b59f242e790e8b5cee878326bacfac1ccf5d2034f133c961ef8239e5f8cf2ada

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe
Size

216KB
MD5

f4f4bb7b13ada81bdaeaa96f6c964121
SHA1

8bf8fdecc4044ea1ff507ebd47d1066836cdcc1b
SHA256

b59f242e790e8b5cee878326bacfac1ccf5d2034f133c961ef8239e5f8cf2ada
SHA512

5a856aad8c78ce51fa55b2341bf1d80d07e020ef69647cf1df6f6d77e8e6e14975ee552db8fafb034dc7e517ecc88fb8845bed7e72907ec5905cd42e28d9c93c
SSDEEP

3072:jEGh0o2l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGElEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CB6760D-E572-424a-A6D9-91BBA141B645}\stubpath = "C:\\Windows\\{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe"	{F071919B-164D-4220-BACC-2519DA855C4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{365A39D8-EB34-4d15-B1EF-69032D1E4E07}	{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}\stubpath = "C:\\Windows\\{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe"	{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99ACFAB9-1905-4127-AFAC-0253B63A0D50}\stubpath = "C:\\Windows\\{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe"	{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{219EA6CD-3A5C-4411-A36A-2E595607F273}	{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F071919B-164D-4220-BACC-2519DA855C4E}	NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{365A39D8-EB34-4d15-B1EF-69032D1E4E07}\stubpath = "C:\\Windows\\{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe"	{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}	{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{219EA6CD-3A5C-4411-A36A-2E595607F273}\stubpath = "C:\\Windows\\{219EA6CD-3A5C-4411-A36A-2E595607F273}.exe"	{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6098BB87-6EE8-4eb1-9B0F-658C190A1268}	{219EA6CD-3A5C-4411-A36A-2E595607F273}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C2BF287-2538-4a59-8751-762A798BC5A2}\stubpath = "C:\\Windows\\{7C2BF287-2538-4a59-8751-762A798BC5A2}.exe"	{5CE4FBC5-97AB-4035-955C-C9CF293C2C51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F071919B-164D-4220-BACC-2519DA855C4E}\stubpath = "C:\\Windows\\{F071919B-164D-4220-BACC-2519DA855C4E}.exe"	NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CB6760D-E572-424a-A6D9-91BBA141B645}	{F071919B-164D-4220-BACC-2519DA855C4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E6FD921-210B-4376-BD27-EF095AD1E97F}\stubpath = "C:\\Windows\\{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe"	{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}	{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CE4FBC5-97AB-4035-955C-C9CF293C2C51}	{6098BB87-6EE8-4eb1-9B0F-658C190A1268}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CE4FBC5-97AB-4035-955C-C9CF293C2C51}\stubpath = "C:\\Windows\\{5CE4FBC5-97AB-4035-955C-C9CF293C2C51}.exe"	{6098BB87-6EE8-4eb1-9B0F-658C190A1268}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E6FD921-210B-4376-BD27-EF095AD1E97F}	{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}\stubpath = "C:\\Windows\\{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe"	{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99ACFAB9-1905-4127-AFAC-0253B63A0D50}	{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6098BB87-6EE8-4eb1-9B0F-658C190A1268}\stubpath = "C:\\Windows\\{6098BB87-6EE8-4eb1-9B0F-658C190A1268}.exe"	{219EA6CD-3A5C-4411-A36A-2E595607F273}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C2BF287-2538-4a59-8751-762A798BC5A2}	{5CE4FBC5-97AB-4035-955C-C9CF293C2C51}.exe

Deletes itself 1 IoCs

pid	Process
2276	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1728	{F071919B-164D-4220-BACC-2519DA855C4E}.exe
2788	{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe
2956	{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe
2608	{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe
2604	{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe
1300	{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe
524	{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe
1496	{219EA6CD-3A5C-4411-A36A-2E595607F273}.exe
2892	{6098BB87-6EE8-4eb1-9B0F-658C190A1268}.exe
2976	{5CE4FBC5-97AB-4035-955C-C9CF293C2C51}.exe
2996	{7C2BF287-2538-4a59-8751-762A798BC5A2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6098BB87-6EE8-4eb1-9B0F-658C190A1268}.exe	{219EA6CD-3A5C-4411-A36A-2E595607F273}.exe
File created	C:\Windows\{F071919B-164D-4220-BACC-2519DA855C4E}.exe	NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe
File created	C:\Windows\{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe	{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe
File created	C:\Windows\{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe	{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe
File created	C:\Windows\{219EA6CD-3A5C-4411-A36A-2E595607F273}.exe	{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe
File created	C:\Windows\{5CE4FBC5-97AB-4035-955C-C9CF293C2C51}.exe	{6098BB87-6EE8-4eb1-9B0F-658C190A1268}.exe
File created	C:\Windows\{7C2BF287-2538-4a59-8751-762A798BC5A2}.exe	{5CE4FBC5-97AB-4035-955C-C9CF293C2C51}.exe
File created	C:\Windows\{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe	{F071919B-164D-4220-BACC-2519DA855C4E}.exe
File created	C:\Windows\{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe	{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe
File created	C:\Windows\{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe	{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe
File created	C:\Windows\{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe	{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2516	NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1728	{F071919B-164D-4220-BACC-2519DA855C4E}.exe
Token: SeIncBasePriorityPrivilege	2788	{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe
Token: SeIncBasePriorityPrivilege	2956	{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe
Token: SeIncBasePriorityPrivilege	2608	{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe
Token: SeIncBasePriorityPrivilege	2604	{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe
Token: SeIncBasePriorityPrivilege	1300	{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe
Token: SeIncBasePriorityPrivilege	524	{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe
Token: SeIncBasePriorityPrivilege	1496	{219EA6CD-3A5C-4411-A36A-2E595607F273}.exe
Token: SeIncBasePriorityPrivilege	2892	{6098BB87-6EE8-4eb1-9B0F-658C190A1268}.exe
Token: SeIncBasePriorityPrivilege	2976	{5CE4FBC5-97AB-4035-955C-C9CF293C2C51}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1728	2516	NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe	28
PID 2516 wrote to memory of 1728	2516	NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe	28
PID 2516 wrote to memory of 1728	2516	NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe	28
PID 2516 wrote to memory of 1728	2516	NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe	28
PID 2516 wrote to memory of 2276	2516	NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe	29
PID 2516 wrote to memory of 2276	2516	NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe	29
PID 2516 wrote to memory of 2276	2516	NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe	29
PID 2516 wrote to memory of 2276	2516	NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe	29
PID 1728 wrote to memory of 2788	1728	{F071919B-164D-4220-BACC-2519DA855C4E}.exe	30
PID 1728 wrote to memory of 2788	1728	{F071919B-164D-4220-BACC-2519DA855C4E}.exe	30
PID 1728 wrote to memory of 2788	1728	{F071919B-164D-4220-BACC-2519DA855C4E}.exe	30
PID 1728 wrote to memory of 2788	1728	{F071919B-164D-4220-BACC-2519DA855C4E}.exe	30
PID 1728 wrote to memory of 2888	1728	{F071919B-164D-4220-BACC-2519DA855C4E}.exe	31
PID 1728 wrote to memory of 2888	1728	{F071919B-164D-4220-BACC-2519DA855C4E}.exe	31
PID 1728 wrote to memory of 2888	1728	{F071919B-164D-4220-BACC-2519DA855C4E}.exe	31
PID 1728 wrote to memory of 2888	1728	{F071919B-164D-4220-BACC-2519DA855C4E}.exe	31
PID 2788 wrote to memory of 2956	2788	{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe	34
PID 2788 wrote to memory of 2956	2788	{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe	34
PID 2788 wrote to memory of 2956	2788	{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe	34
PID 2788 wrote to memory of 2956	2788	{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe	34
PID 2788 wrote to memory of 2144	2788	{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe	35
PID 2788 wrote to memory of 2144	2788	{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe	35
PID 2788 wrote to memory of 2144	2788	{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe	35
PID 2788 wrote to memory of 2144	2788	{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe	35
PID 2956 wrote to memory of 2608	2956	{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe	36
PID 2956 wrote to memory of 2608	2956	{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe	36
PID 2956 wrote to memory of 2608	2956	{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe	36
PID 2956 wrote to memory of 2608	2956	{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe	36
PID 2956 wrote to memory of 2556	2956	{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe	37
PID 2956 wrote to memory of 2556	2956	{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe	37
PID 2956 wrote to memory of 2556	2956	{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe	37
PID 2956 wrote to memory of 2556	2956	{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe	37
PID 2608 wrote to memory of 2604	2608	{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe	38
PID 2608 wrote to memory of 2604	2608	{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe	38
PID 2608 wrote to memory of 2604	2608	{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe	38
PID 2608 wrote to memory of 2604	2608	{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe	38
PID 2608 wrote to memory of 2224	2608	{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe	39
PID 2608 wrote to memory of 2224	2608	{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe	39
PID 2608 wrote to memory of 2224	2608	{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe	39
PID 2608 wrote to memory of 2224	2608	{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe	39
PID 2604 wrote to memory of 1300	2604	{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe	40
PID 2604 wrote to memory of 1300	2604	{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe	40
PID 2604 wrote to memory of 1300	2604	{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe	40
PID 2604 wrote to memory of 1300	2604	{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe	40
PID 2604 wrote to memory of 2544	2604	{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe	41
PID 2604 wrote to memory of 2544	2604	{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe	41
PID 2604 wrote to memory of 2544	2604	{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe	41
PID 2604 wrote to memory of 2544	2604	{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe	41
PID 1300 wrote to memory of 524	1300	{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe	42
PID 1300 wrote to memory of 524	1300	{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe	42
PID 1300 wrote to memory of 524	1300	{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe	42
PID 1300 wrote to memory of 524	1300	{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe	42
PID 1300 wrote to memory of 312	1300	{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe	43
PID 1300 wrote to memory of 312	1300	{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe	43
PID 1300 wrote to memory of 312	1300	{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe	43
PID 1300 wrote to memory of 312	1300	{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe	43
PID 524 wrote to memory of 1496	524	{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe	44
PID 524 wrote to memory of 1496	524	{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe	44
PID 524 wrote to memory of 1496	524	{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe	44
PID 524 wrote to memory of 1496	524	{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe	44
PID 524 wrote to memory of 2928	524	{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe	45
PID 524 wrote to memory of 2928	524	{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe	45
PID 524 wrote to memory of 2928	524	{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe	45
PID 524 wrote to memory of 2928	524	{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_f4f4bb7b13ada81bdaeaa96f6c964121_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\{F071919B-164D-4220-BACC-2519DA855C4E}.exe
  C:\Windows\{F071919B-164D-4220-BACC-2519DA855C4E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe
    C:\Windows\{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe
      C:\Windows\{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe
        
        C:\Windows\{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe
        
        C:\Windows\{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe
        
        C:\Windows\{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe
        
        C:\Windows\{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\{219EA6CD-3A5C-4411-A36A-2E595607F273}.exe
        
        C:\Windows\{219EA6CD-3A5C-4411-A36A-2E595607F273}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\{6098BB87-6EE8-4eb1-9B0F-658C190A1268}.exe
        
        C:\Windows\{6098BB87-6EE8-4eb1-9B0F-658C190A1268}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\{5CE4FBC5-97AB-4035-955C-C9CF293C2C51}.exe
        
        C:\Windows\{5CE4FBC5-97AB-4035-955C-C9CF293C2C51}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\{7C2BF287-2538-4a59-8751-762A798BC5A2}.exe
        
        C:\Windows\{7C2BF287-2538-4a59-8751-762A798BC5A2}.exe
        12⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CE4F~1.EXE > nul
        12⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6098B~1.EXE > nul
        11⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{219EA~1.EXE > nul
        10⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99ACF~1.EXE > nul
        9⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D2FD~1.EXE > nul
        8⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABA4C~1.EXE > nul
        7⤵
        
        PID:2544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E6FD~1.EXE > nul
        6⤵
        
        PID:2224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{365A3~1.EXE > nul
        5⤵
        
        PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6CB67~1.EXE > nul
      4⤵
      PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F0719~1.EXE > nul
    3⤵
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe

Filesize
216KB

MD5
6264b53657be5717a8dc640481da771e

SHA1
81c7151b03e33ad8d62b64fe443ab6420649eb18

SHA256
e8786a1e88075a8c47bf741c61cfd2e63968380e3b1f2d7baa9bc07159067e19

SHA512
503ce87af315026c9943ea0ed9318fa27eede9e7de926535cf00f30cd1ba6bb94e2d86719449d49a83db6ba4a48b1a5657d890198a63e3e9d51f2f9d253444c4

Download Submit
C:\Windows\{0D2FD193-E5AE-4a3d-A603-118B6F3842A8}.exe

Filesize
216KB

MD5
6264b53657be5717a8dc640481da771e

SHA1
81c7151b03e33ad8d62b64fe443ab6420649eb18

SHA256
e8786a1e88075a8c47bf741c61cfd2e63968380e3b1f2d7baa9bc07159067e19

SHA512
503ce87af315026c9943ea0ed9318fa27eede9e7de926535cf00f30cd1ba6bb94e2d86719449d49a83db6ba4a48b1a5657d890198a63e3e9d51f2f9d253444c4

Download Submit
C:\Windows\{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe

Filesize
216KB

MD5
ac97cffe7b4cbe4fff1c052c610433af

SHA1
ffa7bb9ef9e9d15600885809adfd8f7351ed3ac8

SHA256
fa3dc61863a825a4e325f06a710efcc4bc980a18a2665722d3e0f3386e9c1fdc

SHA512
f4548bc541b2994be62ad4ecdd82301d4f58dcabc1c16bbf37fcf98eb936c654be87d4bf1cb733b867271be7f13700e91fa6ffe270bcbea9d5ea88b71ce7d22b

Download Submit
C:\Windows\{0E6FD921-210B-4376-BD27-EF095AD1E97F}.exe

Filesize
216KB

MD5
ac97cffe7b4cbe4fff1c052c610433af

SHA1
ffa7bb9ef9e9d15600885809adfd8f7351ed3ac8

SHA256
fa3dc61863a825a4e325f06a710efcc4bc980a18a2665722d3e0f3386e9c1fdc

SHA512
f4548bc541b2994be62ad4ecdd82301d4f58dcabc1c16bbf37fcf98eb936c654be87d4bf1cb733b867271be7f13700e91fa6ffe270bcbea9d5ea88b71ce7d22b

Download Submit
C:\Windows\{219EA6CD-3A5C-4411-A36A-2E595607F273}.exe

Filesize
216KB

MD5
7ef1141a392aeda4c50dd864b5ca3596

SHA1
fe5b1d7961fa66afb228b82500dce85b53634cd0

SHA256
99836e94da84d09bf4f991fff71f34441c415251b8f74aced9602faf5cbeee04

SHA512
5befec5f82e6eba34cfbad27cc3cbc96d1b9863d2c8fabe59f37606095e73e001b1f27212183420537505cdd07465157444c59579746c4e5536f13230e974bd7

Download Submit
C:\Windows\{219EA6CD-3A5C-4411-A36A-2E595607F273}.exe

Filesize
216KB

MD5
7ef1141a392aeda4c50dd864b5ca3596

SHA1
fe5b1d7961fa66afb228b82500dce85b53634cd0

SHA256
99836e94da84d09bf4f991fff71f34441c415251b8f74aced9602faf5cbeee04

SHA512
5befec5f82e6eba34cfbad27cc3cbc96d1b9863d2c8fabe59f37606095e73e001b1f27212183420537505cdd07465157444c59579746c4e5536f13230e974bd7

Download Submit
C:\Windows\{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe

Filesize
216KB

MD5
33e230688a5d491043401a3ba696dad8

SHA1
e966ea819077150febbd8302cd8643f5cec75c17

SHA256
9d1e2f7801aee8db5b12d049855e8da89741be82fe33c4e2a214e5c1ce5fea59

SHA512
977ba84f627cb56548d7140cdd98ecb8304d9c298110a0fb73817ee761de102dbb4726725f3aff860a4359c4cdc5fc964ea6996416714a77726f6e8f75708734

Download Submit
C:\Windows\{365A39D8-EB34-4d15-B1EF-69032D1E4E07}.exe

Filesize
216KB

MD5
33e230688a5d491043401a3ba696dad8

SHA1
e966ea819077150febbd8302cd8643f5cec75c17

SHA256
9d1e2f7801aee8db5b12d049855e8da89741be82fe33c4e2a214e5c1ce5fea59

SHA512
977ba84f627cb56548d7140cdd98ecb8304d9c298110a0fb73817ee761de102dbb4726725f3aff860a4359c4cdc5fc964ea6996416714a77726f6e8f75708734

Download Submit
C:\Windows\{5CE4FBC5-97AB-4035-955C-C9CF293C2C51}.exe

Filesize
216KB

MD5
55455d8d32fa6d54f0657640e877204e

SHA1
ba36ab28f1914106c11946714532d1f0f81b1456

SHA256
ce26b344cd4f5b652f45af1f91314e4e8f764f7d0682950e5fdd4d9f8f9df500

SHA512
d84673eb1997e211cedad474a959135ce99f22b9e1a4b9b3b3d8773ce8777e56c49617434860352d1f35ed888164bfceecd8fbe26acd3f121f023e1cb92db039

Download Submit
C:\Windows\{5CE4FBC5-97AB-4035-955C-C9CF293C2C51}.exe

Filesize
216KB

MD5
55455d8d32fa6d54f0657640e877204e

SHA1
ba36ab28f1914106c11946714532d1f0f81b1456

SHA256
ce26b344cd4f5b652f45af1f91314e4e8f764f7d0682950e5fdd4d9f8f9df500

SHA512
d84673eb1997e211cedad474a959135ce99f22b9e1a4b9b3b3d8773ce8777e56c49617434860352d1f35ed888164bfceecd8fbe26acd3f121f023e1cb92db039

Download Submit
C:\Windows\{6098BB87-6EE8-4eb1-9B0F-658C190A1268}.exe

Filesize
216KB

MD5
ad66a68f02c5cc4363d8ec4a8689c856

SHA1
9e1c5f48ba752d0d816793de013b2808b92efa24

SHA256
1d5c6999b87f327bc7ed45f5d15e4a3d0948032e39b8ebaba998bfdb88384a71

SHA512
e63d63d3e322dc805dad2ce57413ff8ee31ace38b8493c6ac9164725159d2410f57858a57113f0907275516985760ed90d5a9f1d8c1d673472eb9e390a83050e

Download Submit
C:\Windows\{6098BB87-6EE8-4eb1-9B0F-658C190A1268}.exe

Filesize
216KB

MD5
ad66a68f02c5cc4363d8ec4a8689c856

SHA1
9e1c5f48ba752d0d816793de013b2808b92efa24

SHA256
1d5c6999b87f327bc7ed45f5d15e4a3d0948032e39b8ebaba998bfdb88384a71

SHA512
e63d63d3e322dc805dad2ce57413ff8ee31ace38b8493c6ac9164725159d2410f57858a57113f0907275516985760ed90d5a9f1d8c1d673472eb9e390a83050e

Download Submit
C:\Windows\{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe

Filesize
216KB

MD5
d95ba018f8157575970607653c71ec1e

SHA1
039de510d11290b449885032d40470add5ed4b92

SHA256
14041ea4506c9779cbb6ad62880812c72df89f8274fa66c7e25ec742602fa27d

SHA512
003e6de0aabc2804159b241635bc709c5148ea74e19c82ed931b03aeb9ea8babe92635f8508fb61bcfe99f8b0a91fd53a10f1bc8bb0d7f6b642e742c7ec9ab41

Download Submit
C:\Windows\{6CB6760D-E572-424a-A6D9-91BBA141B645}.exe

Filesize
216KB

MD5
d95ba018f8157575970607653c71ec1e

SHA1
039de510d11290b449885032d40470add5ed4b92

SHA256
14041ea4506c9779cbb6ad62880812c72df89f8274fa66c7e25ec742602fa27d

SHA512
003e6de0aabc2804159b241635bc709c5148ea74e19c82ed931b03aeb9ea8babe92635f8508fb61bcfe99f8b0a91fd53a10f1bc8bb0d7f6b642e742c7ec9ab41

Download Submit
C:\Windows\{7C2BF287-2538-4a59-8751-762A798BC5A2}.exe

Filesize
216KB

MD5
ae1f2bb1927054ec676cf546c2d98e6c

SHA1
bc0a0bc2243f987e57c36bed5491db0b29ce65ba

SHA256
69ddca6bdbe186d416403f59e1d8b95e568a5391fc0f7639e93f6c6968cebe34

SHA512
22b3e15123d24cba32518260c22f24796ced3340255dd36e401e9a0e42b7c981846b9abc377c053a3d179ad9d4b055cba8d205b0f6f92f599e2e74f7be26ff88

Download Submit
C:\Windows\{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe

Filesize
216KB

MD5
4bedca358e25a5ae7dabbc6850e3a130

SHA1
50fa5444b794d1a8f141a593a2cfc839450d4cc8

SHA256
cb05fd263461125ec07dfd192f0cc85f5328532089f62394110b0f91402c75ae

SHA512
2a955b91f84e667c7d51e110950cfc3ab178670db6181f4e6cbf95178a6a63411fa0cb28db61bd9d2ad78f0f3f19c1f4b0017a4a17c434ba19c0bb7bc71c6d63

Download Submit
C:\Windows\{99ACFAB9-1905-4127-AFAC-0253B63A0D50}.exe

Filesize
216KB

MD5
4bedca358e25a5ae7dabbc6850e3a130

SHA1
50fa5444b794d1a8f141a593a2cfc839450d4cc8

SHA256
cb05fd263461125ec07dfd192f0cc85f5328532089f62394110b0f91402c75ae

SHA512
2a955b91f84e667c7d51e110950cfc3ab178670db6181f4e6cbf95178a6a63411fa0cb28db61bd9d2ad78f0f3f19c1f4b0017a4a17c434ba19c0bb7bc71c6d63

Download Submit
C:\Windows\{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe

Filesize
216KB

MD5
7967682fb8e7f76d06549ab3291bfb8a

SHA1
5d969951f6fff59d4a2117c767f81ec0e4a4747b

SHA256
1e8d322677a0375ea9a1cb74c0c39b7230efd9afd40862606b45f3213b7a2707

SHA512
3602ba48c20587fcc49e44e63b64819bfb7748a36348c3472ba5969ebf0124a250413fb6fae1bf34affc036b621c99120639e6df29bb01d60c8711f6d3e6e4e6

Download Submit
C:\Windows\{ABA4C79F-6B79-4683-8AD7-A47CEAC961D2}.exe

Filesize
216KB

MD5
7967682fb8e7f76d06549ab3291bfb8a

SHA1
5d969951f6fff59d4a2117c767f81ec0e4a4747b

SHA256
1e8d322677a0375ea9a1cb74c0c39b7230efd9afd40862606b45f3213b7a2707

SHA512
3602ba48c20587fcc49e44e63b64819bfb7748a36348c3472ba5969ebf0124a250413fb6fae1bf34affc036b621c99120639e6df29bb01d60c8711f6d3e6e4e6

Download Submit
C:\Windows\{F071919B-164D-4220-BACC-2519DA855C4E}.exe

Filesize
216KB

MD5
2e911fb83f7e312b01b315fb45e665d6

SHA1
7dc13c1f2f7cab1f2c67beb94cb904db304296a6

SHA256
0840a54ed6991922a1e6417cef74af8ee0017d940b4fded0b8961f2b697b7fe4

SHA512
123d86b6526879be697b8472b3f04a90452cb8762abd719d329212e1003cddfe90c6cbe23cf308fcfca69a058fd92d265572286476018dcd7de085eb444a719f

Download Submit
C:\Windows\{F071919B-164D-4220-BACC-2519DA855C4E}.exe

Filesize
216KB

MD5
2e911fb83f7e312b01b315fb45e665d6

SHA1
7dc13c1f2f7cab1f2c67beb94cb904db304296a6

SHA256
0840a54ed6991922a1e6417cef74af8ee0017d940b4fded0b8961f2b697b7fe4

SHA512
123d86b6526879be697b8472b3f04a90452cb8762abd719d329212e1003cddfe90c6cbe23cf308fcfca69a058fd92d265572286476018dcd7de085eb444a719f

Download Submit
C:\Windows\{F071919B-164D-4220-BACC-2519DA855C4E}.exe

Filesize
216KB

MD5
2e911fb83f7e312b01b315fb45e665d6

SHA1
7dc13c1f2f7cab1f2c67beb94cb904db304296a6

SHA256
0840a54ed6991922a1e6417cef74af8ee0017d940b4fded0b8961f2b697b7fe4

SHA512
123d86b6526879be697b8472b3f04a90452cb8762abd719d329212e1003cddfe90c6cbe23cf308fcfca69a058fd92d265572286476018dcd7de085eb444a719f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads