7a28fd156d788ea46df7641fafd7e2b63f8f2dc53b25c053e69e8cb46c373dd3

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe
Size

168KB
MD5

7d55d8099fb9323a7d229e35c78d3f60
SHA1

cfce232810f6501d76f185229637d2459d27f405
SHA256

7a28fd156d788ea46df7641fafd7e2b63f8f2dc53b25c053e69e8cb46c373dd3
SHA512

9b9ad16d3fb5fae7e7c9e695f3069e2e07c92ca5dab02b39d8e46698abe567e609fb8bc41964ac656dfc3acdb302caaa31110b6b1447ff8ee72d61e6b14458b6
SSDEEP

192:pbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwVUr4/CFxyNhoy5t:pbLwOs8AHsc4sMfwhKQLroKr4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}	{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{322266F0-BEA3-456b-88A3-FBD953085284}\stubpath = "C:\\Windows\\{322266F0-BEA3-456b-88A3-FBD953085284}.exe"	{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B02AB11-B605-4d98-9E8E-487D9545F19C}\stubpath = "C:\\Windows\\{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe"	{322266F0-BEA3-456b-88A3-FBD953085284}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CACFE685-7B04-4c25-86F8-BB23F253F3C7}	{710E28CB-0A5E-4015-A324-B86351A96E02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F39481C8-A195-4646-959E-74431A1BFFD6}	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}	{F39481C8-A195-4646-959E-74431A1BFFD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}\stubpath = "C:\\Windows\\{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe"	{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{893AE905-8D89-45af-BF41-1A67B8F7278F}	{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{893AE905-8D89-45af-BF41-1A67B8F7278F}\stubpath = "C:\\Windows\\{893AE905-8D89-45af-BF41-1A67B8F7278F}.exe"	{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CACFE685-7B04-4c25-86F8-BB23F253F3C7}\stubpath = "C:\\Windows\\{CACFE685-7B04-4c25-86F8-BB23F253F3C7}.exe"	{710E28CB-0A5E-4015-A324-B86351A96E02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}\stubpath = "C:\\Windows\\{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe"	{F39481C8-A195-4646-959E-74431A1BFFD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}	{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}	{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45918F94-93FD-44f6-9B65-2F937B727E1E}	{893AE905-8D89-45af-BF41-1A67B8F7278F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45918F94-93FD-44f6-9B65-2F937B727E1E}\stubpath = "C:\\Windows\\{45918F94-93FD-44f6-9B65-2F937B727E1E}.exe"	{893AE905-8D89-45af-BF41-1A67B8F7278F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{710E28CB-0A5E-4015-A324-B86351A96E02}\stubpath = "C:\\Windows\\{710E28CB-0A5E-4015-A324-B86351A96E02}.exe"	{45918F94-93FD-44f6-9B65-2F937B727E1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F39481C8-A195-4646-959E-74431A1BFFD6}\stubpath = "C:\\Windows\\{F39481C8-A195-4646-959E-74431A1BFFD6}.exe"	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}\stubpath = "C:\\Windows\\{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe"	{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}\stubpath = "C:\\Windows\\{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe"	{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{322266F0-BEA3-456b-88A3-FBD953085284}	{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B02AB11-B605-4d98-9E8E-487D9545F19C}	{322266F0-BEA3-456b-88A3-FBD953085284}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{710E28CB-0A5E-4015-A324-B86351A96E02}	{45918F94-93FD-44f6-9B65-2F937B727E1E}.exe

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2892	{F39481C8-A195-4646-959E-74431A1BFFD6}.exe
2672	{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe
2552	{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe
2860	{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe
2332	{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe
1836	{322266F0-BEA3-456b-88A3-FBD953085284}.exe
2348	{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe
1964	{893AE905-8D89-45af-BF41-1A67B8F7278F}.exe
284	{45918F94-93FD-44f6-9B65-2F937B727E1E}.exe
2620	{710E28CB-0A5E-4015-A324-B86351A96E02}.exe
2416	{CACFE685-7B04-4c25-86F8-BB23F253F3C7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{322266F0-BEA3-456b-88A3-FBD953085284}.exe	{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe
File created	C:\Windows\{710E28CB-0A5E-4015-A324-B86351A96E02}.exe	{45918F94-93FD-44f6-9B65-2F937B727E1E}.exe
File created	C:\Windows\{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe	{F39481C8-A195-4646-959E-74431A1BFFD6}.exe
File created	C:\Windows\{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe	{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe
File created	C:\Windows\{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe	{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe
File created	C:\Windows\{893AE905-8D89-45af-BF41-1A67B8F7278F}.exe	{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe
File created	C:\Windows\{45918F94-93FD-44f6-9B65-2F937B727E1E}.exe	{893AE905-8D89-45af-BF41-1A67B8F7278F}.exe
File created	C:\Windows\{CACFE685-7B04-4c25-86F8-BB23F253F3C7}.exe	{710E28CB-0A5E-4015-A324-B86351A96E02}.exe
File created	C:\Windows\{F39481C8-A195-4646-959E-74431A1BFFD6}.exe	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe
File created	C:\Windows\{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe	{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe
File created	C:\Windows\{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe	{322266F0-BEA3-456b-88A3-FBD953085284}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2732	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe
Token: SeIncBasePriorityPrivilege	2892	{F39481C8-A195-4646-959E-74431A1BFFD6}.exe
Token: SeIncBasePriorityPrivilege	2672	{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe
Token: SeIncBasePriorityPrivilege	2552	{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe
Token: SeIncBasePriorityPrivilege	2860	{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe
Token: SeIncBasePriorityPrivilege	2332	{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe
Token: SeIncBasePriorityPrivilege	1836	{322266F0-BEA3-456b-88A3-FBD953085284}.exe
Token: SeIncBasePriorityPrivilege	2348	{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe
Token: SeIncBasePriorityPrivilege	1964	{893AE905-8D89-45af-BF41-1A67B8F7278F}.exe
Token: SeIncBasePriorityPrivilege	284	{45918F94-93FD-44f6-9B65-2F937B727E1E}.exe
Token: SeIncBasePriorityPrivilege	2620	{710E28CB-0A5E-4015-A324-B86351A96E02}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2892	2732	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	28
PID 2732 wrote to memory of 2892	2732	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	28
PID 2732 wrote to memory of 2892	2732	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	28
PID 2732 wrote to memory of 2892	2732	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	28
PID 2732 wrote to memory of 2920	2732	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	29
PID 2732 wrote to memory of 2920	2732	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	29
PID 2732 wrote to memory of 2920	2732	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	29
PID 2732 wrote to memory of 2920	2732	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	29
PID 2892 wrote to memory of 2672	2892	{F39481C8-A195-4646-959E-74431A1BFFD6}.exe	30
PID 2892 wrote to memory of 2672	2892	{F39481C8-A195-4646-959E-74431A1BFFD6}.exe	30
PID 2892 wrote to memory of 2672	2892	{F39481C8-A195-4646-959E-74431A1BFFD6}.exe	30
PID 2892 wrote to memory of 2672	2892	{F39481C8-A195-4646-959E-74431A1BFFD6}.exe	30
PID 2892 wrote to memory of 2588	2892	{F39481C8-A195-4646-959E-74431A1BFFD6}.exe	31
PID 2892 wrote to memory of 2588	2892	{F39481C8-A195-4646-959E-74431A1BFFD6}.exe	31
PID 2892 wrote to memory of 2588	2892	{F39481C8-A195-4646-959E-74431A1BFFD6}.exe	31
PID 2892 wrote to memory of 2588	2892	{F39481C8-A195-4646-959E-74431A1BFFD6}.exe	31
PID 2672 wrote to memory of 2552	2672	{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe	32
PID 2672 wrote to memory of 2552	2672	{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe	32
PID 2672 wrote to memory of 2552	2672	{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe	32
PID 2672 wrote to memory of 2552	2672	{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe	32
PID 2672 wrote to memory of 2708	2672	{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe	33
PID 2672 wrote to memory of 2708	2672	{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe	33
PID 2672 wrote to memory of 2708	2672	{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe	33
PID 2672 wrote to memory of 2708	2672	{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe	33
PID 2552 wrote to memory of 2860	2552	{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe	36
PID 2552 wrote to memory of 2860	2552	{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe	36
PID 2552 wrote to memory of 2860	2552	{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe	36
PID 2552 wrote to memory of 2860	2552	{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe	36
PID 2552 wrote to memory of 2016	2552	{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe	37
PID 2552 wrote to memory of 2016	2552	{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe	37
PID 2552 wrote to memory of 2016	2552	{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe	37
PID 2552 wrote to memory of 2016	2552	{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe	37
PID 2860 wrote to memory of 2332	2860	{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe	38
PID 2860 wrote to memory of 2332	2860	{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe	38
PID 2860 wrote to memory of 2332	2860	{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe	38
PID 2860 wrote to memory of 2332	2860	{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe	38
PID 2860 wrote to memory of 772	2860	{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe	39
PID 2860 wrote to memory of 772	2860	{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe	39
PID 2860 wrote to memory of 772	2860	{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe	39
PID 2860 wrote to memory of 772	2860	{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe	39
PID 2332 wrote to memory of 1836	2332	{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe	40
PID 2332 wrote to memory of 1836	2332	{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe	40
PID 2332 wrote to memory of 1836	2332	{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe	40
PID 2332 wrote to memory of 1836	2332	{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe	40
PID 2332 wrote to memory of 2232	2332	{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe	41
PID 2332 wrote to memory of 2232	2332	{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe	41
PID 2332 wrote to memory of 2232	2332	{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe	41
PID 2332 wrote to memory of 2232	2332	{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe	41
PID 1836 wrote to memory of 2348	1836	{322266F0-BEA3-456b-88A3-FBD953085284}.exe	42
PID 1836 wrote to memory of 2348	1836	{322266F0-BEA3-456b-88A3-FBD953085284}.exe	42
PID 1836 wrote to memory of 2348	1836	{322266F0-BEA3-456b-88A3-FBD953085284}.exe	42
PID 1836 wrote to memory of 2348	1836	{322266F0-BEA3-456b-88A3-FBD953085284}.exe	42
PID 1836 wrote to memory of 2200	1836	{322266F0-BEA3-456b-88A3-FBD953085284}.exe	43
PID 1836 wrote to memory of 2200	1836	{322266F0-BEA3-456b-88A3-FBD953085284}.exe	43
PID 1836 wrote to memory of 2200	1836	{322266F0-BEA3-456b-88A3-FBD953085284}.exe	43
PID 1836 wrote to memory of 2200	1836	{322266F0-BEA3-456b-88A3-FBD953085284}.exe	43
PID 2348 wrote to memory of 1964	2348	{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe	44
PID 2348 wrote to memory of 1964	2348	{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe	44
PID 2348 wrote to memory of 1964	2348	{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe	44
PID 2348 wrote to memory of 1964	2348	{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe	44
PID 2348 wrote to memory of 336	2348	{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe	45
PID 2348 wrote to memory of 336	2348	{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe	45
PID 2348 wrote to memory of 336	2348	{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe	45
PID 2348 wrote to memory of 336	2348	{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe	45

C:\Users\Admin\AppData\Local\Temp\7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\{F39481C8-A195-4646-959E-74431A1BFFD6}.exe
  C:\Windows\{F39481C8-A195-4646-959E-74431A1BFFD6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe
    C:\Windows\{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe
      C:\Windows\{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe
        
        C:\Windows\{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe
        
        C:\Windows\{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{322266F0-BEA3-456b-88A3-FBD953085284}.exe
        
        C:\Windows\{322266F0-BEA3-456b-88A3-FBD953085284}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe
        
        C:\Windows\{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{893AE905-8D89-45af-BF41-1A67B8F7278F}.exe
        
        C:\Windows\{893AE905-8D89-45af-BF41-1A67B8F7278F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{45918F94-93FD-44f6-9B65-2F937B727E1E}.exe
        
        C:\Windows\{45918F94-93FD-44f6-9B65-2F937B727E1E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
        
        C:\Windows\{710E28CB-0A5E-4015-A324-B86351A96E02}.exe
        
        C:\Windows\{710E28CB-0A5E-4015-A324-B86351A96E02}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\{CACFE685-7B04-4c25-86F8-BB23F253F3C7}.exe
        
        C:\Windows\{CACFE685-7B04-4c25-86F8-BB23F253F3C7}.exe
        12⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{710E2~1.EXE > nul
        12⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45918~1.EXE > nul
        11⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{893AE~1.EXE > nul
        10⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B02A~1.EXE > nul
        9⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32226~1.EXE > nul
        8⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF38B~1.EXE > nul
        7⤵
        
        PID:2232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9917C~1.EXE > nul
        6⤵
        
        PID:772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5AA2~1.EXE > nul
        5⤵
        
        PID:2016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6A624~1.EXE > nul
      4⤵
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F3948~1.EXE > nul
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7D55D8~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{322266F0-BEA3-456b-88A3-FBD953085284}.exe

Filesize
168KB

MD5
19ac0bd1098637cea66ecb83ce0d3024

SHA1
92b546b9c3839d3585a0bc083bd02298236c6439

SHA256
7b9ccbbc11001458b532a4d534a5d9ed47aff74dc12a3575f767e664b53a370c

SHA512
84913e344b16516764369ce025badb3c15523bf26d273d4a1d3c65783b3951e283723d1af9cb11fd4f990bba6257034c2d757be0b8101d34cab3caf46aa3b300

Download Submit
C:\Windows\{45918F94-93FD-44f6-9B65-2F937B727E1E}.exe

Filesize
168KB

MD5
43e8d0eadd3840f0f594e492c1e1a610

SHA1
fe64988fb9ff91530f57d0408a517f26797ab7e3

SHA256
5c594ede56012154d38a3fa3283f64514a338db1ea9dac2513985bca8ff879e3

SHA512
dc2440c5ee8b7b2ae33b3970577a82e287356688600419b5a26a15fb84f72a4933b1e914059fe56c4218acfc4f4e52ee637091f7b98b93af7c350c15ee16c36d

Download Submit
C:\Windows\{4B02AB11-B605-4d98-9E8E-487D9545F19C}.exe

Filesize
168KB

MD5
186b358f3ddb7add2ab7537861f3ad80

SHA1
9ec0c2cd86b651eb59e75554e486228389b5b141

SHA256
6f795fbaa98c7afceadd2a0d363363b8b9d742b21830c5279fbd31fd7c7a5ef9

SHA512
66bcfddec511cc91647379d45a9752955ee233c92355c1e77f13f549b364860bb6c12aff5d450cfa3ec5373115df95734bae93794227c376fb551cd344cd5a6f

Download Submit
C:\Windows\{6A624D86-F0A5-4414-9DE1-3C3C6D92E9B3}.exe

Filesize
168KB

MD5
558a676558eef5a11dd83b94a80da43f

SHA1
db69ba1fadff62fbbbe043c3c5469fc610e588b4

SHA256
272021432ba4aecfcb672c6e1a5e2c19d79c5ea4244344c39c267a41cb3ac7ca

SHA512
290c83106a24f2af6b4c871b8253529ba57cc4aed682f9f38b56fb72db38e248fbaa676d395d9094352457c067c0feb2c057016b6fce9d3292e237c3899ec02b

Download Submit
C:\Windows\{710E28CB-0A5E-4015-A324-B86351A96E02}.exe

Filesize
168KB

MD5
7533422e9f1c66e95b86e4aa2cb0419c

SHA1
c43e09c251a19c214110f8453e959fcf450221ad

SHA256
95cd91cc96a9e3c14fb9635a657f4ca9afcd67d57f9ec61b06d13132336f55c6

SHA512
9d5a031cbf60c03954222ca54bfaba281a0d72f0ffa93dce97ffe4ad20b6cecd77afb82133436124576173463f6ea92bd9b7e9851e96c9cf0b91ebf485781eb6

Download Submit
C:\Windows\{893AE905-8D89-45af-BF41-1A67B8F7278F}.exe

Filesize
168KB

MD5
d6148a870c8da240c544b6db4dee25b0

SHA1
94b8dbb4ff9e528d5bf613a8333449d08ad4c3c8

SHA256
5ca35fdbdacbca8a408b943b0b8560a0f126f61512d480ed2d49414368a5eea2

SHA512
f742d8c4fe9110b45124113bb67ce130c2e2f88e0ae7dc7a32405716171c233b0f1877ea6ff0322161bcbaccb0fd438704e8ce2cd520adebec243e22b93b38aa

Download Submit
C:\Windows\{9917C7E4-CEB0-4979-8079-2D52CBEC82DB}.exe

Filesize
168KB

MD5
78a4465a5b6da0fde029e641d948736a

SHA1
d30d782622042890fe97ae1909e225b7bd60a9df

SHA256
d422922662f88e98637463f4b3e39f4223c71860ef4de3b43ff74c4473920ad3

SHA512
54a93edaa0cadff196bb1e3bac4a7eb56f1c619056c0882eee5dd57c3f7e5ff93bdc764f3da726b2aadf83e7146515a022dac382799a2484ce581087702db5eb

Download Submit
C:\Windows\{B5AA279A-E000-4fac-9D1D-96DE7DFCB639}.exe

Filesize
168KB

MD5
edcc29f11a3390497970ec8c51e97246

SHA1
d204bce03df56206dc2c2677d111d7ecd4ce0683

SHA256
3c154c01fcc428e7de1796ff6b025d042edd55426a0065b7e185ead6cbb05fd8

SHA512
c39bf64663250ccecba308a927fd19fcd10db86865bf6436bde59f19d9f3c682586e022647ef7bb6459a8308fd71406f40afcb968f2addc5fb9766151e8c4682

Download Submit
C:\Windows\{CACFE685-7B04-4c25-86F8-BB23F253F3C7}.exe

Filesize
168KB

MD5
733219d4e0a6d756d96fef7d2d9cf105

SHA1
d62892e13ced9c804ad15b4044cef5a1818be720

SHA256
67ac3396670ed5fa5fdcc94319ef77ecc38635cbee9fd89d7b965e14619fcf2b

SHA512
3c5f060cfabe3f6c3007973a188112493c70ab3ab4703e8e2703d70fa2d36da76b43103300a7fac5ecb381d0515b96dda6b08bd61a0126b37b2ce9f0e182d97e

Download Submit
C:\Windows\{F39481C8-A195-4646-959E-74431A1BFFD6}.exe

Filesize
168KB

MD5
78438012d43dd07cc8ca191b4b58931d

SHA1
fe2d34e318c75527d2cc08f809ff362d3301693b

SHA256
1f93ba1e17b5355b43a1ef2164f9a1abe700e2f50fe84940fbfbe5f4e3eae8da

SHA512
9bacf7d2b3ff5d9a896ad728b0c7cdb2176fd62fc2e1238e6f5f0e6f676975345277b4a785c775fa9dfc7db9da1bb21700ceae925d4e1621b68fafc428ddd8f8

Download Submit
C:\Windows\{FF38BAF5-1E37-4fc0-B5C1-9AAF0BC0B122}.exe

Filesize
168KB

MD5
12ceec4ad40ed9795c55b657870a1dbf

SHA1
48f0a86f0144b92549181b0d059d3eaf1f0e6557

SHA256
fdf14dc940c5758dd0010e2e9ea929d3991dfc516ade7caf1947f3b602310e52

SHA512
8c4e5e1c1edf86f50dea8c9f339cafb3939086cc94377a131d2be2cc777276537e5599fb5a4121df80c5a9f4f54da7c36d17f3ee22c5aabe0a8bd2d88467ba7e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads