43f721

SHA512
26cf519a04117f021039b5507fec9f71ff08a5b45e65b3321d1f837897930922c5e48385fb3edbb68304da2980456568d54f0157039742e672f52c18df1d22b4

Download Submit
C:\Windows\{297D9F89-0D72-4d5a-8487-D52DEA4BE3A8}.exe

Filesize
76KB

MD5
cab71658e3b2740557b95491d4cb66cd

SHA1
26dead59b20f917a90180dafe99c63cc915ade5b

SHA256
07ab4c14d60d562245b154acee4303298da2577b494553e72ba093c3cc43f721

SHA512
26cf519a04117f021039b5507fec9f71ff08a5b45e65b3321d1f837897930922c5e48385fb3edbb68304da2980456568d54f0157039742e672f52c18df1d22b4

Download Submit
C:\Windows\{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe

Filesize
76KB

MD5
fd194ce5bfb280788dc54eb605ea8bd9

SHA1
22c548400555dea95d46d62e5658de8ace289912

SHA256
2e97d4c7e0939c43ebd2e59bd62c7dc0912764dd18c2f299dff2e7332d27f9c6

SHA512
3056f1d9ed62dbb1e67a16717f83ca274f271fe19afdd6b21201e80d705103206f28cf011507e8d9809e3a9b4ecc1e6405ab02ae6e208176b65ae3cc6e7cb75c

Download Submit
C:\Windows\{2C5FD420-C284-4a67-A837-FC7A918B4D3B}.exe

Filesize
76KB

MD5
fd194ce5bfb280788dc54eb605ea8bd9

SHA1
22c548400555dea95d46d62e5658de8ace289912

SHA256
2e97d4c7e0939c43ebd2e59bd62c7dc0912764dd18c2f299dff2e7332d27f9c6

SHA512
3056f1d9ed62dbb1e67a16717f83ca274f271fe19afdd6b21201e80d705103206f28cf011507e8d9809e3a9b4ecc1e6405ab02ae6e208176b65ae3cc6e7cb75c

Download Submit
C:\Windows\{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe

Filesize
76KB

MD5
8489110aed9617c111d6f314615660bc

SHA1
ec10b47f7decf7420c969031873968468a4d651f

SHA256
70ea087a7f4315e9b4887f06b6705cda060763254ae5c60b6aa2df464572b310

SHA512
b132ec6d0509d73aa39b9f202c6ee281694c36ae1db45ceab469e0e8f65330736900226541e8cfd865f964e21d883587ccacb89ca7ddb691e3e12b18ffa282e6

Download Submit
C:\Windows\{92EA74A3-C3DB-44d9-9991-608618FDD7CD}.exe

Filesize
76KB

MD5
8489110aed9617c111d6f314615660bc

SHA1
ec10b47f7decf7420c969031873968468a4d651f

SHA256
70ea087a7f4315e9b4887f06b6705cda060763254ae5c60b6aa2df464572b310

SHA512
b132ec6d0509d73aa39b9f202c6ee281694c36ae1db45ceab469e0e8f65330736900226541e8cfd865f964e21d883587ccacb89ca7ddb691e3e12b18ffa282e6

Download Submit
C:\Windows\{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe

Filesize
76KB

MD5
1eeae781faed88ddd0c59771870b0fb2

SHA1
d421cbe37ad89dffaa6066fefe2545e12ee7d17a

SHA256
65605333d1dbdf0dcab083ddb534a9e5c840a6c6926aa06c107bec56f94d464a

SHA512
9e5559c53f1da72ac9796e975c69edcc709f34992f5d9a3558f6fc72c5d700e9c88cbfcc0a7e364d3e8c45a272dad3bb7672f9f5afe0bde40d35a7e8dc20a1e0

Download Submit
C:\Windows\{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe

Filesize
76KB

MD5
1eeae781faed88ddd0c59771870b0fb2

SHA1
d421cbe37ad89dffaa6066fefe2545e12ee7d17a

SHA256
65605333d1dbdf0dcab083ddb534a9e5c840a6c6926aa06c107bec56f94d464a

SHA512
9e5559c53f1da72ac9796e975c69edcc709f34992f5d9a3558f6fc72c5d700e9c88cbfcc0a7e364d3e8c45a272dad3bb7672f9f5afe0bde40d35a7e8dc20a1e0

Download Submit
C:\Windows\{9B6A6282-DD45-4f15-9A8D-1173737D7D87}.exe

Filesize
76KB

MD5
1eeae781faed88ddd0c59771870b0fb2

SHA1
d421cbe37ad89dffaa6066fefe2545e12ee7d17a

SHA256
65605333d1dbdf0dcab083ddb534a9e5c840a6c6926aa06c107bec56f94d464a

SHA512
9e5559c53f1da72ac9796e975c69edcc709f34992f5d9a3558f6fc72c5d700e9c88cbfcc0a7e364d3e8c45a272dad3bb7672f9f5afe0bde40d35a7e8dc20a1e0

Download Submit
C:\Windows\{C77B1362-A1AC-4dcc-A261-2921DD6F1924}.exe

Filesize
76KB

MD5
f163ee8d8f7733c729132a26ba4614e5

SHA1
e167753060b8b68840b8b2614622d68c2af11b53

SHA256
ad6f0f7479af297b1b0052d37c0845e6086eca7cc8ca3d66a0659f05e2a0e1f5

SHA512
54c26e3cc3e9764a5939cf170446c3df19545a804e0e74283a1d97e5936a07ae1a29cf904d6ecc65d1a7935b44d056dbb23498165a84f7c3a4c729af15198e55

Download Submit
C:\Windows\{C77B1362-A1AC-4dcc-A261-2921DD6F1924}.exe

Filesize
76KB

MD5
f163ee8d8f7733c729132a26ba4614e5

SHA1
e167753060b8b68840b8b2614622d68c2af11b53

SHA256
ad6f0f7479af297b1b0052d37c0845e6086eca7cc8ca3d66a0659f05e2a0e1f5

SHA512
54c26e3cc3e9764a5939cf170446c3df19545a804e0e74283a1d97e5936a07ae1a29cf904d6ecc65d1a7935b44d056dbb23498165a84f7c3a4c729af15198e55

Download Submit
C:\Windows\{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe

Filesize
76KB

MD5
5e8ff421762dab9bc8fa2cd367663717

SHA1
4f506c343bba018be97025531ecdcbe9b5e33328

SHA256
216c4bfce897e272bade42e85eb0f5ca10c2ae952b325b937ace333aae252e9c

SHA512
2456373b0e0ce3bbfc50cc94b0428cf1098ad48ae4fc7a1d513899bd9d9f57eeba4b5a4921fcab16481696cad43a69f5172db29bf383a6b07231eb79a5f8c514

Download Submit
C:\Windows\{D7F9ADDD-D4FA-41e9-A7B8-B7C4FDEDD76C}.exe

Filesize
76KB

MD5
5e8ff421762dab9bc8fa2cd367663717

SHA1
4f506c343bba018be97025531ecdcbe9b5e33328

SHA256
216c4bfce897e272bade42e85eb0f5ca10c2ae952b325b937ace333aae252e9c

SHA512
2456373b0e0ce3bbfc50cc94b0428cf1098ad48ae4fc7a1d513899bd9d9f57eeba4b5a4921fcab16481696cad43a69f5172db29bf383a6b07231eb79a5f8c514

Download Submit
C:\Windows\{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe

Filesize
76KB

MD5
011b5927f95ed9c786b4bdd367d23db6

SHA1
43a679f62369cf7f3533a9250915219496f6c387

SHA256
13c2c01c4f99a5e36742759b87c53a6eb7cf3a3ee78cd42c5d81242919abfb89

SHA512
f5a1497a9e95702a64bde2b67a54c4117fbe5d7b1d4313b8410508f3f0812c0685bab402689ed1680ff3ce9c15e0373c2e26d2b933bd584eb253b03001cb6f5e

Download Submit
C:\Windows\{DEFA97CD-6600-4a58-BE5E-80F3085AB910}.exe

Filesize
76KB

MD5
011b5927f95ed9c786b4bdd367d23db6

SHA1
43a679f62369cf7f3533a9250915219496f6c387

SHA256
13c2c01c4f99a5e36742759b87c53a6eb7cf3a3ee78cd42c5d81242919abfb89

SHA512
f5a1497a9e95702a64bde2b67a54c4117fbe5d7b1d4313b8410508f3f0812c0685bab402689ed1680ff3ce9c15e0373c2e26d2b933bd584eb253b03001cb6f5e

Download Submit
C:\Windows\{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe

Filesize
76KB

MD5
04050629791cec34103c2b5d72e2948f

SHA1
c29057011474575dded259c8b3dea8e4796a19e4

SHA256
5ddc55c88b5aeaf348c10d3f2f90ecafb382ce98fefd611f4cb60bdde741d6a9

SHA512
64e7ab46da231afff4c38e413d17f7e9d793b98bcbc37e0aef4d28409fef8f12eeefb9d8cfcd5e12c4529cf48648da95b055bc86c9d9a840e502413389902bf0

Download Submit
C:\Windows\{E4665939-DD25-4f99-A92F-C6A683D6928D}.exe

Filesize
76KB

MD5
04050629791cec34103c2b5d72e2948f

SHA1
c29057011474575dded259c8b3dea8e4796a19e4

SHA256
5ddc55c88b5aeaf348c10d3f2f90ecafb382ce98fefd611f4cb60bdde741d6a9

SHA512
64e7ab46da231afff4c38e413d17f7e9d793b98bcbc37e0aef4d28409fef8f12eeefb9d8cfcd5e12c4529cf48648da95b055bc86c9d9a840e502413389902bf0

Download Submit
C:\Windows\{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe

Filesize
76KB

MD5
847b5534eef85f8f7f28447b34b66c40

SHA1
57e0785728c4b08d0e662852993ed4a17542ab2a

SHA256
91b9f09c713b8d34e1a681c382ca36898d42109bdf56ddaf29b2e0d1e44ec3f2

SHA512
c6c4895a848ddfb7577ccfa40c15d8cd69bd16a8a01ebf209666345fde4acf476e2199cb720f100ca0f6331896f87d7d85e4188f2fb5a0994835a8b46921ba2a

Download Submit
C:\Windows\{E49CA8E5-272D-46bf-A85E-8D7F58247B93}.exe

Filesize
76KB

MD5
847b5534eef85f8f7f28447b34b66c40

SHA1
57e0785728c4b08d0e662852993ed4a17542ab2a

SHA256
91b9f09c713b8d34e1a681c382ca36898d42109bdf56ddaf29b2e0d1e44ec3f2

SHA512
c6c4895a848ddfb7577ccfa40c15d8cd69bd16a8a01ebf209666345fde4acf476e2199cb720f100ca0f6331896f87d7d85e4188f2fb5a0994835a8b46921ba2a

Download Submit
C:\Windows\{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe

Filesize
76KB

MD5
e6e3d4d7edd0debeaf438b06963dbb11

SHA1
e310e2240cbf00e404c59dd1a36de9067b9e20c7

SHA256
1fa6711c6e207e83ae4732bddf8bacc9a36ef438bb3e282f9357b992bf713e60

SHA512
6cc9e14dece2baf1fbfe33599629518e7f26bb93dc8620c5c92535772c9cc4f8d709c719788cf918e18cfee3433945fc2329f5d347f631ca929cbbf82e820a6b

Download Submit
C:\Windows\{E92B29C3-293D-4e9c-BA98-5C3C8B38BE1F}.exe

Filesize
76KB

MD5
e6e3d4d7edd0debeaf438b06963dbb11

SHA1
e310e2240cbf00e404c59dd1a36de9067b9e20c7

SHA256
1fa6711c6e207e83ae4732bddf8bacc9a36ef438bb3e282f9357b992bf713e60

SHA512
6cc9e14dece2baf1fbfe33599629518e7f26bb93dc8620c5c92535772c9cc4f8d709c719788cf918e18cfee3433945fc2329f5d347f631ca929cbbf82e820a6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads