73b77fc7822d0c419b52768202dde7afa1e3acb85731477162b1a0036bbc31a5

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe
Size

180KB
MD5

f6509d9a4235ea0037c683a6ec44d518
SHA1

8b723f0719662722a3392bd41f5dc630f0ae4501
SHA256

73b77fc7822d0c419b52768202dde7afa1e3acb85731477162b1a0036bbc31a5
SHA512

b88e05699d20d4730ab0b380d91ac0266a26d042e6f625cb8e1a8303a28deae497e63bcc653f766020dbd683a154311416269eb3ace5cc235166eeae02f19502
SSDEEP

3072:jEGh0oZAlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGfAl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE6094D9-7198-488f-9A78-40F74206FE0C}	{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DEA872E-C272-41ce-BC00-3414B7991AF7}\stubpath = "C:\\Windows\\{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe"	{F134A03A-55A2-4642-87D5-43C4DA392335}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}	{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}	{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}\stubpath = "C:\\Windows\\{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe"	{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FF9A634-8616-45fe-A21B-ACB21EF9718C}\stubpath = "C:\\Windows\\{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe"	{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F134A03A-55A2-4642-87D5-43C4DA392335}	{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}\stubpath = "C:\\Windows\\{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe"	{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FF9A634-8616-45fe-A21B-ACB21EF9718C}	{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}	{B66851FF-081B-4901-9473-F3080860AD14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}\stubpath = "C:\\Windows\\{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe"	{B66851FF-081B-4901-9473-F3080860AD14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B44215CF-0084-4420-8137-7051E876F0BC}\stubpath = "C:\\Windows\\{B44215CF-0084-4420-8137-7051E876F0BC}.exe"	{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DEA872E-C272-41ce-BC00-3414B7991AF7}	{F134A03A-55A2-4642-87D5-43C4DA392335}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB9EC174-05EC-4c4b-AC26-09530BE59108}	{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{014F8650-6129-42cd-9E8D-E4C02A203D07}	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{014F8650-6129-42cd-9E8D-E4C02A203D07}\stubpath = "C:\\Windows\\{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe"	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE6094D9-7198-488f-9A78-40F74206FE0C}\stubpath = "C:\\Windows\\{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe"	{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B66851FF-081B-4901-9473-F3080860AD14}	{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B66851FF-081B-4901-9473-F3080860AD14}\stubpath = "C:\\Windows\\{B66851FF-081B-4901-9473-F3080860AD14}.exe"	{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F134A03A-55A2-4642-87D5-43C4DA392335}\stubpath = "C:\\Windows\\{F134A03A-55A2-4642-87D5-43C4DA392335}.exe"	{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB9EC174-05EC-4c4b-AC26-09530BE59108}\stubpath = "C:\\Windows\\{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe"	{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B44215CF-0084-4420-8137-7051E876F0BC}	{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe

Executes dropped EXE 11 IoCs

pid	Process
1096	{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe
860	{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe
3884	{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe
2332	{B66851FF-081B-4901-9473-F3080860AD14}.exe
3832	{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe
2368	{F134A03A-55A2-4642-87D5-43C4DA392335}.exe
228	{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe
336	{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe
3468	{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe
3404	{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe
1544	{B44215CF-0084-4420-8137-7051E876F0BC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe	{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe
File created	C:\Windows\{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe	{B66851FF-081B-4901-9473-F3080860AD14}.exe
File created	C:\Windows\{F134A03A-55A2-4642-87D5-43C4DA392335}.exe	{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe
File created	C:\Windows\{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe	{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe
File created	C:\Windows\{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe	{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe
File created	C:\Windows\{B44215CF-0084-4420-8137-7051E876F0BC}.exe	{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe
File created	C:\Windows\{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe
File created	C:\Windows\{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe	{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe
File created	C:\Windows\{B66851FF-081B-4901-9473-F3080860AD14}.exe	{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe
File created	C:\Windows\{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe	{F134A03A-55A2-4642-87D5-43C4DA392335}.exe
File created	C:\Windows\{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe	{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2604	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1096	{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe
Token: SeIncBasePriorityPrivilege	860	{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe
Token: SeIncBasePriorityPrivilege	3884	{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe
Token: SeIncBasePriorityPrivilege	2332	{B66851FF-081B-4901-9473-F3080860AD14}.exe
Token: SeIncBasePriorityPrivilege	3832	{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe
Token: SeIncBasePriorityPrivilege	2368	{F134A03A-55A2-4642-87D5-43C4DA392335}.exe
Token: SeIncBasePriorityPrivilege	228	{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe
Token: SeIncBasePriorityPrivilege	336	{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe
Token: SeIncBasePriorityPrivilege	3468	{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe
Token: SeIncBasePriorityPrivilege	3404	{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 1096	2604	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	95
PID 2604 wrote to memory of 1096	2604	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	95
PID 2604 wrote to memory of 1096	2604	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	95
PID 2604 wrote to memory of 472	2604	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	96
PID 2604 wrote to memory of 472	2604	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	96
PID 2604 wrote to memory of 472	2604	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	96
PID 1096 wrote to memory of 860	1096	{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe	100
PID 1096 wrote to memory of 860	1096	{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe	100
PID 1096 wrote to memory of 860	1096	{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe	100
PID 1096 wrote to memory of 564	1096	{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe	101
PID 1096 wrote to memory of 564	1096	{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe	101
PID 1096 wrote to memory of 564	1096	{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe	101
PID 860 wrote to memory of 3884	860	{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe	107
PID 860 wrote to memory of 3884	860	{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe	107
PID 860 wrote to memory of 3884	860	{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe	107
PID 860 wrote to memory of 4484	860	{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe	108
PID 860 wrote to memory of 4484	860	{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe	108
PID 860 wrote to memory of 4484	860	{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe	108
PID 3884 wrote to memory of 2332	3884	{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe	113
PID 3884 wrote to memory of 2332	3884	{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe	113
PID 3884 wrote to memory of 2332	3884	{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe	113
PID 3884 wrote to memory of 3368	3884	{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe	114
PID 3884 wrote to memory of 3368	3884	{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe	114
PID 3884 wrote to memory of 3368	3884	{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe	114
PID 2332 wrote to memory of 3832	2332	{B66851FF-081B-4901-9473-F3080860AD14}.exe	115
PID 2332 wrote to memory of 3832	2332	{B66851FF-081B-4901-9473-F3080860AD14}.exe	115
PID 2332 wrote to memory of 3832	2332	{B66851FF-081B-4901-9473-F3080860AD14}.exe	115
PID 2332 wrote to memory of 3064	2332	{B66851FF-081B-4901-9473-F3080860AD14}.exe	116
PID 2332 wrote to memory of 3064	2332	{B66851FF-081B-4901-9473-F3080860AD14}.exe	116
PID 2332 wrote to memory of 3064	2332	{B66851FF-081B-4901-9473-F3080860AD14}.exe	116
PID 3832 wrote to memory of 2368	3832	{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe	117
PID 3832 wrote to memory of 2368	3832	{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe	117
PID 3832 wrote to memory of 2368	3832	{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe	117
PID 3832 wrote to memory of 1340	3832	{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe	118
PID 3832 wrote to memory of 1340	3832	{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe	118
PID 3832 wrote to memory of 1340	3832	{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe	118
PID 2368 wrote to memory of 228	2368	{F134A03A-55A2-4642-87D5-43C4DA392335}.exe	120
PID 2368 wrote to memory of 228	2368	{F134A03A-55A2-4642-87D5-43C4DA392335}.exe	120
PID 2368 wrote to memory of 228	2368	{F134A03A-55A2-4642-87D5-43C4DA392335}.exe	120
PID 2368 wrote to memory of 4504	2368	{F134A03A-55A2-4642-87D5-43C4DA392335}.exe	121
PID 2368 wrote to memory of 4504	2368	{F134A03A-55A2-4642-87D5-43C4DA392335}.exe	121
PID 2368 wrote to memory of 4504	2368	{F134A03A-55A2-4642-87D5-43C4DA392335}.exe	121
PID 228 wrote to memory of 336	228	{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe	122
PID 228 wrote to memory of 336	228	{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe	122
PID 228 wrote to memory of 336	228	{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe	122
PID 228 wrote to memory of 3432	228	{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe	123
PID 228 wrote to memory of 3432	228	{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe	123
PID 228 wrote to memory of 3432	228	{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe	123
PID 336 wrote to memory of 3468	336	{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe	124
PID 336 wrote to memory of 3468	336	{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe	124
PID 336 wrote to memory of 3468	336	{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe	124
PID 336 wrote to memory of 2904	336	{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe	125
PID 336 wrote to memory of 2904	336	{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe	125
PID 336 wrote to memory of 2904	336	{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe	125
PID 3468 wrote to memory of 3404	3468	{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe	126
PID 3468 wrote to memory of 3404	3468	{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe	126
PID 3468 wrote to memory of 3404	3468	{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe	126
PID 3468 wrote to memory of 1600	3468	{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe	127
PID 3468 wrote to memory of 1600	3468	{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe	127
PID 3468 wrote to memory of 1600	3468	{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe	127
PID 3404 wrote to memory of 1544	3404	{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe	128
PID 3404 wrote to memory of 1544	3404	{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe	128
PID 3404 wrote to memory of 1544	3404	{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe	128
PID 3404 wrote to memory of 2844	3404	{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe	129

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe
  C:\Windows\{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe
    C:\Windows\{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe
      C:\Windows\{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Windows\{B66851FF-081B-4901-9473-F3080860AD14}.exe
        
        C:\Windows\{B66851FF-081B-4901-9473-F3080860AD14}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Windows\{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe
        
        C:\Windows\{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\{F134A03A-55A2-4642-87D5-43C4DA392335}.exe
        
        C:\Windows\{F134A03A-55A2-4642-87D5-43C4DA392335}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe
        
        C:\Windows\{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe
        
        C:\Windows\{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe
        
        C:\Windows\{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe
        
        C:\Windows\{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\{B44215CF-0084-4420-8137-7051E876F0BC}.exe
        
        C:\Windows\{B44215CF-0084-4420-8137-7051E876F0BC}.exe
        12⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E8FC~1.EXE > nul
        12⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB9EC~1.EXE > nul
        11⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B51C6~1.EXE > nul
        10⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DEA8~1.EXE > nul
        9⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F134A~1.EXE > nul
        8⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06549~1.EXE > nul
        7⤵
        
        PID:1340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6685~1.EXE > nul
        6⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE609~1.EXE > nul
        5⤵
        
        PID:3368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0FF9A~1.EXE > nul
      4⤵
      PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{014F8~1.EXE > nul
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe

Filesize
180KB

MD5
5b7e512cccaa058bdc845f468b5fcc70

SHA1
2ca0e61b0478a6a5f55ade384927bf6729cd0089

SHA256
2a5965e39f8dbdf3e76b8abf3f31e1899ddda0b30d84edd8b68052bb362d9dc9

SHA512
7902060fe6b80fa4936a8016e441b909a0c22691082255bd3ede1da2e9565a1df920d4780273a20248bb8f7f44b9f317a5f41474abd0583d0abe7c395ce70d3d

Download Submit
C:\Windows\{014F8650-6129-42cd-9E8D-E4C02A203D07}.exe

Filesize
180KB

MD5
5b7e512cccaa058bdc845f468b5fcc70

SHA1
2ca0e61b0478a6a5f55ade384927bf6729cd0089

SHA256
2a5965e39f8dbdf3e76b8abf3f31e1899ddda0b30d84edd8b68052bb362d9dc9

SHA512
7902060fe6b80fa4936a8016e441b909a0c22691082255bd3ede1da2e9565a1df920d4780273a20248bb8f7f44b9f317a5f41474abd0583d0abe7c395ce70d3d

Download Submit
C:\Windows\{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe

Filesize
180KB

MD5
aaee4eeb3265edb23fba0a165b3a9dcf

SHA1
60e8febd0de6776d064bcbe83d88b730b54d0b12

SHA256
8409ad6780bd79976e19a9bd03cd35e262c9eaa0ff797e6751d0e7f7ad9de185

SHA512
0fcdedc102ce8b21920416488543bc89281e5eae80cd6dc06ee2afd61a8cf89a61eb43f8ef7386cf7c243b6bcc1e8ade4981ab8d936aff498162304a24cc2b9d

Download Submit
C:\Windows\{06549CD9-CC66-4efd-BD93-071BFF3C3B7E}.exe

Filesize
180KB

MD5
aaee4eeb3265edb23fba0a165b3a9dcf

SHA1
60e8febd0de6776d064bcbe83d88b730b54d0b12

SHA256
8409ad6780bd79976e19a9bd03cd35e262c9eaa0ff797e6751d0e7f7ad9de185

SHA512
0fcdedc102ce8b21920416488543bc89281e5eae80cd6dc06ee2afd61a8cf89a61eb43f8ef7386cf7c243b6bcc1e8ade4981ab8d936aff498162304a24cc2b9d

Download Submit
C:\Windows\{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe

Filesize
180KB

MD5
cf2e6d2516b26383e98974a189510c22

SHA1
1db744fc7a78cbc4257273b54ea1f48bf62cdc23

SHA256
5d7f7fdcda12141d898bc4055b1805a16cee58c76cd3eeeeab2cd5cdebde60c0

SHA512
93a64e4fb85999fdc692a45a472010dac4581c41328a443926314f64c526fb86fe2e8c8ea31bf5e139624011d65f3224cad85ebdf545580f5a10ed18d8f6d069

Download Submit
C:\Windows\{0E8FC4CF-B4B5-4fd8-9986-21A163E06EF4}.exe

Filesize
180KB

MD5
cf2e6d2516b26383e98974a189510c22

SHA1
1db744fc7a78cbc4257273b54ea1f48bf62cdc23

SHA256
5d7f7fdcda12141d898bc4055b1805a16cee58c76cd3eeeeab2cd5cdebde60c0

SHA512
93a64e4fb85999fdc692a45a472010dac4581c41328a443926314f64c526fb86fe2e8c8ea31bf5e139624011d65f3224cad85ebdf545580f5a10ed18d8f6d069

Download Submit
C:\Windows\{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe

Filesize
180KB

MD5
1d8c4076d59206ae4b62b2ff03417c0b

SHA1
c688c4cd4f549dafd146382e58e69ced16a2ae5d

SHA256
da56cd16acb9c024677b85794643445dde712f30a9a382d0af5733c1dfa553b0

SHA512
70cd39f199d1420649063957049a2dc26515fc2bf1d010bdab7191d6142eac86ddbc6c05731ddc187a8316181c23be882243ea9dd9b23e210d6078af82fd2ada

Download Submit
C:\Windows\{0FF9A634-8616-45fe-A21B-ACB21EF9718C}.exe

Filesize
180KB

MD5
1d8c4076d59206ae4b62b2ff03417c0b

SHA1
c688c4cd4f549dafd146382e58e69ced16a2ae5d

SHA256
da56cd16acb9c024677b85794643445dde712f30a9a382d0af5733c1dfa553b0

SHA512
70cd39f199d1420649063957049a2dc26515fc2bf1d010bdab7191d6142eac86ddbc6c05731ddc187a8316181c23be882243ea9dd9b23e210d6078af82fd2ada

Download Submit
C:\Windows\{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe

Filesize
180KB

MD5
c33e04c6035b78faf1a3fab999dd8f68

SHA1
99e830ee6d6e9ebcf4fb2040c3425f46630b7c67

SHA256
a54089b467d1579659cec9ec8851d1eb59a3e82f9a82a23c4bc38a581b0d56e7

SHA512
5b5f7c7c59d52c4447a0d5952d7be8fbc6c871398a3b40f425e2093afd7bdf0c6d8e323a9f0aea58393dbb87f349825302a23193a7caeebcdc43a712ab63563c

Download Submit
C:\Windows\{5DEA872E-C272-41ce-BC00-3414B7991AF7}.exe

Filesize
180KB

MD5
c33e04c6035b78faf1a3fab999dd8f68

SHA1
99e830ee6d6e9ebcf4fb2040c3425f46630b7c67

SHA256
a54089b467d1579659cec9ec8851d1eb59a3e82f9a82a23c4bc38a581b0d56e7

SHA512
5b5f7c7c59d52c4447a0d5952d7be8fbc6c871398a3b40f425e2093afd7bdf0c6d8e323a9f0aea58393dbb87f349825302a23193a7caeebcdc43a712ab63563c

Download Submit
C:\Windows\{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe

Filesize
180KB

MD5
b68b423352e57a36d8fe71e59bd99ecc

SHA1
43490e35e056abdc3f704bfdcc172439e998deb1

SHA256
35573a671d813d8394bcfa70c99c5cc4ef98521bf42f6005916a50417ee59c63

SHA512
99d75ead56c56da3562073a5a926e3f717d8f1f11a8dae5b4692333562f41e5e0369bb3ad39f8fd3fa15c32fbda23a2666ebab40014302eab49fa171fd328cec

Download Submit
C:\Windows\{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe

Filesize
180KB

MD5
b68b423352e57a36d8fe71e59bd99ecc

SHA1
43490e35e056abdc3f704bfdcc172439e998deb1

SHA256
35573a671d813d8394bcfa70c99c5cc4ef98521bf42f6005916a50417ee59c63

SHA512
99d75ead56c56da3562073a5a926e3f717d8f1f11a8dae5b4692333562f41e5e0369bb3ad39f8fd3fa15c32fbda23a2666ebab40014302eab49fa171fd328cec

Download Submit
C:\Windows\{AE6094D9-7198-488f-9A78-40F74206FE0C}.exe

Filesize
180KB

MD5
b68b423352e57a36d8fe71e59bd99ecc

SHA1
43490e35e056abdc3f704bfdcc172439e998deb1

SHA256
35573a671d813d8394bcfa70c99c5cc4ef98521bf42f6005916a50417ee59c63

SHA512
99d75ead56c56da3562073a5a926e3f717d8f1f11a8dae5b4692333562f41e5e0369bb3ad39f8fd3fa15c32fbda23a2666ebab40014302eab49fa171fd328cec

Download Submit
C:\Windows\{B44215CF-0084-4420-8137-7051E876F0BC}.exe

Filesize
180KB

MD5
04f201a4035658ed7f2d7427a0b457c7

SHA1
5ce8896b212c695a91e2994e200420e30bd5b243

SHA256
53369dfb492d40ad125162d6b420b81e56345c83eb95d1445d4ebc1c017a26cf

SHA512
9ad57e307f4037a1cfd1e03cb313d15a2d012bc602d18423cb2c1cc9a22047e931e345f1451820a2b2e85f48792191b3fb4ef59ed5f08cb3a439212bb126b375

Download Submit
C:\Windows\{B44215CF-0084-4420-8137-7051E876F0BC}.exe

Filesize
180KB

MD5
04f201a4035658ed7f2d7427a0b457c7

SHA1
5ce8896b212c695a91e2994e200420e30bd5b243

SHA256
53369dfb492d40ad125162d6b420b81e56345c83eb95d1445d4ebc1c017a26cf

SHA512
9ad57e307f4037a1cfd1e03cb313d15a2d012bc602d18423cb2c1cc9a22047e931e345f1451820a2b2e85f48792191b3fb4ef59ed5f08cb3a439212bb126b375

Download Submit
C:\Windows\{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe

Filesize
180KB

MD5
2a9207b8eb0da7976160eb2b4ba5728f

SHA1
c0af9eeb9398b709e21999213dcfbb63663aa40f

SHA256
e8cc5ff5bc973878657876e567a4329234f68d3b67f3149400ad4fbb44235795

SHA512
c8edb08185f09baf0059a750b09c2ebc3d0d91976e61d028b121619d14fa6b2620a4179617ec742c75ded3a8f1a9def9c791aaee5d56614c632d691ab451d29e

Download Submit
C:\Windows\{B51C6EFC-BBD8-4d0c-905F-A04414F9B55E}.exe

Filesize
180KB

MD5
2a9207b8eb0da7976160eb2b4ba5728f

SHA1
c0af9eeb9398b709e21999213dcfbb63663aa40f

SHA256
e8cc5ff5bc973878657876e567a4329234f68d3b67f3149400ad4fbb44235795

SHA512
c8edb08185f09baf0059a750b09c2ebc3d0d91976e61d028b121619d14fa6b2620a4179617ec742c75ded3a8f1a9def9c791aaee5d56614c632d691ab451d29e

Download Submit
C:\Windows\{B66851FF-081B-4901-9473-F3080860AD14}.exe

Filesize
180KB

MD5
ddddbd37a7de5645b0c9ee04c1643418

SHA1
bd3e88104eeb4ccb9de1d59922e6edc9e150a8dc

SHA256
d6227ab1f82659d85e8cf5fd8f1514fe3e0a5e3e892937ee9345b095b7ef2168

SHA512
9604e0202da6f588c665e9ed69c0c88b1c9c2775d6f8d3f6bfe9475368da4e2f9e7c5ee72afd4963739c13a8c44add745fd17085ffb358864824b541b39e2945

Download Submit
C:\Windows\{B66851FF-081B-4901-9473-F3080860AD14}.exe

Filesize
180KB

MD5
ddddbd37a7de5645b0c9ee04c1643418

SHA1
bd3e88104eeb4ccb9de1d59922e6edc9e150a8dc

SHA256
d6227ab1f82659d85e8cf5fd8f1514fe3e0a5e3e892937ee9345b095b7ef2168

SHA512
9604e0202da6f588c665e9ed69c0c88b1c9c2775d6f8d3f6bfe9475368da4e2f9e7c5ee72afd4963739c13a8c44add745fd17085ffb358864824b541b39e2945

Download Submit
C:\Windows\{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe

Filesize
180KB

MD5
d8329d54c8489bddaa01fc255883eb3f

SHA1
f0d55ae2319163292be8af06f6b7be24bda8739e

SHA256
4980a481fd53e50ba5155b4db32d5973353b1353f8142c0503627a6bc10c50e2

SHA512
af66050cda9d3a1f12a42a1fdf869eef4782e0b1cfe876f623f5bfc28b6b0a28adfa341a1c4a70a3cab429658214123460be53b2d919cd0d1567dc3f7430cc9d

Download Submit
C:\Windows\{BB9EC174-05EC-4c4b-AC26-09530BE59108}.exe

Filesize
180KB

MD5
d8329d54c8489bddaa01fc255883eb3f

SHA1
f0d55ae2319163292be8af06f6b7be24bda8739e

SHA256
4980a481fd53e50ba5155b4db32d5973353b1353f8142c0503627a6bc10c50e2

SHA512
af66050cda9d3a1f12a42a1fdf869eef4782e0b1cfe876f623f5bfc28b6b0a28adfa341a1c4a70a3cab429658214123460be53b2d919cd0d1567dc3f7430cc9d

Download Submit
C:\Windows\{F134A03A-55A2-4642-87D5-43C4DA392335}.exe

Filesize
180KB

MD5
327b2d60f18d89ca1046619907e6b8bf

SHA1
c275581494656432f1cc2f6d143d79fb59903ce4

SHA256
9815be7e9aee21bc130994d24eab2407715782cd9edc9d43b29115a4dba12d8c

SHA512
3f4979c026bc993302eee591a1e549b4f333e1501777115c8036abdd2769560518c99f923c2097b5e35631253c44bbd73263496da5a01f20cd6e2fda9761a49b

Download Submit
C:\Windows\{F134A03A-55A2-4642-87D5-43C4DA392335}.exe

Filesize
180KB

MD5
327b2d60f18d89ca1046619907e6b8bf

SHA1
c275581494656432f1cc2f6d143d79fb59903ce4

SHA256
9815be7e9aee21bc130994d24eab2407715782cd9edc9d43b29115a4dba12d8c

SHA512
3f4979c026bc993302eee591a1e549b4f333e1501777115c8036abdd2769560518c99f923c2097b5e35631253c44bbd73263496da5a01f20cd6e2fda9761a49b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads