7a28fd156d788ea46df7641fafd7e2b63f8f2dc53b25c053e69e8cb46c373dd3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe
Size

168KB
MD5

7d55d8099fb9323a7d229e35c78d3f60
SHA1

cfce232810f6501d76f185229637d2459d27f405
SHA256

7a28fd156d788ea46df7641fafd7e2b63f8f2dc53b25c053e69e8cb46c373dd3
SHA512

9b9ad16d3fb5fae7e7c9e695f3069e2e07c92ca5dab02b39d8e46698abe567e609fb8bc41964ac656dfc3acdb302caaa31110b6b1447ff8ee72d61e6b14458b6
SSDEEP

192:pbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwVUr4/CFxyNhoy5t:pbLwOs8AHsc4sMfwhKQLroKr4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}\stubpath = "C:\\Windows\\{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe"	{38288FAD-491A-4f00-9A30-F7814B61867E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B508F8C-5B80-4ce6-A795-3D879041DC04}\stubpath = "C:\\Windows\\{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe"	{CCD65574-0565-4b33-A305-1374FE3D438B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C57AD14-6523-4461-A754-8D087513D853}\stubpath = "C:\\Windows\\{2C57AD14-6523-4461-A754-8D087513D853}.exe"	{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46096542-B8D9-4bd0-9528-C2A00D6B6BB6}	{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D0110BE-35C5-4e0b-85A2-F909B352CFD9}\stubpath = "C:\\Windows\\{5D0110BE-35C5-4e0b-85A2-F909B352CFD9}.exe"	{46096542-B8D9-4bd0-9528-C2A00D6B6BB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8376D45F-81AF-46d9-9C27-17D1303B34D2}	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38288FAD-491A-4f00-9A30-F7814B61867E}\stubpath = "C:\\Windows\\{38288FAD-491A-4f00-9A30-F7814B61867E}.exe"	{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}	{38288FAD-491A-4f00-9A30-F7814B61867E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C251B8C8-C1E2-4c35-8576-BD757A160C56}	{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCD65574-0565-4b33-A305-1374FE3D438B}	{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B508F8C-5B80-4ce6-A795-3D879041DC04}	{CCD65574-0565-4b33-A305-1374FE3D438B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7121CDE9-7E5F-443a-8079-C871B879E0F6}\stubpath = "C:\\Windows\\{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe"	{2C57AD14-6523-4461-A754-8D087513D853}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46096542-B8D9-4bd0-9528-C2A00D6B6BB6}\stubpath = "C:\\Windows\\{46096542-B8D9-4bd0-9528-C2A00D6B6BB6}.exe"	{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D0110BE-35C5-4e0b-85A2-F909B352CFD9}	{46096542-B8D9-4bd0-9528-C2A00D6B6BB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8376D45F-81AF-46d9-9C27-17D1303B34D2}\stubpath = "C:\\Windows\\{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe"	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{814636ED-7325-4782-BB5F-7B316D4C7B43}	{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{814636ED-7325-4782-BB5F-7B316D4C7B43}\stubpath = "C:\\Windows\\{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe"	{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C251B8C8-C1E2-4c35-8576-BD757A160C56}\stubpath = "C:\\Windows\\{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe"	{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C57AD14-6523-4461-A754-8D087513D853}	{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38288FAD-491A-4f00-9A30-F7814B61867E}	{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}	{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}\stubpath = "C:\\Windows\\{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe"	{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCD65574-0565-4b33-A305-1374FE3D438B}\stubpath = "C:\\Windows\\{CCD65574-0565-4b33-A305-1374FE3D438B}.exe"	{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7121CDE9-7E5F-443a-8079-C871B879E0F6}	{2C57AD14-6523-4461-A754-8D087513D853}.exe

Executes dropped EXE 12 IoCs

pid	Process
2980	{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe
3564	{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe
4608	{38288FAD-491A-4f00-9A30-F7814B61867E}.exe
5004	{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe
1596	{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe
2388	{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe
3180	{CCD65574-0565-4b33-A305-1374FE3D438B}.exe
3372	{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe
1948	{2C57AD14-6523-4461-A754-8D087513D853}.exe
3276	{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe
2492	{46096542-B8D9-4bd0-9528-C2A00D6B6BB6}.exe
2564	{5D0110BE-35C5-4e0b-85A2-F909B352CFD9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{38288FAD-491A-4f00-9A30-F7814B61867E}.exe	{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe
File created	C:\Windows\{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe	{38288FAD-491A-4f00-9A30-F7814B61867E}.exe
File created	C:\Windows\{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe	{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe
File created	C:\Windows\{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe	{CCD65574-0565-4b33-A305-1374FE3D438B}.exe
File created	C:\Windows\{2C57AD14-6523-4461-A754-8D087513D853}.exe	{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe
File created	C:\Windows\{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe
File created	C:\Windows\{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe	{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe
File created	C:\Windows\{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe	{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe
File created	C:\Windows\{CCD65574-0565-4b33-A305-1374FE3D438B}.exe	{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe
File created	C:\Windows\{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe	{2C57AD14-6523-4461-A754-8D087513D853}.exe
File created	C:\Windows\{46096542-B8D9-4bd0-9528-C2A00D6B6BB6}.exe	{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe
File created	C:\Windows\{5D0110BE-35C5-4e0b-85A2-F909B352CFD9}.exe	{46096542-B8D9-4bd0-9528-C2A00D6B6BB6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	740	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe
Token: SeIncBasePriorityPrivilege	2980	{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe
Token: SeIncBasePriorityPrivilege	3564	{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe
Token: SeIncBasePriorityPrivilege	4608	{38288FAD-491A-4f00-9A30-F7814B61867E}.exe
Token: SeIncBasePriorityPrivilege	5004	{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe
Token: SeIncBasePriorityPrivilege	1596	{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe
Token: SeIncBasePriorityPrivilege	2388	{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe
Token: SeIncBasePriorityPrivilege	3180	{CCD65574-0565-4b33-A305-1374FE3D438B}.exe
Token: SeIncBasePriorityPrivilege	3372	{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe
Token: SeIncBasePriorityPrivilege	1948	{2C57AD14-6523-4461-A754-8D087513D853}.exe
Token: SeIncBasePriorityPrivilege	3276	{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe
Token: SeIncBasePriorityPrivilege	2492	{46096542-B8D9-4bd0-9528-C2A00D6B6BB6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 2980	740	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	92
PID 740 wrote to memory of 2980	740	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	92
PID 740 wrote to memory of 2980	740	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	92
PID 740 wrote to memory of 2696	740	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	93
PID 740 wrote to memory of 2696	740	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	93
PID 740 wrote to memory of 2696	740	7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe	93
PID 2980 wrote to memory of 3564	2980	{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe	95
PID 2980 wrote to memory of 3564	2980	{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe	95
PID 2980 wrote to memory of 3564	2980	{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe	95
PID 2980 wrote to memory of 1052	2980	{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe	96
PID 2980 wrote to memory of 1052	2980	{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe	96
PID 2980 wrote to memory of 1052	2980	{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe	96
PID 3564 wrote to memory of 4608	3564	{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe	100
PID 3564 wrote to memory of 4608	3564	{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe	100
PID 3564 wrote to memory of 4608	3564	{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe	100
PID 3564 wrote to memory of 3552	3564	{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe	101
PID 3564 wrote to memory of 3552	3564	{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe	101
PID 3564 wrote to memory of 3552	3564	{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe	101
PID 4608 wrote to memory of 5004	4608	{38288FAD-491A-4f00-9A30-F7814B61867E}.exe	102
PID 4608 wrote to memory of 5004	4608	{38288FAD-491A-4f00-9A30-F7814B61867E}.exe	102
PID 4608 wrote to memory of 5004	4608	{38288FAD-491A-4f00-9A30-F7814B61867E}.exe	102
PID 4608 wrote to memory of 688	4608	{38288FAD-491A-4f00-9A30-F7814B61867E}.exe	103
PID 4608 wrote to memory of 688	4608	{38288FAD-491A-4f00-9A30-F7814B61867E}.exe	103
PID 4608 wrote to memory of 688	4608	{38288FAD-491A-4f00-9A30-F7814B61867E}.exe	103
PID 5004 wrote to memory of 1596	5004	{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe	105
PID 5004 wrote to memory of 1596	5004	{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe	105
PID 5004 wrote to memory of 1596	5004	{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe	105
PID 5004 wrote to memory of 1580	5004	{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe	106
PID 5004 wrote to memory of 1580	5004	{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe	106
PID 5004 wrote to memory of 1580	5004	{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe	106
PID 1596 wrote to memory of 2388	1596	{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe	107
PID 1596 wrote to memory of 2388	1596	{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe	107
PID 1596 wrote to memory of 2388	1596	{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe	107
PID 1596 wrote to memory of 2972	1596	{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe	108
PID 1596 wrote to memory of 2972	1596	{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe	108
PID 1596 wrote to memory of 2972	1596	{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe	108
PID 2388 wrote to memory of 3180	2388	{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe	109
PID 2388 wrote to memory of 3180	2388	{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe	109
PID 2388 wrote to memory of 3180	2388	{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe	109
PID 2388 wrote to memory of 3044	2388	{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe	110
PID 2388 wrote to memory of 3044	2388	{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe	110
PID 2388 wrote to memory of 3044	2388	{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe	110
PID 3180 wrote to memory of 3372	3180	{CCD65574-0565-4b33-A305-1374FE3D438B}.exe	117
PID 3180 wrote to memory of 3372	3180	{CCD65574-0565-4b33-A305-1374FE3D438B}.exe	117
PID 3180 wrote to memory of 3372	3180	{CCD65574-0565-4b33-A305-1374FE3D438B}.exe	117
PID 3180 wrote to memory of 1940	3180	{CCD65574-0565-4b33-A305-1374FE3D438B}.exe	118
PID 3180 wrote to memory of 1940	3180	{CCD65574-0565-4b33-A305-1374FE3D438B}.exe	118
PID 3180 wrote to memory of 1940	3180	{CCD65574-0565-4b33-A305-1374FE3D438B}.exe	118
PID 3372 wrote to memory of 1948	3372	{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe	119
PID 3372 wrote to memory of 1948	3372	{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe	119
PID 3372 wrote to memory of 1948	3372	{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe	119
PID 3372 wrote to memory of 4888	3372	{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe	120
PID 3372 wrote to memory of 4888	3372	{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe	120
PID 3372 wrote to memory of 4888	3372	{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe	120
PID 1948 wrote to memory of 3276	1948	{2C57AD14-6523-4461-A754-8D087513D853}.exe	121
PID 1948 wrote to memory of 3276	1948	{2C57AD14-6523-4461-A754-8D087513D853}.exe	121
PID 1948 wrote to memory of 3276	1948	{2C57AD14-6523-4461-A754-8D087513D853}.exe	121
PID 1948 wrote to memory of 1132	1948	{2C57AD14-6523-4461-A754-8D087513D853}.exe	122
PID 1948 wrote to memory of 1132	1948	{2C57AD14-6523-4461-A754-8D087513D853}.exe	122
PID 1948 wrote to memory of 1132	1948	{2C57AD14-6523-4461-A754-8D087513D853}.exe	122
PID 3276 wrote to memory of 2492	3276	{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe	126
PID 3276 wrote to memory of 2492	3276	{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe	126
PID 3276 wrote to memory of 2492	3276	{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe	126
PID 3276 wrote to memory of 1072	3276	{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe	127

C:\Users\Admin\AppData\Local\Temp\7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\7d55d8099fb9323a7d229e35c78d3f60_NEAS.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe
  C:\Windows\{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe
    C:\Windows\{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\{38288FAD-491A-4f00-9A30-F7814B61867E}.exe
      C:\Windows\{38288FAD-491A-4f00-9A30-F7814B61867E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Windows\{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe
        
        C:\Windows\{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
      - C:\Windows\{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe
        
        C:\Windows\{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe
        
        C:\Windows\{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{CCD65574-0565-4b33-A305-1374FE3D438B}.exe
        
        C:\Windows\{CCD65574-0565-4b33-A305-1374FE3D438B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe
        
        C:\Windows\{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\{2C57AD14-6523-4461-A754-8D087513D853}.exe
        
        C:\Windows\{2C57AD14-6523-4461-A754-8D087513D853}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe
        
        C:\Windows\{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\{46096542-B8D9-4bd0-9528-C2A00D6B6BB6}.exe
        
        C:\Windows\{46096542-B8D9-4bd0-9528-C2A00D6B6BB6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\{5D0110BE-35C5-4e0b-85A2-F909B352CFD9}.exe
        
        C:\Windows\{5D0110BE-35C5-4e0b-85A2-F909B352CFD9}.exe
        13⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46096~1.EXE > nul
        13⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7121C~1.EXE > nul
        12⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C57A~1.EXE > nul
        11⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B508~1.EXE > nul
        10⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD65~1.EXE > nul
        9⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C251B~1.EXE > nul
        8⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F1F9~1.EXE > nul
        7⤵
        
        PID:2972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{065CD~1.EXE > nul
        6⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38288~1.EXE > nul
        5⤵
        
        PID:688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{81463~1.EXE > nul
      4⤵
      PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8376D~1.EXE > nul
    3⤵
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7D55D8~1.EXE > nul
  2⤵
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{065CDE8A-D680-493f-8EE1-BC9C3D3DE0B7}.exe

Filesize
168KB

MD5
cfd28e2d88de9f91ca9cbec06afb3ce8

SHA1
3e7fd2b576d18cdf8203e42539fb915f41d33397

SHA256
6dbf6923e5d471ca7b067498fc3b54569a366a0af8f945bd8a36fc161e302b94

SHA512
9614ee5fe61d32334cdc4d83e7050cd31a04a7ce1bafb361ed473c2184db5e4d92848a3015cf8a91b90e84f3662f6dbbe3017f91f87d50a75e8e0f83d6d60f94

Download Submit
C:\Windows\{2C57AD14-6523-4461-A754-8D087513D853}.exe

Filesize
168KB

MD5
80278bad7b0a06e4aa5cfcca87a8b307

SHA1
d5687995cf628d8cc5764a4e4a2af61570edf1cc

SHA256
97d8ccca5a58e438ba2984b9a708f38dbbcdff17a829d6d66e784ba828350a75

SHA512
224e5c0cc694a9370b5b3f3decefa4d8a31caf9f6b8bf357531c33f051984b048b8807fd03dabaee076458817cd9c8200b115ec7bbc36aef48c7441e15daf962

Download Submit
C:\Windows\{38288FAD-491A-4f00-9A30-F7814B61867E}.exe

Filesize
168KB

MD5
651de198b20186de31650bb8b951dd16

SHA1
96fae7a0881b6a0938963b3137003e4d27c4e83a

SHA256
901a5e3da6bf40abfb6ce08dc4275ef06348a7fd72a1c50f406e77d463f3255d

SHA512
7374f57de2df26c1d6505453c29212920a94ba18a63150a55901a8c5e367457f693236945ddbdb20e11315f7fd93c724374e766dc01d98c11dcef03d981525f9

Download Submit
C:\Windows\{46096542-B8D9-4bd0-9528-C2A00D6B6BB6}.exe

Filesize
168KB

MD5
b4248e3ea2071e2ee3536223ec06b894

SHA1
d98a214d07aa56e387edadb3e129b501fd5f589f

SHA256
6a8e9c6d611d3600f2499bbf6b94cf306afbea22b89c69e8f993bfee0ce47dc0

SHA512
654821fd72d20b4ac353ed57fda8b0875cdafe4c81cb785d5a91342d4155951e0de5aa9ba3a784f93ddea2d6d7d1c18bf41cf09db1c5aecaa490aa5413ed4f04

Download Submit
C:\Windows\{4B508F8C-5B80-4ce6-A795-3D879041DC04}.exe

Filesize
168KB

MD5
532199fe36f74ee9104e05ace17aadb7

SHA1
038045dfbc287e7213a89155eacfda1e59c99c13

SHA256
abcbd8f1a00074b8f5a907a54799f432cd44b0476b8d5212eaf613a4026d8460

SHA512
66f222be256977f864bc433e7b5749100b86459a8590576fe08b406d1f33a82023845222fa7c181102f4c43150eea6520dad5fb9e9627c82d425613e156ca3ff

Download Submit
C:\Windows\{5D0110BE-35C5-4e0b-85A2-F909B352CFD9}.exe

Filesize
168KB

MD5
75f5e330df8005e8e13e365aef00b41b

SHA1
8713855d25609122f6e3ec76fcbc72f90aee6f8f

SHA256
e682e0c60163d39eec754efb6de1610bee9183ece3a7b68fcdee0f2aa5b27805

SHA512
7ab1d30de6fc07e1be983155a5349e8cbd6ba57a07e06dca4cdbfd9a0e29b415bdbaebf8f46d4f5a131716632c86347d0d7cc313cf542be1af2e1a3d64cda978

Download Submit
C:\Windows\{7121CDE9-7E5F-443a-8079-C871B879E0F6}.exe

Filesize
168KB

MD5
22c65b255a3a20cbaa66a6a36d96dc6d

SHA1
b8950e7c37f05c83eeaf6cfa0fd45156df2f19a5

SHA256
8d418e86ccebf011c8ab8045437c884e3a341b44f4a4beacd0ce0f5448fc1e34

SHA512
f6cd5c783957dc7f5a3d09b64be70a7f6c2476e7fab90f50f886e182616c19783f4fef3b2f3f0070bfa43e0ca9e8ed7c8b84b0e5e343955ad7af1c4a88d594f5

Download Submit
C:\Windows\{7F1F98B3-9CC4-4882-A4FD-9DDC58EC912D}.exe

Filesize
168KB

MD5
2acd1ffabfc9dd0564b35aeebb41b595

SHA1
837a31175cd8fe15df419a9b73110e73777afb38

SHA256
6fcaee03f3b4a37e7ebe145f357fa069fbaeab80913b617b8a1b5e57d74d7fd3

SHA512
2e6d081df6dbbae58628c1f61ab876eaacfbbf23d901a5f8a9f89621c870d33a214bd9d367f2fdbcdd0dc8323f0fafb7f1eee60ee2c5bb53f8ff7a8be05bdcec

Download Submit
C:\Windows\{814636ED-7325-4782-BB5F-7B316D4C7B43}.exe

Filesize
168KB

MD5
9827d2fb36df58c6a03f7114a5c80990

SHA1
22102444665dae6f666155abfbb12bb38c17155d

SHA256
583235ea2973a7dd39590d22caab1964f3ec40bb20c4187d843338c3c3f3e5c8

SHA512
6e3d27cb44b02a59f55535fed2dbb58f25ba4ace1dc7b12c48690ab325e471ee549880e91e2bc3cf8d89cf4731ee2963b76a619a02e4984654b1adb28edb3f55

Download Submit
C:\Windows\{8376D45F-81AF-46d9-9C27-17D1303B34D2}.exe

Filesize
168KB

MD5
c11de524ca079a011761ee9bf2141e21

SHA1
c8d8956336a700bf69f3bacf6a17183b582c6758

SHA256
1751a0f63f1c2ca960bd988a28028c9a381dcc0265924305e70d54177f50f816

SHA512
70dfa46688659261122b6d2faebe3c77395c9dbf61973e02482c7ab5ec14427b7b0d6af834a6d8ec280108cfe474882609ecd181535841868e0d0ad03396ef17

Download Submit
C:\Windows\{C251B8C8-C1E2-4c35-8576-BD757A160C56}.exe

Filesize
168KB

MD5
3acbd9d59d9c42e0efee05bad329fcc4

SHA1
3d618a32b5a7a0832edcdd29d0c2c8f7234d6ca0

SHA256
d9847637bf09afd9013d2bf588f83e9d28ee9d291988561e38d79ecab9c343e3

SHA512
f7304fcfac66ee77700fe54f4a2b7276ea84b568c3f2db54380299f961d71ddc18ac9cce9b96374330dec10e6bfd0a760dfa26bd8d7183080dd139432562279a

Download Submit
C:\Windows\{CCD65574-0565-4b33-A305-1374FE3D438B}.exe

Filesize
168KB

MD5
348717615238146b402c2d1fe0eef275

SHA1
5c4ed430383ff1e989c5ca05ff1b5a4e02a181a7

SHA256
34d3f0c2a64722ab041cb56ab9a9ff7e98fce0f8ea3c9091eba8493905c39a95

SHA512
2efa3019d15d259ee491769a2dcb96ddcac249cf22e7f80ee5c9c8519fbd6c7b6ce073e44baf5b62aefea1e98fd48cab19b510ea7478e28cf8e4efdea7525b9f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads