5585a95d70402b9123cfc5641067d8017209bf6e6b2a9372febc706cef1ba249

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 06:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe
Size

116KB
MD5

86873eba3ae5e13c7e53948b06bda9a0
SHA1

49cb44e6909fdb438cd55b54d827f940a39117d2
SHA256

5585a95d70402b9123cfc5641067d8017209bf6e6b2a9372febc706cef1ba249
SHA512

686225f00109f3a8ef58cd5b58c2dd2252256e68b620a8dffd7f99f610110260c824e02a9807b43328244cd50c20126c89183a5c0cde367137e6896fcad9b4af
SSDEEP

768:Qvw9816vhKQLro54/wQRNrfrunMxVFA3b7glwRjMlfwGxEI5nWAwxt6sDntNiLJN:YEGh0o5l2unMxVS3HgdoKjhLJhL

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6158F8E-5F98-41f8-87B8-70460040E67A}\stubpath = "C:\\Windows\\{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe"	{00230C72-3C04-47d3-8396-B048F569B0F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF5E6249-0885-494a-9E9F-574628B021A1}\stubpath = "C:\\Windows\\{AF5E6249-0885-494a-9E9F-574628B021A1}.exe"	{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}\stubpath = "C:\\Windows\\{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe"	{AF5E6249-0885-494a-9E9F-574628B021A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D07E707B-4984-4355-ACCB-E4AF4767304F}\stubpath = "C:\\Windows\\{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe"	{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}	{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}\stubpath = "C:\\Windows\\{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe"	{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79D6AD0A-8F84-484c-A2B8-A52B8BA0260D}\stubpath = "C:\\Windows\\{79D6AD0A-8F84-484c-A2B8-A52B8BA0260D}.exe"	{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B79D691-210B-4015-9692-5794D5ACD5C5}\stubpath = "C:\\Windows\\{2B79D691-210B-4015-9692-5794D5ACD5C5}.exe"	{79D6AD0A-8F84-484c-A2B8-A52B8BA0260D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC937025-7AEB-436a-8871-AACC4BB010C2}\stubpath = "C:\\Windows\\{AC937025-7AEB-436a-8871-AACC4BB010C2}.exe"	{B77CCE4F-08BB-4aa1-996C-E6E29D227AE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6158F8E-5F98-41f8-87B8-70460040E67A}	{00230C72-3C04-47d3-8396-B048F569B0F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}	{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}\stubpath = "C:\\Windows\\{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe"	{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D07E707B-4984-4355-ACCB-E4AF4767304F}	{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79D6AD0A-8F84-484c-A2B8-A52B8BA0260D}	{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B79D691-210B-4015-9692-5794D5ACD5C5}	{79D6AD0A-8F84-484c-A2B8-A52B8BA0260D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B77CCE4F-08BB-4aa1-996C-E6E29D227AE0}	{2B79D691-210B-4015-9692-5794D5ACD5C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B77CCE4F-08BB-4aa1-996C-E6E29D227AE0}\stubpath = "C:\\Windows\\{B77CCE4F-08BB-4aa1-996C-E6E29D227AE0}.exe"	{2B79D691-210B-4015-9692-5794D5ACD5C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00230C72-3C04-47d3-8396-B048F569B0F0}	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF5E6249-0885-494a-9E9F-574628B021A1}	{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}	{AF5E6249-0885-494a-9E9F-574628B021A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC937025-7AEB-436a-8871-AACC4BB010C2}	{B77CCE4F-08BB-4aa1-996C-E6E29D227AE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00230C72-3C04-47d3-8396-B048F569B0F0}\stubpath = "C:\\Windows\\{00230C72-3C04-47d3-8396-B048F569B0F0}.exe"	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe

Deletes itself 1 IoCs

pid	Process
2984	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2964	{00230C72-3C04-47d3-8396-B048F569B0F0}.exe
2828	{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe
2228	{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe
2764	{AF5E6249-0885-494a-9E9F-574628B021A1}.exe
2904	{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe
2752	{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe
2648	{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe
3016	{79D6AD0A-8F84-484c-A2B8-A52B8BA0260D}.exe
2656	{2B79D691-210B-4015-9692-5794D5ACD5C5}.exe
2688	{B77CCE4F-08BB-4aa1-996C-E6E29D227AE0}.exe
1412	{AC937025-7AEB-436a-8871-AACC4BB010C2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B77CCE4F-08BB-4aa1-996C-E6E29D227AE0}.exe	{2B79D691-210B-4015-9692-5794D5ACD5C5}.exe
File created	C:\Windows\{AC937025-7AEB-436a-8871-AACC4BB010C2}.exe	{B77CCE4F-08BB-4aa1-996C-E6E29D227AE0}.exe
File created	C:\Windows\{00230C72-3C04-47d3-8396-B048F569B0F0}.exe	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe
File created	C:\Windows\{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe	{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe
File created	C:\Windows\{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe	{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe
File created	C:\Windows\{2B79D691-210B-4015-9692-5794D5ACD5C5}.exe	{79D6AD0A-8F84-484c-A2B8-A52B8BA0260D}.exe
File created	C:\Windows\{79D6AD0A-8F84-484c-A2B8-A52B8BA0260D}.exe	{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe
File created	C:\Windows\{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe	{00230C72-3C04-47d3-8396-B048F569B0F0}.exe
File created	C:\Windows\{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe	{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe
File created	C:\Windows\{AF5E6249-0885-494a-9E9F-574628B021A1}.exe	{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe
File created	C:\Windows\{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe	{AF5E6249-0885-494a-9E9F-574628B021A1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2036	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe
Token: SeIncBasePriorityPrivilege	2964	{00230C72-3C04-47d3-8396-B048F569B0F0}.exe
Token: SeIncBasePriorityPrivilege	2828	{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe
Token: SeIncBasePriorityPrivilege	2228	{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe
Token: SeIncBasePriorityPrivilege	2764	{AF5E6249-0885-494a-9E9F-574628B021A1}.exe
Token: SeIncBasePriorityPrivilege	2904	{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe
Token: SeIncBasePriorityPrivilege	2752	{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe
Token: SeIncBasePriorityPrivilege	2648	{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe
Token: SeIncBasePriorityPrivilege	3016	{79D6AD0A-8F84-484c-A2B8-A52B8BA0260D}.exe
Token: SeIncBasePriorityPrivilege	2656	{2B79D691-210B-4015-9692-5794D5ACD5C5}.exe
Token: SeIncBasePriorityPrivilege	2688	{B77CCE4F-08BB-4aa1-996C-E6E29D227AE0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2964	2036	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	28
PID 2036 wrote to memory of 2964	2036	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	28
PID 2036 wrote to memory of 2964	2036	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	28
PID 2036 wrote to memory of 2964	2036	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	28
PID 2036 wrote to memory of 2984	2036	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	29
PID 2036 wrote to memory of 2984	2036	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	29
PID 2036 wrote to memory of 2984	2036	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	29
PID 2036 wrote to memory of 2984	2036	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	29
PID 2964 wrote to memory of 2828	2964	{00230C72-3C04-47d3-8396-B048F569B0F0}.exe	30
PID 2964 wrote to memory of 2828	2964	{00230C72-3C04-47d3-8396-B048F569B0F0}.exe	30
PID 2964 wrote to memory of 2828	2964	{00230C72-3C04-47d3-8396-B048F569B0F0}.exe	30
PID 2964 wrote to memory of 2828	2964	{00230C72-3C04-47d3-8396-B048F569B0F0}.exe	30
PID 2964 wrote to memory of 1944	2964	{00230C72-3C04-47d3-8396-B048F569B0F0}.exe	31
PID 2964 wrote to memory of 1944	2964	{00230C72-3C04-47d3-8396-B048F569B0F0}.exe	31
PID 2964 wrote to memory of 1944	2964	{00230C72-3C04-47d3-8396-B048F569B0F0}.exe	31
PID 2964 wrote to memory of 1944	2964	{00230C72-3C04-47d3-8396-B048F569B0F0}.exe	31
PID 2828 wrote to memory of 2228	2828	{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe	32
PID 2828 wrote to memory of 2228	2828	{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe	32
PID 2828 wrote to memory of 2228	2828	{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe	32
PID 2828 wrote to memory of 2228	2828	{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe	32
PID 2828 wrote to memory of 2604	2828	{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe	33
PID 2828 wrote to memory of 2604	2828	{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe	33
PID 2828 wrote to memory of 2604	2828	{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe	33
PID 2828 wrote to memory of 2604	2828	{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe	33
PID 2228 wrote to memory of 2764	2228	{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe	36
PID 2228 wrote to memory of 2764	2228	{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe	36
PID 2228 wrote to memory of 2764	2228	{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe	36
PID 2228 wrote to memory of 2764	2228	{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe	36
PID 2228 wrote to memory of 2920	2228	{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe	37
PID 2228 wrote to memory of 2920	2228	{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe	37
PID 2228 wrote to memory of 2920	2228	{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe	37
PID 2228 wrote to memory of 2920	2228	{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe	37
PID 2764 wrote to memory of 2904	2764	{AF5E6249-0885-494a-9E9F-574628B021A1}.exe	38
PID 2764 wrote to memory of 2904	2764	{AF5E6249-0885-494a-9E9F-574628B021A1}.exe	38
PID 2764 wrote to memory of 2904	2764	{AF5E6249-0885-494a-9E9F-574628B021A1}.exe	38
PID 2764 wrote to memory of 2904	2764	{AF5E6249-0885-494a-9E9F-574628B021A1}.exe	38
PID 2764 wrote to memory of 2612	2764	{AF5E6249-0885-494a-9E9F-574628B021A1}.exe	39
PID 2764 wrote to memory of 2612	2764	{AF5E6249-0885-494a-9E9F-574628B021A1}.exe	39
PID 2764 wrote to memory of 2612	2764	{AF5E6249-0885-494a-9E9F-574628B021A1}.exe	39
PID 2764 wrote to memory of 2612	2764	{AF5E6249-0885-494a-9E9F-574628B021A1}.exe	39
PID 2904 wrote to memory of 2752	2904	{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe	41
PID 2904 wrote to memory of 2752	2904	{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe	41
PID 2904 wrote to memory of 2752	2904	{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe	41
PID 2904 wrote to memory of 2752	2904	{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe	41
PID 2904 wrote to memory of 2496	2904	{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe	40
PID 2904 wrote to memory of 2496	2904	{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe	40
PID 2904 wrote to memory of 2496	2904	{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe	40
PID 2904 wrote to memory of 2496	2904	{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe	40
PID 2752 wrote to memory of 2648	2752	{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe	42
PID 2752 wrote to memory of 2648	2752	{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe	42
PID 2752 wrote to memory of 2648	2752	{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe	42
PID 2752 wrote to memory of 2648	2752	{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe	42
PID 2752 wrote to memory of 3044	2752	{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe	43
PID 2752 wrote to memory of 3044	2752	{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe	43
PID 2752 wrote to memory of 3044	2752	{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe	43
PID 2752 wrote to memory of 3044	2752	{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe	43
PID 2648 wrote to memory of 3016	2648	{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe	44
PID 2648 wrote to memory of 3016	2648	{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe	44
PID 2648 wrote to memory of 3016	2648	{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe	44
PID 2648 wrote to memory of 3016	2648	{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe	44
PID 2648 wrote to memory of 2364	2648	{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe	45
PID 2648 wrote to memory of 2364	2648	{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe	45
PID 2648 wrote to memory of 2364	2648	{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe	45
PID 2648 wrote to memory of 2364	2648	{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\{00230C72-3C04-47d3-8396-B048F569B0F0}.exe
  C:\Windows\{00230C72-3C04-47d3-8396-B048F569B0F0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe
    C:\Windows\{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe
      C:\Windows\{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\{AF5E6249-0885-494a-9E9F-574628B021A1}.exe
        
        C:\Windows\{AF5E6249-0885-494a-9E9F-574628B021A1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe
        
        C:\Windows\{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0CEE~1.EXE > nul
        7⤵
        
        PID:2496
        
        C:\Windows\{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe
        
        C:\Windows\{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe
        
        C:\Windows\{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\{79D6AD0A-8F84-484c-A2B8-A52B8BA0260D}.exe
        
        C:\Windows\{79D6AD0A-8F84-484c-A2B8-A52B8BA0260D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\{2B79D691-210B-4015-9692-5794D5ACD5C5}.exe
        
        C:\Windows\{2B79D691-210B-4015-9692-5794D5ACD5C5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\{B77CCE4F-08BB-4aa1-996C-E6E29D227AE0}.exe
        
        C:\Windows\{B77CCE4F-08BB-4aa1-996C-E6E29D227AE0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\{AC937025-7AEB-436a-8871-AACC4BB010C2}.exe
        
        C:\Windows\{AC937025-7AEB-436a-8871-AACC4BB010C2}.exe
        12⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B77CC~1.EXE > nul
        12⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B79D~1.EXE > nul
        11⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79D6A~1.EXE > nul
        10⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63ADB~1.EXE > nul
        9⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D07E7~1.EXE > nul
        8⤵
        
        PID:3044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF5E6~1.EXE > nul
        6⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A256B~1.EXE > nul
        5⤵
        
        PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D6158~1.EXE > nul
      4⤵
      PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{00230~1.EXE > nul
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS86~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00230C72-3C04-47d3-8396-B048F569B0F0}.exe

Filesize
116KB

MD5
9cc3b79e3ebfbc5665ff3567653b0ec6

SHA1
2cc716b4010199a324688ae1140c0a2a3b3491df

SHA256
43f114294652db0d2d286c1008ee6b386f7bd71fd2b8eaa3773f46594c1a6569

SHA512
6549edd20f3a50bbcd8ffdc35a141b9d07119c4d2db05c0dc2354933880f0f85a756a5a9d7a9985a0d357a4634d19418262e014909fe524e59bbd457b1ae73d7

Download Submit
C:\Windows\{00230C72-3C04-47d3-8396-B048F569B0F0}.exe

Filesize
116KB

MD5
9cc3b79e3ebfbc5665ff3567653b0ec6

SHA1
2cc716b4010199a324688ae1140c0a2a3b3491df

SHA256
43f114294652db0d2d286c1008ee6b386f7bd71fd2b8eaa3773f46594c1a6569

SHA512
6549edd20f3a50bbcd8ffdc35a141b9d07119c4d2db05c0dc2354933880f0f85a756a5a9d7a9985a0d357a4634d19418262e014909fe524e59bbd457b1ae73d7

Download Submit
C:\Windows\{00230C72-3C04-47d3-8396-B048F569B0F0}.exe

Filesize
116KB

MD5
9cc3b79e3ebfbc5665ff3567653b0ec6

SHA1
2cc716b4010199a324688ae1140c0a2a3b3491df

SHA256
43f114294652db0d2d286c1008ee6b386f7bd71fd2b8eaa3773f46594c1a6569

SHA512
6549edd20f3a50bbcd8ffdc35a141b9d07119c4d2db05c0dc2354933880f0f85a756a5a9d7a9985a0d357a4634d19418262e014909fe524e59bbd457b1ae73d7

Download Submit
C:\Windows\{2B79D691-210B-4015-9692-5794D5ACD5C5}.exe

Filesize
116KB

MD5
c28b30483b6148a3f9551a264bf2316d

SHA1
f425613e721f7cabfe30af6636b6bfd188a76585

SHA256
9da57362c75389dfba1099405b4b05f9eff37a58f50b811c67deb01a8f570cad

SHA512
4957c0d5e5a9dd3e78accc08726fcfe65a8a1e160962b20c40035c50ddf03ec844ebf0471ef9b7a82993b4406aa98f40e3c4e7b3b419f68a314cbc10567fcce0

Download Submit
C:\Windows\{2B79D691-210B-4015-9692-5794D5ACD5C5}.exe

Filesize
116KB

MD5
c28b30483b6148a3f9551a264bf2316d

SHA1
f425613e721f7cabfe30af6636b6bfd188a76585

SHA256
9da57362c75389dfba1099405b4b05f9eff37a58f50b811c67deb01a8f570cad

SHA512
4957c0d5e5a9dd3e78accc08726fcfe65a8a1e160962b20c40035c50ddf03ec844ebf0471ef9b7a82993b4406aa98f40e3c4e7b3b419f68a314cbc10567fcce0

Download Submit
C:\Windows\{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe

Filesize
116KB

MD5
cf6863a8ba545cbe741dc6f109edc0c7

SHA1
a18bbf0121853fb3970f03a09c8614e6d92a48cd

SHA256
f93e49f63f14c4165078e17f53aa3366f55ea225df6b6f3380873b361fa494e9

SHA512
4ef7aa220b47e98f2e059742d3efac05ceb3471d7acfadfaa60ae0496301ab4968c16b0af755cc1f925b162fb52009a0f9966631f9984da1cdb2cf0b234b7632

Download Submit
C:\Windows\{63ADB9BD-6AD9-4b3e-BB44-E19E10C9027C}.exe

Filesize
116KB

MD5
cf6863a8ba545cbe741dc6f109edc0c7

SHA1
a18bbf0121853fb3970f03a09c8614e6d92a48cd

SHA256
f93e49f63f14c4165078e17f53aa3366f55ea225df6b6f3380873b361fa494e9

SHA512
4ef7aa220b47e98f2e059742d3efac05ceb3471d7acfadfaa60ae0496301ab4968c16b0af755cc1f925b162fb52009a0f9966631f9984da1cdb2cf0b234b7632

Download Submit
C:\Windows\{79D6AD0A-8F84-484c-A2B8-A52B8BA0260D}.exe

Filesize
116KB

MD5
00c82aca7156272751385e2fa3ad3ba6

SHA1
8bbd321be2fa8cce8ff2456d84980806da8c6d3c

SHA256
aa3ad35f672dc46eb70eb855fcddfcb7662a6457354ea41cf490afb6739c04cc

SHA512
9bb582467e3989b66221f270bdd66eb6fe69447cbd8f74ee8b3464d7393fe615a0071be89c50e277c28adbf0e128277fb15f1bcbb814c4bfcf3008e2d43ab31b

Download Submit
C:\Windows\{79D6AD0A-8F84-484c-A2B8-A52B8BA0260D}.exe

Filesize
116KB

MD5
00c82aca7156272751385e2fa3ad3ba6

SHA1
8bbd321be2fa8cce8ff2456d84980806da8c6d3c

SHA256
aa3ad35f672dc46eb70eb855fcddfcb7662a6457354ea41cf490afb6739c04cc

SHA512
9bb582467e3989b66221f270bdd66eb6fe69447cbd8f74ee8b3464d7393fe615a0071be89c50e277c28adbf0e128277fb15f1bcbb814c4bfcf3008e2d43ab31b

Download Submit
C:\Windows\{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe

Filesize
116KB

MD5
8b13dbd8dabb2f1325bdc27ddfe57c58

SHA1
e7f0632d62fe3303acce7b435f6a409b8605e473

SHA256
adcfc70edbb2f9a9ec14ac7aca7a1a51192ea74c27e8e73f1a3fa073da7b4675

SHA512
efbc344e91ccf19b1caca6353dbf12412e9600b74cccb0175594bb944ce1cacc4a8964caec3cdd8c9c355f4b3fb271e085a6914fb0820d5a7d3c012e2fa9a1c2

Download Submit
C:\Windows\{A256B2DD-9D2F-437e-80AA-4FE95B8294CB}.exe

Filesize
116KB

MD5
8b13dbd8dabb2f1325bdc27ddfe57c58

SHA1
e7f0632d62fe3303acce7b435f6a409b8605e473

SHA256
adcfc70edbb2f9a9ec14ac7aca7a1a51192ea74c27e8e73f1a3fa073da7b4675

SHA512
efbc344e91ccf19b1caca6353dbf12412e9600b74cccb0175594bb944ce1cacc4a8964caec3cdd8c9c355f4b3fb271e085a6914fb0820d5a7d3c012e2fa9a1c2

Download Submit
C:\Windows\{AC937025-7AEB-436a-8871-AACC4BB010C2}.exe

Filesize
116KB

MD5
aa9a0c09f1b34edb967c0fc81e038dc6

SHA1
a3ac74213ccad4ee61b0639a5b34691df36731c8

SHA256
11b4fd3b3f71aa89579985afd62bce10cf18391fc0b33f7007abd8689a40c32c

SHA512
4dad8263491e9a52301be493c5e09cbed2eeed9b63c61e778d42ba553754aadfce8b01d9e04beea3d70aa7b3dcd85ce55a2af1a10020208c3a1cd1f784cab166

Download Submit
C:\Windows\{AF5E6249-0885-494a-9E9F-574628B021A1}.exe

Filesize
116KB

MD5
c3b6372bf518f182873b5b15dfb25753

SHA1
4cdcda4a3b8eca7f5ecbf6f56a16e4ad63a3f8c2

SHA256
045364a950e511debfef85e9e0599dbc2dcffa470340a3d94333eb70d88eb4a7

SHA512
e60499c4e2658aa4a51b7ebee9cf7beab9bd6bad571c8fca5519e371eddd8d331fa64250032326cf946dd3e31bc189e437eaa007c7bc50dc2113405c6b4d6e70

Download Submit
C:\Windows\{AF5E6249-0885-494a-9E9F-574628B021A1}.exe

Filesize
116KB

MD5
c3b6372bf518f182873b5b15dfb25753

SHA1
4cdcda4a3b8eca7f5ecbf6f56a16e4ad63a3f8c2

SHA256
045364a950e511debfef85e9e0599dbc2dcffa470340a3d94333eb70d88eb4a7

SHA512
e60499c4e2658aa4a51b7ebee9cf7beab9bd6bad571c8fca5519e371eddd8d331fa64250032326cf946dd3e31bc189e437eaa007c7bc50dc2113405c6b4d6e70

Download Submit
C:\Windows\{B77CCE4F-08BB-4aa1-996C-E6E29D227AE0}.exe

Filesize
116KB

MD5
2120c437623c83d07ced7ae82efd7983

SHA1
5bdd04426f0ae0e05fe92fb70dd467ca7e423a52

SHA256
0d8c862f53a4684a38c1c4d54abe3684b7e3391a0b150b2a003aa3a228af4adb

SHA512
9ae1991bd84f8fee017b8d70dc49fc7867c46cc2ff7f6275462d268b48284f3a6c23a2552d6839770a53aae3a7e2bf01926d5575fac1e132d25fccc17e680485

Download Submit
C:\Windows\{B77CCE4F-08BB-4aa1-996C-E6E29D227AE0}.exe

Filesize
116KB

MD5
2120c437623c83d07ced7ae82efd7983

SHA1
5bdd04426f0ae0e05fe92fb70dd467ca7e423a52

SHA256
0d8c862f53a4684a38c1c4d54abe3684b7e3391a0b150b2a003aa3a228af4adb

SHA512
9ae1991bd84f8fee017b8d70dc49fc7867c46cc2ff7f6275462d268b48284f3a6c23a2552d6839770a53aae3a7e2bf01926d5575fac1e132d25fccc17e680485

Download Submit
C:\Windows\{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe

Filesize
116KB

MD5
1a5f8cdc09ecac0c450741fa41135eb3

SHA1
f25581f6f6def244d4d4d132277fd25cb092c5da

SHA256
b1c4ac7f8ca4f56d55d51cbe71f5aedcfbb7c4f2ffbf9ebea368710e752d3287

SHA512
bd2f5f846870fd4b38961d20e9142144560812eb132044528323b151b812fb71b7dc6313739d2d2de92b2a6c544166a62b433342ed33425c9b1a9fbce8d5abfa

Download Submit
C:\Windows\{D07E707B-4984-4355-ACCB-E4AF4767304F}.exe

Filesize
116KB

MD5
1a5f8cdc09ecac0c450741fa41135eb3

SHA1
f25581f6f6def244d4d4d132277fd25cb092c5da

SHA256
b1c4ac7f8ca4f56d55d51cbe71f5aedcfbb7c4f2ffbf9ebea368710e752d3287

SHA512
bd2f5f846870fd4b38961d20e9142144560812eb132044528323b151b812fb71b7dc6313739d2d2de92b2a6c544166a62b433342ed33425c9b1a9fbce8d5abfa

Download Submit
C:\Windows\{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe

Filesize
116KB

MD5
f727d157a81c1bebe7d02620426aed26

SHA1
1fc9e0d8a046a3a0f10ab957e38000b8c17ba257

SHA256
be104ba28f6a4888b32539d01786bd2c99ac9c779305d3b12c01c0676a72ad19

SHA512
7a2b0ca1c0a89f45258b70389f58e6ac43c76fa26ccf2c3e7268ab968b09d65f93fb5c1ad0ee6192faa0f20e21d1e12384676ec72c351af983b76ff9003da8ad

Download Submit
C:\Windows\{D6158F8E-5F98-41f8-87B8-70460040E67A}.exe

Filesize
116KB

MD5
f727d157a81c1bebe7d02620426aed26

SHA1
1fc9e0d8a046a3a0f10ab957e38000b8c17ba257

SHA256
be104ba28f6a4888b32539d01786bd2c99ac9c779305d3b12c01c0676a72ad19

SHA512
7a2b0ca1c0a89f45258b70389f58e6ac43c76fa26ccf2c3e7268ab968b09d65f93fb5c1ad0ee6192faa0f20e21d1e12384676ec72c351af983b76ff9003da8ad

Download Submit
C:\Windows\{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe

Filesize
116KB

MD5
d81915214cf89811ce3fcd3fe5298060

SHA1
386b738df2951ccb20928bb14a853d183559ca0a

SHA256
cf01afb5a515cc69d5697680f33b8076771f84dc770483c32b1cea13b3e9d3a1

SHA512
7b0076062dd442a69a41a39c15888f1a6bc39117afce9c307665caf5be06c5d95b7731901e1e0a01c5c4d2d7ea78518e93a1c95b2d59876e0514d2a3c6d9063f

Download Submit
C:\Windows\{E0CEEEFB-4F67-45e9-830F-1412D75C92AD}.exe

Filesize
116KB

MD5
d81915214cf89811ce3fcd3fe5298060

SHA1
386b738df2951ccb20928bb14a853d183559ca0a

SHA256
cf01afb5a515cc69d5697680f33b8076771f84dc770483c32b1cea13b3e9d3a1

SHA512
7b0076062dd442a69a41a39c15888f1a6bc39117afce9c307665caf5be06c5d95b7731901e1e0a01c5c4d2d7ea78518e93a1c95b2d59876e0514d2a3c6d9063f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads