a9e6f02ab6eb1511dfe59109b2fb92b0a59c546e33192935825aa8cc7d4bf437

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe
Size

344KB
MD5

38817917703d30044ccc1abb053a3316
SHA1

96a1baf6ae08bfa30e8b3ea38a4d64a0d7339abb
SHA256

a9e6f02ab6eb1511dfe59109b2fb92b0a59c546e33192935825aa8cc7d4bf437
SHA512

f316bf0c260d6e2cea48bada5fd9d38fb11214d68b92dc1053ba33ae3b1b5243781ebd4e3652f172761bbe82b3122ad6e856e22cb90a7c9ed9e2051814fcf26f
SSDEEP

3072:mEGh0o9lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG3lqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C2B9C92-5A83-48f6-A2C8-D082FB599C7A}\stubpath = "C:\\Windows\\{1C2B9C92-5A83-48f6-A2C8-D082FB599C7A}.exe"	{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}\stubpath = "C:\\Windows\\{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe"	{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79C7ECD8-192B-40cf-81C4-09EA93EAF012}\stubpath = "C:\\Windows\\{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe"	{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{396C1757-CE44-4d32-A0CB-D77840BCAD7F}	{7F93CA67-3393-42a4-9668-A7980655B11F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{396C1757-CE44-4d32-A0CB-D77840BCAD7F}\stubpath = "C:\\Windows\\{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe"	{7F93CA67-3393-42a4-9668-A7980655B11F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8121910-7851-4882-909C-7C087FBAE28A}\stubpath = "C:\\Windows\\{D8121910-7851-4882-909C-7C087FBAE28A}.exe"	{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4339C0CF-406A-46af-A198-ADB47D87FAF8}	{D8121910-7851-4882-909C-7C087FBAE28A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}\stubpath = "C:\\Windows\\{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe"	{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}	{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79C7ECD8-192B-40cf-81C4-09EA93EAF012}	{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F93CA67-3393-42a4-9668-A7980655B11F}	{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F93CA67-3393-42a4-9668-A7980655B11F}\stubpath = "C:\\Windows\\{7F93CA67-3393-42a4-9668-A7980655B11F}.exe"	{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4339C0CF-406A-46af-A198-ADB47D87FAF8}\stubpath = "C:\\Windows\\{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe"	{D8121910-7851-4882-909C-7C087FBAE28A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C2B9C92-5A83-48f6-A2C8-D082FB599C7A}	{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}\stubpath = "C:\\Windows\\{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe"	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}	{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C173E364-34AF-40ec-AE7A-1ED5BA167289}	{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C173E364-34AF-40ec-AE7A-1ED5BA167289}\stubpath = "C:\\Windows\\{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe"	{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCAB0196-35AD-4656-BF4D-829843AACCBC}	{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCAB0196-35AD-4656-BF4D-829843AACCBC}\stubpath = "C:\\Windows\\{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe"	{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8121910-7851-4882-909C-7C087FBAE28A}	{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe

Executes dropped EXE 11 IoCs

pid	Process
4412	{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe
1920	{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe
2300	{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe
4976	{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe
3980	{7F93CA67-3393-42a4-9668-A7980655B11F}.exe
3860	{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe
2204	{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe
4904	{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe
4216	{D8121910-7851-4882-909C-7C087FBAE28A}.exe
2832	{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe
4196	{1C2B9C92-5A83-48f6-A2C8-D082FB599C7A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe
File created	C:\Windows\{D8121910-7851-4882-909C-7C087FBAE28A}.exe	{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe
File created	C:\Windows\{1C2B9C92-5A83-48f6-A2C8-D082FB599C7A}.exe	{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe
File created	C:\Windows\{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe	{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe
File created	C:\Windows\{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe	{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe
File created	C:\Windows\{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe	{D8121910-7851-4882-909C-7C087FBAE28A}.exe
File created	C:\Windows\{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe	{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe
File created	C:\Windows\{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe	{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe
File created	C:\Windows\{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe	{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe
File created	C:\Windows\{7F93CA67-3393-42a4-9668-A7980655B11F}.exe	{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe
File created	C:\Windows\{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe	{7F93CA67-3393-42a4-9668-A7980655B11F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4380	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4412	{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe
Token: SeIncBasePriorityPrivilege	1920	{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe
Token: SeIncBasePriorityPrivilege	2300	{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe
Token: SeIncBasePriorityPrivilege	4976	{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe
Token: SeIncBasePriorityPrivilege	3980	{7F93CA67-3393-42a4-9668-A7980655B11F}.exe
Token: SeIncBasePriorityPrivilege	3860	{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe
Token: SeIncBasePriorityPrivilege	2204	{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe
Token: SeIncBasePriorityPrivilege	4904	{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe
Token: SeIncBasePriorityPrivilege	4216	{D8121910-7851-4882-909C-7C087FBAE28A}.exe
Token: SeIncBasePriorityPrivilege	2832	{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 4412	4380	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	79
PID 4380 wrote to memory of 4412	4380	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	79
PID 4380 wrote to memory of 4412	4380	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	79
PID 4380 wrote to memory of 4964	4380	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	80
PID 4380 wrote to memory of 4964	4380	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	80
PID 4380 wrote to memory of 4964	4380	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	80
PID 4412 wrote to memory of 1920	4412	{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe	81
PID 4412 wrote to memory of 1920	4412	{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe	81
PID 4412 wrote to memory of 1920	4412	{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe	81
PID 4412 wrote to memory of 4020	4412	{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe	82
PID 4412 wrote to memory of 4020	4412	{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe	82
PID 4412 wrote to memory of 4020	4412	{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe	82
PID 1920 wrote to memory of 2300	1920	{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe	83
PID 1920 wrote to memory of 2300	1920	{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe	83
PID 1920 wrote to memory of 2300	1920	{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe	83
PID 1920 wrote to memory of 2400	1920	{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe	84
PID 1920 wrote to memory of 2400	1920	{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe	84
PID 1920 wrote to memory of 2400	1920	{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe	84
PID 2300 wrote to memory of 4976	2300	{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe	85
PID 2300 wrote to memory of 4976	2300	{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe	85
PID 2300 wrote to memory of 4976	2300	{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe	85
PID 2300 wrote to memory of 1048	2300	{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe	86
PID 2300 wrote to memory of 1048	2300	{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe	86
PID 2300 wrote to memory of 1048	2300	{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe	86
PID 4976 wrote to memory of 3980	4976	{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe	88
PID 4976 wrote to memory of 3980	4976	{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe	88
PID 4976 wrote to memory of 3980	4976	{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe	88
PID 4976 wrote to memory of 1724	4976	{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe	87
PID 4976 wrote to memory of 1724	4976	{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe	87
PID 4976 wrote to memory of 1724	4976	{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe	87
PID 3980 wrote to memory of 3860	3980	{7F93CA67-3393-42a4-9668-A7980655B11F}.exe	89
PID 3980 wrote to memory of 3860	3980	{7F93CA67-3393-42a4-9668-A7980655B11F}.exe	89
PID 3980 wrote to memory of 3860	3980	{7F93CA67-3393-42a4-9668-A7980655B11F}.exe	89
PID 3980 wrote to memory of 4328	3980	{7F93CA67-3393-42a4-9668-A7980655B11F}.exe	90
PID 3980 wrote to memory of 4328	3980	{7F93CA67-3393-42a4-9668-A7980655B11F}.exe	90
PID 3980 wrote to memory of 4328	3980	{7F93CA67-3393-42a4-9668-A7980655B11F}.exe	90
PID 3860 wrote to memory of 2204	3860	{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe	91
PID 3860 wrote to memory of 2204	3860	{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe	91
PID 3860 wrote to memory of 2204	3860	{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe	91
PID 3860 wrote to memory of 4916	3860	{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe	92
PID 3860 wrote to memory of 4916	3860	{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe	92
PID 3860 wrote to memory of 4916	3860	{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe	92
PID 2204 wrote to memory of 4904	2204	{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe	93
PID 2204 wrote to memory of 4904	2204	{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe	93
PID 2204 wrote to memory of 4904	2204	{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe	93
PID 2204 wrote to memory of 4232	2204	{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe	94
PID 2204 wrote to memory of 4232	2204	{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe	94
PID 2204 wrote to memory of 4232	2204	{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe	94
PID 4904 wrote to memory of 4216	4904	{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe	95
PID 4904 wrote to memory of 4216	4904	{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe	95
PID 4904 wrote to memory of 4216	4904	{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe	95
PID 4904 wrote to memory of 5112	4904	{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe	96
PID 4904 wrote to memory of 5112	4904	{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe	96
PID 4904 wrote to memory of 5112	4904	{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe	96
PID 4216 wrote to memory of 2832	4216	{D8121910-7851-4882-909C-7C087FBAE28A}.exe	97
PID 4216 wrote to memory of 2832	4216	{D8121910-7851-4882-909C-7C087FBAE28A}.exe	97
PID 4216 wrote to memory of 2832	4216	{D8121910-7851-4882-909C-7C087FBAE28A}.exe	97
PID 4216 wrote to memory of 1608	4216	{D8121910-7851-4882-909C-7C087FBAE28A}.exe	98
PID 4216 wrote to memory of 1608	4216	{D8121910-7851-4882-909C-7C087FBAE28A}.exe	98
PID 4216 wrote to memory of 1608	4216	{D8121910-7851-4882-909C-7C087FBAE28A}.exe	98
PID 2832 wrote to memory of 4196	2832	{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe	99
PID 2832 wrote to memory of 4196	2832	{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe	99
PID 2832 wrote to memory of 4196	2832	{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe	99
PID 2832 wrote to memory of 2740	2832	{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe	100

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe
  C:\Windows\{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe
    C:\Windows\{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe
      C:\Windows\{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe
        
        C:\Windows\{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79C7E~1.EXE > nul
        6⤵
        
        PID:1724
      - C:\Windows\{7F93CA67-3393-42a4-9668-A7980655B11F}.exe
        
        C:\Windows\{7F93CA67-3393-42a4-9668-A7980655B11F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe
        
        C:\Windows\{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe
        
        C:\Windows\{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe
        
        C:\Windows\{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\{D8121910-7851-4882-909C-7C087FBAE28A}.exe
        
        C:\Windows\{D8121910-7851-4882-909C-7C087FBAE28A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe
        
        C:\Windows\{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{1C2B9C92-5A83-48f6-A2C8-D082FB599C7A}.exe
        
        C:\Windows\{1C2B9C92-5A83-48f6-A2C8-D082FB599C7A}.exe
        12⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4339C~1.EXE > nul
        12⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8121~1.EXE > nul
        11⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCAB0~1.EXE > nul
        10⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C173E~1.EXE > nul
        9⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{396C1~1.EXE > nul
        8⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F93C~1.EXE > nul
        7⤵
        
        PID:4328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{211DA~1.EXE > nul
        5⤵
        
        PID:1048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CABDA~1.EXE > nul
      4⤵
      PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D5EB1~1.EXE > nul
    3⤵
    PID:4020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C2B9C92-5A83-48f6-A2C8-D082FB599C7A}.exe

Filesize
344KB

MD5
66a7f8e5d91ff4b704357f4a15fe9019

SHA1
d1a408be99c64753b258b3a0c9ffd461d0eb6449

SHA256
cacee248df84516b5007aeb2dbda5289445d94184d1c6a6704263c2452c045ca

SHA512
8ef5c90b89f5742dfdee55452ad0e11f447d750e0dc51e161e97ef0e8c896a5e2419b6f6bc908eaa0658e89a1b9120cc1a0794d1981fdd80652e06e7edc115e1

Download Submit
C:\Windows\{1C2B9C92-5A83-48f6-A2C8-D082FB599C7A}.exe

Filesize
344KB

MD5
66a7f8e5d91ff4b704357f4a15fe9019

SHA1
d1a408be99c64753b258b3a0c9ffd461d0eb6449

SHA256
cacee248df84516b5007aeb2dbda5289445d94184d1c6a6704263c2452c045ca

SHA512
8ef5c90b89f5742dfdee55452ad0e11f447d750e0dc51e161e97ef0e8c896a5e2419b6f6bc908eaa0658e89a1b9120cc1a0794d1981fdd80652e06e7edc115e1

Download Submit
C:\Windows\{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe

Filesize
344KB

MD5
fc88896a756e038236a22dce45daac16

SHA1
a44f8f06ed97f4c010cf2d3b89a9c000648410f5

SHA256
c954d7e1fcb25f7e8d610ec31c2cbdfd4e4a7646b9ba16b6ceb5c4b2800ac4fa

SHA512
d95ddb39aec7575d6db4e4d4c58d914f83cd9bb326496a40fb466d7bf5c8d820a879b7728aa4dda27b35d8f54b720384337b9399f78da3b5c6cb1ad7001bf3d8

Download Submit
C:\Windows\{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe

Filesize
344KB

MD5
fc88896a756e038236a22dce45daac16

SHA1
a44f8f06ed97f4c010cf2d3b89a9c000648410f5

SHA256
c954d7e1fcb25f7e8d610ec31c2cbdfd4e4a7646b9ba16b6ceb5c4b2800ac4fa

SHA512
d95ddb39aec7575d6db4e4d4c58d914f83cd9bb326496a40fb466d7bf5c8d820a879b7728aa4dda27b35d8f54b720384337b9399f78da3b5c6cb1ad7001bf3d8

Download Submit
C:\Windows\{211DA7FF-6C04-47ac-9EDA-CCC92A82D853}.exe

Filesize
344KB

MD5
fc88896a756e038236a22dce45daac16

SHA1
a44f8f06ed97f4c010cf2d3b89a9c000648410f5

SHA256
c954d7e1fcb25f7e8d610ec31c2cbdfd4e4a7646b9ba16b6ceb5c4b2800ac4fa

SHA512
d95ddb39aec7575d6db4e4d4c58d914f83cd9bb326496a40fb466d7bf5c8d820a879b7728aa4dda27b35d8f54b720384337b9399f78da3b5c6cb1ad7001bf3d8

Download Submit
C:\Windows\{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe

Filesize
344KB

MD5
368143ed344e2a769e97be118a1f0727

SHA1
1a37e0ebdb093538e46e7f3d5ab953ae940474b1

SHA256
b785af706543668f7379806df9e28fc16d9887ae79d13d0080129292fa266ced

SHA512
1c924d3bbf300612587811895b58a08a5b360daf5071cd08bbba20907f8da03f3f46950d42287684b65f3969c7b74ed58bcaf324f7ea025e83c7d1e6a5457bed

Download Submit
C:\Windows\{396C1757-CE44-4d32-A0CB-D77840BCAD7F}.exe

Filesize
344KB

MD5
368143ed344e2a769e97be118a1f0727

SHA1
1a37e0ebdb093538e46e7f3d5ab953ae940474b1

SHA256
b785af706543668f7379806df9e28fc16d9887ae79d13d0080129292fa266ced

SHA512
1c924d3bbf300612587811895b58a08a5b360daf5071cd08bbba20907f8da03f3f46950d42287684b65f3969c7b74ed58bcaf324f7ea025e83c7d1e6a5457bed

Download Submit
C:\Windows\{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe

Filesize
344KB

MD5
c0141c1d75187b391d3f69d1fd31d714

SHA1
28497803fa29a9b6b5d6cfb00239289f785c3823

SHA256
3f286ecceac5d940d75a0a32a12df15503cf00a1a99aca3d8cb850948a5e768b

SHA512
aee70e8093cf407a3f7a22688febdc862c423ca5da6c598399afb5f8f7d84a0d164495ef413d60c0878da1cb49a8273c0be1378ea5775a156f52f6030d02470c

Download Submit
C:\Windows\{4339C0CF-406A-46af-A198-ADB47D87FAF8}.exe

Filesize
344KB

MD5
c0141c1d75187b391d3f69d1fd31d714

SHA1
28497803fa29a9b6b5d6cfb00239289f785c3823

SHA256
3f286ecceac5d940d75a0a32a12df15503cf00a1a99aca3d8cb850948a5e768b

SHA512
aee70e8093cf407a3f7a22688febdc862c423ca5da6c598399afb5f8f7d84a0d164495ef413d60c0878da1cb49a8273c0be1378ea5775a156f52f6030d02470c

Download Submit
C:\Windows\{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe

Filesize
344KB

MD5
230dac5adca928be985ea889e3ce7e54

SHA1
0f497407917475e28196530c4389b22194d58a63

SHA256
a132c13126d185fc84e827bdc81bdb1d39c24693db7ebe07134debb67c2dbec0

SHA512
baaabd971197634630712407f4cab194627ee0791bea31e876ff3c64d08d587207ad4e19a85e078aa635cc541f94810e8132d97bfc8ee7e46af72c30c3176002

Download Submit
C:\Windows\{79C7ECD8-192B-40cf-81C4-09EA93EAF012}.exe

Filesize
344KB

MD5
230dac5adca928be985ea889e3ce7e54

SHA1
0f497407917475e28196530c4389b22194d58a63

SHA256
a132c13126d185fc84e827bdc81bdb1d39c24693db7ebe07134debb67c2dbec0

SHA512
baaabd971197634630712407f4cab194627ee0791bea31e876ff3c64d08d587207ad4e19a85e078aa635cc541f94810e8132d97bfc8ee7e46af72c30c3176002

Download Submit
C:\Windows\{7F93CA67-3393-42a4-9668-A7980655B11F}.exe

Filesize
344KB

MD5
40417dd9d5bb95687263001d18d29577

SHA1
6520338c3c7ad9a983fda716063068f17d5e9211

SHA256
e816ed713e6eb4fc9ffeeb7135ac49a3be670619a45918e8e0b98790fe088888

SHA512
912a96a00e610c77d84c540a15becb2c921f3507a485e49e170672b6c46e92bc415a58ce3e9ac3a78f221af353b3f33cd000897928f9db7db7935a9bc15478a5

Download Submit
C:\Windows\{7F93CA67-3393-42a4-9668-A7980655B11F}.exe

Filesize
344KB

MD5
40417dd9d5bb95687263001d18d29577

SHA1
6520338c3c7ad9a983fda716063068f17d5e9211

SHA256
e816ed713e6eb4fc9ffeeb7135ac49a3be670619a45918e8e0b98790fe088888

SHA512
912a96a00e610c77d84c540a15becb2c921f3507a485e49e170672b6c46e92bc415a58ce3e9ac3a78f221af353b3f33cd000897928f9db7db7935a9bc15478a5

Download Submit
C:\Windows\{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe

Filesize
344KB

MD5
a4c8fa8672f26f5e0771bc0556184c32

SHA1
2cb84d037bc6399bc242fb354cb2b53d660df1b6

SHA256
c1f8384d9ba792827d53c88e91c307ca2c185898fc3e9e1c5515f08fb8527c0b

SHA512
8dcfe8affbb3e293f4b65e102726c923b69104472e48ac87eef5e0f8d4de42830877079fed994faa377f4e72e1c6f97f20d44864a8e1306fb18eee9241f520aa

Download Submit
C:\Windows\{C173E364-34AF-40ec-AE7A-1ED5BA167289}.exe

Filesize
344KB

MD5
a4c8fa8672f26f5e0771bc0556184c32

SHA1
2cb84d037bc6399bc242fb354cb2b53d660df1b6

SHA256
c1f8384d9ba792827d53c88e91c307ca2c185898fc3e9e1c5515f08fb8527c0b

SHA512
8dcfe8affbb3e293f4b65e102726c923b69104472e48ac87eef5e0f8d4de42830877079fed994faa377f4e72e1c6f97f20d44864a8e1306fb18eee9241f520aa

Download Submit
C:\Windows\{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe

Filesize
344KB

MD5
1e37eb3c00b7ec349dcc134dca56bdc8

SHA1
3cf52def5487daa0014118491a903d7b9a5fd65b

SHA256
2b3166b1e39a9f7d81d3157ae1b671e5814c7c9f023903d0079ae78d7e9bb4c4

SHA512
6e6337abd17b195d88cc3bd001a2b375392fee95bc262e7f4f15172673e9fc491620d42d11705094ad602c098b25ba8a4fbd7cb4a196f7b7671f4e6c1116ef6f

Download Submit
C:\Windows\{CABDA3A3-4EF1-4de0-B3BF-883FD224BE97}.exe

Filesize
344KB

MD5
1e37eb3c00b7ec349dcc134dca56bdc8

SHA1
3cf52def5487daa0014118491a903d7b9a5fd65b

SHA256
2b3166b1e39a9f7d81d3157ae1b671e5814c7c9f023903d0079ae78d7e9bb4c4

SHA512
6e6337abd17b195d88cc3bd001a2b375392fee95bc262e7f4f15172673e9fc491620d42d11705094ad602c098b25ba8a4fbd7cb4a196f7b7671f4e6c1116ef6f

Download Submit
C:\Windows\{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe

Filesize
344KB

MD5
e3dc32c215cc833a81349a535b1ec4cc

SHA1
9e89bc42f2c790a7b92732a6f9cb24820009bbec

SHA256
9cc349f54aaad2726ac394133f163b3d43a24d01e4ece852533bfbe5798c67f0

SHA512
4b3afd9cc62900f0abacff19d1f6a6d5912f65c3027e67133f1b9ac36f56ce9c7c6cd8dd323aaed307eea9b61b8a7aa8c773f8baccf8668e8268a59c34bf0e8c

Download Submit
C:\Windows\{CCAB0196-35AD-4656-BF4D-829843AACCBC}.exe

Filesize
344KB

MD5
e3dc32c215cc833a81349a535b1ec4cc

SHA1
9e89bc42f2c790a7b92732a6f9cb24820009bbec

SHA256
9cc349f54aaad2726ac394133f163b3d43a24d01e4ece852533bfbe5798c67f0

SHA512
4b3afd9cc62900f0abacff19d1f6a6d5912f65c3027e67133f1b9ac36f56ce9c7c6cd8dd323aaed307eea9b61b8a7aa8c773f8baccf8668e8268a59c34bf0e8c

Download Submit
C:\Windows\{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe

Filesize
344KB

MD5
9d095e4dc33049b8df6b58e6dc2bbcd7

SHA1
7ad81cc4d3d51965995fbbb8a626dabdd23cd8ba

SHA256
f279d6899d53dcdcbeff1481dfe9b77f453d37f67c0adfdb372418e5425d8112

SHA512
923882020af87b33e9646398b7dde89b8cd8ced669231049a83482f067e5ea811ff577e4d566b27683cf8c911ebd552c328bd190f477a0566a190430f9c33dcf

Download Submit
C:\Windows\{D5EB1DEA-33E3-4119-A8B9-10306190A9DB}.exe

Filesize
344KB

MD5
9d095e4dc33049b8df6b58e6dc2bbcd7

SHA1
7ad81cc4d3d51965995fbbb8a626dabdd23cd8ba

SHA256
f279d6899d53dcdcbeff1481dfe9b77f453d37f67c0adfdb372418e5425d8112

SHA512
923882020af87b33e9646398b7dde89b8cd8ced669231049a83482f067e5ea811ff577e4d566b27683cf8c911ebd552c328bd190f477a0566a190430f9c33dcf

Download Submit
C:\Windows\{D8121910-7851-4882-909C-7C087FBAE28A}.exe

Filesize
344KB

MD5
30220d34dddcc7e076e82264f044fe34

SHA1
f7c44fe1fa55b3455d2a75d9a5671aee646d1b5e

SHA256
adaa83d6f3264d6779da58af11cf21ec4b230e76a887f589838edf63f84e5fa2

SHA512
4e2de6a115636d90cd7f757537356f8f8b903c0253557b4223ef34cf92a5e31463cd6bc100ad17d1b39d63e2f282f651077daede0acde6176d60561daafaf250

Download Submit
C:\Windows\{D8121910-7851-4882-909C-7C087FBAE28A}.exe

Filesize
344KB

MD5
30220d34dddcc7e076e82264f044fe34

SHA1
f7c44fe1fa55b3455d2a75d9a5671aee646d1b5e

SHA256
adaa83d6f3264d6779da58af11cf21ec4b230e76a887f589838edf63f84e5fa2

SHA512
4e2de6a115636d90cd7f757537356f8f8b903c0253557b4223ef34cf92a5e31463cd6bc100ad17d1b39d63e2f282f651077daede0acde6176d60561daafaf250

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads