17cf9e9adf964db4e97b490d2e777fea00ddbf7f28c6f198a2b243579bc3bfee

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-08_9e530931c6c3f2de4427d44d060d3460_goldeneye_JC.exe
Size

408KB
MD5

9e530931c6c3f2de4427d44d060d3460
SHA1

1aa3bc84290be435b83ad171617fe172173c89ea
SHA256

17cf9e9adf964db4e97b490d2e777fea00ddbf7f28c6f198a2b243579bc3bfee
SHA512

7b2a200eea31f88362e2d604080a8cf3af3edfe25f5ce1c24351da3ab1aa502ecaf653d38fd71a4aea7dfff3f938790b6c6f8df726a615889db3ffed5fec847d
SSDEEP

3072:CEGh0oVl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E74C8D-5349-4b04-B0BF-FD433252A627}\stubpath = "C:\\Windows\\{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe"	{1758BA2B-2168-4f6c-9856-B9E939763332}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{669C60EE-495D-4d2f-9BD5-3A5C428B257C}\stubpath = "C:\\Windows\\{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe"	{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00ED9D13-E651-40d5-BEDE-7FE41228FE40}\stubpath = "C:\\Windows\\{00ED9D13-E651-40d5-BEDE-7FE41228FE40}.exe"	{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1758BA2B-2168-4f6c-9856-B9E939763332}\stubpath = "C:\\Windows\\{1758BA2B-2168-4f6c-9856-B9E939763332}.exe"	{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}	{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{669C60EE-495D-4d2f-9BD5-3A5C428B257C}	{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7D74E63-2604-4aa8-A993-6B545647AE10}\stubpath = "C:\\Windows\\{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe"	{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7D74E63-2604-4aa8-A993-6B545647AE10}	{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}\stubpath = "C:\\Windows\\{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe"	{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{412B263D-613C-46df-92A8-8D3BAEAD0137}	{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74600B96-D794-42c6-BB55-DBAF9F89D13D}	NEAS.2023-09-08_9e530931c6c3f2de4427d44d060d3460_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74600B96-D794-42c6-BB55-DBAF9F89D13D}\stubpath = "C:\\Windows\\{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe"	NEAS.2023-09-08_9e530931c6c3f2de4427d44d060d3460_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}\stubpath = "C:\\Windows\\{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe"	{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1758BA2B-2168-4f6c-9856-B9E939763332}	{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}\stubpath = "C:\\Windows\\{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe"	{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00ED9D13-E651-40d5-BEDE-7FE41228FE40}	{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{412B263D-613C-46df-92A8-8D3BAEAD0137}\stubpath = "C:\\Windows\\{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe"	{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}	{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E74C8D-5349-4b04-B0BF-FD433252A627}	{1758BA2B-2168-4f6c-9856-B9E939763332}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}\stubpath = "C:\\Windows\\{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe"	{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}	{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}	{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe

Executes dropped EXE 11 IoCs

pid	Process
2128	{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe
3172	{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe
4740	{1758BA2B-2168-4f6c-9856-B9E939763332}.exe
4044	{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe
2368	{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe
5052	{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe
1372	{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe
3060	{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe
768	{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe
5092	{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe
2400	{00ED9D13-E651-40d5-BEDE-7FE41228FE40}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe	{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe
File created	C:\Windows\{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe	{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe
File created	C:\Windows\{00ED9D13-E651-40d5-BEDE-7FE41228FE40}.exe	{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe
File created	C:\Windows\{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe	NEAS.2023-09-08_9e530931c6c3f2de4427d44d060d3460_goldeneye_JC.exe
File created	C:\Windows\{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe	{1758BA2B-2168-4f6c-9856-B9E939763332}.exe
File created	C:\Windows\{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe	{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe
File created	C:\Windows\{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe	{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe
File created	C:\Windows\{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe	{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe
File created	C:\Windows\{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe	{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe
File created	C:\Windows\{1758BA2B-2168-4f6c-9856-B9E939763332}.exe	{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe
File created	C:\Windows\{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe	{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2192	NEAS.2023-09-08_9e530931c6c3f2de4427d44d060d3460_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2128	{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe
Token: SeIncBasePriorityPrivilege	3172	{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe
Token: SeIncBasePriorityPrivilege	4740	{1758BA2B-2168-4f6c-9856-B9E939763332}.exe
Token: SeIncBasePriorityPrivilege	4044	{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe
Token: SeIncBasePriorityPrivilege	2368	{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe
Token: SeIncBasePriorityPrivilege	5052	{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe
Token: SeIncBasePriorityPrivilege	1372	{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe
Token: SeIncBasePriorityPrivilege	3060	{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe
Token: SeIncBasePriorityPrivilege	768	{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe
Token: SeIncBasePriorityPrivilege	5092	{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2128	2192	NEAS.2023-09-08_9e530931c6c3f2de4427d44d060d3460_goldeneye_JC.exe	90
PID 2192 wrote to memory of 2128	2192	NEAS.2023-09-08_9e530931c6c3f2de4427d44d060d3460_goldeneye_JC.exe	90
PID 2192 wrote to memory of 2128	2192	NEAS.2023-09-08_9e530931c6c3f2de4427d44d060d3460_goldeneye_JC.exe	90
PID 2192 wrote to memory of 1800	2192	NEAS.2023-09-08_9e530931c6c3f2de4427d44d060d3460_goldeneye_JC.exe	91
PID 2192 wrote to memory of 1800	2192	NEAS.2023-09-08_9e530931c6c3f2de4427d44d060d3460_goldeneye_JC.exe	91
PID 2192 wrote to memory of 1800	2192	NEAS.2023-09-08_9e530931c6c3f2de4427d44d060d3460_goldeneye_JC.exe	91
PID 2128 wrote to memory of 3172	2128	{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe	94
PID 2128 wrote to memory of 3172	2128	{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe	94
PID 2128 wrote to memory of 3172	2128	{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe	94
PID 2128 wrote to memory of 3520	2128	{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe	95
PID 2128 wrote to memory of 3520	2128	{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe	95
PID 2128 wrote to memory of 3520	2128	{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe	95
PID 3172 wrote to memory of 4740	3172	{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe	96
PID 3172 wrote to memory of 4740	3172	{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe	96
PID 3172 wrote to memory of 4740	3172	{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe	96
PID 3172 wrote to memory of 1276	3172	{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe	97
PID 3172 wrote to memory of 1276	3172	{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe	97
PID 3172 wrote to memory of 1276	3172	{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe	97
PID 4740 wrote to memory of 4044	4740	{1758BA2B-2168-4f6c-9856-B9E939763332}.exe	100
PID 4740 wrote to memory of 4044	4740	{1758BA2B-2168-4f6c-9856-B9E939763332}.exe	100
PID 4740 wrote to memory of 4044	4740	{1758BA2B-2168-4f6c-9856-B9E939763332}.exe	100
PID 4740 wrote to memory of 4808	4740	{1758BA2B-2168-4f6c-9856-B9E939763332}.exe	101
PID 4740 wrote to memory of 4808	4740	{1758BA2B-2168-4f6c-9856-B9E939763332}.exe	101
PID 4740 wrote to memory of 4808	4740	{1758BA2B-2168-4f6c-9856-B9E939763332}.exe	101
PID 4044 wrote to memory of 2368	4044	{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe	102
PID 4044 wrote to memory of 2368	4044	{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe	102
PID 4044 wrote to memory of 2368	4044	{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe	102
PID 4044 wrote to memory of 3724	4044	{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe	103
PID 4044 wrote to memory of 3724	4044	{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe	103
PID 4044 wrote to memory of 3724	4044	{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe	103
PID 2368 wrote to memory of 5052	2368	{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe	104
PID 2368 wrote to memory of 5052	2368	{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe	104
PID 2368 wrote to memory of 5052	2368	{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe	104
PID 2368 wrote to memory of 4500	2368	{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe	105
PID 2368 wrote to memory of 4500	2368	{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe	105
PID 2368 wrote to memory of 4500	2368	{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe	105
PID 5052 wrote to memory of 1372	5052	{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe	106
PID 5052 wrote to memory of 1372	5052	{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe	106
PID 5052 wrote to memory of 1372	5052	{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe	106
PID 5052 wrote to memory of 4484	5052	{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe	107
PID 5052 wrote to memory of 4484	5052	{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe	107
PID 5052 wrote to memory of 4484	5052	{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe	107
PID 1372 wrote to memory of 3060	1372	{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe	108
PID 1372 wrote to memory of 3060	1372	{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe	108
PID 1372 wrote to memory of 3060	1372	{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe	108
PID 1372 wrote to memory of 4960	1372	{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe	109
PID 1372 wrote to memory of 4960	1372	{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe	109
PID 1372 wrote to memory of 4960	1372	{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe	109
PID 3060 wrote to memory of 768	3060	{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe	110
PID 3060 wrote to memory of 768	3060	{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe	110
PID 3060 wrote to memory of 768	3060	{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe	110
PID 3060 wrote to memory of 3708	3060	{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe	111
PID 3060 wrote to memory of 3708	3060	{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe	111
PID 3060 wrote to memory of 3708	3060	{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe	111
PID 768 wrote to memory of 5092	768	{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe	112
PID 768 wrote to memory of 5092	768	{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe	112
PID 768 wrote to memory of 5092	768	{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe	112
PID 768 wrote to memory of 3728	768	{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe	113
PID 768 wrote to memory of 3728	768	{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe	113
PID 768 wrote to memory of 3728	768	{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe	113
PID 5092 wrote to memory of 2400	5092	{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe	114
PID 5092 wrote to memory of 2400	5092	{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe	114
PID 5092 wrote to memory of 2400	5092	{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe	114
PID 5092 wrote to memory of 3176	5092	{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe	115

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_9e530931c6c3f2de4427d44d060d3460_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_9e530931c6c3f2de4427d44d060d3460_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe
  C:\Windows\{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe
    C:\Windows\{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\{1758BA2B-2168-4f6c-9856-B9E939763332}.exe
      C:\Windows\{1758BA2B-2168-4f6c-9856-B9E939763332}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe
        
        C:\Windows\{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - C:\Windows\{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe
        
        C:\Windows\{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe
        
        C:\Windows\{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe
        
        C:\Windows\{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe
        
        C:\Windows\{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe
        
        C:\Windows\{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe
        
        C:\Windows\{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\{00ED9D13-E651-40d5-BEDE-7FE41228FE40}.exe
        
        C:\Windows\{00ED9D13-E651-40d5-BEDE-7FE41228FE40}.exe
        12⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{412B2~1.EXE > nul
        12⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{071A0~1.EXE > nul
        11⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7D74~1.EXE > nul
        10⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{669C6~1.EXE > nul
        9⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8AC4~1.EXE > nul
        8⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46ADD~1.EXE > nul
        7⤵
        
        PID:4500
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13E74~1.EXE > nul
        6⤵
        
        PID:3724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1758B~1.EXE > nul
        5⤵
        
        PID:4808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E1F7F~1.EXE > nul
      4⤵
      PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{74600~1.EXE > nul
    3⤵
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00ED9D13-E651-40d5-BEDE-7FE41228FE40}.exe

Filesize
408KB

MD5
1cdf34772e850839360fed9dc39e5704

SHA1
09934cfed759b6d95560dc7e8535ad4fb77aca30

SHA256
24d20274fadeec8a8621a1ac337bd651bee55d2c0e76b6bb6cbcdd1a138033c8

SHA512
173b8e3c5520ed21d0e37eee292a13ff3f742bcd612513a1388f987dadd53ce4a93b317f5edb5187e9c5b4737215181ed92867dca50769bd6ec71c57b52c883f

Download Submit
C:\Windows\{00ED9D13-E651-40d5-BEDE-7FE41228FE40}.exe

Filesize
408KB

MD5
1cdf34772e850839360fed9dc39e5704

SHA1
09934cfed759b6d95560dc7e8535ad4fb77aca30

SHA256
24d20274fadeec8a8621a1ac337bd651bee55d2c0e76b6bb6cbcdd1a138033c8

SHA512
173b8e3c5520ed21d0e37eee292a13ff3f742bcd612513a1388f987dadd53ce4a93b317f5edb5187e9c5b4737215181ed92867dca50769bd6ec71c57b52c883f

Download Submit
C:\Windows\{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe

Filesize
408KB

MD5
75e2844bd0d9d09f708570ac7afd97d6

SHA1
49d330c9fe75e2bf35d9526c98b119e5b543b5eb

SHA256
863397af76f40cefb775f15d9cf094a534733d0186d7ef72307a9554869c9911

SHA512
55e8876de8b946ac3b9129161c0c69feada1fa1b99d8fa1ee4d6aab883db57b41de73b22ba2802c7518fce81f8d6f4afe1b3a50f9a5ce6a333347932d2856576

Download Submit
C:\Windows\{071A0411-F9B2-4c33-9B07-7E8E6E36CEBF}.exe

Filesize
408KB

MD5
75e2844bd0d9d09f708570ac7afd97d6

SHA1
49d330c9fe75e2bf35d9526c98b119e5b543b5eb

SHA256
863397af76f40cefb775f15d9cf094a534733d0186d7ef72307a9554869c9911

SHA512
55e8876de8b946ac3b9129161c0c69feada1fa1b99d8fa1ee4d6aab883db57b41de73b22ba2802c7518fce81f8d6f4afe1b3a50f9a5ce6a333347932d2856576

Download Submit
C:\Windows\{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe

Filesize
408KB

MD5
96d770be486f9116ab86d6d54789f777

SHA1
3d6ac10817eec67fb341c1632810aecd594c4305

SHA256
456a5e0e92b209bcfe7cc1c4c826db440ed0b5a2568cb80123b3770e489805c2

SHA512
a0342d4bf328484f2645fbfefdc9cad7267b1307455c5fa2aeda9f084c6aff46b4ea8dfbdd9b399753576ea6e876afcbeec14c6fedd6bacb713b45710ec98f58

Download Submit
C:\Windows\{13E74C8D-5349-4b04-B0BF-FD433252A627}.exe

Filesize
408KB

MD5
96d770be486f9116ab86d6d54789f777

SHA1
3d6ac10817eec67fb341c1632810aecd594c4305

SHA256
456a5e0e92b209bcfe7cc1c4c826db440ed0b5a2568cb80123b3770e489805c2

SHA512
a0342d4bf328484f2645fbfefdc9cad7267b1307455c5fa2aeda9f084c6aff46b4ea8dfbdd9b399753576ea6e876afcbeec14c6fedd6bacb713b45710ec98f58

Download Submit
C:\Windows\{1758BA2B-2168-4f6c-9856-B9E939763332}.exe

Filesize
408KB

MD5
dbfb8f8481058b82d3ad41f900a3e172

SHA1
8c93294386e9b1f7bc95e43085dd463b95654b15

SHA256
35b20e971582c995a1733d017e7f43287a8e1dbab885ac29be63193a0a3017fc

SHA512
34c4b40e59daec5f8eb64e4da85ef202cbd54fcb2343c76ee81c83577f66e5aaf2162f14f2e5c071580473f2010c18566f69aa3e8bc8ba7f2543b2e5cd02c151

Download Submit
C:\Windows\{1758BA2B-2168-4f6c-9856-B9E939763332}.exe

Filesize
408KB

MD5
dbfb8f8481058b82d3ad41f900a3e172

SHA1
8c93294386e9b1f7bc95e43085dd463b95654b15

SHA256
35b20e971582c995a1733d017e7f43287a8e1dbab885ac29be63193a0a3017fc

SHA512
34c4b40e59daec5f8eb64e4da85ef202cbd54fcb2343c76ee81c83577f66e5aaf2162f14f2e5c071580473f2010c18566f69aa3e8bc8ba7f2543b2e5cd02c151

Download Submit
C:\Windows\{1758BA2B-2168-4f6c-9856-B9E939763332}.exe

Filesize
408KB

MD5
dbfb8f8481058b82d3ad41f900a3e172

SHA1
8c93294386e9b1f7bc95e43085dd463b95654b15

SHA256
35b20e971582c995a1733d017e7f43287a8e1dbab885ac29be63193a0a3017fc

SHA512
34c4b40e59daec5f8eb64e4da85ef202cbd54fcb2343c76ee81c83577f66e5aaf2162f14f2e5c071580473f2010c18566f69aa3e8bc8ba7f2543b2e5cd02c151

Download Submit
C:\Windows\{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe

Filesize
408KB

MD5
2edd2b3d1dc8d601602ed5e90c2e825d

SHA1
2117495eee362a20087d0f8e67774aaa3a9d2528

SHA256
f71bf01343b1b838a58e508376aa5ef9505f32284eba0faa99f3a1b601141ac2

SHA512
e2a75e569b28f5df4204850fe42f5674c3f2c36f18eea6297844aee44c43be1a110c8608c0bdfaaabe1e92b46ffaf758a42c5646e1fa4d546950d57f499bbf73

Download Submit
C:\Windows\{412B263D-613C-46df-92A8-8D3BAEAD0137}.exe

Filesize
408KB

MD5
2edd2b3d1dc8d601602ed5e90c2e825d

SHA1
2117495eee362a20087d0f8e67774aaa3a9d2528

SHA256
f71bf01343b1b838a58e508376aa5ef9505f32284eba0faa99f3a1b601141ac2

SHA512
e2a75e569b28f5df4204850fe42f5674c3f2c36f18eea6297844aee44c43be1a110c8608c0bdfaaabe1e92b46ffaf758a42c5646e1fa4d546950d57f499bbf73

Download Submit
C:\Windows\{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe

Filesize
408KB

MD5
e2f2fff4bfd43ef8b4459ab38c167b93

SHA1
8a54e8601890e81be5acc61956d3e00a0e326a37

SHA256
1220f33aaf6239b1e62d2bdeb77447582ef3250cdaa0b2213a202a5d397e5797

SHA512
8c98573c96abb8b6c46bb339fb38fa0ef503a3b014523992443ea261e8bb0f8b8d1cb946dc5384233065d86a94509d801330d517823bfc754f517c57dbedb5d5

Download Submit
C:\Windows\{46ADD1CB-2854-4074-A7AA-687AE0E0CD38}.exe

Filesize
408KB

MD5
e2f2fff4bfd43ef8b4459ab38c167b93

SHA1
8a54e8601890e81be5acc61956d3e00a0e326a37

SHA256
1220f33aaf6239b1e62d2bdeb77447582ef3250cdaa0b2213a202a5d397e5797

SHA512
8c98573c96abb8b6c46bb339fb38fa0ef503a3b014523992443ea261e8bb0f8b8d1cb946dc5384233065d86a94509d801330d517823bfc754f517c57dbedb5d5

Download Submit
C:\Windows\{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe

Filesize
408KB

MD5
35fe472dd4a3a0f84c44a093d6b466b9

SHA1
9389765c7e27780a3d9616832f8cbdd5ddf3c9d2

SHA256
e71984cf833b1ef5a108f0846ca92614a71866a4138ad6b12040f0f68890caa9

SHA512
3aeb6ad822dbe57c31665b15735ba64af2e1766937b18ba729529b8d3e8a66d2a75e6c78171e0a9b46b3837b52598ef447281191703154dcc1b942091d8cf942

Download Submit
C:\Windows\{669C60EE-495D-4d2f-9BD5-3A5C428B257C}.exe

Filesize
408KB

MD5
35fe472dd4a3a0f84c44a093d6b466b9

SHA1
9389765c7e27780a3d9616832f8cbdd5ddf3c9d2

SHA256
e71984cf833b1ef5a108f0846ca92614a71866a4138ad6b12040f0f68890caa9

SHA512
3aeb6ad822dbe57c31665b15735ba64af2e1766937b18ba729529b8d3e8a66d2a75e6c78171e0a9b46b3837b52598ef447281191703154dcc1b942091d8cf942

Download Submit
C:\Windows\{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe

Filesize
408KB

MD5
cf5ace50b1903fed075b291c7f2b3d3c

SHA1
a4939318e6d13691d4ef9cf0b96da805c33e57aa

SHA256
1ded44fb61866b60d84701dce8b3040767977329d39754b920738b890db8fca6

SHA512
c60e6e5ee48f6aa627cd4a7970d46e4045d32c051c9954d984eeae3cbd999d83a8576693130330ba23b46a138619588921708c7d22ce9cd8bfb3b0e74e501875

Download Submit
C:\Windows\{74600B96-D794-42c6-BB55-DBAF9F89D13D}.exe

Filesize
408KB

MD5
cf5ace50b1903fed075b291c7f2b3d3c

SHA1
a4939318e6d13691d4ef9cf0b96da805c33e57aa

SHA256
1ded44fb61866b60d84701dce8b3040767977329d39754b920738b890db8fca6

SHA512
c60e6e5ee48f6aa627cd4a7970d46e4045d32c051c9954d984eeae3cbd999d83a8576693130330ba23b46a138619588921708c7d22ce9cd8bfb3b0e74e501875

Download Submit
C:\Windows\{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe

Filesize
408KB

MD5
be45993fa70cc2d70d86308f33eeb454

SHA1
5aae41eaedebc861682b83c1e817a1414c184660

SHA256
c9f03564bc8ec28319c68739c10bdcec47b2ebb900adf2ab155ff74319e9a352

SHA512
2a5446c12dfeca42e130dfe3a2ae23621c5f07f49c414e6d0ea3b05ab485641da86fa4d6b0eb5b251067f55dbfc9bc76c8dd5c5de3ac6cb68d689ac94f1bb0f2

Download Submit
C:\Windows\{A7D74E63-2604-4aa8-A993-6B545647AE10}.exe

Filesize
408KB

MD5
be45993fa70cc2d70d86308f33eeb454

SHA1
5aae41eaedebc861682b83c1e817a1414c184660

SHA256
c9f03564bc8ec28319c68739c10bdcec47b2ebb900adf2ab155ff74319e9a352

SHA512
2a5446c12dfeca42e130dfe3a2ae23621c5f07f49c414e6d0ea3b05ab485641da86fa4d6b0eb5b251067f55dbfc9bc76c8dd5c5de3ac6cb68d689ac94f1bb0f2

Download Submit
C:\Windows\{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe

Filesize
408KB

MD5
6f2133cde36fccf8da70a307a2afa84f

SHA1
c78447b28b8b6885fd76dc1acaa96f65c63a528d

SHA256
b0dc1e3fb739a8e39f1f04ad1cbbf2900aa61bbe37e2943f61629b19e72d054b

SHA512
3ae805bf1325528fbc2b9bfe68e88526bb3e66f0fdcb6c12b617cc34567f0ebf216532fa02aa724e766bdc4a18e55aaf872f78d7b9ec94b39f4be4a1c3810f96

Download Submit
C:\Windows\{A8AC41EB-498C-417f-95A4-B2C752BFF7A6}.exe

Filesize
408KB

MD5
6f2133cde36fccf8da70a307a2afa84f

SHA1
c78447b28b8b6885fd76dc1acaa96f65c63a528d

SHA256
b0dc1e3fb739a8e39f1f04ad1cbbf2900aa61bbe37e2943f61629b19e72d054b

SHA512
3ae805bf1325528fbc2b9bfe68e88526bb3e66f0fdcb6c12b617cc34567f0ebf216532fa02aa724e766bdc4a18e55aaf872f78d7b9ec94b39f4be4a1c3810f96

Download Submit
C:\Windows\{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe

Filesize
408KB

MD5
272b82b4cb8b5bf69cac46c4f8f8661d

SHA1
4b3f041f745e718e01ce122e2c8851187744963f

SHA256
e918a3c22a4c5f853a42b762b4492c631e30833516b5da38a2f566ea9c3856bb

SHA512
c9b346830cc07667fe2426d935ed42319090df257e488fb84939954eb30fdd72b3d130ff629953cb2b7ef475299efaa43845582256f05d03ca84a7447f57516b

Download Submit
C:\Windows\{E1F7F8C8-B954-4873-9707-D7FBB17FEACA}.exe

Filesize
408KB

MD5
272b82b4cb8b5bf69cac46c4f8f8661d

SHA1
4b3f041f745e718e01ce122e2c8851187744963f

SHA256
e918a3c22a4c5f853a42b762b4492c631e30833516b5da38a2f566ea9c3856bb

SHA512
c9b346830cc07667fe2426d935ed42319090df257e488fb84939954eb30fdd72b3d130ff629953cb2b7ef475299efaa43845582256f05d03ca84a7447f57516b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads