d8af5ffb052447a8e35b00f60726340facd7e7216f1509653bfe34dc7f321c72

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-08_f80b549db3b36436d5571d55d71d45c4_goldeneye_JC.exe
Size

168KB
MD5

f80b549db3b36436d5571d55d71d45c4
SHA1

a2ec1e6672b7be7fb1543d3b78941dbb0250366a
SHA256

d8af5ffb052447a8e35b00f60726340facd7e7216f1509653bfe34dc7f321c72
SHA512

06c29a8e19967ba64c8aac0961f62fe0aad3bc024a08f4de15fa693f4e6b5705a85bd73a3f6f0f882026703fb9e7d8360930428fafb8da8be011451a2b130239
SSDEEP

1536:1EGh0oDlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oDlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57944BF7-577E-4b07-ABBE-A3290D60941A}\stubpath = "C:\\Windows\\{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe"	{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}\stubpath = "C:\\Windows\\{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe"	{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA3E2AD4-4D5F-4f04-9351-E78078F8B97F}	{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA3E2AD4-4D5F-4f04-9351-E78078F8B97F}\stubpath = "C:\\Windows\\{EA3E2AD4-4D5F-4f04-9351-E78078F8B97F}.exe"	{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}\stubpath = "C:\\Windows\\{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe"	NEAS.2023-09-08_f80b549db3b36436d5571d55d71d45c4_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{684EE6B1-318F-4400-AE62-0FD7B8652598}\stubpath = "C:\\Windows\\{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe"	{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}\stubpath = "C:\\Windows\\{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe"	{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57944BF7-577E-4b07-ABBE-A3290D60941A}	{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F1690BD-4E0E-48a2-B9C9-8723FDAE95F4}	{EA3E2AD4-4D5F-4f04-9351-E78078F8B97F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F1690BD-4E0E-48a2-B9C9-8723FDAE95F4}\stubpath = "C:\\Windows\\{7F1690BD-4E0E-48a2-B9C9-8723FDAE95F4}.exe"	{EA3E2AD4-4D5F-4f04-9351-E78078F8B97F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}	{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}\stubpath = "C:\\Windows\\{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe"	{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}	{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}	{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{684EE6B1-318F-4400-AE62-0FD7B8652598}	{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}	{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}\stubpath = "C:\\Windows\\{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe"	{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}\stubpath = "C:\\Windows\\{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe"	{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}\stubpath = "C:\\Windows\\{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe"	{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}	NEAS.2023-09-08_f80b549db3b36436d5571d55d71d45c4_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}	{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}	{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}	{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}\stubpath = "C:\\Windows\\{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe"	{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe

Executes dropped EXE 12 IoCs

pid	Process
1052	{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe
1616	{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe
2904	{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe
2356	{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe
2888	{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe
368	{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe
4940	{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe
2388	{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe
2072	{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe
652	{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe
4932	{EA3E2AD4-4D5F-4f04-9351-E78078F8B97F}.exe
3652	{7F1690BD-4E0E-48a2-B9C9-8723FDAE95F4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe	{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe
File created	C:\Windows\{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe	{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe
File created	C:\Windows\{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe	{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe
File created	C:\Windows\{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe	{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe
File created	C:\Windows\{EA3E2AD4-4D5F-4f04-9351-E78078F8B97F}.exe	{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe
File created	C:\Windows\{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe	NEAS.2023-09-08_f80b549db3b36436d5571d55d71d45c4_goldeneye_JC.exe
File created	C:\Windows\{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe	{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe
File created	C:\Windows\{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe	{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe
File created	C:\Windows\{7F1690BD-4E0E-48a2-B9C9-8723FDAE95F4}.exe	{EA3E2AD4-4D5F-4f04-9351-E78078F8B97F}.exe
File created	C:\Windows\{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe	{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe
File created	C:\Windows\{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe	{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe
File created	C:\Windows\{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe	{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3508	NEAS.2023-09-08_f80b549db3b36436d5571d55d71d45c4_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1052	{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe
Token: SeIncBasePriorityPrivilege	1616	{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe
Token: SeIncBasePriorityPrivilege	2904	{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe
Token: SeIncBasePriorityPrivilege	2356	{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe
Token: SeIncBasePriorityPrivilege	2888	{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe
Token: SeIncBasePriorityPrivilege	368	{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe
Token: SeIncBasePriorityPrivilege	4940	{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe
Token: SeIncBasePriorityPrivilege	2388	{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe
Token: SeIncBasePriorityPrivilege	2072	{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe
Token: SeIncBasePriorityPrivilege	652	{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe
Token: SeIncBasePriorityPrivilege	4932	{EA3E2AD4-4D5F-4f04-9351-E78078F8B97F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 1052	3508	NEAS.2023-09-08_f80b549db3b36436d5571d55d71d45c4_goldeneye_JC.exe	79
PID 3508 wrote to memory of 1052	3508	NEAS.2023-09-08_f80b549db3b36436d5571d55d71d45c4_goldeneye_JC.exe	79
PID 3508 wrote to memory of 1052	3508	NEAS.2023-09-08_f80b549db3b36436d5571d55d71d45c4_goldeneye_JC.exe	79
PID 3508 wrote to memory of 4676	3508	NEAS.2023-09-08_f80b549db3b36436d5571d55d71d45c4_goldeneye_JC.exe	80
PID 3508 wrote to memory of 4676	3508	NEAS.2023-09-08_f80b549db3b36436d5571d55d71d45c4_goldeneye_JC.exe	80
PID 3508 wrote to memory of 4676	3508	NEAS.2023-09-08_f80b549db3b36436d5571d55d71d45c4_goldeneye_JC.exe	80
PID 1052 wrote to memory of 1616	1052	{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe	81
PID 1052 wrote to memory of 1616	1052	{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe	81
PID 1052 wrote to memory of 1616	1052	{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe	81
PID 1052 wrote to memory of 5016	1052	{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe	82
PID 1052 wrote to memory of 5016	1052	{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe	82
PID 1052 wrote to memory of 5016	1052	{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe	82
PID 1616 wrote to memory of 2904	1616	{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe	83
PID 1616 wrote to memory of 2904	1616	{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe	83
PID 1616 wrote to memory of 2904	1616	{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe	83
PID 1616 wrote to memory of 4808	1616	{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe	84
PID 1616 wrote to memory of 4808	1616	{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe	84
PID 1616 wrote to memory of 4808	1616	{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe	84
PID 2904 wrote to memory of 2356	2904	{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe	85
PID 2904 wrote to memory of 2356	2904	{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe	85
PID 2904 wrote to memory of 2356	2904	{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe	85
PID 2904 wrote to memory of 1384	2904	{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe	86
PID 2904 wrote to memory of 1384	2904	{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe	86
PID 2904 wrote to memory of 1384	2904	{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe	86
PID 2356 wrote to memory of 2888	2356	{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe	87
PID 2356 wrote to memory of 2888	2356	{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe	87
PID 2356 wrote to memory of 2888	2356	{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe	87
PID 2356 wrote to memory of 236	2356	{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe	88
PID 2356 wrote to memory of 236	2356	{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe	88
PID 2356 wrote to memory of 236	2356	{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe	88
PID 2888 wrote to memory of 368	2888	{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe	89
PID 2888 wrote to memory of 368	2888	{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe	89
PID 2888 wrote to memory of 368	2888	{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe	89
PID 2888 wrote to memory of 4528	2888	{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe	90
PID 2888 wrote to memory of 4528	2888	{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe	90
PID 2888 wrote to memory of 4528	2888	{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe	90
PID 368 wrote to memory of 4940	368	{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe	91
PID 368 wrote to memory of 4940	368	{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe	91
PID 368 wrote to memory of 4940	368	{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe	91
PID 368 wrote to memory of 4060	368	{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe	92
PID 368 wrote to memory of 4060	368	{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe	92
PID 368 wrote to memory of 4060	368	{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe	92
PID 4940 wrote to memory of 2388	4940	{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe	93
PID 4940 wrote to memory of 2388	4940	{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe	93
PID 4940 wrote to memory of 2388	4940	{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe	93
PID 4940 wrote to memory of 416	4940	{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe	94
PID 4940 wrote to memory of 416	4940	{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe	94
PID 4940 wrote to memory of 416	4940	{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe	94
PID 2388 wrote to memory of 2072	2388	{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe	95
PID 2388 wrote to memory of 2072	2388	{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe	95
PID 2388 wrote to memory of 2072	2388	{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe	95
PID 2388 wrote to memory of 408	2388	{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe	96
PID 2388 wrote to memory of 408	2388	{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe	96
PID 2388 wrote to memory of 408	2388	{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe	96
PID 2072 wrote to memory of 652	2072	{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe	97
PID 2072 wrote to memory of 652	2072	{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe	97
PID 2072 wrote to memory of 652	2072	{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe	97
PID 2072 wrote to memory of 3332	2072	{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe	98
PID 2072 wrote to memory of 3332	2072	{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe	98
PID 2072 wrote to memory of 3332	2072	{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe	98
PID 652 wrote to memory of 4932	652	{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe	99
PID 652 wrote to memory of 4932	652	{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe	99
PID 652 wrote to memory of 4932	652	{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe	99
PID 652 wrote to memory of 532	652	{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe	100

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_f80b549db3b36436d5571d55d71d45c4_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_f80b549db3b36436d5571d55d71d45c4_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe
  C:\Windows\{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe
    C:\Windows\{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe
      C:\Windows\{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe
        
        C:\Windows\{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe
        
        C:\Windows\{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe
        
        C:\Windows\{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe
        
        C:\Windows\{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe
        
        C:\Windows\{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe
        
        C:\Windows\{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe
        
        C:\Windows\{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\{EA3E2AD4-4D5F-4f04-9351-E78078F8B97F}.exe
        
        C:\Windows\{EA3E2AD4-4D5F-4f04-9351-E78078F8B97F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\{7F1690BD-4E0E-48a2-B9C9-8723FDAE95F4}.exe
        
        C:\Windows\{7F1690BD-4E0E-48a2-B9C9-8723FDAE95F4}.exe
        13⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA3E2~1.EXE > nul
        13⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDC75~1.EXE > nul
        12⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF344~1.EXE > nul
        11⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A0BB~1.EXE > nul
        10⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B2E0~1.EXE > nul
        9⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E98FC~1.EXE > nul
        8⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18263~1.EXE > nul
        7⤵
        
        PID:4528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57944~1.EXE > nul
        6⤵
        
        PID:236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A7CC~1.EXE > nul
        5⤵
        
        PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{684EE~1.EXE > nul
      4⤵
      PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C617E~1.EXE > nul
    3⤵
    PID:5016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe

Filesize
168KB

MD5
13cc9f416d73ba1b3753bf5b84787db6

SHA1
8840e2605c67af68e9305a9291999c794aecf4a8

SHA256
7c3cbb3c97aba061902a7f5064b5b7dc057ec459f457baf35c1e05dc40cf3e90

SHA512
1e73f60de9ca8d0cfa577374c046bd68019b4f3ab238e8686553aad112697d82afb1a429c8d0d70afb598a3a78b823eba149f91fd02e735999979b51f3be62a1

Download Submit
C:\Windows\{18263CBF-84FB-45d2-8803-F3CE7C7A3D28}.exe

Filesize
168KB

MD5
13cc9f416d73ba1b3753bf5b84787db6

SHA1
8840e2605c67af68e9305a9291999c794aecf4a8

SHA256
7c3cbb3c97aba061902a7f5064b5b7dc057ec459f457baf35c1e05dc40cf3e90

SHA512
1e73f60de9ca8d0cfa577374c046bd68019b4f3ab238e8686553aad112697d82afb1a429c8d0d70afb598a3a78b823eba149f91fd02e735999979b51f3be62a1

Download Submit
C:\Windows\{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe

Filesize
168KB

MD5
c7c2de48ef0cdf282209d31da4f70a4a

SHA1
e191559fc028b25badd56189908976cf42bdc950

SHA256
022d80103dcefde5e6e8b146c1a667cbcddf4469de9ed03f77c6ab6465ee04f3

SHA512
7a8544d750405ab067f636fd06f65ea50e3abc3c6858769639cff400638021c80e10741260fe53a87b0e5572ef2d94c3ae746a816588adcdef2e0dc1fce30d07

Download Submit
C:\Windows\{1A0BBBCD-A05E-4acf-8E0C-926EF216EBEA}.exe

Filesize
168KB

MD5
c7c2de48ef0cdf282209d31da4f70a4a

SHA1
e191559fc028b25badd56189908976cf42bdc950

SHA256
022d80103dcefde5e6e8b146c1a667cbcddf4469de9ed03f77c6ab6465ee04f3

SHA512
7a8544d750405ab067f636fd06f65ea50e3abc3c6858769639cff400638021c80e10741260fe53a87b0e5572ef2d94c3ae746a816588adcdef2e0dc1fce30d07

Download Submit
C:\Windows\{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe

Filesize
168KB

MD5
1aabf36195d3b3da832cd14046c26ed6

SHA1
9e68ecdca659fd1eb96c64160739848478349f94

SHA256
a286ea1bc848867bfceded8f82ff28785e294437374ab227b80617826250d2c5

SHA512
0ac60530f56fbe7fa59d8e4d6ac0c8db7492a2966753bf81060adf59c5b525b4d486c45e0121bdf7e489a16f46e8460db0fdc1ca16b1df70b9c9f9d8070c16ec

Download Submit
C:\Windows\{57944BF7-577E-4b07-ABBE-A3290D60941A}.exe

Filesize
168KB

MD5
1aabf36195d3b3da832cd14046c26ed6

SHA1
9e68ecdca659fd1eb96c64160739848478349f94

SHA256
a286ea1bc848867bfceded8f82ff28785e294437374ab227b80617826250d2c5

SHA512
0ac60530f56fbe7fa59d8e4d6ac0c8db7492a2966753bf81060adf59c5b525b4d486c45e0121bdf7e489a16f46e8460db0fdc1ca16b1df70b9c9f9d8070c16ec

Download Submit
C:\Windows\{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe

Filesize
168KB

MD5
2ee3dee8aee1feae1c57523248741351

SHA1
9f7f8754e9be6a802d92d975aed037004f2a952e

SHA256
2eec7adb885c18d0e7aaf95bfbe67111f4d94f5e1d582d05e280ae5843110a83

SHA512
e15de3f87384b5b0423691c2096114d71a5f77fda3d205a1a3a3f9ea41ab48b88aeaae88c86123b229c724057bbf3535533d13f977928475e1f413c2d77f661f

Download Submit
C:\Windows\{5B2E0FE7-9A20-4dba-8000-AC2DBB152D3E}.exe

Filesize
168KB

MD5
2ee3dee8aee1feae1c57523248741351

SHA1
9f7f8754e9be6a802d92d975aed037004f2a952e

SHA256
2eec7adb885c18d0e7aaf95bfbe67111f4d94f5e1d582d05e280ae5843110a83

SHA512
e15de3f87384b5b0423691c2096114d71a5f77fda3d205a1a3a3f9ea41ab48b88aeaae88c86123b229c724057bbf3535533d13f977928475e1f413c2d77f661f

Download Submit
C:\Windows\{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe

Filesize
168KB

MD5
b26c9daa823095ddfc85f7116f36e3fd

SHA1
14594a56e790ab1bc7f5d7fff5a81972ebd746c5

SHA256
63e00aebd610248fd5955d7589a438b6dd18df18e53ddbad840af95712307b72

SHA512
cad38bc629dcf9c3329956e3a5b6db5a1e1ad97ef9b9086dfb0cdc73cecfe93e0e1df73605c0920bfc7d27440c0e1cf279e6a1c3c8e53d932659bbc911b70399

Download Submit
C:\Windows\{684EE6B1-318F-4400-AE62-0FD7B8652598}.exe

Filesize
168KB

MD5
b26c9daa823095ddfc85f7116f36e3fd

SHA1
14594a56e790ab1bc7f5d7fff5a81972ebd746c5

SHA256
63e00aebd610248fd5955d7589a438b6dd18df18e53ddbad840af95712307b72

SHA512
cad38bc629dcf9c3329956e3a5b6db5a1e1ad97ef9b9086dfb0cdc73cecfe93e0e1df73605c0920bfc7d27440c0e1cf279e6a1c3c8e53d932659bbc911b70399

Download Submit
C:\Windows\{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe

Filesize
168KB

MD5
857f00b58d06b21cf4a56635d6bc3c92

SHA1
ff98b9d73d286f221e03b9c1f48587b0e6124475

SHA256
602a97a16a3ed38709b4b1aad68b3b0196836446eceed021cd35ca3673301553

SHA512
60ebc38e638ea07775bb48907c816f1e8688024c3190a21827b25464d70dc3e93127d1230677cdbf9af2cbda3f2a7e14155303ae074b3c25a70bc3b6133eea7f

Download Submit
C:\Windows\{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe

Filesize
168KB

MD5
857f00b58d06b21cf4a56635d6bc3c92

SHA1
ff98b9d73d286f221e03b9c1f48587b0e6124475

SHA256
602a97a16a3ed38709b4b1aad68b3b0196836446eceed021cd35ca3673301553

SHA512
60ebc38e638ea07775bb48907c816f1e8688024c3190a21827b25464d70dc3e93127d1230677cdbf9af2cbda3f2a7e14155303ae074b3c25a70bc3b6133eea7f

Download Submit
C:\Windows\{6A7CC1DD-8F76-4778-8C4D-4D28779F71E4}.exe

Filesize
168KB

MD5
857f00b58d06b21cf4a56635d6bc3c92

SHA1
ff98b9d73d286f221e03b9c1f48587b0e6124475

SHA256
602a97a16a3ed38709b4b1aad68b3b0196836446eceed021cd35ca3673301553

SHA512
60ebc38e638ea07775bb48907c816f1e8688024c3190a21827b25464d70dc3e93127d1230677cdbf9af2cbda3f2a7e14155303ae074b3c25a70bc3b6133eea7f

Download Submit
C:\Windows\{7F1690BD-4E0E-48a2-B9C9-8723FDAE95F4}.exe

Filesize
168KB

MD5
319fe54a7a3c9e6c2b399f03737b682c

SHA1
cdbee2bd1f9ffca026faa91298d5e291e771a474

SHA256
acb50ec98a93daf6f4b71de9d755c3d5bffaa24ca56f7f80c84986c770d50fcd

SHA512
60f2942e7e147bb0c3568f9dc7232cc566f11a09540e4c595a7e03c7a39ea995b5035acdbf0193e1c2a3b2eeb536951d92434e587bc11df1acfd00f05382641a

Download Submit
C:\Windows\{7F1690BD-4E0E-48a2-B9C9-8723FDAE95F4}.exe

Filesize
168KB

MD5
319fe54a7a3c9e6c2b399f03737b682c

SHA1
cdbee2bd1f9ffca026faa91298d5e291e771a474

SHA256
acb50ec98a93daf6f4b71de9d755c3d5bffaa24ca56f7f80c84986c770d50fcd

SHA512
60f2942e7e147bb0c3568f9dc7232cc566f11a09540e4c595a7e03c7a39ea995b5035acdbf0193e1c2a3b2eeb536951d92434e587bc11df1acfd00f05382641a

Download Submit
C:\Windows\{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe

Filesize
168KB

MD5
001136474a4ad9851a7ec68ec8b8c7d4

SHA1
67db9940f5a622459c797bce639ce2a9042253a8

SHA256
f958e1935523fa1ba129d4d9381d5d32e25fbd6d3530c3370e6f7e184f609372

SHA512
008e2a1667e09ea6b9cc8af549240d970abf4aed1b078dda4dbf5493454292a7e96198ed634c3d5815d05bad988acdebdb0040ad52b2aa05fda3242d84b1cdf4

Download Submit
C:\Windows\{AF344F86-D97D-4ea2-966B-48D6C2C3B52D}.exe

Filesize
168KB

MD5
001136474a4ad9851a7ec68ec8b8c7d4

SHA1
67db9940f5a622459c797bce639ce2a9042253a8

SHA256
f958e1935523fa1ba129d4d9381d5d32e25fbd6d3530c3370e6f7e184f609372

SHA512
008e2a1667e09ea6b9cc8af549240d970abf4aed1b078dda4dbf5493454292a7e96198ed634c3d5815d05bad988acdebdb0040ad52b2aa05fda3242d84b1cdf4

Download Submit
C:\Windows\{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe

Filesize
168KB

MD5
ca99e4d7d94b37a6e7f842a79d6c3368

SHA1
9c82573f4bbd37f06f78811939a5fa68fc55a49d

SHA256
47e1762887f47e98120e751a4c27e078f46e07eb449ce16f3e27c0166c77be3e

SHA512
ad1d118af5885767cc4422bf7d3fc1f586e58e8c32a0b153822e814caa6d91118f78d048fd26c97a5a4fcb7093134d5d19451950d61e9c40b8cdc8ab79a6803f

Download Submit
C:\Windows\{C617EACC-EDE0-4adb-A43A-E200A4B5F58E}.exe

Filesize
168KB

MD5
ca99e4d7d94b37a6e7f842a79d6c3368

SHA1
9c82573f4bbd37f06f78811939a5fa68fc55a49d

SHA256
47e1762887f47e98120e751a4c27e078f46e07eb449ce16f3e27c0166c77be3e

SHA512
ad1d118af5885767cc4422bf7d3fc1f586e58e8c32a0b153822e814caa6d91118f78d048fd26c97a5a4fcb7093134d5d19451950d61e9c40b8cdc8ab79a6803f

Download Submit
C:\Windows\{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe

Filesize
168KB

MD5
b448bf969c9e330f33ed4a3b321f666e

SHA1
f758b28661fea50f40bf8d7a61493540478b2cdb

SHA256
8cb195df4bf1e4bb381e265e4ef3345dfef49c60f2b3890d4e1918854f0ac34c

SHA512
19262b3afb131cacf1d27dae5d7922713259ca70bf96c0c3e95141f12db9c8d0c49c690d6b3ef9aff9e54efe2bdc4b6fe3939e442c2acf81a8047c214f6291c4

Download Submit
C:\Windows\{E98FCDE1-2F9B-4bfd-AAB8-7066A0BA6838}.exe

Filesize
168KB

MD5
b448bf969c9e330f33ed4a3b321f666e

SHA1
f758b28661fea50f40bf8d7a61493540478b2cdb

SHA256
8cb195df4bf1e4bb381e265e4ef3345dfef49c60f2b3890d4e1918854f0ac34c

SHA512
19262b3afb131cacf1d27dae5d7922713259ca70bf96c0c3e95141f12db9c8d0c49c690d6b3ef9aff9e54efe2bdc4b6fe3939e442c2acf81a8047c214f6291c4

Download Submit
C:\Windows\{EA3E2AD4-4D5F-4f04-9351-E78078F8B97F}.exe

Filesize
168KB

MD5
c58db6dd9af2a14462453e7654ce8686

SHA1
38a027cef7fbc172c41afcee6d2e1861c50e4b20

SHA256
aa9772d7bba7a86213fb7340952ab948193fd21b0c1fda6e927403ae9451a606

SHA512
c3dfc7162c55287d8a9e3909325c42460b95eb90208533190d591e08a634be22488b7fd2acb86c4a42a348a6eda0fd93a286ae078954a91373a39f9fb1e49d40

Download Submit
C:\Windows\{EA3E2AD4-4D5F-4f04-9351-E78078F8B97F}.exe

Filesize
168KB

MD5
c58db6dd9af2a14462453e7654ce8686

SHA1
38a027cef7fbc172c41afcee6d2e1861c50e4b20

SHA256
aa9772d7bba7a86213fb7340952ab948193fd21b0c1fda6e927403ae9451a606

SHA512
c3dfc7162c55287d8a9e3909325c42460b95eb90208533190d591e08a634be22488b7fd2acb86c4a42a348a6eda0fd93a286ae078954a91373a39f9fb1e49d40

Download Submit
C:\Windows\{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe

Filesize
168KB

MD5
708e27e63dded50ea3183ba8c8501d4f

SHA1
e4ecf38dc4826e43f66d0f92e55c52786be4ce15

SHA256
ba6d7b6c04dceab31e9e969e05a5232aa8b990b76ac646602dc2ed6ce0199d37

SHA512
438bee80a1296295175b9c2e7a56c01b4d137af419ba811d51083abcb95ab25212bf4e1ac68e8d91181b420646dd483657bd5847a1ee18010a136e71fefa960a

Download Submit
C:\Windows\{EDC757D2-0516-48e9-8B32-EA86F6A0ECF6}.exe

Filesize
168KB

MD5
708e27e63dded50ea3183ba8c8501d4f

SHA1
e4ecf38dc4826e43f66d0f92e55c52786be4ce15

SHA256
ba6d7b6c04dceab31e9e969e05a5232aa8b990b76ac646602dc2ed6ce0199d37

SHA512
438bee80a1296295175b9c2e7a56c01b4d137af419ba811d51083abcb95ab25212bf4e1ac68e8d91181b420646dd483657bd5847a1ee18010a136e71fefa960a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads