045d2e4a71d63016798af23763e7a844f139726f344cde3d3e4b1a5676e946ab

Analysis

max time kernel
155s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe
Size

204KB
MD5

3304d8db6dbc78a9ec51e4b82dfc0cc5
SHA1

c90d9efdce5c46ea2e8e51d87ac61a53090373cd
SHA256

045d2e4a71d63016798af23763e7a844f139726f344cde3d3e4b1a5676e946ab
SHA512

e407729224e01f2c90dc9e4fe17c4110f10ce8e12e17542a1fa83546cc5b129e6ad3ebb747e3b19329f56fa5e40300042d0b2f461411b96173ba7ff5cdac0421
SSDEEP

1536:1EGh0oBl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oBl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4775036A-639F-4903-BD42-4E426854732B}\stubpath = "C:\\Windows\\{4775036A-639F-4903-BD42-4E426854732B}.exe"	{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}\stubpath = "C:\\Windows\\{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe"	{4775036A-639F-4903-BD42-4E426854732B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A30252A-9158-44f6-8C51-F49D08279528}\stubpath = "C:\\Windows\\{9A30252A-9158-44f6-8C51-F49D08279528}.exe"	{F8288E56-8C98-4a0d-875C-5EC1078417E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CB59FED-165A-45bb-8D20-1D8CA3442375}	{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A66BD370-D19A-426e-A4CA-6E7AC14993CF}	{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3BCD242-A987-4826-8F3C-433CCE52077F}	{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}\stubpath = "C:\\Windows\\{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe"	{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B63DD0AF-5999-474a-8F48-840042D2295D}\stubpath = "C:\\Windows\\{B63DD0AF-5999-474a-8F48-840042D2295D}.exe"	{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8288E56-8C98-4a0d-875C-5EC1078417E3}\stubpath = "C:\\Windows\\{F8288E56-8C98-4a0d-875C-5EC1078417E3}.exe"	{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A30252A-9158-44f6-8C51-F49D08279528}	{F8288E56-8C98-4a0d-875C-5EC1078417E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A770D05-84DD-4ffa-B302-2425B79A21DC}\stubpath = "C:\\Windows\\{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe"	{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3BCD242-A987-4826-8F3C-433CCE52077F}\stubpath = "C:\\Windows\\{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe"	{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}	{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B63DD0AF-5999-474a-8F48-840042D2295D}	{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}	{B63DD0AF-5999-474a-8F48-840042D2295D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}	{4775036A-639F-4903-BD42-4E426854732B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}\stubpath = "C:\\Windows\\{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe"	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A770D05-84DD-4ffa-B302-2425B79A21DC}	{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CB59FED-165A-45bb-8D20-1D8CA3442375}\stubpath = "C:\\Windows\\{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe"	{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A66BD370-D19A-426e-A4CA-6E7AC14993CF}\stubpath = "C:\\Windows\\{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe"	{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}\stubpath = "C:\\Windows\\{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe"	{B63DD0AF-5999-474a-8F48-840042D2295D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4775036A-639F-4903-BD42-4E426854732B}	{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8288E56-8C98-4a0d-875C-5EC1078417E3}	{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe

Executes dropped EXE 12 IoCs

pid	Process
2116	{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe
4696	{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe
4692	{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe
756	{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe
4084	{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe
4280	{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe
4380	{B63DD0AF-5999-474a-8F48-840042D2295D}.exe
3628	{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe
4848	{4775036A-639F-4903-BD42-4E426854732B}.exe
4440	{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe
4736	{F8288E56-8C98-4a0d-875C-5EC1078417E3}.exe
852	{9A30252A-9158-44f6-8C51-F49D08279528}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe
File created	C:\Windows\{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe	{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe
File created	C:\Windows\{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe	{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe
File created	C:\Windows\{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe	{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe
File created	C:\Windows\{B63DD0AF-5999-474a-8F48-840042D2295D}.exe	{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe
File created	C:\Windows\{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe	{B63DD0AF-5999-474a-8F48-840042D2295D}.exe
File created	C:\Windows\{4775036A-639F-4903-BD42-4E426854732B}.exe	{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe
File created	C:\Windows\{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe	{4775036A-639F-4903-BD42-4E426854732B}.exe
File created	C:\Windows\{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe	{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe
File created	C:\Windows\{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe	{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe
File created	C:\Windows\{F8288E56-8C98-4a0d-875C-5EC1078417E3}.exe	{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe
File created	C:\Windows\{9A30252A-9158-44f6-8C51-F49D08279528}.exe	{F8288E56-8C98-4a0d-875C-5EC1078417E3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2288	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2116	{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe
Token: SeIncBasePriorityPrivilege	4696	{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe
Token: SeIncBasePriorityPrivilege	4692	{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe
Token: SeIncBasePriorityPrivilege	756	{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe
Token: SeIncBasePriorityPrivilege	4084	{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe
Token: SeIncBasePriorityPrivilege	4280	{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe
Token: SeIncBasePriorityPrivilege	4380	{B63DD0AF-5999-474a-8F48-840042D2295D}.exe
Token: SeIncBasePriorityPrivilege	3628	{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe
Token: SeIncBasePriorityPrivilege	4848	{4775036A-639F-4903-BD42-4E426854732B}.exe
Token: SeIncBasePriorityPrivilege	4440	{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe
Token: SeIncBasePriorityPrivilege	4736	{F8288E56-8C98-4a0d-875C-5EC1078417E3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2116	2288	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	90
PID 2288 wrote to memory of 2116	2288	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	90
PID 2288 wrote to memory of 2116	2288	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	90
PID 2288 wrote to memory of 4636	2288	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	91
PID 2288 wrote to memory of 4636	2288	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	91
PID 2288 wrote to memory of 4636	2288	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	91
PID 2116 wrote to memory of 4696	2116	{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe	92
PID 2116 wrote to memory of 4696	2116	{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe	92
PID 2116 wrote to memory of 4696	2116	{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe	92
PID 2116 wrote to memory of 1016	2116	{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe	93
PID 2116 wrote to memory of 1016	2116	{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe	93
PID 2116 wrote to memory of 1016	2116	{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe	93
PID 4696 wrote to memory of 4692	4696	{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe	96
PID 4696 wrote to memory of 4692	4696	{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe	96
PID 4696 wrote to memory of 4692	4696	{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe	96
PID 4696 wrote to memory of 1276	4696	{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe	97
PID 4696 wrote to memory of 1276	4696	{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe	97
PID 4696 wrote to memory of 1276	4696	{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe	97
PID 4692 wrote to memory of 756	4692	{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe	100
PID 4692 wrote to memory of 756	4692	{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe	100
PID 4692 wrote to memory of 756	4692	{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe	100
PID 4692 wrote to memory of 896	4692	{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe	101
PID 4692 wrote to memory of 896	4692	{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe	101
PID 4692 wrote to memory of 896	4692	{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe	101
PID 756 wrote to memory of 4084	756	{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe	102
PID 756 wrote to memory of 4084	756	{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe	102
PID 756 wrote to memory of 4084	756	{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe	102
PID 756 wrote to memory of 2368	756	{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe	103
PID 756 wrote to memory of 2368	756	{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe	103
PID 756 wrote to memory of 2368	756	{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe	103
PID 4084 wrote to memory of 4280	4084	{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe	104
PID 4084 wrote to memory of 4280	4084	{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe	104
PID 4084 wrote to memory of 4280	4084	{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe	104
PID 4084 wrote to memory of 2176	4084	{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe	105
PID 4084 wrote to memory of 2176	4084	{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe	105
PID 4084 wrote to memory of 2176	4084	{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe	105
PID 4280 wrote to memory of 4380	4280	{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe	106
PID 4280 wrote to memory of 4380	4280	{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe	106
PID 4280 wrote to memory of 4380	4280	{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe	106
PID 4280 wrote to memory of 3200	4280	{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe	107
PID 4280 wrote to memory of 3200	4280	{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe	107
PID 4280 wrote to memory of 3200	4280	{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe	107
PID 4380 wrote to memory of 3628	4380	{B63DD0AF-5999-474a-8F48-840042D2295D}.exe	108
PID 4380 wrote to memory of 3628	4380	{B63DD0AF-5999-474a-8F48-840042D2295D}.exe	108
PID 4380 wrote to memory of 3628	4380	{B63DD0AF-5999-474a-8F48-840042D2295D}.exe	108
PID 4380 wrote to memory of 3580	4380	{B63DD0AF-5999-474a-8F48-840042D2295D}.exe	109
PID 4380 wrote to memory of 3580	4380	{B63DD0AF-5999-474a-8F48-840042D2295D}.exe	109
PID 4380 wrote to memory of 3580	4380	{B63DD0AF-5999-474a-8F48-840042D2295D}.exe	109
PID 3628 wrote to memory of 4848	3628	{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe	110
PID 3628 wrote to memory of 4848	3628	{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe	110
PID 3628 wrote to memory of 4848	3628	{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe	110
PID 3628 wrote to memory of 856	3628	{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe	111
PID 3628 wrote to memory of 856	3628	{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe	111
PID 3628 wrote to memory of 856	3628	{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe	111
PID 4848 wrote to memory of 4440	4848	{4775036A-639F-4903-BD42-4E426854732B}.exe	112
PID 4848 wrote to memory of 4440	4848	{4775036A-639F-4903-BD42-4E426854732B}.exe	112
PID 4848 wrote to memory of 4440	4848	{4775036A-639F-4903-BD42-4E426854732B}.exe	112
PID 4848 wrote to memory of 988	4848	{4775036A-639F-4903-BD42-4E426854732B}.exe	113
PID 4848 wrote to memory of 988	4848	{4775036A-639F-4903-BD42-4E426854732B}.exe	113
PID 4848 wrote to memory of 988	4848	{4775036A-639F-4903-BD42-4E426854732B}.exe	113
PID 4440 wrote to memory of 4736	4440	{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe	114
PID 4440 wrote to memory of 4736	4440	{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe	114
PID 4440 wrote to memory of 4736	4440	{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe	114
PID 4440 wrote to memory of 1940	4440	{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe	115

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe
  C:\Windows\{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe
    C:\Windows\{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe
      C:\Windows\{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe
        
        C:\Windows\{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Windows\{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe
        
        C:\Windows\{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe
        
        C:\Windows\{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\{B63DD0AF-5999-474a-8F48-840042D2295D}.exe
        
        C:\Windows\{B63DD0AF-5999-474a-8F48-840042D2295D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe
        
        C:\Windows\{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\{4775036A-639F-4903-BD42-4E426854732B}.exe
        
        C:\Windows\{4775036A-639F-4903-BD42-4E426854732B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe
        
        C:\Windows\{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\{F8288E56-8C98-4a0d-875C-5EC1078417E3}.exe
        
        C:\Windows\{F8288E56-8C98-4a0d-875C-5EC1078417E3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\{9A30252A-9158-44f6-8C51-F49D08279528}.exe
        
        C:\Windows\{9A30252A-9158-44f6-8C51-F49D08279528}.exe
        13⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8288~1.EXE > nul
        13⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF6DE~1.EXE > nul
        12⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47750~1.EXE > nul
        11⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7E17~1.EXE > nul
        10⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B63DD~1.EXE > nul
        9⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21D32~1.EXE > nul
        8⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3BCD~1.EXE > nul
        7⤵
        
        PID:2176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A66BD~1.EXE > nul
        6⤵
        
        PID:2368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CB59~1.EXE > nul
        5⤵
        
        PID:896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8A770~1.EXE > nul
      4⤵
      PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{61DAF~1.EXE > nul
    3⤵
    PID:1016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe

Filesize
204KB

MD5
f6231ece0c845a2765c034198337cd16

SHA1
397a48b6a4ee52b6cfc5247af68e8e1eb3ec7a24

SHA256
6ef7656c1df187d58e2cac89b06fab4fd301271aafdd554746554fe8eb44e7ee

SHA512
8be35a7d54f8c15bc5521d3b003e5d05632c150467de8798cef1152cdbed4d6c315554808c3c216063542ad21fa59b20708fd8a9f6380a67d7ae3f37057f8fad

Download Submit
C:\Windows\{21D32313-3947-4b80-A3B8-44CAD4AEE4FC}.exe

Filesize
204KB

MD5
f6231ece0c845a2765c034198337cd16

SHA1
397a48b6a4ee52b6cfc5247af68e8e1eb3ec7a24

SHA256
6ef7656c1df187d58e2cac89b06fab4fd301271aafdd554746554fe8eb44e7ee

SHA512
8be35a7d54f8c15bc5521d3b003e5d05632c150467de8798cef1152cdbed4d6c315554808c3c216063542ad21fa59b20708fd8a9f6380a67d7ae3f37057f8fad

Download Submit
C:\Windows\{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe

Filesize
204KB

MD5
0226f2a825a463dcb4f1213078351325

SHA1
5259be903b91ea271dc3dd9dd1139ea03f8f122a

SHA256
5b34a28115b0504a424b3e6979fbfda4c27516f501f859ab41cde768b1fc3744

SHA512
24973e11369836550ffab794183ffc88d2e31e1c1a7d897201ab7166d362ff8d8a5443d2d525581e0118c70473898e0bcde5f603172b4296816d16ffc0ba0bc3

Download Submit
C:\Windows\{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe

Filesize
204KB

MD5
0226f2a825a463dcb4f1213078351325

SHA1
5259be903b91ea271dc3dd9dd1139ea03f8f122a

SHA256
5b34a28115b0504a424b3e6979fbfda4c27516f501f859ab41cde768b1fc3744

SHA512
24973e11369836550ffab794183ffc88d2e31e1c1a7d897201ab7166d362ff8d8a5443d2d525581e0118c70473898e0bcde5f603172b4296816d16ffc0ba0bc3

Download Submit
C:\Windows\{2CB59FED-165A-45bb-8D20-1D8CA3442375}.exe

Filesize
204KB

MD5
0226f2a825a463dcb4f1213078351325

SHA1
5259be903b91ea271dc3dd9dd1139ea03f8f122a

SHA256
5b34a28115b0504a424b3e6979fbfda4c27516f501f859ab41cde768b1fc3744

SHA512
24973e11369836550ffab794183ffc88d2e31e1c1a7d897201ab7166d362ff8d8a5443d2d525581e0118c70473898e0bcde5f603172b4296816d16ffc0ba0bc3

Download Submit
C:\Windows\{4775036A-639F-4903-BD42-4E426854732B}.exe

Filesize
204KB

MD5
3675bc22c9c48f38789d0921ac44b971

SHA1
05bf80d8cff4f274b6f10f954f03503daa1c8a29

SHA256
1a48b686170c90d363c017357d58328be2cfc00aae2315548197a65348af106f

SHA512
ff1cf338c22c7555f0f91a45474d6519b5ed2b10da94847951e5d40e4a67808e54923449a518cd4b4cb0472ca8460b6e946119a0e4410cc8d09913bee705a632

Download Submit
C:\Windows\{4775036A-639F-4903-BD42-4E426854732B}.exe

Filesize
204KB

MD5
3675bc22c9c48f38789d0921ac44b971

SHA1
05bf80d8cff4f274b6f10f954f03503daa1c8a29

SHA256
1a48b686170c90d363c017357d58328be2cfc00aae2315548197a65348af106f

SHA512
ff1cf338c22c7555f0f91a45474d6519b5ed2b10da94847951e5d40e4a67808e54923449a518cd4b4cb0472ca8460b6e946119a0e4410cc8d09913bee705a632

Download Submit
C:\Windows\{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe

Filesize
204KB

MD5
4a3b75725bfd47ce69e6157741c27d44

SHA1
22bb4d0fd84c13a0d3a6aeaeaffc7d2491fc9ff2

SHA256
a70140ad0e93927773e18e2300824825e6bb8dae58280643ee8994ecd8ed0508

SHA512
afa43c5788ed5b01b074557844c99b44a2374680f13289e194038df4bb0ac7f1ddae676c35014b3dca431f91166815d7e5abfe3d390279850937f9412f4d8987

Download Submit
C:\Windows\{61DAFAC1-0347-4e2d-AA14-BA0DCCB74C45}.exe

Filesize
204KB

MD5
4a3b75725bfd47ce69e6157741c27d44

SHA1
22bb4d0fd84c13a0d3a6aeaeaffc7d2491fc9ff2

SHA256
a70140ad0e93927773e18e2300824825e6bb8dae58280643ee8994ecd8ed0508

SHA512
afa43c5788ed5b01b074557844c99b44a2374680f13289e194038df4bb0ac7f1ddae676c35014b3dca431f91166815d7e5abfe3d390279850937f9412f4d8987

Download Submit
C:\Windows\{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe

Filesize
204KB

MD5
102c17451b50acce9d02aba2dc09fac4

SHA1
e054e21b7fc2b7f05921f691245edb66a8bd3cf6

SHA256
5b57d3ed002e5402790831378d93240a41d931763263b95296ba27800c1fa3e9

SHA512
22e508da13dffb71f99eba407a1415264ffb62edd370311cc23d5e01721147bcff4ec4da4a5436db34c16781bdd3186ce10a3826a92fb1fc93304ea9d68d1a4e

Download Submit
C:\Windows\{8A770D05-84DD-4ffa-B302-2425B79A21DC}.exe

Filesize
204KB

MD5
102c17451b50acce9d02aba2dc09fac4

SHA1
e054e21b7fc2b7f05921f691245edb66a8bd3cf6

SHA256
5b57d3ed002e5402790831378d93240a41d931763263b95296ba27800c1fa3e9

SHA512
22e508da13dffb71f99eba407a1415264ffb62edd370311cc23d5e01721147bcff4ec4da4a5436db34c16781bdd3186ce10a3826a92fb1fc93304ea9d68d1a4e

Download Submit
C:\Windows\{9A30252A-9158-44f6-8C51-F49D08279528}.exe

Filesize
204KB

MD5
2e114d76b9ff3528ebf19e6c2703f784

SHA1
710558ddfda3a304fd03641d91aa7873ffde4ea7

SHA256
ae24dc1e191d6317d878542f4493325906438ed6115a4a897781532224a11f6f

SHA512
53b4644db28a11c2f318ab54b8864b3421c4a5b40004626605bf542fd72e9a378584f51472b06283efe7d7ff6785daa0fe9d5c75d77a3936da2442e585ea41f3

Download Submit
C:\Windows\{9A30252A-9158-44f6-8C51-F49D08279528}.exe

Filesize
204KB

MD5
2e114d76b9ff3528ebf19e6c2703f784

SHA1
710558ddfda3a304fd03641d91aa7873ffde4ea7

SHA256
ae24dc1e191d6317d878542f4493325906438ed6115a4a897781532224a11f6f

SHA512
53b4644db28a11c2f318ab54b8864b3421c4a5b40004626605bf542fd72e9a378584f51472b06283efe7d7ff6785daa0fe9d5c75d77a3936da2442e585ea41f3

Download Submit
C:\Windows\{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe

Filesize
204KB

MD5
61b3fb74b8cc05fe75eae3496f9fbd52

SHA1
04ea3b9e2b4d979fec6b45fd36c99efc47914581

SHA256
4055ec2ce4d8f7d5ce98f5557bd07a6d14de3bcec291ec9be9b80c68f276bbe1

SHA512
8af5cd723be14c3f3567cd915363ab43ff96056050be9eb22ea56e08d25721f23cff3d6d35c43b9ea9f2a16e9fb5ddb4176984ee0842ca2794b413cb55faf8c0

Download Submit
C:\Windows\{A66BD370-D19A-426e-A4CA-6E7AC14993CF}.exe

Filesize
204KB

MD5
61b3fb74b8cc05fe75eae3496f9fbd52

SHA1
04ea3b9e2b4d979fec6b45fd36c99efc47914581

SHA256
4055ec2ce4d8f7d5ce98f5557bd07a6d14de3bcec291ec9be9b80c68f276bbe1

SHA512
8af5cd723be14c3f3567cd915363ab43ff96056050be9eb22ea56e08d25721f23cff3d6d35c43b9ea9f2a16e9fb5ddb4176984ee0842ca2794b413cb55faf8c0

Download Submit
C:\Windows\{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe

Filesize
204KB

MD5
0580cc124c3d2ab510cb41b7ca9a62e2

SHA1
8fd9b91771fdbb2ef762543272f72d6a522fdf97

SHA256
615635cce9bbf3adb92b459bca26a2a96d47dc924a44442bc2c8a0063012ac8f

SHA512
7f92b683db6e56e0fb70efdcd3c3059a1f375b7a69c3a74bf1371756f56f4d8a1d5a41088c3a04da29c7d244562d7c1e8e4c4ee14738340f25a48b40c33272da

Download Submit
C:\Windows\{B3BCD242-A987-4826-8F3C-433CCE52077F}.exe

Filesize
204KB

MD5
0580cc124c3d2ab510cb41b7ca9a62e2

SHA1
8fd9b91771fdbb2ef762543272f72d6a522fdf97

SHA256
615635cce9bbf3adb92b459bca26a2a96d47dc924a44442bc2c8a0063012ac8f

SHA512
7f92b683db6e56e0fb70efdcd3c3059a1f375b7a69c3a74bf1371756f56f4d8a1d5a41088c3a04da29c7d244562d7c1e8e4c4ee14738340f25a48b40c33272da

Download Submit
C:\Windows\{B63DD0AF-5999-474a-8F48-840042D2295D}.exe

Filesize
204KB

MD5
97bfc8f735263f95a4fc03ce536cbad6

SHA1
a1244b9b6619af38442f7690ec2657d3f788b41e

SHA256
5dbbf1f708252dbc31eba68ce2ffdfad7f77042221222b2c5a3258f07898fb55

SHA512
8dd1b41b720e8d1a93d449e6c8f6aafc1c499f3f09ff9eca8b5df41de3a43d9bc80bf8baf6ce6dc3361acab51a89ab087f565fc817d8cb2cb2b1113021c7c7cd

Download Submit
C:\Windows\{B63DD0AF-5999-474a-8F48-840042D2295D}.exe

Filesize
204KB

MD5
97bfc8f735263f95a4fc03ce536cbad6

SHA1
a1244b9b6619af38442f7690ec2657d3f788b41e

SHA256
5dbbf1f708252dbc31eba68ce2ffdfad7f77042221222b2c5a3258f07898fb55

SHA512
8dd1b41b720e8d1a93d449e6c8f6aafc1c499f3f09ff9eca8b5df41de3a43d9bc80bf8baf6ce6dc3361acab51a89ab087f565fc817d8cb2cb2b1113021c7c7cd

Download Submit
C:\Windows\{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe

Filesize
204KB

MD5
1c5ead2642a9da8bb642c99f7f20ebb9

SHA1
b5f82eaa957de871dafba4845e01ac717b5f353e

SHA256
f03b88544040fb30ef83cead79c2962819bbcc03c584c5bfa4db56d9bedea058

SHA512
825ce64b8115fe460099c1139815d9f2aad7c06aabe8e5274018fcafe60689ece6700e0dc577339fa90f04f7f2df83fb112b0a9b0afe882239e1866f17fa5c69

Download Submit
C:\Windows\{C7E1725C-9671-4fdb-8565-E222EFD8BCA0}.exe

Filesize
204KB

MD5
1c5ead2642a9da8bb642c99f7f20ebb9

SHA1
b5f82eaa957de871dafba4845e01ac717b5f353e

SHA256
f03b88544040fb30ef83cead79c2962819bbcc03c584c5bfa4db56d9bedea058

SHA512
825ce64b8115fe460099c1139815d9f2aad7c06aabe8e5274018fcafe60689ece6700e0dc577339fa90f04f7f2df83fb112b0a9b0afe882239e1866f17fa5c69

Download Submit
C:\Windows\{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe

Filesize
204KB

MD5
222d35e2cb0c20b871772c825999b304

SHA1
78210eb5f73de814fb0ed121cd13b1d29e72981c

SHA256
0ed66decdd2bb7b3467bc41f11e71480ab0d5ecd4239d56b032cb1a7cecf2a6b

SHA512
f4397c5f34c9683624dfad45713f197c5967328db7793cbe6482bbaea8b8cede09eb9348106a631f534f95498452c2a732446f701193343e394461c098f86b8c

Download Submit
C:\Windows\{EF6DEDFD-81EC-48cd-BFD4-53D72BDEDD29}.exe

Filesize
204KB

MD5
222d35e2cb0c20b871772c825999b304

SHA1
78210eb5f73de814fb0ed121cd13b1d29e72981c

SHA256
0ed66decdd2bb7b3467bc41f11e71480ab0d5ecd4239d56b032cb1a7cecf2a6b

SHA512
f4397c5f34c9683624dfad45713f197c5967328db7793cbe6482bbaea8b8cede09eb9348106a631f534f95498452c2a732446f701193343e394461c098f86b8c

Download Submit
C:\Windows\{F8288E56-8C98-4a0d-875C-5EC1078417E3}.exe

Filesize
204KB

MD5
e8f20c59b76c47fcb36e20803c4a5ebf

SHA1
3409f00bf766a79970f1c49e2ff7e7bb44c471a3

SHA256
f077c8b9bb23d3d2fa3dad50e2c8a9f2fccacaba380950a97f8b2a5ac787b078

SHA512
e2bc9c7d1e7098efa00f90c3a36a8294ac10bc7490ab66d4c9b1cb8db118a561b63bad1611e5e6f903f10858515f6c2dfb695c0f8ac8409a33735cbae5a8f5c2

Download Submit
C:\Windows\{F8288E56-8C98-4a0d-875C-5EC1078417E3}.exe

Filesize
204KB

MD5
e8f20c59b76c47fcb36e20803c4a5ebf

SHA1
3409f00bf766a79970f1c49e2ff7e7bb44c471a3

SHA256
f077c8b9bb23d3d2fa3dad50e2c8a9f2fccacaba380950a97f8b2a5ac787b078

SHA512
e2bc9c7d1e7098efa00f90c3a36a8294ac10bc7490ab66d4c9b1cb8db118a561b63bad1611e5e6f903f10858515f6c2dfb695c0f8ac8409a33735cbae5a8f5c2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads