996c61da9e961e154a24c6d43ed2caefd1b3584c5841e9bfc4d861e70075cdac

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe
Size

408KB
MD5

a30a329e59dbd88141b6aba235fea43a
SHA1

88e83dae536655482c5c15370a67dc5efac463d2
SHA256

996c61da9e961e154a24c6d43ed2caefd1b3584c5841e9bfc4d861e70075cdac
SHA512

ab07ef3450fb31fabceec7fdce0d4bbb2387e320f9dae663f8f4301ab405ed68cfff4a56dfe9e97f8758c1ce2d27f79e4f2fce1be1acf637dee6e38fd048661d
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGkldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F944847F-5563-4927-B26B-BBCD105870B5}	NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F944847F-5563-4927-B26B-BBCD105870B5}\stubpath = "C:\\Windows\\{F944847F-5563-4927-B26B-BBCD105870B5}.exe"	NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}	{F944847F-5563-4927-B26B-BBCD105870B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E846A6AF-60B0-4d57-9923-93C0FD8A592E}	{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{543C1A4E-A304-4385-8403-7CE3DACED30D}	{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C796F072-3308-4cdf-847D-A70322D8B1AE}	{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91D8295E-C20C-48a5-8BA5-B1A60244DB21}	{0ED14166-9E5C-4901-8DE2-6B7A2CD79D29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E870B439-BB4C-4278-A9E7-57D393CAD216}\stubpath = "C:\\Windows\\{E870B439-BB4C-4278-A9E7-57D393CAD216}.exe"	{91D8295E-C20C-48a5-8BA5-B1A60244DB21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3262171C-8E71-4d3c-B73E-294C6EF56589}\stubpath = "C:\\Windows\\{3262171C-8E71-4d3c-B73E-294C6EF56589}.exe"	{A6F5DC9F-5DAA-4a00-898E-D5323FFBF4FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6FC2EDB-A079-4724-A395-AE3110E3B270}\stubpath = "C:\\Windows\\{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe"	{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C796F072-3308-4cdf-847D-A70322D8B1AE}\stubpath = "C:\\Windows\\{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe"	{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ED14166-9E5C-4901-8DE2-6B7A2CD79D29}	{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E870B439-BB4C-4278-A9E7-57D393CAD216}	{91D8295E-C20C-48a5-8BA5-B1A60244DB21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}	{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}\stubpath = "C:\\Windows\\{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe"	{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6FC2EDB-A079-4724-A395-AE3110E3B270}	{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E846A6AF-60B0-4d57-9923-93C0FD8A592E}\stubpath = "C:\\Windows\\{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe"	{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91D8295E-C20C-48a5-8BA5-B1A60244DB21}\stubpath = "C:\\Windows\\{91D8295E-C20C-48a5-8BA5-B1A60244DB21}.exe"	{0ED14166-9E5C-4901-8DE2-6B7A2CD79D29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6F5DC9F-5DAA-4a00-898E-D5323FFBF4FB}\stubpath = "C:\\Windows\\{A6F5DC9F-5DAA-4a00-898E-D5323FFBF4FB}.exe"	{E870B439-BB4C-4278-A9E7-57D393CAD216}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3262171C-8E71-4d3c-B73E-294C6EF56589}	{A6F5DC9F-5DAA-4a00-898E-D5323FFBF4FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}\stubpath = "C:\\Windows\\{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe"	{F944847F-5563-4927-B26B-BBCD105870B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{543C1A4E-A304-4385-8403-7CE3DACED30D}\stubpath = "C:\\Windows\\{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe"	{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ED14166-9E5C-4901-8DE2-6B7A2CD79D29}\stubpath = "C:\\Windows\\{0ED14166-9E5C-4901-8DE2-6B7A2CD79D29}.exe"	{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6F5DC9F-5DAA-4a00-898E-D5323FFBF4FB}	{E870B439-BB4C-4278-A9E7-57D393CAD216}.exe

Deletes itself 1 IoCs

pid	Process
664	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2284	{F944847F-5563-4927-B26B-BBCD105870B5}.exe
1640	{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe
1856	{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe
1608	{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe
2732	{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe
2692	{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe
2716	{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe
2620	{0ED14166-9E5C-4901-8DE2-6B7A2CD79D29}.exe
2756	{91D8295E-C20C-48a5-8BA5-B1A60244DB21}.exe
2596	{E870B439-BB4C-4278-A9E7-57D393CAD216}.exe
1708	{A6F5DC9F-5DAA-4a00-898E-D5323FFBF4FB}.exe
1944	{3262171C-8E71-4d3c-B73E-294C6EF56589}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe	{F944847F-5563-4927-B26B-BBCD105870B5}.exe
File created	C:\Windows\{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe	{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe
File created	C:\Windows\{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe	{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe
File created	C:\Windows\{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe	{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe
File created	C:\Windows\{91D8295E-C20C-48a5-8BA5-B1A60244DB21}.exe	{0ED14166-9E5C-4901-8DE2-6B7A2CD79D29}.exe
File created	C:\Windows\{A6F5DC9F-5DAA-4a00-898E-D5323FFBF4FB}.exe	{E870B439-BB4C-4278-A9E7-57D393CAD216}.exe
File created	C:\Windows\{F944847F-5563-4927-B26B-BBCD105870B5}.exe	NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe
File created	C:\Windows\{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe	{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe
File created	C:\Windows\{0ED14166-9E5C-4901-8DE2-6B7A2CD79D29}.exe	{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe
File created	C:\Windows\{E870B439-BB4C-4278-A9E7-57D393CAD216}.exe	{91D8295E-C20C-48a5-8BA5-B1A60244DB21}.exe
File created	C:\Windows\{3262171C-8E71-4d3c-B73E-294C6EF56589}.exe	{A6F5DC9F-5DAA-4a00-898E-D5323FFBF4FB}.exe
File created	C:\Windows\{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe	{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1636	NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2284	{F944847F-5563-4927-B26B-BBCD105870B5}.exe
Token: SeIncBasePriorityPrivilege	1640	{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe
Token: SeIncBasePriorityPrivilege	1856	{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe
Token: SeIncBasePriorityPrivilege	1608	{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe
Token: SeIncBasePriorityPrivilege	2732	{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe
Token: SeIncBasePriorityPrivilege	2692	{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe
Token: SeIncBasePriorityPrivilege	2716	{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe
Token: SeIncBasePriorityPrivilege	2620	{0ED14166-9E5C-4901-8DE2-6B7A2CD79D29}.exe
Token: SeIncBasePriorityPrivilege	2756	{91D8295E-C20C-48a5-8BA5-B1A60244DB21}.exe
Token: SeIncBasePriorityPrivilege	2596	{E870B439-BB4C-4278-A9E7-57D393CAD216}.exe
Token: SeIncBasePriorityPrivilege	1708	{A6F5DC9F-5DAA-4a00-898E-D5323FFBF4FB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2284	1636	NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe	30
PID 1636 wrote to memory of 2284	1636	NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe	30
PID 1636 wrote to memory of 2284	1636	NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe	30
PID 1636 wrote to memory of 2284	1636	NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe	30
PID 1636 wrote to memory of 664	1636	NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe	31
PID 1636 wrote to memory of 664	1636	NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe	31
PID 1636 wrote to memory of 664	1636	NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe	31
PID 1636 wrote to memory of 664	1636	NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe	31
PID 2284 wrote to memory of 1640	2284	{F944847F-5563-4927-B26B-BBCD105870B5}.exe	32
PID 2284 wrote to memory of 1640	2284	{F944847F-5563-4927-B26B-BBCD105870B5}.exe	32
PID 2284 wrote to memory of 1640	2284	{F944847F-5563-4927-B26B-BBCD105870B5}.exe	32
PID 2284 wrote to memory of 1640	2284	{F944847F-5563-4927-B26B-BBCD105870B5}.exe	32
PID 2284 wrote to memory of 1532	2284	{F944847F-5563-4927-B26B-BBCD105870B5}.exe	33
PID 2284 wrote to memory of 1532	2284	{F944847F-5563-4927-B26B-BBCD105870B5}.exe	33
PID 2284 wrote to memory of 1532	2284	{F944847F-5563-4927-B26B-BBCD105870B5}.exe	33
PID 2284 wrote to memory of 1532	2284	{F944847F-5563-4927-B26B-BBCD105870B5}.exe	33
PID 1640 wrote to memory of 1856	1640	{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe	34
PID 1640 wrote to memory of 1856	1640	{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe	34
PID 1640 wrote to memory of 1856	1640	{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe	34
PID 1640 wrote to memory of 1856	1640	{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe	34
PID 1640 wrote to memory of 2668	1640	{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe	35
PID 1640 wrote to memory of 2668	1640	{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe	35
PID 1640 wrote to memory of 2668	1640	{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe	35
PID 1640 wrote to memory of 2668	1640	{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe	35
PID 1856 wrote to memory of 1608	1856	{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe	36
PID 1856 wrote to memory of 1608	1856	{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe	36
PID 1856 wrote to memory of 1608	1856	{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe	36
PID 1856 wrote to memory of 1608	1856	{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe	36
PID 1856 wrote to memory of 2160	1856	{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe	37
PID 1856 wrote to memory of 2160	1856	{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe	37
PID 1856 wrote to memory of 2160	1856	{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe	37
PID 1856 wrote to memory of 2160	1856	{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe	37
PID 1608 wrote to memory of 2732	1608	{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe	38
PID 1608 wrote to memory of 2732	1608	{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe	38
PID 1608 wrote to memory of 2732	1608	{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe	38
PID 1608 wrote to memory of 2732	1608	{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe	38
PID 1608 wrote to memory of 2800	1608	{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe	39
PID 1608 wrote to memory of 2800	1608	{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe	39
PID 1608 wrote to memory of 2800	1608	{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe	39
PID 1608 wrote to memory of 2800	1608	{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe	39
PID 2732 wrote to memory of 2692	2732	{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe	40
PID 2732 wrote to memory of 2692	2732	{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe	40
PID 2732 wrote to memory of 2692	2732	{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe	40
PID 2732 wrote to memory of 2692	2732	{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe	40
PID 2732 wrote to memory of 3000	2732	{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe	41
PID 2732 wrote to memory of 3000	2732	{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe	41
PID 2732 wrote to memory of 3000	2732	{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe	41
PID 2732 wrote to memory of 3000	2732	{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe	41
PID 2692 wrote to memory of 2716	2692	{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe	42
PID 2692 wrote to memory of 2716	2692	{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe	42
PID 2692 wrote to memory of 2716	2692	{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe	42
PID 2692 wrote to memory of 2716	2692	{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe	42
PID 2692 wrote to memory of 2536	2692	{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe	43
PID 2692 wrote to memory of 2536	2692	{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe	43
PID 2692 wrote to memory of 2536	2692	{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe	43
PID 2692 wrote to memory of 2536	2692	{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe	43
PID 2716 wrote to memory of 2620	2716	{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe	44
PID 2716 wrote to memory of 2620	2716	{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe	44
PID 2716 wrote to memory of 2620	2716	{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe	44
PID 2716 wrote to memory of 2620	2716	{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe	44
PID 2716 wrote to memory of 1712	2716	{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe	45
PID 2716 wrote to memory of 1712	2716	{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe	45
PID 2716 wrote to memory of 1712	2716	{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe	45
PID 2716 wrote to memory of 1712	2716	{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_a30a329e59dbd88141b6aba235fea43a_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\{F944847F-5563-4927-B26B-BBCD105870B5}.exe
  C:\Windows\{F944847F-5563-4927-B26B-BBCD105870B5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe
    C:\Windows\{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe
      C:\Windows\{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Windows\{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe
        
        C:\Windows\{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe
        
        C:\Windows\{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe
        
        C:\Windows\{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe
        
        C:\Windows\{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{0ED14166-9E5C-4901-8DE2-6B7A2CD79D29}.exe
        
        C:\Windows\{0ED14166-9E5C-4901-8DE2-6B7A2CD79D29}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\{91D8295E-C20C-48a5-8BA5-B1A60244DB21}.exe
        
        C:\Windows\{91D8295E-C20C-48a5-8BA5-B1A60244DB21}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91D82~1.EXE > nul
        11⤵
        
        PID:2656
        
        C:\Windows\{E870B439-BB4C-4278-A9E7-57D393CAD216}.exe
        
        C:\Windows\{E870B439-BB4C-4278-A9E7-57D393CAD216}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\{A6F5DC9F-5DAA-4a00-898E-D5323FFBF4FB}.exe
        
        C:\Windows\{A6F5DC9F-5DAA-4a00-898E-D5323FFBF4FB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\{3262171C-8E71-4d3c-B73E-294C6EF56589}.exe
        
        C:\Windows\{3262171C-8E71-4d3c-B73E-294C6EF56589}.exe
        13⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6F5D~1.EXE > nul
        13⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E870B~1.EXE > nul
        12⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0ED14~1.EXE > nul
        10⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C796F~1.EXE > nul
        9⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{543C1~1.EXE > nul
        8⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E846A~1.EXE > nul
        7⤵
        
        PID:3000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6FC2~1.EXE > nul
        6⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{777BD~1.EXE > nul
        5⤵
        
        PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F54FB~1.EXE > nul
      4⤵
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F9448~1.EXE > nul
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0ED14166-9E5C-4901-8DE2-6B7A2CD79D29}.exe

Filesize
408KB

MD5
a1c639007c96ca7e6ce8f17b23ef11d1

SHA1
f5645cc305b344c4c950f8538eb64831abf4aea5

SHA256
2002dd57a4aec069b4858fef7f3c9ac9e02eac3375119199f4dfdd2e36b2acd2

SHA512
514e5a4242307990df8581b3ead5d1f561d5ce18b7fbdba243242fb1e01649c872ff12ec00268bac9208a8b16608531634f850e9b35051b90072b454f5405f70

Download Submit
C:\Windows\{0ED14166-9E5C-4901-8DE2-6B7A2CD79D29}.exe

Filesize
408KB

MD5
a1c639007c96ca7e6ce8f17b23ef11d1

SHA1
f5645cc305b344c4c950f8538eb64831abf4aea5

SHA256
2002dd57a4aec069b4858fef7f3c9ac9e02eac3375119199f4dfdd2e36b2acd2

SHA512
514e5a4242307990df8581b3ead5d1f561d5ce18b7fbdba243242fb1e01649c872ff12ec00268bac9208a8b16608531634f850e9b35051b90072b454f5405f70

Download Submit
C:\Windows\{3262171C-8E71-4d3c-B73E-294C6EF56589}.exe

Filesize
408KB

MD5
3814b036b9d58e4f1da5538aa0dfcd41

SHA1
9aa5b96d3a256263cee6e809fafdbc50e585eb6f

SHA256
d6c7f1ab361ced4a757e095928cb531f757a55371fb7c2af0082a6bbe7180a6b

SHA512
bb038a36ba4de13d11e8a8f7a8eefc0928aee7365966cee717a7efb1c6d6ddf511a8274e591f8ab25a00ce3e73fccca5a6d5de0f76c508a576af2699ab23d481

Download Submit
C:\Windows\{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe

Filesize
408KB

MD5
1628ef77b03c2f327ac61f88d2390e7c

SHA1
11ec776751473e17ae6c90fbe63bcc1a93598ff4

SHA256
91df3605360e7dbfac1abca852299604a126fd1ce0232ec8c8293c4a83d149ad

SHA512
f40fb5c6986e1bda3d74d135ab52d93c335a4c47e82fd782df427471811b0cb34c0483dccba7cf52720d849fe1310fb8d33032eff5d47e39bff537c9c456a45e

Download Submit
C:\Windows\{543C1A4E-A304-4385-8403-7CE3DACED30D}.exe

Filesize
408KB

MD5
1628ef77b03c2f327ac61f88d2390e7c

SHA1
11ec776751473e17ae6c90fbe63bcc1a93598ff4

SHA256
91df3605360e7dbfac1abca852299604a126fd1ce0232ec8c8293c4a83d149ad

SHA512
f40fb5c6986e1bda3d74d135ab52d93c335a4c47e82fd782df427471811b0cb34c0483dccba7cf52720d849fe1310fb8d33032eff5d47e39bff537c9c456a45e

Download Submit
C:\Windows\{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe

Filesize
408KB

MD5
eac0486a41eaa4a77ab93315d265442d

SHA1
7167eae0f8c9709160e2de6de43c8c75bdc20776

SHA256
5ce581131a452b141afcd914c4bb21c3e38e02475441174f21b3b25accdf53d6

SHA512
4216c5c1a921054ae03577a3e6378244ec469c15e216da5256f095622ced11000197008c82fe0d11e2d7f4e5131f4f0e2456d9f0df62631d2a589d1ff0fe1e53

Download Submit
C:\Windows\{777BD7AF-5CE9-481e-8168-6A2A89B3A2B3}.exe

Filesize
408KB

MD5
eac0486a41eaa4a77ab93315d265442d

SHA1
7167eae0f8c9709160e2de6de43c8c75bdc20776

SHA256
5ce581131a452b141afcd914c4bb21c3e38e02475441174f21b3b25accdf53d6

SHA512
4216c5c1a921054ae03577a3e6378244ec469c15e216da5256f095622ced11000197008c82fe0d11e2d7f4e5131f4f0e2456d9f0df62631d2a589d1ff0fe1e53

Download Submit
C:\Windows\{91D8295E-C20C-48a5-8BA5-B1A60244DB21}.exe

Filesize
408KB

MD5
91a3814b13e0e93cbb498d8cce07cf91

SHA1
66c09c03707b4ddeb08f74d3403330dbf31621f9

SHA256
313d764547128959b96754a56d6061e84fe32ac8cb7ca6113211730c9b1d46fb

SHA512
d8a68790019a045c22355613e711c924cc4038fdca3d5732142e5766634e6667b2e221575bba56751f207870ffbb3bb1808bd5b872fbee914c703e2fb5cafb05

Download Submit
C:\Windows\{91D8295E-C20C-48a5-8BA5-B1A60244DB21}.exe

Filesize
408KB

MD5
91a3814b13e0e93cbb498d8cce07cf91

SHA1
66c09c03707b4ddeb08f74d3403330dbf31621f9

SHA256
313d764547128959b96754a56d6061e84fe32ac8cb7ca6113211730c9b1d46fb

SHA512
d8a68790019a045c22355613e711c924cc4038fdca3d5732142e5766634e6667b2e221575bba56751f207870ffbb3bb1808bd5b872fbee914c703e2fb5cafb05

Download Submit
C:\Windows\{A6F5DC9F-5DAA-4a00-898E-D5323FFBF4FB}.exe

Filesize
408KB

MD5
9325ce163cc5619d377e4a56e14aad86

SHA1
f8bddefe63d4374ae30b19f2d08d361af5a24d92

SHA256
9fc1218836096fc78760a1adc176fce7ac67995bbfe75116358dcc9628a07d41

SHA512
96974a09a9a5c26b65a8c1986ba869dde4e85dda14b1b745104b9b90ec5c273098d2318a462a5fc7f48fc87cf294514372bcfdbb5d1d9c33297fed35043d839d

Download Submit
C:\Windows\{A6F5DC9F-5DAA-4a00-898E-D5323FFBF4FB}.exe

Filesize
408KB

MD5
9325ce163cc5619d377e4a56e14aad86

SHA1
f8bddefe63d4374ae30b19f2d08d361af5a24d92

SHA256
9fc1218836096fc78760a1adc176fce7ac67995bbfe75116358dcc9628a07d41

SHA512
96974a09a9a5c26b65a8c1986ba869dde4e85dda14b1b745104b9b90ec5c273098d2318a462a5fc7f48fc87cf294514372bcfdbb5d1d9c33297fed35043d839d

Download Submit
C:\Windows\{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe

Filesize
408KB

MD5
3b7adcaf098d81fbd6896d3fd61480b7

SHA1
08da93d8f4024715e627278ec6d4803f8e80c4b9

SHA256
0a05c39988757484c60bf478317683dce9087afa0b684d6a1f9047ee54581f42

SHA512
8f9917746ac31a31c1e8aac986f54890a4460d6b31599e864d2f76d769b275ab6b4011e49c8555897575df6f3d9eb95d63bfb87394662bdd706a9926bfbed447

Download Submit
C:\Windows\{A6FC2EDB-A079-4724-A395-AE3110E3B270}.exe

Filesize
408KB

MD5
3b7adcaf098d81fbd6896d3fd61480b7

SHA1
08da93d8f4024715e627278ec6d4803f8e80c4b9

SHA256
0a05c39988757484c60bf478317683dce9087afa0b684d6a1f9047ee54581f42

SHA512
8f9917746ac31a31c1e8aac986f54890a4460d6b31599e864d2f76d769b275ab6b4011e49c8555897575df6f3d9eb95d63bfb87394662bdd706a9926bfbed447

Download Submit
C:\Windows\{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe

Filesize
408KB

MD5
301670601fb0a81311df7687c57022ab

SHA1
4a94e38965fe1576c52482c88bbe62dc9efbd588

SHA256
fd850bbe07b5912228f2d0860b218b8bb3231a20639f39e14f7510c48becdf70

SHA512
534c23a9a082263034ed9f4d9f199dfc2271395f6bc56ca2e4ac961c8207cbacb39088650a9e18a1664db27d1a7cfe9670620f05423b717f67aaeecea4aa71ae

Download Submit
C:\Windows\{C796F072-3308-4cdf-847D-A70322D8B1AE}.exe

Filesize
408KB

MD5
301670601fb0a81311df7687c57022ab

SHA1
4a94e38965fe1576c52482c88bbe62dc9efbd588

SHA256
fd850bbe07b5912228f2d0860b218b8bb3231a20639f39e14f7510c48becdf70

SHA512
534c23a9a082263034ed9f4d9f199dfc2271395f6bc56ca2e4ac961c8207cbacb39088650a9e18a1664db27d1a7cfe9670620f05423b717f67aaeecea4aa71ae

Download Submit
C:\Windows\{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe

Filesize
408KB

MD5
d680890de27870f85152546311d18501

SHA1
1c86cd2201532b8b54e6e59c7db058428f65d06e

SHA256
f4c5efd5a828fa2731d3aa6ed55d9c9f0845db609f102a3eea4300ba4c2f8852

SHA512
b6c1f128a7fe583ea0e4e128146616d918698f13cc4c268b6eec910f0e716669d70830ddc0ebf61955ebae3c879c44aa1ba20d4999392fe1d5d4a6ccfaf1ea7c

Download Submit
C:\Windows\{E846A6AF-60B0-4d57-9923-93C0FD8A592E}.exe

Filesize
408KB

MD5
d680890de27870f85152546311d18501

SHA1
1c86cd2201532b8b54e6e59c7db058428f65d06e

SHA256
f4c5efd5a828fa2731d3aa6ed55d9c9f0845db609f102a3eea4300ba4c2f8852

SHA512
b6c1f128a7fe583ea0e4e128146616d918698f13cc4c268b6eec910f0e716669d70830ddc0ebf61955ebae3c879c44aa1ba20d4999392fe1d5d4a6ccfaf1ea7c

Download Submit
C:\Windows\{E870B439-BB4C-4278-A9E7-57D393CAD216}.exe

Filesize
408KB

MD5
96dbefb27ca01fd03d37436eb1ba466f

SHA1
db8a6f1acd42485fd6cf8fc98d7ee8666de678cb

SHA256
8512ca9d7b0c683386523811d363b5dbb6b7c0b9b01851cbe42a85b46abf0f5c

SHA512
c103a1268418df5e35a44d5853799f0594a49e8e7db679ee5a5f3e1ec63115df71e77728facebaeb8ae8f24be7a955dc6c286d73ccd74bd7f9eefdaf2ea93185

Download Submit
C:\Windows\{E870B439-BB4C-4278-A9E7-57D393CAD216}.exe

Filesize
408KB

MD5
96dbefb27ca01fd03d37436eb1ba466f

SHA1
db8a6f1acd42485fd6cf8fc98d7ee8666de678cb

SHA256
8512ca9d7b0c683386523811d363b5dbb6b7c0b9b01851cbe42a85b46abf0f5c

SHA512
c103a1268418df5e35a44d5853799f0594a49e8e7db679ee5a5f3e1ec63115df71e77728facebaeb8ae8f24be7a955dc6c286d73ccd74bd7f9eefdaf2ea93185

Download Submit
C:\Windows\{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe

Filesize
408KB

MD5
8e4d42e285cf89ff343c21bb3e671bf9

SHA1
e29115e46a6b4676d8240764834f0ae7a4699517

SHA256
7123eb2b8a43124aebab0d64820f316f4850780d985bd1e26dc6e5ffe790eec4

SHA512
34724aad6e1e63b039e3b90d6dbbd128281935f89e90baa84631ce822cf28253a11dfe6d626655c011e5dd4d83c967b9e1c80f52b8ada64299a012a0513aebd0

Download Submit
C:\Windows\{F54FB3DC-DDAF-40dd-96B9-4C3844D158DE}.exe

Filesize
408KB

MD5
8e4d42e285cf89ff343c21bb3e671bf9

SHA1
e29115e46a6b4676d8240764834f0ae7a4699517

SHA256
7123eb2b8a43124aebab0d64820f316f4850780d985bd1e26dc6e5ffe790eec4

SHA512
34724aad6e1e63b039e3b90d6dbbd128281935f89e90baa84631ce822cf28253a11dfe6d626655c011e5dd4d83c967b9e1c80f52b8ada64299a012a0513aebd0

Download Submit
C:\Windows\{F944847F-5563-4927-B26B-BBCD105870B5}.exe

Filesize
408KB

MD5
6bcca149e263f096d8b197a089ee71bd

SHA1
a7719784abc68906a7feab061b73264c0fa459ca

SHA256
7f16a920b8fa7abd2777e6eb88293b985fdb77b7196006e8eb3da8107811c23c

SHA512
944c93d39a978acf2aa56dab77fce805c07a4f0a32ccbdaf9e8ddcb32fc551e29dbf59201765c67fdc931f26805577882b2bae8dcacb42c49049bdc41f02f81f

Download Submit
C:\Windows\{F944847F-5563-4927-B26B-BBCD105870B5}.exe

Filesize
408KB

MD5
6bcca149e263f096d8b197a089ee71bd

SHA1
a7719784abc68906a7feab061b73264c0fa459ca

SHA256
7f16a920b8fa7abd2777e6eb88293b985fdb77b7196006e8eb3da8107811c23c

SHA512
944c93d39a978acf2aa56dab77fce805c07a4f0a32ccbdaf9e8ddcb32fc551e29dbf59201765c67fdc931f26805577882b2bae8dcacb42c49049bdc41f02f81f

Download Submit
C:\Windows\{F944847F-5563-4927-B26B-BBCD105870B5}.exe

Filesize
408KB

MD5
6bcca149e263f096d8b197a089ee71bd

SHA1
a7719784abc68906a7feab061b73264c0fa459ca

SHA256
7f16a920b8fa7abd2777e6eb88293b985fdb77b7196006e8eb3da8107811c23c

SHA512
944c93d39a978acf2aa56dab77fce805c07a4f0a32ccbdaf9e8ddcb32fc551e29dbf59201765c67fdc931f26805577882b2bae8dcacb42c49049bdc41f02f81f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads