cd9c791060306bffeb21f92e51e903e3519506eabcb6dcd28475ec926e8e49fe

Analysis

max time kernel
157s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe
Size

204KB
MD5

ad9a9285cf157d5f9014ad704e8cb27a
SHA1

a73f251d4da30d30381ef516cc60ab8009c23fa2
SHA256

cd9c791060306bffeb21f92e51e903e3519506eabcb6dcd28475ec926e8e49fe
SHA512

5bf943abe0143a5a3dee6d9647ca4a0aa0336f5878eda8cf109a0174b5f4ab3d98a78b53817c36412447377b8d943c5a187d8f8e304aee4f121056ab850a0675
SSDEEP

1536:1EGh0oXl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oXl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0515A6BF-0A97-41de-97BC-53EAAFD102DF}	{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}\stubpath = "C:\\Windows\\{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe"	{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E88BDA15-9C5F-4866-99F7-219B8B2482A6}	{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}	{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EC90135-4BE5-435f-BE80-80BE784A28E6}\stubpath = "C:\\Windows\\{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe"	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0515A6BF-0A97-41de-97BC-53EAAFD102DF}\stubpath = "C:\\Windows\\{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe"	{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}	{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}\stubpath = "C:\\Windows\\{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe"	{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FCD0372-A046-4af1-A92E-659B97039E71}\stubpath = "C:\\Windows\\{7FCD0372-A046-4af1-A92E-659B97039E71}.exe"	{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A941597-5463-47ce-95DC-470FE0FFD523}\stubpath = "C:\\Windows\\{3A941597-5463-47ce-95DC-470FE0FFD523}.exe"	{7FCD0372-A046-4af1-A92E-659B97039E71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DCC347A-8019-4bcd-9CE2-CE7654557540}\stubpath = "C:\\Windows\\{0DCC347A-8019-4bcd-9CE2-CE7654557540}.exe"	{0281B439-38E9-4b87-B898-EF14AEAC4485}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EC90135-4BE5-435f-BE80-80BE784A28E6}	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E88BDA15-9C5F-4866-99F7-219B8B2482A6}\stubpath = "C:\\Windows\\{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe"	{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}	{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}\stubpath = "C:\\Windows\\{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe"	{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0281B439-38E9-4b87-B898-EF14AEAC4485}	{3A941597-5463-47ce-95DC-470FE0FFD523}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0281B439-38E9-4b87-B898-EF14AEAC4485}\stubpath = "C:\\Windows\\{0281B439-38E9-4b87-B898-EF14AEAC4485}.exe"	{3A941597-5463-47ce-95DC-470FE0FFD523}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}	{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA14917B-F1DC-43bf-BA5A-6B3C44606250}	{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA14917B-F1DC-43bf-BA5A-6B3C44606250}\stubpath = "C:\\Windows\\{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe"	{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}\stubpath = "C:\\Windows\\{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe"	{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FCD0372-A046-4af1-A92E-659B97039E71}	{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A941597-5463-47ce-95DC-470FE0FFD523}	{7FCD0372-A046-4af1-A92E-659B97039E71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DCC347A-8019-4bcd-9CE2-CE7654557540}	{0281B439-38E9-4b87-B898-EF14AEAC4485}.exe

Executes dropped EXE 12 IoCs

pid	Process
3696	{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe
2012	{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe
4004	{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe
1492	{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe
1132	{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe
3784	{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe
4076	{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe
4296	{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe
1560	{7FCD0372-A046-4af1-A92E-659B97039E71}.exe
3820	{3A941597-5463-47ce-95DC-470FE0FFD523}.exe
4312	{0281B439-38E9-4b87-B898-EF14AEAC4485}.exe
788	{0DCC347A-8019-4bcd-9CE2-CE7654557540}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe	{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe
File created	C:\Windows\{3A941597-5463-47ce-95DC-470FE0FFD523}.exe	{7FCD0372-A046-4af1-A92E-659B97039E71}.exe
File created	C:\Windows\{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe	{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe
File created	C:\Windows\{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe	{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe
File created	C:\Windows\{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe	{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe
File created	C:\Windows\{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe	{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe
File created	C:\Windows\{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe	{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe
File created	C:\Windows\{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe	{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe
File created	C:\Windows\{7FCD0372-A046-4af1-A92E-659B97039E71}.exe	{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe
File created	C:\Windows\{0281B439-38E9-4b87-B898-EF14AEAC4485}.exe	{3A941597-5463-47ce-95DC-470FE0FFD523}.exe
File created	C:\Windows\{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe
File created	C:\Windows\{0DCC347A-8019-4bcd-9CE2-CE7654557540}.exe	{0281B439-38E9-4b87-B898-EF14AEAC4485}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1120	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3696	{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe
Token: SeIncBasePriorityPrivilege	2012	{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe
Token: SeIncBasePriorityPrivilege	4004	{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe
Token: SeIncBasePriorityPrivilege	1492	{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe
Token: SeIncBasePriorityPrivilege	1132	{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe
Token: SeIncBasePriorityPrivilege	3784	{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe
Token: SeIncBasePriorityPrivilege	4076	{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe
Token: SeIncBasePriorityPrivilege	4296	{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe
Token: SeIncBasePriorityPrivilege	1560	{7FCD0372-A046-4af1-A92E-659B97039E71}.exe
Token: SeIncBasePriorityPrivilege	3820	{3A941597-5463-47ce-95DC-470FE0FFD523}.exe
Token: SeIncBasePriorityPrivilege	4312	{0281B439-38E9-4b87-B898-EF14AEAC4485}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 3696	1120	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	90
PID 1120 wrote to memory of 3696	1120	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	90
PID 1120 wrote to memory of 3696	1120	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	90
PID 1120 wrote to memory of 4900	1120	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	91
PID 1120 wrote to memory of 4900	1120	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	91
PID 1120 wrote to memory of 4900	1120	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	91
PID 3696 wrote to memory of 2012	3696	{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe	94
PID 3696 wrote to memory of 2012	3696	{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe	94
PID 3696 wrote to memory of 2012	3696	{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe	94
PID 3696 wrote to memory of 224	3696	{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe	95
PID 3696 wrote to memory of 224	3696	{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe	95
PID 3696 wrote to memory of 224	3696	{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe	95
PID 2012 wrote to memory of 4004	2012	{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe	98
PID 2012 wrote to memory of 4004	2012	{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe	98
PID 2012 wrote to memory of 4004	2012	{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe	98
PID 2012 wrote to memory of 4864	2012	{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe	97
PID 2012 wrote to memory of 4864	2012	{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe	97
PID 2012 wrote to memory of 4864	2012	{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe	97
PID 4004 wrote to memory of 1492	4004	{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe	99
PID 4004 wrote to memory of 1492	4004	{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe	99
PID 4004 wrote to memory of 1492	4004	{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe	99
PID 4004 wrote to memory of 1128	4004	{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe	100
PID 4004 wrote to memory of 1128	4004	{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe	100
PID 4004 wrote to memory of 1128	4004	{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe	100
PID 1492 wrote to memory of 1132	1492	{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe	101
PID 1492 wrote to memory of 1132	1492	{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe	101
PID 1492 wrote to memory of 1132	1492	{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe	101
PID 1492 wrote to memory of 3804	1492	{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe	102
PID 1492 wrote to memory of 3804	1492	{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe	102
PID 1492 wrote to memory of 3804	1492	{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe	102
PID 1132 wrote to memory of 3784	1132	{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe	103
PID 1132 wrote to memory of 3784	1132	{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe	103
PID 1132 wrote to memory of 3784	1132	{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe	103
PID 1132 wrote to memory of 4520	1132	{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe	104
PID 1132 wrote to memory of 4520	1132	{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe	104
PID 1132 wrote to memory of 4520	1132	{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe	104
PID 3784 wrote to memory of 4076	3784	{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe	105
PID 3784 wrote to memory of 4076	3784	{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe	105
PID 3784 wrote to memory of 4076	3784	{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe	105
PID 3784 wrote to memory of 672	3784	{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe	106
PID 3784 wrote to memory of 672	3784	{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe	106
PID 3784 wrote to memory of 672	3784	{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe	106
PID 4076 wrote to memory of 4296	4076	{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe	109
PID 4076 wrote to memory of 4296	4076	{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe	109
PID 4076 wrote to memory of 4296	4076	{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe	109
PID 4076 wrote to memory of 4348	4076	{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe	110
PID 4076 wrote to memory of 4348	4076	{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe	110
PID 4076 wrote to memory of 4348	4076	{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe	110
PID 4296 wrote to memory of 1560	4296	{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe	111
PID 4296 wrote to memory of 1560	4296	{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe	111
PID 4296 wrote to memory of 1560	4296	{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe	111
PID 4296 wrote to memory of 4352	4296	{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe	112
PID 4296 wrote to memory of 4352	4296	{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe	112
PID 4296 wrote to memory of 4352	4296	{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe	112
PID 1560 wrote to memory of 3820	1560	{7FCD0372-A046-4af1-A92E-659B97039E71}.exe	113
PID 1560 wrote to memory of 3820	1560	{7FCD0372-A046-4af1-A92E-659B97039E71}.exe	113
PID 1560 wrote to memory of 3820	1560	{7FCD0372-A046-4af1-A92E-659B97039E71}.exe	113
PID 1560 wrote to memory of 1436	1560	{7FCD0372-A046-4af1-A92E-659B97039E71}.exe	114
PID 1560 wrote to memory of 1436	1560	{7FCD0372-A046-4af1-A92E-659B97039E71}.exe	114
PID 1560 wrote to memory of 1436	1560	{7FCD0372-A046-4af1-A92E-659B97039E71}.exe	114
PID 3820 wrote to memory of 4312	3820	{3A941597-5463-47ce-95DC-470FE0FFD523}.exe	116
PID 3820 wrote to memory of 4312	3820	{3A941597-5463-47ce-95DC-470FE0FFD523}.exe	116
PID 3820 wrote to memory of 4312	3820	{3A941597-5463-47ce-95DC-470FE0FFD523}.exe	116
PID 3820 wrote to memory of 4420	3820	{3A941597-5463-47ce-95DC-470FE0FFD523}.exe	115

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe
  C:\Windows\{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe
    C:\Windows\{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0515A~1.EXE > nul
      4⤵
      PID:4864
  - - C:\Windows\{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe
      C:\Windows\{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4004
    - - C:\Windows\{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe
        
        C:\Windows\{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - C:\Windows\{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe
        
        C:\Windows\{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe
        
        C:\Windows\{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe
        
        C:\Windows\{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe
        
        C:\Windows\{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\{7FCD0372-A046-4af1-A92E-659B97039E71}.exe
        
        C:\Windows\{7FCD0372-A046-4af1-A92E-659B97039E71}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\{3A941597-5463-47ce-95DC-470FE0FFD523}.exe
        
        C:\Windows\{3A941597-5463-47ce-95DC-470FE0FFD523}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A941~1.EXE > nul
        12⤵
        
        PID:4420
        
        C:\Windows\{0281B439-38E9-4b87-B898-EF14AEAC4485}.exe
        
        C:\Windows\{0281B439-38E9-4b87-B898-EF14AEAC4485}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
        
        C:\Windows\{0DCC347A-8019-4bcd-9CE2-CE7654557540}.exe
        
        C:\Windows\{0DCC347A-8019-4bcd-9CE2-CE7654557540}.exe
        13⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0281B~1.EXE > nul
        13⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FCD0~1.EXE > nul
        11⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B23FB~1.EXE > nul
        10⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C7F1~1.EXE > nul
        9⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11D5B~1.EXE > nul
        8⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E88BD~1.EXE > nul
        7⤵
        
        PID:4520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA149~1.EXE > nul
        6⤵
        
        PID:3804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8716~1.EXE > nul
        5⤵
        
        PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4EC90~1.EXE > nul
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0281B439-38E9-4b87-B898-EF14AEAC4485}.exe

Filesize
204KB

MD5
554efa03a71719eb6ac2ae6361e4da87

SHA1
5095aa682285d2253bb0c2c880f977025834e0a6

SHA256
c840a2db5ccd1daa69ce1fe1a35d290e644ae9ba49ea52e49c557210a66a44b8

SHA512
545180dd983cfc8d0bbcc7613b0f185b347dd4f044a310034ab08d1496aa0391f02452d3c89378af9d3d4d64dd4a3a262c88a204082df7507b8af531329e11fe

Download Submit
C:\Windows\{0281B439-38E9-4b87-B898-EF14AEAC4485}.exe

Filesize
204KB

MD5
554efa03a71719eb6ac2ae6361e4da87

SHA1
5095aa682285d2253bb0c2c880f977025834e0a6

SHA256
c840a2db5ccd1daa69ce1fe1a35d290e644ae9ba49ea52e49c557210a66a44b8

SHA512
545180dd983cfc8d0bbcc7613b0f185b347dd4f044a310034ab08d1496aa0391f02452d3c89378af9d3d4d64dd4a3a262c88a204082df7507b8af531329e11fe

Download Submit
C:\Windows\{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe

Filesize
204KB

MD5
a29b03c2abbb3182e5ee56afbd05d4fb

SHA1
1d8452fdd6ac1840136cda60902f07d92dad4677

SHA256
c26935731c3302df1a96cfd74323c04c1110859b9a8c3ed67c6e5746b4f4b591

SHA512
638e8476754d8954095bd32e216257765863745b2571cfa0ded95d454d355a63e31b652d816882a7cbcd045a9730fe88671ef7c7eb5480c0ad05b5a07bb2a66e

Download Submit
C:\Windows\{0515A6BF-0A97-41de-97BC-53EAAFD102DF}.exe

Filesize
204KB

MD5
a29b03c2abbb3182e5ee56afbd05d4fb

SHA1
1d8452fdd6ac1840136cda60902f07d92dad4677

SHA256
c26935731c3302df1a96cfd74323c04c1110859b9a8c3ed67c6e5746b4f4b591

SHA512
638e8476754d8954095bd32e216257765863745b2571cfa0ded95d454d355a63e31b652d816882a7cbcd045a9730fe88671ef7c7eb5480c0ad05b5a07bb2a66e

Download Submit
C:\Windows\{0DCC347A-8019-4bcd-9CE2-CE7654557540}.exe

Filesize
204KB

MD5
f5fb67a03594f0fa6970626d37217937

SHA1
61bc4d1a5278067debb3d34584335b9b583b885b

SHA256
5cc1efad339742dbe45cbc72ac1180c48a8c4e1294b9b1bb8119818e4cbf5c58

SHA512
bb9505b0f0b0ce359d3bf731383bb6a63e15b555b811bd9bf4810fa1e4fed6e6d361b561be9759e6c17fbdd2667015bb31579080bc8c9136a7d78e98ea2a57de

Download Submit
C:\Windows\{0DCC347A-8019-4bcd-9CE2-CE7654557540}.exe

Filesize
204KB

MD5
f5fb67a03594f0fa6970626d37217937

SHA1
61bc4d1a5278067debb3d34584335b9b583b885b

SHA256
5cc1efad339742dbe45cbc72ac1180c48a8c4e1294b9b1bb8119818e4cbf5c58

SHA512
bb9505b0f0b0ce359d3bf731383bb6a63e15b555b811bd9bf4810fa1e4fed6e6d361b561be9759e6c17fbdd2667015bb31579080bc8c9136a7d78e98ea2a57de

Download Submit
C:\Windows\{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe

Filesize
204KB

MD5
4ba39ef40fc849c6334d7f4b49bde0ea

SHA1
905dae9f21933b86a77a7361263804685930de42

SHA256
0a08aca4c4b76ac492e0a374c1b0ba505b2769fcd0c024e90a880425da32bc6e

SHA512
055343457375f53ef5e9fe5c78fef03c89e8b368ef82ff9bd410ac927fefa1e2465628c8ff398dd9d89e677a0407c7e79bd59ae81ed6a98682a70c7251e494f8

Download Submit
C:\Windows\{11D5B937-EBF7-4737-8C0A-0811C0C4CC50}.exe

Filesize
204KB

MD5
4ba39ef40fc849c6334d7f4b49bde0ea

SHA1
905dae9f21933b86a77a7361263804685930de42

SHA256
0a08aca4c4b76ac492e0a374c1b0ba505b2769fcd0c024e90a880425da32bc6e

SHA512
055343457375f53ef5e9fe5c78fef03c89e8b368ef82ff9bd410ac927fefa1e2465628c8ff398dd9d89e677a0407c7e79bd59ae81ed6a98682a70c7251e494f8

Download Submit
C:\Windows\{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe

Filesize
204KB

MD5
a8b6db595734c132f3dde1c0ed5d5d28

SHA1
83086c88b3963264e3959437a8a2080d9fea88b7

SHA256
bedfcb876b0ae1227e11c06f90588b1cc2fe299738b177b544af84eafd678dd9

SHA512
c68f8d4ce27dc24a0e93671adfbd026c5779fe564e6122099dc8394af9a1f2089a4c24a7c06a3882247f0d6090d39d62b363e11a9b065876766bb85dcb2ffbd7

Download Submit
C:\Windows\{1C7F16CE-7826-45a8-86AE-838D7CA5BB1E}.exe

Filesize
204KB

MD5
a8b6db595734c132f3dde1c0ed5d5d28

SHA1
83086c88b3963264e3959437a8a2080d9fea88b7

SHA256
bedfcb876b0ae1227e11c06f90588b1cc2fe299738b177b544af84eafd678dd9

SHA512
c68f8d4ce27dc24a0e93671adfbd026c5779fe564e6122099dc8394af9a1f2089a4c24a7c06a3882247f0d6090d39d62b363e11a9b065876766bb85dcb2ffbd7

Download Submit
C:\Windows\{3A941597-5463-47ce-95DC-470FE0FFD523}.exe

Filesize
204KB

MD5
6771af51151508b79f89a3e2cc2837dd

SHA1
e3d109513634b489cbd421169b4699da41259af1

SHA256
5db92911dd8888cff7af7d29a2ac98810dc484dc6dea0a1fc54f0385beb3148a

SHA512
3d847d05739bd7742651c083b363f296b903264bfe02cc0a352499cef31c1f7afacc8e98e105d9f63f5fb4c2401212ea15a79d180b16274798413c37f3481c06

Download Submit
C:\Windows\{3A941597-5463-47ce-95DC-470FE0FFD523}.exe

Filesize
204KB

MD5
6771af51151508b79f89a3e2cc2837dd

SHA1
e3d109513634b489cbd421169b4699da41259af1

SHA256
5db92911dd8888cff7af7d29a2ac98810dc484dc6dea0a1fc54f0385beb3148a

SHA512
3d847d05739bd7742651c083b363f296b903264bfe02cc0a352499cef31c1f7afacc8e98e105d9f63f5fb4c2401212ea15a79d180b16274798413c37f3481c06

Download Submit
C:\Windows\{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe

Filesize
204KB

MD5
28b23b0a6b841fda46f4fdd9fe1520cc

SHA1
3fc661ca55ee44c84cabb2dab005274077ef3728

SHA256
4550b35d8ebfd77c19348ca3a1ef9137db083e284e42442bbfda96f6cefbbcd9

SHA512
b48b127002b83f57291bf4e609245648a9397b4de861c0046bc11f6f08a61c7c510b538fae8495e4abcdf1865c742b3b5ab7f31a319585429182add129d1e29d

Download Submit
C:\Windows\{4EC90135-4BE5-435f-BE80-80BE784A28E6}.exe

Filesize
204KB

MD5
28b23b0a6b841fda46f4fdd9fe1520cc

SHA1
3fc661ca55ee44c84cabb2dab005274077ef3728

SHA256
4550b35d8ebfd77c19348ca3a1ef9137db083e284e42442bbfda96f6cefbbcd9

SHA512
b48b127002b83f57291bf4e609245648a9397b4de861c0046bc11f6f08a61c7c510b538fae8495e4abcdf1865c742b3b5ab7f31a319585429182add129d1e29d

Download Submit
C:\Windows\{7FCD0372-A046-4af1-A92E-659B97039E71}.exe

Filesize
204KB

MD5
42074d2a8f1c437fa15eb5602b4673bf

SHA1
6ac2554939650bc50d336ed62ddc2fafcba8d2d6

SHA256
3773be29ae1a8fa73e534387272ba5b08dbf8e111e3f2f88a43f845e50bddff6

SHA512
f71d16dc05bc3d957323dee3554e25def76a3403d321975fd7c53f4e9b60e8eacd7a78991710b9b011532571a7fe1f6802a4483db949ef7e0cb29003c15bb501

Download Submit
C:\Windows\{7FCD0372-A046-4af1-A92E-659B97039E71}.exe

Filesize
204KB

MD5
42074d2a8f1c437fa15eb5602b4673bf

SHA1
6ac2554939650bc50d336ed62ddc2fafcba8d2d6

SHA256
3773be29ae1a8fa73e534387272ba5b08dbf8e111e3f2f88a43f845e50bddff6

SHA512
f71d16dc05bc3d957323dee3554e25def76a3403d321975fd7c53f4e9b60e8eacd7a78991710b9b011532571a7fe1f6802a4483db949ef7e0cb29003c15bb501

Download Submit
C:\Windows\{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe

Filesize
204KB

MD5
93ac34d54fa909800e537aa736fd952c

SHA1
b137e197fb9b26b0f76b73349c349eb5d0365d31

SHA256
dc51bf0ec55b0d829acd41f6e5f3c0830c8af3853796e0a2abf133e2ee0e892e

SHA512
b485099694313aae076781bfe3197100d489e055dd5481d86e1a63ddbfadcfaa075e5cfc88ac0784091fa5f4a5de0625991902de945d893b413fdf418641ef7c

Download Submit
C:\Windows\{B23FBB16-BAA5-492f-B7E0-1D12DBA35C29}.exe

Filesize
204KB

MD5
93ac34d54fa909800e537aa736fd952c

SHA1
b137e197fb9b26b0f76b73349c349eb5d0365d31

SHA256
dc51bf0ec55b0d829acd41f6e5f3c0830c8af3853796e0a2abf133e2ee0e892e

SHA512
b485099694313aae076781bfe3197100d489e055dd5481d86e1a63ddbfadcfaa075e5cfc88ac0784091fa5f4a5de0625991902de945d893b413fdf418641ef7c

Download Submit
C:\Windows\{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe

Filesize
204KB

MD5
24e0bd0959e688787f662779f3455bbb

SHA1
d2f62d2615ac1e9b6f4727fee3fa3e19fd8d9243

SHA256
c622e2a10e7ca3ec5729045bc16caf116447d1d67a933dbb2f58eeb88f5dff79

SHA512
cdf3ff0dd7dd92e05b215b1a6a4cc654b5d57e87d73b75db8797bb9621915519a9fcaf746183f1121b3359a36c72766fe098a4ea9639453654fb5fb40e1a54af

Download Submit
C:\Windows\{E88BDA15-9C5F-4866-99F7-219B8B2482A6}.exe

Filesize
204KB

MD5
24e0bd0959e688787f662779f3455bbb

SHA1
d2f62d2615ac1e9b6f4727fee3fa3e19fd8d9243

SHA256
c622e2a10e7ca3ec5729045bc16caf116447d1d67a933dbb2f58eeb88f5dff79

SHA512
cdf3ff0dd7dd92e05b215b1a6a4cc654b5d57e87d73b75db8797bb9621915519a9fcaf746183f1121b3359a36c72766fe098a4ea9639453654fb5fb40e1a54af

Download Submit
C:\Windows\{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe

Filesize
204KB

MD5
890c031e9c239dd8b9a5f6b7d0c4f829

SHA1
08b903d5b98c605f46603381420aac4bbb35973c

SHA256
65f41f2d6a1967c4efa42400693e70a00c93caaaf3712b0da5e9f780c084b5f7

SHA512
4d4632946414cb71f810af86075f19ba26f9a83b9a1c75b31be2931f6b1ec30228c855a5a38d4ee2b207ef5448250d5f0bcfb9fac3dcb55bdd0610133eb712fa

Download Submit
C:\Windows\{EA14917B-F1DC-43bf-BA5A-6B3C44606250}.exe

Filesize
204KB

MD5
890c031e9c239dd8b9a5f6b7d0c4f829

SHA1
08b903d5b98c605f46603381420aac4bbb35973c

SHA256
65f41f2d6a1967c4efa42400693e70a00c93caaaf3712b0da5e9f780c084b5f7

SHA512
4d4632946414cb71f810af86075f19ba26f9a83b9a1c75b31be2931f6b1ec30228c855a5a38d4ee2b207ef5448250d5f0bcfb9fac3dcb55bdd0610133eb712fa

Download Submit
C:\Windows\{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe

Filesize
204KB

MD5
3f542a7fb8d1a88602e6c3cc6b67f2f8

SHA1
c31b4aabf3dcbe7317f495f0adb8aeb4190273bb

SHA256
8ab13f16c57351d85faa31155a46a74f0abf072f61a57398287edf7a93281eca

SHA512
c1f5dc55666f7cb46310fb8532ae238d21e9ec5f2f5aea4609de720dae9b4974b7894777d8e997e35e16c9a8a3dc60414fd3480dcd842a1ba197af6e71900ea0

Download Submit
C:\Windows\{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe

Filesize
204KB

MD5
3f542a7fb8d1a88602e6c3cc6b67f2f8

SHA1
c31b4aabf3dcbe7317f495f0adb8aeb4190273bb

SHA256
8ab13f16c57351d85faa31155a46a74f0abf072f61a57398287edf7a93281eca

SHA512
c1f5dc55666f7cb46310fb8532ae238d21e9ec5f2f5aea4609de720dae9b4974b7894777d8e997e35e16c9a8a3dc60414fd3480dcd842a1ba197af6e71900ea0

Download Submit
C:\Windows\{F8716CBB-F7A8-466b-8D0E-ABAC484C72EE}.exe

Filesize
204KB

MD5
3f542a7fb8d1a88602e6c3cc6b67f2f8

SHA1
c31b4aabf3dcbe7317f495f0adb8aeb4190273bb

SHA256
8ab13f16c57351d85faa31155a46a74f0abf072f61a57398287edf7a93281eca

SHA512
c1f5dc55666f7cb46310fb8532ae238d21e9ec5f2f5aea4609de720dae9b4974b7894777d8e997e35e16c9a8a3dc60414fd3480dcd842a1ba197af6e71900ea0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads