fefc1dd57977b799caca21026735283399ba58f910f6ce859a33a420fbf89f32

Analysis

max time kernel
149s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2023 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2cf185eb051ff06d58372faf8b76bd40.exe
Size

213KB
MD5

2cf185eb051ff06d58372faf8b76bd40
SHA1

ddc41effc24739dda951b4d23baf3fb50f198376
SHA256

fefc1dd57977b799caca21026735283399ba58f910f6ce859a33a420fbf89f32
SHA512

c340605ee33c1420191b5bea3438b79591b55434a1af326351a34f9deff6aa202eaf5d5431473abb128b5eaaeb63dbdb518808061a33b9ce71a85d96bfab58d6
SSDEEP

1536:YEGh0oDl2unMxVS3HgdoKjhLJhzrryLPAneS3DquFSS4efk6kF/y+Ic7e/FtPt+A:YEGh0oDlvMUyNjhLJhXrhnJ3D4IF

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4770FD98-43F2-44bc-88C9-B37C782C1B73}\stubpath = "C:\\Windows\\{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe"	{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3365F00-4740-48fe-9972-68F6D59E77D3}	{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1BA5483-8124-4b5f-99E3-2A89008E8C31}	{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1BA5483-8124-4b5f-99E3-2A89008E8C31}\stubpath = "C:\\Windows\\{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe"	{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0D292B-15CA-464e-82D4-6A39A7EE133B}	{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45FF2B0A-0D36-4de7-A564-C69697F46B74}\stubpath = "C:\\Windows\\{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe"	{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}\stubpath = "C:\\Windows\\{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe"	{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F618E5B6-8657-4b7f-A1B1-A984C4030E24}	{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F618E5B6-8657-4b7f-A1B1-A984C4030E24}\stubpath = "C:\\Windows\\{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe"	{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DE57404-DB5C-4507-A7AD-6A9A98427D62}\stubpath = "C:\\Windows\\{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe"	{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4770FD98-43F2-44bc-88C9-B37C782C1B73}	{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45FF2B0A-0D36-4de7-A564-C69697F46B74}	{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0D292B-15CA-464e-82D4-6A39A7EE133B}\stubpath = "C:\\Windows\\{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe"	{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}	NEAS.2cf185eb051ff06d58372faf8b76bd40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}\stubpath = "C:\\Windows\\{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe"	NEAS.2cf185eb051ff06d58372faf8b76bd40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}	{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DE57404-DB5C-4507-A7AD-6A9A98427D62}	{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3365F00-4740-48fe-9972-68F6D59E77D3}\stubpath = "C:\\Windows\\{D3365F00-4740-48fe-9972-68F6D59E77D3}.exe"	{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe

Executes dropped EXE 9 IoCs

pid	Process
3812	{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe
1496	{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe
2988	{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe
4084	{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe
4792	{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe
3816	{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe
4804	{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe
3472	{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe
2244	{D3365F00-4740-48fe-9972-68F6D59E77D3}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe	{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe
File created	C:\Windows\{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe	{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe
File created	C:\Windows\{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe	{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe
File created	C:\Windows\{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe	{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe
File created	C:\Windows\{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe	NEAS.2cf185eb051ff06d58372faf8b76bd40.exe
File created	C:\Windows\{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe	{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe
File created	C:\Windows\{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe	{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe
File created	C:\Windows\{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe	{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe
File created	C:\Windows\{D3365F00-4740-48fe-9972-68F6D59E77D3}.exe	{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2384	NEAS.2cf185eb051ff06d58372faf8b76bd40.exe
Token: SeIncBasePriorityPrivilege	3812	{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe
Token: SeIncBasePriorityPrivilege	1496	{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe
Token: SeIncBasePriorityPrivilege	2988	{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe
Token: SeIncBasePriorityPrivilege	4084	{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe
Token: SeIncBasePriorityPrivilege	4792	{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe
Token: SeIncBasePriorityPrivilege	3816	{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe
Token: SeIncBasePriorityPrivilege	4804	{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe
Token: SeIncBasePriorityPrivilege	3472	{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 3812	2384	NEAS.2cf185eb051ff06d58372faf8b76bd40.exe	92
PID 2384 wrote to memory of 3812	2384	NEAS.2cf185eb051ff06d58372faf8b76bd40.exe	92
PID 2384 wrote to memory of 3812	2384	NEAS.2cf185eb051ff06d58372faf8b76bd40.exe	92
PID 2384 wrote to memory of 3000	2384	NEAS.2cf185eb051ff06d58372faf8b76bd40.exe	93
PID 2384 wrote to memory of 3000	2384	NEAS.2cf185eb051ff06d58372faf8b76bd40.exe	93
PID 2384 wrote to memory of 3000	2384	NEAS.2cf185eb051ff06d58372faf8b76bd40.exe	93
PID 3812 wrote to memory of 1496	3812	{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe	102
PID 3812 wrote to memory of 1496	3812	{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe	102
PID 3812 wrote to memory of 1496	3812	{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe	102
PID 3812 wrote to memory of 4456	3812	{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe	103
PID 3812 wrote to memory of 4456	3812	{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe	103
PID 3812 wrote to memory of 4456	3812	{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe	103
PID 1496 wrote to memory of 2988	1496	{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe	104
PID 1496 wrote to memory of 2988	1496	{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe	104
PID 1496 wrote to memory of 2988	1496	{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe	104
PID 1496 wrote to memory of 3344	1496	{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe	105
PID 1496 wrote to memory of 3344	1496	{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe	105
PID 1496 wrote to memory of 3344	1496	{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe	105
PID 2988 wrote to memory of 4084	2988	{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe	109
PID 2988 wrote to memory of 4084	2988	{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe	109
PID 2988 wrote to memory of 4084	2988	{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe	109
PID 2988 wrote to memory of 3368	2988	{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe	110
PID 2988 wrote to memory of 3368	2988	{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe	110
PID 2988 wrote to memory of 3368	2988	{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe	110
PID 4084 wrote to memory of 4792	4084	{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe	112
PID 4084 wrote to memory of 4792	4084	{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe	112
PID 4084 wrote to memory of 4792	4084	{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe	112
PID 4084 wrote to memory of 2452	4084	{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe	113
PID 4084 wrote to memory of 2452	4084	{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe	113
PID 4084 wrote to memory of 2452	4084	{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe	113
PID 4792 wrote to memory of 3816	4792	{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe	115
PID 4792 wrote to memory of 3816	4792	{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe	115
PID 4792 wrote to memory of 3816	4792	{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe	115
PID 4792 wrote to memory of 4164	4792	{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe	116
PID 4792 wrote to memory of 4164	4792	{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe	116
PID 4792 wrote to memory of 4164	4792	{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe	116
PID 3816 wrote to memory of 4804	3816	{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe	121
PID 3816 wrote to memory of 4804	3816	{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe	121
PID 3816 wrote to memory of 4804	3816	{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe	121
PID 3816 wrote to memory of 1976	3816	{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe	122
PID 3816 wrote to memory of 1976	3816	{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe	122
PID 3816 wrote to memory of 1976	3816	{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe	122
PID 4804 wrote to memory of 3472	4804	{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe	124
PID 4804 wrote to memory of 3472	4804	{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe	124
PID 4804 wrote to memory of 3472	4804	{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe	124
PID 4804 wrote to memory of 4012	4804	{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe	125
PID 4804 wrote to memory of 4012	4804	{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe	125
PID 4804 wrote to memory of 4012	4804	{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe	125
PID 3472 wrote to memory of 2244	3472	{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe	128
PID 3472 wrote to memory of 2244	3472	{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe	128
PID 3472 wrote to memory of 2244	3472	{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe	128
PID 3472 wrote to memory of 4084	3472	{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe	129
PID 3472 wrote to memory of 4084	3472	{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe	129
PID 3472 wrote to memory of 4084	3472	{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe	129

C:\Users\Admin\AppData\Local\Temp\NEAS.2cf185eb051ff06d58372faf8b76bd40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2cf185eb051ff06d58372faf8b76bd40.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe
  C:\Windows\{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe
    C:\Windows\{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe
      C:\Windows\{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe
        
        C:\Windows\{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4084
      - C:\Windows\{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe
        
        C:\Windows\{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe
        
        C:\Windows\{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe
        
        C:\Windows\{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe
        
        C:\Windows\{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\{D3365F00-4740-48fe-9972-68F6D59E77D3}.exe
        
        C:\Windows\{D3365F00-4740-48fe-9972-68F6D59E77D3}.exe
        10⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4770F~1.EXE > nul
        10⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C0D2~1.EXE > nul
        9⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1BA5~1.EXE > nul
        8⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DE57~1.EXE > nul
        7⤵
        
        PID:4164
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F618E~1.EXE > nul
        6⤵
        
        PID:2452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E43C7~1.EXE > nul
        5⤵
        
        PID:3368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{45FF2~1.EXE > nul
      4⤵
      PID:3344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F1BF8~1.EXE > nul
    3⤵
    PID:4456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS2C~1.EXE > nul
  2⤵
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe

Filesize
213KB

MD5
058b6dbe9dd98ea0e4f09656bc3fbdf2

SHA1
5af5e46d3478ffab638d50302d804d4b33ef6cbc

SHA256
98dd68ff25dff4e3befda8dbceda5fed47737bf93510d0ba2fac6dc11fb17695

SHA512
a3b3a7bfd8c17c2aafb7d25cc72fe984fbbaa3333431961de1fc01a33f086b1c8b581120ddd1df9f4c7e8e995e91fba5720104be1e7a15044575e4f344f71df4

Download Submit
C:\Windows\{2DE57404-DB5C-4507-A7AD-6A9A98427D62}.exe

Filesize
213KB

MD5
058b6dbe9dd98ea0e4f09656bc3fbdf2

SHA1
5af5e46d3478ffab638d50302d804d4b33ef6cbc

SHA256
98dd68ff25dff4e3befda8dbceda5fed47737bf93510d0ba2fac6dc11fb17695

SHA512
a3b3a7bfd8c17c2aafb7d25cc72fe984fbbaa3333431961de1fc01a33f086b1c8b581120ddd1df9f4c7e8e995e91fba5720104be1e7a15044575e4f344f71df4

Download Submit
C:\Windows\{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe

Filesize
213KB

MD5
4830bac46787e27cb8fde778d25d59b6

SHA1
1330995b645b93e4fb83a77de7e7ecaa69cb63af

SHA256
eb0da85e51e1b4377294b70e2f3c8e67feebc04ef89624c012b5319a90f1f6c6

SHA512
3f25cd5bb3bfbd426dbddc3c3ed792793bb2b5a8f28e180013d3b056a157671fa15373adef307c9921ee3fa081b4b0784ac51fe73e7d0a7190fde9016b8027fd

Download Submit
C:\Windows\{45FF2B0A-0D36-4de7-A564-C69697F46B74}.exe

Filesize
213KB

MD5
4830bac46787e27cb8fde778d25d59b6

SHA1
1330995b645b93e4fb83a77de7e7ecaa69cb63af

SHA256
eb0da85e51e1b4377294b70e2f3c8e67feebc04ef89624c012b5319a90f1f6c6

SHA512
3f25cd5bb3bfbd426dbddc3c3ed792793bb2b5a8f28e180013d3b056a157671fa15373adef307c9921ee3fa081b4b0784ac51fe73e7d0a7190fde9016b8027fd

Download Submit
C:\Windows\{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe

Filesize
213KB

MD5
ed61d57b0dd59f726166f956087b87fb

SHA1
37497c649b6009c59eca75379d4c8b3a79f06db6

SHA256
38465d744bdb9e40b131935976e2ae1e83b4cb62d0099b288437f88b3ff5a526

SHA512
64acdef004361e8ea79589805698212d4c6334e101448965ff0298a0fbae024f95cf433fea0d34f8e8aa11be4a7f6b29f69c571f968cc1c97e59bf44104fccdf

Download Submit
C:\Windows\{4770FD98-43F2-44bc-88C9-B37C782C1B73}.exe

Filesize
213KB

MD5
ed61d57b0dd59f726166f956087b87fb

SHA1
37497c649b6009c59eca75379d4c8b3a79f06db6

SHA256
38465d744bdb9e40b131935976e2ae1e83b4cb62d0099b288437f88b3ff5a526

SHA512
64acdef004361e8ea79589805698212d4c6334e101448965ff0298a0fbae024f95cf433fea0d34f8e8aa11be4a7f6b29f69c571f968cc1c97e59bf44104fccdf

Download Submit
C:\Windows\{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe

Filesize
213KB

MD5
c795c6391d22006d61aadd041ce515a0

SHA1
cdaa8896a8a3954a0826ca1ddd2761b0ef5f5c26

SHA256
acbb414df12a222ef9e57d146a7e1faf153557851bb97023468400693a0d6413

SHA512
33ab4e75a3ca47f45cb883d7d0a74ca8dade1cea901e0533f4f65957cfedf34079c275a1a82988f4990485f40aa31dc5b361dced68a54191b24efa5d08029377

Download Submit
C:\Windows\{8C0D292B-15CA-464e-82D4-6A39A7EE133B}.exe

Filesize
213KB

MD5
c795c6391d22006d61aadd041ce515a0

SHA1
cdaa8896a8a3954a0826ca1ddd2761b0ef5f5c26

SHA256
acbb414df12a222ef9e57d146a7e1faf153557851bb97023468400693a0d6413

SHA512
33ab4e75a3ca47f45cb883d7d0a74ca8dade1cea901e0533f4f65957cfedf34079c275a1a82988f4990485f40aa31dc5b361dced68a54191b24efa5d08029377

Download Submit
C:\Windows\{D3365F00-4740-48fe-9972-68F6D59E77D3}.exe

Filesize
213KB

MD5
cbace28fc14c539142721c0ddb15f5bf

SHA1
2c560645596ef6d21a96ec3555c6bb12ebd6563f

SHA256
20d691f1d08d1ff38fdf91fd956ce1c4e123158e1e55d711ddfecc6c8557cd86

SHA512
035a357e4afaa0c97f56f0db4bde868274f1056c4e8c771b2b9acb34a228faccc95cfdc195b3e6233d6a98f5e16f052bca42e3ee4b16a57240d9ee139aa17426

Download Submit
C:\Windows\{D3365F00-4740-48fe-9972-68F6D59E77D3}.exe

Filesize
213KB

MD5
cbace28fc14c539142721c0ddb15f5bf

SHA1
2c560645596ef6d21a96ec3555c6bb12ebd6563f

SHA256
20d691f1d08d1ff38fdf91fd956ce1c4e123158e1e55d711ddfecc6c8557cd86

SHA512
035a357e4afaa0c97f56f0db4bde868274f1056c4e8c771b2b9acb34a228faccc95cfdc195b3e6233d6a98f5e16f052bca42e3ee4b16a57240d9ee139aa17426

Download Submit
C:\Windows\{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe

Filesize
213KB

MD5
e0d67781e6824b9cdc41fe409517c309

SHA1
838d0b4582dc570e7286202fb710497ca62e9628

SHA256
06f27ea9a36457f272edb76e098b78a0b2e61557ec6f077b8a7c8bf357b4fb30

SHA512
68599a6b0fd98c881a3d0ff8d29b3e45361f4242217f0dbe079f8492a9760c874f29f552ae1d6e2637213c48115b3319a35ebeb010527b9390574bc464bc1388

Download Submit
C:\Windows\{E1BA5483-8124-4b5f-99E3-2A89008E8C31}.exe

Filesize
213KB

MD5
e0d67781e6824b9cdc41fe409517c309

SHA1
838d0b4582dc570e7286202fb710497ca62e9628

SHA256
06f27ea9a36457f272edb76e098b78a0b2e61557ec6f077b8a7c8bf357b4fb30

SHA512
68599a6b0fd98c881a3d0ff8d29b3e45361f4242217f0dbe079f8492a9760c874f29f552ae1d6e2637213c48115b3319a35ebeb010527b9390574bc464bc1388

Download Submit
C:\Windows\{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe

Filesize
213KB

MD5
4ac1ee3a211b95922eb1021706ab9285

SHA1
71d78d527402f422dda753f0a78fab7ce8c7965e

SHA256
8c1144da479d5b238902cc1cdaf57ff21f83fe3965e83b3839939641b5d0744a

SHA512
5381a6a4c18a9a561e68f82e1d3221376055c5c6ba2ffa5b1836adc4ba4eaa7e8a92deb4d9ed733da108ec65764eb1b8f785bfcd1bf8f853eb5259a0912c944f

Download Submit
C:\Windows\{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe

Filesize
213KB

MD5
4ac1ee3a211b95922eb1021706ab9285

SHA1
71d78d527402f422dda753f0a78fab7ce8c7965e

SHA256
8c1144da479d5b238902cc1cdaf57ff21f83fe3965e83b3839939641b5d0744a

SHA512
5381a6a4c18a9a561e68f82e1d3221376055c5c6ba2ffa5b1836adc4ba4eaa7e8a92deb4d9ed733da108ec65764eb1b8f785bfcd1bf8f853eb5259a0912c944f

Download Submit
C:\Windows\{E43C7C02-6EA0-4c0a-A044-407BCA71ED25}.exe

Filesize
213KB

MD5
4ac1ee3a211b95922eb1021706ab9285

SHA1
71d78d527402f422dda753f0a78fab7ce8c7965e

SHA256
8c1144da479d5b238902cc1cdaf57ff21f83fe3965e83b3839939641b5d0744a

SHA512
5381a6a4c18a9a561e68f82e1d3221376055c5c6ba2ffa5b1836adc4ba4eaa7e8a92deb4d9ed733da108ec65764eb1b8f785bfcd1bf8f853eb5259a0912c944f

Download Submit
C:\Windows\{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe

Filesize
213KB

MD5
6e6f801645599a04e4da2ee4a023e70b

SHA1
90a74b6348547aabb332a11fcbd5a173bcfa13a6

SHA256
9c2364928ab364964aac20c92bb6925a95077b84ad85edcc5360165cd0add54b

SHA512
adbce76a9759624274e62e3623892755ff5c1c16e28ef8db5c5678e320a3da19b5c75b21b14d7ee28265d7a724bd6420c6c2b4a39bbb176221418529e4151771

Download Submit
C:\Windows\{F1BF8780-BF8B-4cdc-B5AA-20B55078F637}.exe

Filesize
213KB

MD5
6e6f801645599a04e4da2ee4a023e70b

SHA1
90a74b6348547aabb332a11fcbd5a173bcfa13a6

SHA256
9c2364928ab364964aac20c92bb6925a95077b84ad85edcc5360165cd0add54b

SHA512
adbce76a9759624274e62e3623892755ff5c1c16e28ef8db5c5678e320a3da19b5c75b21b14d7ee28265d7a724bd6420c6c2b4a39bbb176221418529e4151771

Download Submit
C:\Windows\{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe

Filesize
213KB

MD5
cdf7083ba38c3645e7aad6d9da0ed4de

SHA1
00df992fbe791a3c3578569ecc6680133dfdf26e

SHA256
ebd3ab8c1cff6d072dd0d3835cdfe0f470d071400e9b3f12fbc3f36d4152fb23

SHA512
9dd80223f9b7231be199032a006b5545962573cc9cbfd9263aa810c0af8bc0eeae9ca198a32f98fceb3940a67a443685bb1cc37af186ea2a8be3ade00715e0ee

Download Submit
C:\Windows\{F618E5B6-8657-4b7f-A1B1-A984C4030E24}.exe

Filesize
213KB

MD5
cdf7083ba38c3645e7aad6d9da0ed4de

SHA1
00df992fbe791a3c3578569ecc6680133dfdf26e

SHA256
ebd3ab8c1cff6d072dd0d3835cdfe0f470d071400e9b3f12fbc3f36d4152fb23

SHA512
9dd80223f9b7231be199032a006b5545962573cc9cbfd9263aa810c0af8bc0eeae9ca198a32f98fceb3940a67a443685bb1cc37af186ea2a8be3ade00715e0ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads