5585a95d70402b9123cfc5641067d8017209bf6e6b2a9372febc706cef1ba249

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe
Size

116KB
MD5

86873eba3ae5e13c7e53948b06bda9a0
SHA1

49cb44e6909fdb438cd55b54d827f940a39117d2
SHA256

5585a95d70402b9123cfc5641067d8017209bf6e6b2a9372febc706cef1ba249
SHA512

686225f00109f3a8ef58cd5b58c2dd2252256e68b620a8dffd7f99f610110260c824e02a9807b43328244cd50c20126c89183a5c0cde367137e6896fcad9b4af
SSDEEP

768:Qvw9816vhKQLro54/wQRNrfrunMxVFA3b7glwRjMlfwGxEI5nWAwxt6sDntNiLJN:YEGh0o5l2unMxVS3HgdoKjhLJhL

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2B8ACBF-4B00-4b86-B7FD-8A99184ED293}	{2D15A038-0A67-40a0-9812-7044B59D52D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}\stubpath = "C:\\Windows\\{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe"	{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}	{406FD451-5318-46d5-9965-21B19A2D0392}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}	{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}	{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}\stubpath = "C:\\Windows\\{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe"	{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}	{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D15A038-0A67-40a0-9812-7044B59D52D2}	{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D15A038-0A67-40a0-9812-7044B59D52D2}\stubpath = "C:\\Windows\\{2D15A038-0A67-40a0-9812-7044B59D52D2}.exe"	{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{406FD451-5318-46d5-9965-21B19A2D0392}	{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34E55058-3313-44f0-9EA4-23CDA412F860}	{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34E55058-3313-44f0-9EA4-23CDA412F860}\stubpath = "C:\\Windows\\{34E55058-3313-44f0-9EA4-23CDA412F860}.exe"	{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}\stubpath = "C:\\Windows\\{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe"	{34E55058-3313-44f0-9EA4-23CDA412F860}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}\stubpath = "C:\\Windows\\{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe"	{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2B8ACBF-4B00-4b86-B7FD-8A99184ED293}\stubpath = "C:\\Windows\\{E2B8ACBF-4B00-4b86-B7FD-8A99184ED293}.exe"	{2D15A038-0A67-40a0-9812-7044B59D52D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}\stubpath = "C:\\Windows\\{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe"	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CA314C2-8507-40d3-B2F5-501374C5802F}\stubpath = "C:\\Windows\\{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe"	{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{406FD451-5318-46d5-9965-21B19A2D0392}\stubpath = "C:\\Windows\\{406FD451-5318-46d5-9965-21B19A2D0392}.exe"	{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}\stubpath = "C:\\Windows\\{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe"	{406FD451-5318-46d5-9965-21B19A2D0392}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}\stubpath = "C:\\Windows\\{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe"	{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}	{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CA314C2-8507-40d3-B2F5-501374C5802F}	{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}	{34E55058-3313-44f0-9EA4-23CDA412F860}.exe

Executes dropped EXE 12 IoCs

pid	Process
2668	{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe
860	{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe
4164	{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe
2352	{406FD451-5318-46d5-9965-21B19A2D0392}.exe
2604	{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe
3624	{34E55058-3313-44f0-9EA4-23CDA412F860}.exe
3952	{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe
4532	{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe
2868	{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe
600	{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe
3992	{2D15A038-0A67-40a0-9812-7044B59D52D2}.exe
4968	{E2B8ACBF-4B00-4b86-B7FD-8A99184ED293}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe	{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe
File created	C:\Windows\{34E55058-3313-44f0-9EA4-23CDA412F860}.exe	{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe
File created	C:\Windows\{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe	{34E55058-3313-44f0-9EA4-23CDA412F860}.exe
File created	C:\Windows\{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe	{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe
File created	C:\Windows\{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe
File created	C:\Windows\{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe	{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe
File created	C:\Windows\{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe	{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe
File created	C:\Windows\{406FD451-5318-46d5-9965-21B19A2D0392}.exe	{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe
File created	C:\Windows\{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe	{406FD451-5318-46d5-9965-21B19A2D0392}.exe
File created	C:\Windows\{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe	{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe
File created	C:\Windows\{2D15A038-0A67-40a0-9812-7044B59D52D2}.exe	{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe
File created	C:\Windows\{E2B8ACBF-4B00-4b86-B7FD-8A99184ED293}.exe	{2D15A038-0A67-40a0-9812-7044B59D52D2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1400	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe
Token: SeIncBasePriorityPrivilege	2668	{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe
Token: SeIncBasePriorityPrivilege	860	{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe
Token: SeIncBasePriorityPrivilege	4164	{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe
Token: SeIncBasePriorityPrivilege	2352	{406FD451-5318-46d5-9965-21B19A2D0392}.exe
Token: SeIncBasePriorityPrivilege	2604	{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe
Token: SeIncBasePriorityPrivilege	3624	{34E55058-3313-44f0-9EA4-23CDA412F860}.exe
Token: SeIncBasePriorityPrivilege	3952	{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe
Token: SeIncBasePriorityPrivilege	4532	{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe
Token: SeIncBasePriorityPrivilege	2868	{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe
Token: SeIncBasePriorityPrivilege	600	{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe
Token: SeIncBasePriorityPrivilege	3992	{2D15A038-0A67-40a0-9812-7044B59D52D2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2668	1400	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	94
PID 1400 wrote to memory of 2668	1400	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	94
PID 1400 wrote to memory of 2668	1400	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	94
PID 1400 wrote to memory of 840	1400	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	95
PID 1400 wrote to memory of 840	1400	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	95
PID 1400 wrote to memory of 840	1400	NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe	95
PID 2668 wrote to memory of 860	2668	{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe	97
PID 2668 wrote to memory of 860	2668	{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe	97
PID 2668 wrote to memory of 860	2668	{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe	97
PID 2668 wrote to memory of 4064	2668	{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe	98
PID 2668 wrote to memory of 4064	2668	{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe	98
PID 2668 wrote to memory of 4064	2668	{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe	98
PID 860 wrote to memory of 4164	860	{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe	108
PID 860 wrote to memory of 4164	860	{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe	108
PID 860 wrote to memory of 4164	860	{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe	108
PID 860 wrote to memory of 3548	860	{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe	107
PID 860 wrote to memory of 3548	860	{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe	107
PID 860 wrote to memory of 3548	860	{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe	107
PID 4164 wrote to memory of 2352	4164	{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe	110
PID 4164 wrote to memory of 2352	4164	{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe	110
PID 4164 wrote to memory of 2352	4164	{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe	110
PID 4164 wrote to memory of 4676	4164	{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe	111
PID 4164 wrote to memory of 4676	4164	{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe	111
PID 4164 wrote to memory of 4676	4164	{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe	111
PID 2352 wrote to memory of 2604	2352	{406FD451-5318-46d5-9965-21B19A2D0392}.exe	112
PID 2352 wrote to memory of 2604	2352	{406FD451-5318-46d5-9965-21B19A2D0392}.exe	112
PID 2352 wrote to memory of 2604	2352	{406FD451-5318-46d5-9965-21B19A2D0392}.exe	112
PID 2352 wrote to memory of 1432	2352	{406FD451-5318-46d5-9965-21B19A2D0392}.exe	113
PID 2352 wrote to memory of 1432	2352	{406FD451-5318-46d5-9965-21B19A2D0392}.exe	113
PID 2352 wrote to memory of 1432	2352	{406FD451-5318-46d5-9965-21B19A2D0392}.exe	113
PID 2604 wrote to memory of 3624	2604	{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe	115
PID 2604 wrote to memory of 3624	2604	{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe	115
PID 2604 wrote to memory of 3624	2604	{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe	115
PID 2604 wrote to memory of 3520	2604	{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe	116
PID 2604 wrote to memory of 3520	2604	{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe	116
PID 2604 wrote to memory of 3520	2604	{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe	116
PID 3624 wrote to memory of 3952	3624	{34E55058-3313-44f0-9EA4-23CDA412F860}.exe	117
PID 3624 wrote to memory of 3952	3624	{34E55058-3313-44f0-9EA4-23CDA412F860}.exe	117
PID 3624 wrote to memory of 3952	3624	{34E55058-3313-44f0-9EA4-23CDA412F860}.exe	117
PID 3624 wrote to memory of 984	3624	{34E55058-3313-44f0-9EA4-23CDA412F860}.exe	118
PID 3624 wrote to memory of 984	3624	{34E55058-3313-44f0-9EA4-23CDA412F860}.exe	118
PID 3624 wrote to memory of 984	3624	{34E55058-3313-44f0-9EA4-23CDA412F860}.exe	118
PID 3952 wrote to memory of 4532	3952	{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe	119
PID 3952 wrote to memory of 4532	3952	{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe	119
PID 3952 wrote to memory of 4532	3952	{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe	119
PID 3952 wrote to memory of 3884	3952	{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe	120
PID 3952 wrote to memory of 3884	3952	{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe	120
PID 3952 wrote to memory of 3884	3952	{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe	120
PID 4532 wrote to memory of 2868	4532	{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe	121
PID 4532 wrote to memory of 2868	4532	{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe	121
PID 4532 wrote to memory of 2868	4532	{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe	121
PID 4532 wrote to memory of 1720	4532	{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe	122
PID 4532 wrote to memory of 1720	4532	{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe	122
PID 4532 wrote to memory of 1720	4532	{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe	122
PID 2868 wrote to memory of 600	2868	{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe	123
PID 2868 wrote to memory of 600	2868	{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe	123
PID 2868 wrote to memory of 600	2868	{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe	123
PID 2868 wrote to memory of 3648	2868	{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe	124
PID 2868 wrote to memory of 3648	2868	{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe	124
PID 2868 wrote to memory of 3648	2868	{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe	124
PID 600 wrote to memory of 3992	600	{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe	125
PID 600 wrote to memory of 3992	600	{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe	125
PID 600 wrote to memory of 3992	600	{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe	125
PID 600 wrote to memory of 500	600	{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe	126

C:\Users\Admin\AppData\Local\Temp\NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.86873eba3ae5e13c7e53948b06bda9a0_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe
  C:\Windows\{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe
    C:\Windows\{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{18BD5~1.EXE > nul
      4⤵
      PID:3548
  - - C:\Windows\{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe
      C:\Windows\{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4164
    - - C:\Windows\{406FD451-5318-46d5-9965-21B19A2D0392}.exe
        
        C:\Windows\{406FD451-5318-46d5-9965-21B19A2D0392}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Windows\{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe
        
        C:\Windows\{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{34E55058-3313-44f0-9EA4-23CDA412F860}.exe
        
        C:\Windows\{34E55058-3313-44f0-9EA4-23CDA412F860}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe
        
        C:\Windows\{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe
        
        C:\Windows\{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe
        
        C:\Windows\{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe
        
        C:\Windows\{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\{2D15A038-0A67-40a0-9812-7044B59D52D2}.exe
        
        C:\Windows\{2D15A038-0A67-40a0-9812-7044B59D52D2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D15A~1.EXE > nul
        13⤵
        
        PID:4572
        
        C:\Windows\{E2B8ACBF-4B00-4b86-B7FD-8A99184ED293}.exe
        
        C:\Windows\{E2B8ACBF-4B00-4b86-B7FD-8A99184ED293}.exe
        13⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC64C~1.EXE > nul
        12⤵
        
        PID:500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17BF5~1.EXE > nul
        11⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{888C4~1.EXE > nul
        10⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEA87~1.EXE > nul
        9⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34E55~1.EXE > nul
        8⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9ED6~1.EXE > nul
        7⤵
        
        PID:3520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{406FD~1.EXE > nul
        6⤵
        
        PID:1432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CA31~1.EXE > nul
        5⤵
        
        PID:4676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E3A~1.EXE > nul
    3⤵
    PID:4064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS86~1.EXE > nul
  2⤵
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe

Filesize
116KB

MD5
8ebce8a06158412637e431362c834935

SHA1
91ffd16f41fe277f46c26dd8a6e1e4cd33690531

SHA256
fe853ecb88518931b2e11b93935f0d6e75e0929478913e249907108fb3cc3a82

SHA512
8d28b77471d217d144ef1d8b1415ea1834cae9bb5398c2193f051be68c06505c2716668778e306d8610c569c3b5750f794085ac0d0d2f23347a2b001099682fa

Download Submit
C:\Windows\{17BF559A-BBB6-4c9e-A935-CFD1D3B833EA}.exe

Filesize
116KB

MD5
8ebce8a06158412637e431362c834935

SHA1
91ffd16f41fe277f46c26dd8a6e1e4cd33690531

SHA256
fe853ecb88518931b2e11b93935f0d6e75e0929478913e249907108fb3cc3a82

SHA512
8d28b77471d217d144ef1d8b1415ea1834cae9bb5398c2193f051be68c06505c2716668778e306d8610c569c3b5750f794085ac0d0d2f23347a2b001099682fa

Download Submit
C:\Windows\{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe

Filesize
116KB

MD5
8a2f0c6cab52becd0774009412dc7518

SHA1
2ffdf05634ffe8cde573ce28891d5d8d757439c4

SHA256
259841595c998b155fb42355c9fb7690eacca80e194572901773e431b0bd557c

SHA512
a785eec56a0f880515d916799c322bac79523329f30cc79eae47b11ea4e1b5161acf71f160f33a52723a41083b857dd5616c8263725bc2de078932a1871e460d

Download Submit
C:\Windows\{18BD5BBF-ABCB-4d2f-B511-8F09212BE443}.exe

Filesize
116KB

MD5
8a2f0c6cab52becd0774009412dc7518

SHA1
2ffdf05634ffe8cde573ce28891d5d8d757439c4

SHA256
259841595c998b155fb42355c9fb7690eacca80e194572901773e431b0bd557c

SHA512
a785eec56a0f880515d916799c322bac79523329f30cc79eae47b11ea4e1b5161acf71f160f33a52723a41083b857dd5616c8263725bc2de078932a1871e460d

Download Submit
C:\Windows\{2D15A038-0A67-40a0-9812-7044B59D52D2}.exe

Filesize
116KB

MD5
0f6089b6eee87c65f815587943507cf1

SHA1
981d98a74403828718b96078dd1daa9a56c8be38

SHA256
27807535781f739a7b7dd940a3fd012872d93a43d5ae257e4b56bd9ba6d72429

SHA512
c1b64362a86d9771a8fe06cba348df350f2871474abf4052c23b93c2940a5a46f88b832ccb64490ec887557208e162476e2dcb4b925e3d5ce7a3786742b3ef80

Download Submit
C:\Windows\{2D15A038-0A67-40a0-9812-7044B59D52D2}.exe

Filesize
116KB

MD5
0f6089b6eee87c65f815587943507cf1

SHA1
981d98a74403828718b96078dd1daa9a56c8be38

SHA256
27807535781f739a7b7dd940a3fd012872d93a43d5ae257e4b56bd9ba6d72429

SHA512
c1b64362a86d9771a8fe06cba348df350f2871474abf4052c23b93c2940a5a46f88b832ccb64490ec887557208e162476e2dcb4b925e3d5ce7a3786742b3ef80

Download Submit
C:\Windows\{34E55058-3313-44f0-9EA4-23CDA412F860}.exe

Filesize
116KB

MD5
df37a947f6bfc1ed213f666020c001ad

SHA1
82b6be724d3f022d52b2ddc5a7cecea8937c1604

SHA256
73adc6110a38b501b6b9d3d528291e583060baf7c56330686075b2e51b04bdc8

SHA512
b790d0ed994a367e780b8d735f098f880bd89499e3487dfc270800bb7cc8474741e3e95097ca5b0ccc0839b0bd64c93305cccf36eec833b534a52f5cfe96f4dd

Download Submit
C:\Windows\{34E55058-3313-44f0-9EA4-23CDA412F860}.exe

Filesize
116KB

MD5
df37a947f6bfc1ed213f666020c001ad

SHA1
82b6be724d3f022d52b2ddc5a7cecea8937c1604

SHA256
73adc6110a38b501b6b9d3d528291e583060baf7c56330686075b2e51b04bdc8

SHA512
b790d0ed994a367e780b8d735f098f880bd89499e3487dfc270800bb7cc8474741e3e95097ca5b0ccc0839b0bd64c93305cccf36eec833b534a52f5cfe96f4dd

Download Submit
C:\Windows\{406FD451-5318-46d5-9965-21B19A2D0392}.exe

Filesize
116KB

MD5
8140ca1e2971e43664f5db9a49eaee3b

SHA1
4aa0126ca1d109327e4bb46a77d0b3ae395e59c4

SHA256
81acbcb8da7c4b91828e42c64221713590ff030430aaab2279fb4b3283264b02

SHA512
c602a95bceb7d436298486c202bf018b87a6380c98c45699a37bc887fd6e5b4fcad676a9864cea89973073fcfd3714517e056b591da662e58c1c013b5df4d9b8

Download Submit
C:\Windows\{406FD451-5318-46d5-9965-21B19A2D0392}.exe

Filesize
116KB

MD5
8140ca1e2971e43664f5db9a49eaee3b

SHA1
4aa0126ca1d109327e4bb46a77d0b3ae395e59c4

SHA256
81acbcb8da7c4b91828e42c64221713590ff030430aaab2279fb4b3283264b02

SHA512
c602a95bceb7d436298486c202bf018b87a6380c98c45699a37bc887fd6e5b4fcad676a9864cea89973073fcfd3714517e056b591da662e58c1c013b5df4d9b8

Download Submit
C:\Windows\{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe

Filesize
116KB

MD5
a6d83b7bdbffa6d714108733fb08c2eb

SHA1
b570ddfd767b36f02bb79edc2e4ab6203bbe2cc5

SHA256
a740d158122a12ef8ca77834a80ba0875d767e68408da616eaef19d7402f4fe1

SHA512
c605b356e9e88d6df4812cc88163ceb7d19a0a54721f52e38419b4dae81b3d1bb9e209f39d6ba25dae38d8400e78d04b9786aa9f000de2781639cd08f7e41ba0

Download Submit
C:\Windows\{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe

Filesize
116KB

MD5
a6d83b7bdbffa6d714108733fb08c2eb

SHA1
b570ddfd767b36f02bb79edc2e4ab6203bbe2cc5

SHA256
a740d158122a12ef8ca77834a80ba0875d767e68408da616eaef19d7402f4fe1

SHA512
c605b356e9e88d6df4812cc88163ceb7d19a0a54721f52e38419b4dae81b3d1bb9e209f39d6ba25dae38d8400e78d04b9786aa9f000de2781639cd08f7e41ba0

Download Submit
C:\Windows\{5CA314C2-8507-40d3-B2F5-501374C5802F}.exe

Filesize
116KB

MD5
a6d83b7bdbffa6d714108733fb08c2eb

SHA1
b570ddfd767b36f02bb79edc2e4ab6203bbe2cc5

SHA256
a740d158122a12ef8ca77834a80ba0875d767e68408da616eaef19d7402f4fe1

SHA512
c605b356e9e88d6df4812cc88163ceb7d19a0a54721f52e38419b4dae81b3d1bb9e209f39d6ba25dae38d8400e78d04b9786aa9f000de2781639cd08f7e41ba0

Download Submit
C:\Windows\{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe

Filesize
116KB

MD5
1f083c4b653053f0745a1970f28c996a

SHA1
b6a7ee9835d928600c961b9e1c0a49aeed55f936

SHA256
b5ef0e8acdd0091b6cf1e3d74a29577184516613c2f561eb7af66d5455970a1f

SHA512
86d00e27a8cae95fd50a496b15b578691f6391017c5b9fded78e684997cc4d8fe2f72bd535529c9cb0430e089c39f72a18a9443b7e10ccd5dbe4c1e29bbab2ba

Download Submit
C:\Windows\{888C4C93-B74E-4f91-8212-71F7E1EC7BA5}.exe

Filesize
116KB

MD5
1f083c4b653053f0745a1970f28c996a

SHA1
b6a7ee9835d928600c961b9e1c0a49aeed55f936

SHA256
b5ef0e8acdd0091b6cf1e3d74a29577184516613c2f561eb7af66d5455970a1f

SHA512
86d00e27a8cae95fd50a496b15b578691f6391017c5b9fded78e684997cc4d8fe2f72bd535529c9cb0430e089c39f72a18a9443b7e10ccd5dbe4c1e29bbab2ba

Download Submit
C:\Windows\{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe

Filesize
116KB

MD5
d9fdff5e318a671d24ad1570e680b0e8

SHA1
55e8a35a408e3abfc24a66136d24acd0e66937d2

SHA256
8efe4f8e944d6b5d7c1489fe8a8a998c9b55166e7e4b3729f1d5726abff03e6a

SHA512
ff1338a661b02448d39d13a1662cbb648f21a48926d10c3fd26ca57c2fa820c5428b96a0b0bffe0a1d65f25e2ef25c3bcb6b8b3c8a089e6da07f710e1e0da42b

Download Submit
C:\Windows\{BEA875B7-CA7A-449a-9E85-7C8783DE4A97}.exe

Filesize
116KB

MD5
d9fdff5e318a671d24ad1570e680b0e8

SHA1
55e8a35a408e3abfc24a66136d24acd0e66937d2

SHA256
8efe4f8e944d6b5d7c1489fe8a8a998c9b55166e7e4b3729f1d5726abff03e6a

SHA512
ff1338a661b02448d39d13a1662cbb648f21a48926d10c3fd26ca57c2fa820c5428b96a0b0bffe0a1d65f25e2ef25c3bcb6b8b3c8a089e6da07f710e1e0da42b

Download Submit
C:\Windows\{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe

Filesize
116KB

MD5
6e672d0c1c5f95dd589ffdc90bf4b48c

SHA1
ff795eaeb4e0e8ab2db07bd585da76fe8a7670f8

SHA256
ea8102f4afc0587e15694c8dcbcfade4c690bc6634e24710280434df9faa62c8

SHA512
78e63443d2170b317c3508330f5a6acfd765f321cf21d8f5ab1ea94c68b1cf3587f907c712cb70f0f3fe1c73b1d8b04361ec15e865cb777ddcf6c19499b59a8f

Download Submit
C:\Windows\{C6E3A0BD-E2A8-4a54-B4CE-43DD177A0341}.exe

Filesize
116KB

MD5
6e672d0c1c5f95dd589ffdc90bf4b48c

SHA1
ff795eaeb4e0e8ab2db07bd585da76fe8a7670f8

SHA256
ea8102f4afc0587e15694c8dcbcfade4c690bc6634e24710280434df9faa62c8

SHA512
78e63443d2170b317c3508330f5a6acfd765f321cf21d8f5ab1ea94c68b1cf3587f907c712cb70f0f3fe1c73b1d8b04361ec15e865cb777ddcf6c19499b59a8f

Download Submit
C:\Windows\{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe

Filesize
116KB

MD5
477088c75d2d33079dd5ba935f1d468e

SHA1
ea51eda1cf19c513dcacafe4560c0db0a92e4712

SHA256
379aee407f0c2908a63f06cee277b9a503ec42dd2ea37c3821e196cdd470a9a7

SHA512
7835c7896b1362c8d9bb887887360cceeeac2f2ca00aa453d1a74a9e6ff3aeeed6a90c8024f6b72eb6883dcb159e57e2d99a0b2a5d60ba805c83e0ebf6f12a78

Download Submit
C:\Windows\{D9ED62E5-FA98-46ea-BEC0-0327B0DE5464}.exe

Filesize
116KB

MD5
477088c75d2d33079dd5ba935f1d468e

SHA1
ea51eda1cf19c513dcacafe4560c0db0a92e4712

SHA256
379aee407f0c2908a63f06cee277b9a503ec42dd2ea37c3821e196cdd470a9a7

SHA512
7835c7896b1362c8d9bb887887360cceeeac2f2ca00aa453d1a74a9e6ff3aeeed6a90c8024f6b72eb6883dcb159e57e2d99a0b2a5d60ba805c83e0ebf6f12a78

Download Submit
C:\Windows\{E2B8ACBF-4B00-4b86-B7FD-8A99184ED293}.exe

Filesize
116KB

MD5
5d58d02969cc7782a056e601ba2deeac

SHA1
c2baf4e2f79cea50a614eb93b714c02577333bc7

SHA256
c0271fbf749e61d24e0928785c57024288113e05b5e53d87ffd282f2f7c78591

SHA512
3c68e06629d1454f650ab2ad21cdf0e40f86823f5200bce5e93d6a2a2da8f57b9832c57af7a0db061a6f083e7e56614889f3d1c4321e87df66de854c21cabc2b

Download Submit
C:\Windows\{E2B8ACBF-4B00-4b86-B7FD-8A99184ED293}.exe

Filesize
116KB

MD5
5d58d02969cc7782a056e601ba2deeac

SHA1
c2baf4e2f79cea50a614eb93b714c02577333bc7

SHA256
c0271fbf749e61d24e0928785c57024288113e05b5e53d87ffd282f2f7c78591

SHA512
3c68e06629d1454f650ab2ad21cdf0e40f86823f5200bce5e93d6a2a2da8f57b9832c57af7a0db061a6f083e7e56614889f3d1c4321e87df66de854c21cabc2b

Download Submit
C:\Windows\{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe

Filesize
116KB

MD5
6be7a651fe2302598022c8fb18007b6d

SHA1
307dd618f8201c251c44c409f76dff2fabe9c9a9

SHA256
6bc7c21204a7bb2d929f69d37ea82d41122dd37f9cd93c7cb8d5bf4d6b045da6

SHA512
1a83a9bcf4c59959dae10d435dea000a49f3188ae96868a5ff0d3eb97e32bee66a9657efb7e771332896b5eb971a1a91ca2d7ce19955d8802353a7c488350010

Download Submit
C:\Windows\{EC64C01F-7E1F-4fa3-9C17-B4EFED400A95}.exe

Filesize
116KB

MD5
6be7a651fe2302598022c8fb18007b6d

SHA1
307dd618f8201c251c44c409f76dff2fabe9c9a9

SHA256
6bc7c21204a7bb2d929f69d37ea82d41122dd37f9cd93c7cb8d5bf4d6b045da6

SHA512
1a83a9bcf4c59959dae10d435dea000a49f3188ae96868a5ff0d3eb97e32bee66a9657efb7e771332896b5eb971a1a91ca2d7ce19955d8802353a7c488350010

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads