d51f8e9b4744addf363f682060ca883d22d6b562c9cccc13b209f86230f649d2

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe
Size

192KB
MD5

6c48d030f70c63f64f4060bbc8e268da
SHA1

38215da17782e2bc1bd37472b72a6e19318b9b79
SHA256

d51f8e9b4744addf363f682060ca883d22d6b562c9cccc13b209f86230f649d2
SHA512

56a03344bcab93dd56f0b402a8b01f8756d0b6fd7f2976a2d090b58d0254609f1277a09e16842def6af7fb4134331ba6c4b44ef778b8f58f7a7fcc6e0c821b20
SSDEEP

1536:1EGh0oLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oLl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}\stubpath = "C:\\Windows\\{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe"	{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F06F4651-3EA8-4339-9255-47F69D318732}	{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{579C3E65-4B79-4663-84CD-A00698E1813B}	{B9A1F59D-C2E0-4e70-A550-8F85D846C091}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}	{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8A23816-0176-4597-B050-0AE4DE50FA04}	{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8A23816-0176-4597-B050-0AE4DE50FA04}\stubpath = "C:\\Windows\\{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe"	{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFF26071-A9D1-475f-ADAE-EA117013D8CE}	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65618CF8-7FD1-431f-8910-792E873AEDD6}\stubpath = "C:\\Windows\\{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe"	{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}\stubpath = "C:\\Windows\\{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe"	{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}\stubpath = "C:\\Windows\\{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe"	{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9A1F59D-C2E0-4e70-A550-8F85D846C091}	{F06F4651-3EA8-4339-9255-47F69D318732}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFF26071-A9D1-475f-ADAE-EA117013D8CE}\stubpath = "C:\\Windows\\{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe"	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}\stubpath = "C:\\Windows\\{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe"	{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB62A0FB-1B36-4131-AE8C-D730832244AD}\stubpath = "C:\\Windows\\{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe"	{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}	{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}	{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}\stubpath = "C:\\Windows\\{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe"	{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}	{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F06F4651-3EA8-4339-9255-47F69D318732}\stubpath = "C:\\Windows\\{F06F4651-3EA8-4339-9255-47F69D318732}.exe"	{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65618CF8-7FD1-431f-8910-792E873AEDD6}	{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB62A0FB-1B36-4131-AE8C-D730832244AD}	{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}	{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9A1F59D-C2E0-4e70-A550-8F85D846C091}\stubpath = "C:\\Windows\\{B9A1F59D-C2E0-4e70-A550-8F85D846C091}.exe"	{F06F4651-3EA8-4339-9255-47F69D318732}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{579C3E65-4B79-4663-84CD-A00698E1813B}\stubpath = "C:\\Windows\\{579C3E65-4B79-4663-84CD-A00698E1813B}.exe"	{B9A1F59D-C2E0-4e70-A550-8F85D846C091}.exe

Executes dropped EXE 12 IoCs

pid	Process
2996	{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe
4884	{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe
3868	{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe
324	{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe
1504	{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe
2120	{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe
2708	{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe
3008	{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe
5040	{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe
1516	{F06F4651-3EA8-4339-9255-47F69D318732}.exe
3712	{B9A1F59D-C2E0-4e70-A550-8F85D846C091}.exe
5044	{579C3E65-4B79-4663-84CD-A00698E1813B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe	{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe
File created	C:\Windows\{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe	{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe
File created	C:\Windows\{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe	{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe
File created	C:\Windows\{F06F4651-3EA8-4339-9255-47F69D318732}.exe	{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe
File created	C:\Windows\{B9A1F59D-C2E0-4e70-A550-8F85D846C091}.exe	{F06F4651-3EA8-4339-9255-47F69D318732}.exe
File created	C:\Windows\{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe	{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe
File created	C:\Windows\{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe	{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe
File created	C:\Windows\{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe	{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe
File created	C:\Windows\{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe	{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe
File created	C:\Windows\{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe	{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe
File created	C:\Windows\{579C3E65-4B79-4663-84CD-A00698E1813B}.exe	{B9A1F59D-C2E0-4e70-A550-8F85D846C091}.exe
File created	C:\Windows\{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4620	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2996	{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe
Token: SeIncBasePriorityPrivilege	4884	{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe
Token: SeIncBasePriorityPrivilege	3868	{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe
Token: SeIncBasePriorityPrivilege	324	{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe
Token: SeIncBasePriorityPrivilege	1504	{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe
Token: SeIncBasePriorityPrivilege	2120	{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe
Token: SeIncBasePriorityPrivilege	2708	{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe
Token: SeIncBasePriorityPrivilege	3008	{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe
Token: SeIncBasePriorityPrivilege	5040	{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe
Token: SeIncBasePriorityPrivilege	1516	{F06F4651-3EA8-4339-9255-47F69D318732}.exe
Token: SeIncBasePriorityPrivilege	3712	{B9A1F59D-C2E0-4e70-A550-8F85D846C091}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 2996	4620	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	87
PID 4620 wrote to memory of 2996	4620	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	87
PID 4620 wrote to memory of 2996	4620	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	87
PID 4620 wrote to memory of 4984	4620	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	88
PID 4620 wrote to memory of 4984	4620	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	88
PID 4620 wrote to memory of 4984	4620	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	88
PID 2996 wrote to memory of 4884	2996	{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe	89
PID 2996 wrote to memory of 4884	2996	{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe	89
PID 2996 wrote to memory of 4884	2996	{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe	89
PID 2996 wrote to memory of 3428	2996	{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe	90
PID 2996 wrote to memory of 3428	2996	{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe	90
PID 2996 wrote to memory of 3428	2996	{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe	90
PID 4884 wrote to memory of 3868	4884	{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe	95
PID 4884 wrote to memory of 3868	4884	{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe	95
PID 4884 wrote to memory of 3868	4884	{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe	95
PID 4884 wrote to memory of 2540	4884	{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe	94
PID 4884 wrote to memory of 2540	4884	{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe	94
PID 4884 wrote to memory of 2540	4884	{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe	94
PID 3868 wrote to memory of 324	3868	{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe	96
PID 3868 wrote to memory of 324	3868	{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe	96
PID 3868 wrote to memory of 324	3868	{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe	96
PID 3868 wrote to memory of 1464	3868	{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe	97
PID 3868 wrote to memory of 1464	3868	{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe	97
PID 3868 wrote to memory of 1464	3868	{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe	97
PID 324 wrote to memory of 1504	324	{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe	98
PID 324 wrote to memory of 1504	324	{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe	98
PID 324 wrote to memory of 1504	324	{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe	98
PID 324 wrote to memory of 2136	324	{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe	99
PID 324 wrote to memory of 2136	324	{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe	99
PID 324 wrote to memory of 2136	324	{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe	99
PID 1504 wrote to memory of 2120	1504	{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe	100
PID 1504 wrote to memory of 2120	1504	{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe	100
PID 1504 wrote to memory of 2120	1504	{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe	100
PID 1504 wrote to memory of 236	1504	{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe	101
PID 1504 wrote to memory of 236	1504	{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe	101
PID 1504 wrote to memory of 236	1504	{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe	101
PID 2120 wrote to memory of 2708	2120	{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe	102
PID 2120 wrote to memory of 2708	2120	{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe	102
PID 2120 wrote to memory of 2708	2120	{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe	102
PID 2120 wrote to memory of 3124	2120	{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe	103
PID 2120 wrote to memory of 3124	2120	{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe	103
PID 2120 wrote to memory of 3124	2120	{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe	103
PID 2708 wrote to memory of 3008	2708	{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe	104
PID 2708 wrote to memory of 3008	2708	{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe	104
PID 2708 wrote to memory of 3008	2708	{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe	104
PID 2708 wrote to memory of 4028	2708	{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe	105
PID 2708 wrote to memory of 4028	2708	{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe	105
PID 2708 wrote to memory of 4028	2708	{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe	105
PID 3008 wrote to memory of 5040	3008	{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe	106
PID 3008 wrote to memory of 5040	3008	{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe	106
PID 3008 wrote to memory of 5040	3008	{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe	106
PID 3008 wrote to memory of 4632	3008	{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe	107
PID 3008 wrote to memory of 4632	3008	{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe	107
PID 3008 wrote to memory of 4632	3008	{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe	107
PID 5040 wrote to memory of 1516	5040	{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe	108
PID 5040 wrote to memory of 1516	5040	{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe	108
PID 5040 wrote to memory of 1516	5040	{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe	108
PID 5040 wrote to memory of 4224	5040	{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe	109
PID 5040 wrote to memory of 4224	5040	{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe	109
PID 5040 wrote to memory of 4224	5040	{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe	109
PID 1516 wrote to memory of 3712	1516	{F06F4651-3EA8-4339-9255-47F69D318732}.exe	110
PID 1516 wrote to memory of 3712	1516	{F06F4651-3EA8-4339-9255-47F69D318732}.exe	110
PID 1516 wrote to memory of 3712	1516	{F06F4651-3EA8-4339-9255-47F69D318732}.exe	110
PID 1516 wrote to memory of 116	1516	{F06F4651-3EA8-4339-9255-47F69D318732}.exe	111

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe
  C:\Windows\{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe
    C:\Windows\{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8900D~1.EXE > nul
      4⤵
      PID:2540
  - - C:\Windows\{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe
      C:\Windows\{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Windows\{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe
        
        C:\Windows\{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
      - C:\Windows\{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe
        
        C:\Windows\{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe
        
        C:\Windows\{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe
        
        C:\Windows\{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe
        
        C:\Windows\{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe
        
        C:\Windows\{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{F06F4651-3EA8-4339-9255-47F69D318732}.exe
        
        C:\Windows\{F06F4651-3EA8-4339-9255-47F69D318732}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\{B9A1F59D-C2E0-4e70-A550-8F85D846C091}.exe
        
        C:\Windows\{B9A1F59D-C2E0-4e70-A550-8F85D846C091}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
        
        C:\Windows\{579C3E65-4B79-4663-84CD-A00698E1813B}.exe
        
        C:\Windows\{579C3E65-4B79-4663-84CD-A00698E1813B}.exe
        13⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9A1F~1.EXE > nul
        13⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F06F4~1.EXE > nul
        12⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FCF3~1.EXE > nul
        11⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{833EA~1.EXE > nul
        10⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3C2D~1.EXE > nul
        9⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2B3A~1.EXE > nul
        8⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB62A~1.EXE > nul
        7⤵
        
        PID:236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8A23~1.EXE > nul
        6⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65618~1.EXE > nul
        5⤵
        
        PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CFF26~1.EXE > nul
    3⤵
    PID:3428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe

Filesize
192KB

MD5
3ba7eda548167b7d672c6cb155a60941

SHA1
1c857ade98b2819cf2c250cf2f8fe4e6af8282c4

SHA256
91b9d2957b81bd24b557dd527351ac993cb6ceabdc861c57025671bd01fe29cf

SHA512
41313178e8f50a8934b3bbd0fcbd45a44c04e4e4253d68155744bf71b2c65949db6ae849fd2160494972ceb393bbd9eabe1bb92b7f76e788fafe78fad643f046

Download Submit
C:\Windows\{3FCF3D55-F904-4c50-BB76-5D77FCA1A542}.exe

Filesize
192KB

MD5
3ba7eda548167b7d672c6cb155a60941

SHA1
1c857ade98b2819cf2c250cf2f8fe4e6af8282c4

SHA256
91b9d2957b81bd24b557dd527351ac993cb6ceabdc861c57025671bd01fe29cf

SHA512
41313178e8f50a8934b3bbd0fcbd45a44c04e4e4253d68155744bf71b2c65949db6ae849fd2160494972ceb393bbd9eabe1bb92b7f76e788fafe78fad643f046

Download Submit
C:\Windows\{579C3E65-4B79-4663-84CD-A00698E1813B}.exe

Filesize
192KB

MD5
63d25bcf0a82e352d8ad46aad1a1514a

SHA1
90dbd239e518b35eb3ebc2ddf6b1101a5c7a2612

SHA256
9f42b822bf7704ffbdf27b15dc9460dd384778572be53e19d31bf33dc3692ff0

SHA512
e69d6eb36bd322a755b1ce0c1c4ff886bc692ccaeb4bd08024a26c10b9943c6f3fd6d20a9e6ace189e0b07f431176c3a7220f2f905d8217ee30b53afa599d5b8

Download Submit
C:\Windows\{579C3E65-4B79-4663-84CD-A00698E1813B}.exe

Filesize
192KB

MD5
63d25bcf0a82e352d8ad46aad1a1514a

SHA1
90dbd239e518b35eb3ebc2ddf6b1101a5c7a2612

SHA256
9f42b822bf7704ffbdf27b15dc9460dd384778572be53e19d31bf33dc3692ff0

SHA512
e69d6eb36bd322a755b1ce0c1c4ff886bc692ccaeb4bd08024a26c10b9943c6f3fd6d20a9e6ace189e0b07f431176c3a7220f2f905d8217ee30b53afa599d5b8

Download Submit
C:\Windows\{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe

Filesize
192KB

MD5
5274ffa80685d93bde1bf69b73b5b3bf

SHA1
65a0a05c6021afd02701edc2aaec0bfe9f984417

SHA256
f0d61010b2787f4181d78b9b3f5608ec721281eef4d4e2c1d83b095d2a976df4

SHA512
67770059c04129df56b524885c10f4f21c6b626bb46df73c5f82d35b76787996ab651a081e3608224b4fe44604801bfee7e957e190a1490ec69a86dc8af372e8

Download Submit
C:\Windows\{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe

Filesize
192KB

MD5
5274ffa80685d93bde1bf69b73b5b3bf

SHA1
65a0a05c6021afd02701edc2aaec0bfe9f984417

SHA256
f0d61010b2787f4181d78b9b3f5608ec721281eef4d4e2c1d83b095d2a976df4

SHA512
67770059c04129df56b524885c10f4f21c6b626bb46df73c5f82d35b76787996ab651a081e3608224b4fe44604801bfee7e957e190a1490ec69a86dc8af372e8

Download Submit
C:\Windows\{65618CF8-7FD1-431f-8910-792E873AEDD6}.exe

Filesize
192KB

MD5
5274ffa80685d93bde1bf69b73b5b3bf

SHA1
65a0a05c6021afd02701edc2aaec0bfe9f984417

SHA256
f0d61010b2787f4181d78b9b3f5608ec721281eef4d4e2c1d83b095d2a976df4

SHA512
67770059c04129df56b524885c10f4f21c6b626bb46df73c5f82d35b76787996ab651a081e3608224b4fe44604801bfee7e957e190a1490ec69a86dc8af372e8

Download Submit
C:\Windows\{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe

Filesize
192KB

MD5
d3a0a81bd3133ef5da3599a8f266dd7b

SHA1
ca10b05f9756c25616d7e1cd732cf8263ee721cf

SHA256
c648eb72e9bfebf4ba48990ff97ca7f2435c43afbdcc75dfbc4aa43ccf651e71

SHA512
5f68c777cb222200c42b526c883cbbbb56dfbea6b7a70e6b84b243f5ae894ac448aae7a2aa7015ae42dab19db776292b39b9ca86f77fcae053232dd80d35d833

Download Submit
C:\Windows\{833EAEF2-DBBD-4124-9FBB-D69E8880B1A8}.exe

Filesize
192KB

MD5
d3a0a81bd3133ef5da3599a8f266dd7b

SHA1
ca10b05f9756c25616d7e1cd732cf8263ee721cf

SHA256
c648eb72e9bfebf4ba48990ff97ca7f2435c43afbdcc75dfbc4aa43ccf651e71

SHA512
5f68c777cb222200c42b526c883cbbbb56dfbea6b7a70e6b84b243f5ae894ac448aae7a2aa7015ae42dab19db776292b39b9ca86f77fcae053232dd80d35d833

Download Submit
C:\Windows\{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe

Filesize
192KB

MD5
256e9538e36fbbc614fd575c5a6fe654

SHA1
cf044cbc623b294419ae02f5c4c5ecedbf1ef2cd

SHA256
b5b0116efc186fcd145651cbb114a2249399bcc6d6eac9be859b000a0a30ae0c

SHA512
cfda042c0e21be37b782f9fdb58db161602e86e5ed2c6c29a613e2df6d0f38c49e96983d6c8d074ef97c8b9a72fc9a038158ec8d8940122268c4aa9539242300

Download Submit
C:\Windows\{8900DC8E-7B77-4a53-AD98-0434FAE5BD6B}.exe

Filesize
192KB

MD5
256e9538e36fbbc614fd575c5a6fe654

SHA1
cf044cbc623b294419ae02f5c4c5ecedbf1ef2cd

SHA256
b5b0116efc186fcd145651cbb114a2249399bcc6d6eac9be859b000a0a30ae0c

SHA512
cfda042c0e21be37b782f9fdb58db161602e86e5ed2c6c29a613e2df6d0f38c49e96983d6c8d074ef97c8b9a72fc9a038158ec8d8940122268c4aa9539242300

Download Submit
C:\Windows\{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe

Filesize
192KB

MD5
8e691ec2786d7392cfa7ddf3bfd29182

SHA1
5c28363eca1375da5c68638e6885357a38597013

SHA256
b5c824650a58426cede163d0260da3faee90885642637b750de12d5dab62f8e3

SHA512
0db0dd4fb72fb7c7da821a2a7beee866abbca9d8712436edf401a36d6ad8dc6d7887db49d010830308de310cf141b7afaad511dd4d0e583f3861c2416ba20aa3

Download Submit
C:\Windows\{B3C2D5E4-60B4-4f95-9FC8-2279F2EB3569}.exe

Filesize
192KB

MD5
8e691ec2786d7392cfa7ddf3bfd29182

SHA1
5c28363eca1375da5c68638e6885357a38597013

SHA256
b5c824650a58426cede163d0260da3faee90885642637b750de12d5dab62f8e3

SHA512
0db0dd4fb72fb7c7da821a2a7beee866abbca9d8712436edf401a36d6ad8dc6d7887db49d010830308de310cf141b7afaad511dd4d0e583f3861c2416ba20aa3

Download Submit
C:\Windows\{B9A1F59D-C2E0-4e70-A550-8F85D846C091}.exe

Filesize
192KB

MD5
8d7baaf7549f71404fd2c1fc909f948d

SHA1
bd6ef2f489219d3435a6a48b095975559f947ecd

SHA256
18ddb834eafed44ba06d49a872b3e8b311d5f4317e195a4ac278b393684b6d70

SHA512
7e16e67655839e56ea743fec0d53e874ac8da89eaaf9a774c51f1ad3bc2c6a6fccb1f5e933e18b97b2cf4475ab13991c8430cd2b9f088a1d91792732af659906

Download Submit
C:\Windows\{B9A1F59D-C2E0-4e70-A550-8F85D846C091}.exe

Filesize
192KB

MD5
8d7baaf7549f71404fd2c1fc909f948d

SHA1
bd6ef2f489219d3435a6a48b095975559f947ecd

SHA256
18ddb834eafed44ba06d49a872b3e8b311d5f4317e195a4ac278b393684b6d70

SHA512
7e16e67655839e56ea743fec0d53e874ac8da89eaaf9a774c51f1ad3bc2c6a6fccb1f5e933e18b97b2cf4475ab13991c8430cd2b9f088a1d91792732af659906

Download Submit
C:\Windows\{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe

Filesize
192KB

MD5
825287d2637e59ec05ed838501d660e7

SHA1
6af9eaaf5549db89c6bafd75fa07365745fa3932

SHA256
423eff717bb3da879b9d1d49a73fe68056f75949bf930e995095dcee04436960

SHA512
5568ad45bbd254ed8b27c844ccc4afca4379ca7ca01800bfd0ee9d778a6e4e4da797814cdecdc39b0619025406327a63b6850a0dc382fee8a9d9fc5820cf4102

Download Submit
C:\Windows\{CFF26071-A9D1-475f-ADAE-EA117013D8CE}.exe

Filesize
192KB

MD5
825287d2637e59ec05ed838501d660e7

SHA1
6af9eaaf5549db89c6bafd75fa07365745fa3932

SHA256
423eff717bb3da879b9d1d49a73fe68056f75949bf930e995095dcee04436960

SHA512
5568ad45bbd254ed8b27c844ccc4afca4379ca7ca01800bfd0ee9d778a6e4e4da797814cdecdc39b0619025406327a63b6850a0dc382fee8a9d9fc5820cf4102

Download Submit
C:\Windows\{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe

Filesize
192KB

MD5
f5485a61bf35ed00d5f25758d69413d8

SHA1
f54fc273d04faa9ceb93c1937cd3d885b91b9d94

SHA256
cf029e8246541d53294dd2e32a985fcdbe13781cb01f64da291ed5639ce33751

SHA512
5b6e4cefcaea75bee11aa726296dc1b54de236ba557d56fae5dd6981dd63b603944a60455422f341134fc316d187c59896fc87885bced2f72bd1d671198d99e9

Download Submit
C:\Windows\{D8A23816-0176-4597-B050-0AE4DE50FA04}.exe

Filesize
192KB

MD5
f5485a61bf35ed00d5f25758d69413d8

SHA1
f54fc273d04faa9ceb93c1937cd3d885b91b9d94

SHA256
cf029e8246541d53294dd2e32a985fcdbe13781cb01f64da291ed5639ce33751

SHA512
5b6e4cefcaea75bee11aa726296dc1b54de236ba557d56fae5dd6981dd63b603944a60455422f341134fc316d187c59896fc87885bced2f72bd1d671198d99e9

Download Submit
C:\Windows\{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe

Filesize
192KB

MD5
6adf0e666cdd74be4bceb72cd67bbd9b

SHA1
ef61e2be66559a20d71aed33e34a032108d692a4

SHA256
dd7b9a9ee867d13b74c25fdb602c59888f4c707ba139e66045a2377d97e48a10

SHA512
9880ce113bc055240ac9f720cf73a0d31b0f19f6578467f3b4539c60ddf732fe5656c48472f1ae75915a262efcae172dc419419a87a562da61d209fb5b5f6b48

Download Submit
C:\Windows\{EB62A0FB-1B36-4131-AE8C-D730832244AD}.exe

Filesize
192KB

MD5
6adf0e666cdd74be4bceb72cd67bbd9b

SHA1
ef61e2be66559a20d71aed33e34a032108d692a4

SHA256
dd7b9a9ee867d13b74c25fdb602c59888f4c707ba139e66045a2377d97e48a10

SHA512
9880ce113bc055240ac9f720cf73a0d31b0f19f6578467f3b4539c60ddf732fe5656c48472f1ae75915a262efcae172dc419419a87a562da61d209fb5b5f6b48

Download Submit
C:\Windows\{F06F4651-3EA8-4339-9255-47F69D318732}.exe

Filesize
192KB

MD5
555682af588499bc11f15b04dfee2771

SHA1
ca874af8de22dedc00248581a05d539065c30caf

SHA256
6b75b36b36fae6b476730d3535fbd0082187952f049793711b16fdfd895c882c

SHA512
6d9f79358a2d8cfe893f842a017bb16e220dc3209a8c8f7d830895589c943d2c20f852b686a81ce1e6cc98cc51f9ce3192c4537702fabf07f1460797254d2dbd

Download Submit
C:\Windows\{F06F4651-3EA8-4339-9255-47F69D318732}.exe

Filesize
192KB

MD5
555682af588499bc11f15b04dfee2771

SHA1
ca874af8de22dedc00248581a05d539065c30caf

SHA256
6b75b36b36fae6b476730d3535fbd0082187952f049793711b16fdfd895c882c

SHA512
6d9f79358a2d8cfe893f842a017bb16e220dc3209a8c8f7d830895589c943d2c20f852b686a81ce1e6cc98cc51f9ce3192c4537702fabf07f1460797254d2dbd

Download Submit
C:\Windows\{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe

Filesize
192KB

MD5
35ce339b764d0571728ab37739942404

SHA1
49fa56f6d583257bd2389285aed04ad84df54b90

SHA256
f3c651d0673aa509a4f3694d9c1ac36157a3510c4ecda680bf75effd73adc34a

SHA512
0a6ffc7f5c9f377241dcc1c94074e7ae77faa7bb190ee9315fc424a89f9426b92f9143e339d5268335734642b52936c13b82551fadf6baf28985c68bcd263a55

Download Submit
C:\Windows\{F2B3AEE0-BE1E-4933-B0A3-F66217745DF5}.exe

Filesize
192KB

MD5
35ce339b764d0571728ab37739942404

SHA1
49fa56f6d583257bd2389285aed04ad84df54b90

SHA256
f3c651d0673aa509a4f3694d9c1ac36157a3510c4ecda680bf75effd73adc34a

SHA512
0a6ffc7f5c9f377241dcc1c94074e7ae77faa7bb190ee9315fc424a89f9426b92f9143e339d5268335734642b52936c13b82551fadf6baf28985c68bcd263a55

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads