b8226b80cc041688b327ee5af495333fa4430c65c596267e68e55656398c4b1e

Analysis

max time kernel
151s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe
Size

380KB
MD5

767115e7e1722ef9f59077aebf1330e9
SHA1

752693689cb2f89145aa98078f4292bd1d1ad6ce
SHA256

b8226b80cc041688b327ee5af495333fa4430c65c596267e68e55656398c4b1e
SHA512

9e3046b0da6b14bd80da28dc9912b68d12528b23d45fa052df88f2b75ae03a480b598cc4789dbf9ff44ed92faa5ff1801f69f96ccdf1856f576a3047ee087a70
SSDEEP

3072:mEGh0oYlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGil7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D71D016-462B-4cd8-B510-F5000656D0BE}\stubpath = "C:\\Windows\\{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe"	{26D476E1-B726-402e-A946-24F5F3796B02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CE3CB29-FD10-4358-8305-C071036FFF7E}	{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}\stubpath = "C:\\Windows\\{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe"	{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0273F29A-F9F4-4117-AE80-CB5C066FD093}	{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0273F29A-F9F4-4117-AE80-CB5C066FD093}\stubpath = "C:\\Windows\\{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe"	{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}\stubpath = "C:\\Windows\\{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe"	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26D476E1-B726-402e-A946-24F5F3796B02}	{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D71D016-462B-4cd8-B510-F5000656D0BE}	{26D476E1-B726-402e-A946-24F5F3796B02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CE3CB29-FD10-4358-8305-C071036FFF7E}\stubpath = "C:\\Windows\\{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe"	{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6027435-D048-4d18-A5E9-E53DE86DFA94}\stubpath = "C:\\Windows\\{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe"	{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}	{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4A253B1-4928-4180-95DC-7BC9332317DA}\stubpath = "C:\\Windows\\{B4A253B1-4928-4180-95DC-7BC9332317DA}.exe"	{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA9641AC-044B-46fd-B61E-0909BD7A4E25}	{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA9641AC-044B-46fd-B61E-0909BD7A4E25}\stubpath = "C:\\Windows\\{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe"	{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6027435-D048-4d18-A5E9-E53DE86DFA94}	{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26D476E1-B726-402e-A946-24F5F3796B02}\stubpath = "C:\\Windows\\{26D476E1-B726-402e-A946-24F5F3796B02}.exe"	{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}	{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}\stubpath = "C:\\Windows\\{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe"	{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4A253B1-4928-4180-95DC-7BC9332317DA}	{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}	{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}\stubpath = "C:\\Windows\\{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe"	{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe

Executes dropped EXE 11 IoCs

pid	Process
5016	{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe
4080	{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe
868	{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe
4928	{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe
1488	{26D476E1-B726-402e-A946-24F5F3796B02}.exe
1972	{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe
3128	{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe
1564	{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe
1504	{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe
4788	{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe
2052	{B4A253B1-4928-4180-95DC-7BC9332317DA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe	{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe
File created	C:\Windows\{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe	{26D476E1-B726-402e-A946-24F5F3796B02}.exe
File created	C:\Windows\{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe	{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe
File created	C:\Windows\{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe	{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe
File created	C:\Windows\{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe
File created	C:\Windows\{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe	{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe
File created	C:\Windows\{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe	{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe
File created	C:\Windows\{26D476E1-B726-402e-A946-24F5F3796B02}.exe	{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe
File created	C:\Windows\{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe	{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe
File created	C:\Windows\{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe	{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe
File created	C:\Windows\{B4A253B1-4928-4180-95DC-7BC9332317DA}.exe	{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1200	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	5016	{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe
Token: SeIncBasePriorityPrivilege	4080	{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe
Token: SeIncBasePriorityPrivilege	868	{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe
Token: SeIncBasePriorityPrivilege	4928	{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe
Token: SeIncBasePriorityPrivilege	1488	{26D476E1-B726-402e-A946-24F5F3796B02}.exe
Token: SeIncBasePriorityPrivilege	1972	{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe
Token: SeIncBasePriorityPrivilege	3128	{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe
Token: SeIncBasePriorityPrivilege	1564	{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe
Token: SeIncBasePriorityPrivilege	1504	{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe
Token: SeIncBasePriorityPrivilege	4788	{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 5016	1200	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	84
PID 1200 wrote to memory of 5016	1200	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	84
PID 1200 wrote to memory of 5016	1200	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	84
PID 1200 wrote to memory of 4932	1200	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	85
PID 1200 wrote to memory of 4932	1200	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	85
PID 1200 wrote to memory of 4932	1200	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	85
PID 5016 wrote to memory of 4080	5016	{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe	86
PID 5016 wrote to memory of 4080	5016	{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe	86
PID 5016 wrote to memory of 4080	5016	{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe	86
PID 5016 wrote to memory of 2256	5016	{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe	87
PID 5016 wrote to memory of 2256	5016	{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe	87
PID 5016 wrote to memory of 2256	5016	{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe	87
PID 4080 wrote to memory of 868	4080	{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe	88
PID 4080 wrote to memory of 868	4080	{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe	88
PID 4080 wrote to memory of 868	4080	{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe	88
PID 4080 wrote to memory of 3852	4080	{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe	89
PID 4080 wrote to memory of 3852	4080	{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe	89
PID 4080 wrote to memory of 3852	4080	{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe	89
PID 868 wrote to memory of 4928	868	{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe	90
PID 868 wrote to memory of 4928	868	{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe	90
PID 868 wrote to memory of 4928	868	{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe	90
PID 868 wrote to memory of 4148	868	{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe	91
PID 868 wrote to memory of 4148	868	{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe	91
PID 868 wrote to memory of 4148	868	{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe	91
PID 4928 wrote to memory of 1488	4928	{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe	92
PID 4928 wrote to memory of 1488	4928	{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe	92
PID 4928 wrote to memory of 1488	4928	{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe	92
PID 4928 wrote to memory of 2136	4928	{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe	93
PID 4928 wrote to memory of 2136	4928	{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe	93
PID 4928 wrote to memory of 2136	4928	{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe	93
PID 1488 wrote to memory of 1972	1488	{26D476E1-B726-402e-A946-24F5F3796B02}.exe	94
PID 1488 wrote to memory of 1972	1488	{26D476E1-B726-402e-A946-24F5F3796B02}.exe	94
PID 1488 wrote to memory of 1972	1488	{26D476E1-B726-402e-A946-24F5F3796B02}.exe	94
PID 1488 wrote to memory of 1904	1488	{26D476E1-B726-402e-A946-24F5F3796B02}.exe	95
PID 1488 wrote to memory of 1904	1488	{26D476E1-B726-402e-A946-24F5F3796B02}.exe	95
PID 1488 wrote to memory of 1904	1488	{26D476E1-B726-402e-A946-24F5F3796B02}.exe	95
PID 1972 wrote to memory of 3128	1972	{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe	96
PID 1972 wrote to memory of 3128	1972	{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe	96
PID 1972 wrote to memory of 3128	1972	{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe	96
PID 1972 wrote to memory of 3520	1972	{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe	97
PID 1972 wrote to memory of 3520	1972	{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe	97
PID 1972 wrote to memory of 3520	1972	{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe	97
PID 3128 wrote to memory of 1564	3128	{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe	98
PID 3128 wrote to memory of 1564	3128	{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe	98
PID 3128 wrote to memory of 1564	3128	{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe	98
PID 3128 wrote to memory of 3552	3128	{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe	99
PID 3128 wrote to memory of 3552	3128	{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe	99
PID 3128 wrote to memory of 3552	3128	{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe	99
PID 1564 wrote to memory of 1504	1564	{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe	100
PID 1564 wrote to memory of 1504	1564	{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe	100
PID 1564 wrote to memory of 1504	1564	{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe	100
PID 1564 wrote to memory of 1144	1564	{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe	101
PID 1564 wrote to memory of 1144	1564	{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe	101
PID 1564 wrote to memory of 1144	1564	{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe	101
PID 1504 wrote to memory of 4788	1504	{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe	102
PID 1504 wrote to memory of 4788	1504	{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe	102
PID 1504 wrote to memory of 4788	1504	{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe	102
PID 1504 wrote to memory of 3496	1504	{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe	103
PID 1504 wrote to memory of 3496	1504	{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe	103
PID 1504 wrote to memory of 3496	1504	{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe	103
PID 4788 wrote to memory of 2052	4788	{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe	104
PID 4788 wrote to memory of 2052	4788	{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe	104
PID 4788 wrote to memory of 2052	4788	{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe	104
PID 4788 wrote to memory of 1304	4788	{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe
  C:\Windows\{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe
    C:\Windows\{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe
      C:\Windows\{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:868
    - - C:\Windows\{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe
        
        C:\Windows\{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4928
      - C:\Windows\{26D476E1-B726-402e-A946-24F5F3796B02}.exe
        
        C:\Windows\{26D476E1-B726-402e-A946-24F5F3796B02}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe
        
        C:\Windows\{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe
        
        C:\Windows\{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe
        
        C:\Windows\{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe
        
        C:\Windows\{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe
        
        C:\Windows\{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\{B4A253B1-4928-4180-95DC-7BC9332317DA}.exe
        
        C:\Windows\{B4A253B1-4928-4180-95DC-7BC9332317DA}.exe
        12⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0273F~1.EXE > nul
        12⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FCE3~1.EXE > nul
        11⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C377~1.EXE > nul
        10⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CE3C~1.EXE > nul
        9⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D71D~1.EXE > nul
        8⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26D47~1.EXE > nul
        7⤵
        
        PID:1904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6027~1.EXE > nul
        6⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0C6C~1.EXE > nul
        5⤵
        
        PID:4148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CA964~1.EXE > nul
      4⤵
      PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FABAA~1.EXE > nul
    3⤵
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe

Filesize
380KB

MD5
fbdf1499a5a84a9eacbca051e582546e

SHA1
f278c112a4acbb88d68274aab40eab2900810d45

SHA256
741f805de05afd39206edffc73da282b72c74ed2abf85fa49ef16ca135f9f1b6

SHA512
37c290a8dc66d04104a0edab72f59394690f85c6440bafa64695680de5436fdf4b3054ec97c4862dd21192f4d76fd9e5d0b01002c7726fec2cc0ff84eb758688

Download Submit
C:\Windows\{0273F29A-F9F4-4117-AE80-CB5C066FD093}.exe

Filesize
380KB

MD5
fbdf1499a5a84a9eacbca051e582546e

SHA1
f278c112a4acbb88d68274aab40eab2900810d45

SHA256
741f805de05afd39206edffc73da282b72c74ed2abf85fa49ef16ca135f9f1b6

SHA512
37c290a8dc66d04104a0edab72f59394690f85c6440bafa64695680de5436fdf4b3054ec97c4862dd21192f4d76fd9e5d0b01002c7726fec2cc0ff84eb758688

Download Submit
C:\Windows\{26D476E1-B726-402e-A946-24F5F3796B02}.exe

Filesize
380KB

MD5
4f2134bf5ee2534d412bd4dfcecf6b6b

SHA1
acf063e03fdbf0ae609993c2427ef1a6c9a5798b

SHA256
48023e4b661f0b39b9c7a8a464e840fba6288287d83c83932323e3caf6f410c5

SHA512
07d6b2aa38a6416bd0bea39b66a32284f5f9bb8a6c43cdca400bac7d3f8486afbb6344e9786a2cec9f48305a08167114931f9c51b1cd1fcfb98e73bf07e69701

Download Submit
C:\Windows\{26D476E1-B726-402e-A946-24F5F3796B02}.exe

Filesize
380KB

MD5
4f2134bf5ee2534d412bd4dfcecf6b6b

SHA1
acf063e03fdbf0ae609993c2427ef1a6c9a5798b

SHA256
48023e4b661f0b39b9c7a8a464e840fba6288287d83c83932323e3caf6f410c5

SHA512
07d6b2aa38a6416bd0bea39b66a32284f5f9bb8a6c43cdca400bac7d3f8486afbb6344e9786a2cec9f48305a08167114931f9c51b1cd1fcfb98e73bf07e69701

Download Submit
C:\Windows\{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe

Filesize
380KB

MD5
9a46127ae02edecbc824b3154a043a31

SHA1
aab3f277bbab2664b5a87376838d490bf91f95fe

SHA256
9061fa2560c4f65c8a1c6accff2ade07b9e60dc2bf6dd28c7918f0911dce79b8

SHA512
1070b175ca4ba394b348bb95c78884ff130ef0f9a2d3d28534ffac659b6df00b31416725288793fcb4eb0ecc0a012d37eb040953b7813f91e42da0afd13c8181

Download Submit
C:\Windows\{3FCE3C9D-5CF3-4fc7-BB2A-606B0CC61430}.exe

Filesize
380KB

MD5
9a46127ae02edecbc824b3154a043a31

SHA1
aab3f277bbab2664b5a87376838d490bf91f95fe

SHA256
9061fa2560c4f65c8a1c6accff2ade07b9e60dc2bf6dd28c7918f0911dce79b8

SHA512
1070b175ca4ba394b348bb95c78884ff130ef0f9a2d3d28534ffac659b6df00b31416725288793fcb4eb0ecc0a012d37eb040953b7813f91e42da0afd13c8181

Download Submit
C:\Windows\{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe

Filesize
380KB

MD5
dcf68214f623676f4cbf4f2087e187d0

SHA1
f3f5a291a86074c14e6cbdb71590a14490ef7be3

SHA256
95036b8f391e9de637a67d6e6d8515ff3cb50ad53a193350832c9e4e9568fb59

SHA512
956f6e5ed1a4468d7e67f5a936ce365d0e27f3486d81119964e8ca12c217fb4a5c210e108417809f803824165e88fb320e4eb8ef0e1f8494e372ec6bc46e7d37

Download Submit
C:\Windows\{8C3776A0-8631-4839-A4F3-5FA9027FD4AD}.exe

Filesize
380KB

MD5
dcf68214f623676f4cbf4f2087e187d0

SHA1
f3f5a291a86074c14e6cbdb71590a14490ef7be3

SHA256
95036b8f391e9de637a67d6e6d8515ff3cb50ad53a193350832c9e4e9568fb59

SHA512
956f6e5ed1a4468d7e67f5a936ce365d0e27f3486d81119964e8ca12c217fb4a5c210e108417809f803824165e88fb320e4eb8ef0e1f8494e372ec6bc46e7d37

Download Submit
C:\Windows\{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe

Filesize
380KB

MD5
ac2910699e073bca659eb6b4a911e29d

SHA1
6c3a728d71abd0a262d7737f20b7b445241074a7

SHA256
4f81e54b9aef3a2d1736f4161f90ad63efd93d71e242eff00fa1198f08e2e13f

SHA512
84dd393a804872a2602786ac4213b398a7f5529cf7c76f5299051e62011baa0726032c147499e868d6a2cb91046c7fd965a99088e6b039b8a4d7edaa0e77425d

Download Submit
C:\Windows\{8CE3CB29-FD10-4358-8305-C071036FFF7E}.exe

Filesize
380KB

MD5
ac2910699e073bca659eb6b4a911e29d

SHA1
6c3a728d71abd0a262d7737f20b7b445241074a7

SHA256
4f81e54b9aef3a2d1736f4161f90ad63efd93d71e242eff00fa1198f08e2e13f

SHA512
84dd393a804872a2602786ac4213b398a7f5529cf7c76f5299051e62011baa0726032c147499e868d6a2cb91046c7fd965a99088e6b039b8a4d7edaa0e77425d

Download Submit
C:\Windows\{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe

Filesize
380KB

MD5
fbb0a77924696249cf05ee413f4ae4da

SHA1
06790a129624f3661695b51fbaef8a79e7c13120

SHA256
160069e62399250061fd11fa4683de70a2cd87af1fce780dde04b80b10df62a5

SHA512
90d0af00778774d6be6efc74850ccdd21b1b2d18667d70db797969bd1d0974f8a6d7c6faede5fa060d1878ccf2b3a9ca0ba102440a6cff3ef06e2e18d70fb995

Download Submit
C:\Windows\{8D71D016-462B-4cd8-B510-F5000656D0BE}.exe

Filesize
380KB

MD5
fbb0a77924696249cf05ee413f4ae4da

SHA1
06790a129624f3661695b51fbaef8a79e7c13120

SHA256
160069e62399250061fd11fa4683de70a2cd87af1fce780dde04b80b10df62a5

SHA512
90d0af00778774d6be6efc74850ccdd21b1b2d18667d70db797969bd1d0974f8a6d7c6faede5fa060d1878ccf2b3a9ca0ba102440a6cff3ef06e2e18d70fb995

Download Submit
C:\Windows\{B4A253B1-4928-4180-95DC-7BC9332317DA}.exe

Filesize
380KB

MD5
1b8b73849a2bfd43f11840b9555d469c

SHA1
24b3d84ce2343059c2fa9dbd8a1fb823d4db523f

SHA256
b4355d0c656ff670b6f38026bdb28a6373a0c597b2326a578b5152a9f7759945

SHA512
b885b5d525560db7cb9451dc61f3b1e52b91baf36db9de87bdc56cf5283374a8eb59a0a0fd2ee3197fc92ba2b33c0388fed741bc9a4988ef89cc667c5d33caf4

Download Submit
C:\Windows\{B4A253B1-4928-4180-95DC-7BC9332317DA}.exe

Filesize
380KB

MD5
1b8b73849a2bfd43f11840b9555d469c

SHA1
24b3d84ce2343059c2fa9dbd8a1fb823d4db523f

SHA256
b4355d0c656ff670b6f38026bdb28a6373a0c597b2326a578b5152a9f7759945

SHA512
b885b5d525560db7cb9451dc61f3b1e52b91baf36db9de87bdc56cf5283374a8eb59a0a0fd2ee3197fc92ba2b33c0388fed741bc9a4988ef89cc667c5d33caf4

Download Submit
C:\Windows\{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe

Filesize
380KB

MD5
1e086515c5a284947d61d4bde0b98d6b

SHA1
2f87d65eca58e140c8cc838c463588f97cecbe28

SHA256
fe2ec2a87c3088e9112f975c054b0668371d6fae7162dcd4d40690474c5b8e20

SHA512
acabe3afb974897189b046513684471e29f07572b7bef0e45c1382271ed97fe53470b3f6ba60562478487e6896f67b2fdaced6041ba0e9e556aef9c0fa2e197e

Download Submit
C:\Windows\{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe

Filesize
380KB

MD5
1e086515c5a284947d61d4bde0b98d6b

SHA1
2f87d65eca58e140c8cc838c463588f97cecbe28

SHA256
fe2ec2a87c3088e9112f975c054b0668371d6fae7162dcd4d40690474c5b8e20

SHA512
acabe3afb974897189b046513684471e29f07572b7bef0e45c1382271ed97fe53470b3f6ba60562478487e6896f67b2fdaced6041ba0e9e556aef9c0fa2e197e

Download Submit
C:\Windows\{C0C6C508-F2E9-4052-9C2E-50ED4BB1933B}.exe

Filesize
380KB

MD5
1e086515c5a284947d61d4bde0b98d6b

SHA1
2f87d65eca58e140c8cc838c463588f97cecbe28

SHA256
fe2ec2a87c3088e9112f975c054b0668371d6fae7162dcd4d40690474c5b8e20

SHA512
acabe3afb974897189b046513684471e29f07572b7bef0e45c1382271ed97fe53470b3f6ba60562478487e6896f67b2fdaced6041ba0e9e556aef9c0fa2e197e

Download Submit
C:\Windows\{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe

Filesize
380KB

MD5
c0e416a21de538629d9eebd96477ce99

SHA1
24d694d5c4aa901820d2f1c9fcefcddef53ca8ce

SHA256
c9cd703b02507bec21a270cd315df6395dd883b9f72062abe2ab793c89034e23

SHA512
0a00d97a10f621801f17e2eec601c5ee3efe4dbbd1cb8187c4b8bad4b988c541db63c52ce9fb6961eed286326a0da1d801f513b6bfd0681907e3c07c3a3dd57c

Download Submit
C:\Windows\{CA9641AC-044B-46fd-B61E-0909BD7A4E25}.exe

Filesize
380KB

MD5
c0e416a21de538629d9eebd96477ce99

SHA1
24d694d5c4aa901820d2f1c9fcefcddef53ca8ce

SHA256
c9cd703b02507bec21a270cd315df6395dd883b9f72062abe2ab793c89034e23

SHA512
0a00d97a10f621801f17e2eec601c5ee3efe4dbbd1cb8187c4b8bad4b988c541db63c52ce9fb6961eed286326a0da1d801f513b6bfd0681907e3c07c3a3dd57c

Download Submit
C:\Windows\{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe

Filesize
380KB

MD5
7969b16db56c1c52d878eb239625d199

SHA1
e358a6a5d4cc62992e0cfea052c708d092ed19f2

SHA256
9c160e5a3355418b347c003ccf5190ea0c14db958c38b75c64bdeff62333750e

SHA512
b97e0a5ff05a6a25bade1b3987b46262ac4f551df478e4c225666346a0a5c567b5c5148e6cda3cb4c2c4f6cc6fc531a99c49714c8833016939020e2bc995d277

Download Submit
C:\Windows\{E6027435-D048-4d18-A5E9-E53DE86DFA94}.exe

Filesize
380KB

MD5
7969b16db56c1c52d878eb239625d199

SHA1
e358a6a5d4cc62992e0cfea052c708d092ed19f2

SHA256
9c160e5a3355418b347c003ccf5190ea0c14db958c38b75c64bdeff62333750e

SHA512
b97e0a5ff05a6a25bade1b3987b46262ac4f551df478e4c225666346a0a5c567b5c5148e6cda3cb4c2c4f6cc6fc531a99c49714c8833016939020e2bc995d277

Download Submit
C:\Windows\{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe

Filesize
380KB

MD5
2e4c87a74576806c549e50ee70e04662

SHA1
656acf2b2859d02b8f5ccf47130dcbfe29d472f2

SHA256
af1e285681409554524088e1a728645b16b80bf76015a3984e32037f1d360d36

SHA512
0a3a624cd3902a0c163a27d1ca09103f194c7648128c297a408b5176d8a0bfaa27f6d7dfd39bc209a268502a4c8b4effd82ee76979a2e5a56c6ec539379f4954

Download Submit
C:\Windows\{FABAA1D3-232C-4b35-9CDF-6351425A2BFA}.exe

Filesize
380KB

MD5
2e4c87a74576806c549e50ee70e04662

SHA1
656acf2b2859d02b8f5ccf47130dcbfe29d472f2

SHA256
af1e285681409554524088e1a728645b16b80bf76015a3984e32037f1d360d36

SHA512
0a3a624cd3902a0c163a27d1ca09103f194c7648128c297a408b5176d8a0bfaa27f6d7dfd39bc209a268502a4c8b4effd82ee76979a2e5a56c6ec539379f4954

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads