1508e2ef646afe0b6deb11d57f1b080caf3d65ed4cc6183cd53f6bc6ca68bcee

Analysis

max time kernel
156s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2023 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe
Size

372KB
MD5

99dbcb1fa9dcd5fcf5588f056974b704
SHA1

22d91498e4e9b7196ac27b47307bbd186b1ba974
SHA256

1508e2ef646afe0b6deb11d57f1b080caf3d65ed4cc6183cd53f6bc6ca68bcee
SHA512

93daeccccb9e5e856086c3c8a166058d53a975e3853f710819ee09e79a5fa37ff7e8f24059cbd3349904f0a6de00084e56af9d07639cd6eec8e7a725a4f6dbf4
SSDEEP

3072:CEGh0oumlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGZl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0F4A501-655C-420c-AC3D-AF620A4D78A2}	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C406759-7D3F-43b9-95D5-9CF546B8055C}\stubpath = "C:\\Windows\\{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe"	{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C218D48-22DE-4267-9941-840584371936}\stubpath = "C:\\Windows\\{9C218D48-22DE-4267-9941-840584371936}.exe"	{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}\stubpath = "C:\\Windows\\{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe"	{9C218D48-22DE-4267-9941-840584371936}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75D6A08C-209E-413e-9926-81E7F1D9C903}	{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AE9A3A-0D59-454b-B686-F2F2037288FF}\stubpath = "C:\\Windows\\{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe"	{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0F4A501-655C-420c-AC3D-AF620A4D78A2}\stubpath = "C:\\Windows\\{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe"	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF304E72-2C9C-47ac-BD2B-216B832643C4}	{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF304E72-2C9C-47ac-BD2B-216B832643C4}\stubpath = "C:\\Windows\\{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe"	{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}	{9C218D48-22DE-4267-9941-840584371936}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}\stubpath = "C:\\Windows\\{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe"	{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}\stubpath = "C:\\Windows\\{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe"	{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75D6A08C-209E-413e-9926-81E7F1D9C903}\stubpath = "C:\\Windows\\{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe"	{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}	{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}	{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1327CC37-B717-42bc-A83A-D67DF15A46F4}	{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DBAA4A6-4DCD-490e-991D-A5D875360D91}	{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DBAA4A6-4DCD-490e-991D-A5D875360D91}\stubpath = "C:\\Windows\\{0DBAA4A6-4DCD-490e-991D-A5D875360D91}.exe"	{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C406759-7D3F-43b9-95D5-9CF546B8055C}	{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C218D48-22DE-4267-9941-840584371936}	{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AE9A3A-0D59-454b-B686-F2F2037288FF}	{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1327CC37-B717-42bc-A83A-D67DF15A46F4}\stubpath = "C:\\Windows\\{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe"	{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe

Executes dropped EXE 11 IoCs

pid	Process
1732	{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe
3972	{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe
1924	{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe
2660	{9C218D48-22DE-4267-9941-840584371936}.exe
3700	{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe
2352	{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe
2028	{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe
4380	{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe
4232	{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe
2320	{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe
972	{0DBAA4A6-4DCD-490e-991D-A5D875360D91}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe	{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe
File created	C:\Windows\{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe	{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe
File created	C:\Windows\{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe	{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe
File created	C:\Windows\{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe
File created	C:\Windows\{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe	{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe
File created	C:\Windows\{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe	{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe
File created	C:\Windows\{9C218D48-22DE-4267-9941-840584371936}.exe	{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe
File created	C:\Windows\{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe	{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe
File created	C:\Windows\{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe	{9C218D48-22DE-4267-9941-840584371936}.exe
File created	C:\Windows\{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe	{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe
File created	C:\Windows\{0DBAA4A6-4DCD-490e-991D-A5D875360D91}.exe	{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3924	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1732	{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe
Token: SeIncBasePriorityPrivilege	3972	{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe
Token: SeIncBasePriorityPrivilege	1924	{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe
Token: SeIncBasePriorityPrivilege	2660	{9C218D48-22DE-4267-9941-840584371936}.exe
Token: SeIncBasePriorityPrivilege	3700	{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe
Token: SeIncBasePriorityPrivilege	2352	{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe
Token: SeIncBasePriorityPrivilege	2028	{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe
Token: SeIncBasePriorityPrivilege	4380	{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe
Token: SeIncBasePriorityPrivilege	4232	{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe
Token: SeIncBasePriorityPrivilege	2320	{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 1732	3924	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	90
PID 3924 wrote to memory of 1732	3924	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	90
PID 3924 wrote to memory of 1732	3924	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	90
PID 3924 wrote to memory of 2560	3924	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	91
PID 3924 wrote to memory of 2560	3924	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	91
PID 3924 wrote to memory of 2560	3924	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	91
PID 1732 wrote to memory of 3972	1732	{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe	98
PID 1732 wrote to memory of 3972	1732	{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe	98
PID 1732 wrote to memory of 3972	1732	{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe	98
PID 1732 wrote to memory of 4520	1732	{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe	99
PID 1732 wrote to memory of 4520	1732	{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe	99
PID 1732 wrote to memory of 4520	1732	{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe	99
PID 3972 wrote to memory of 1924	3972	{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe	103
PID 3972 wrote to memory of 1924	3972	{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe	103
PID 3972 wrote to memory of 1924	3972	{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe	103
PID 3972 wrote to memory of 1580	3972	{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe	104
PID 3972 wrote to memory of 1580	3972	{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe	104
PID 3972 wrote to memory of 1580	3972	{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe	104
PID 1924 wrote to memory of 2660	1924	{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe	112
PID 1924 wrote to memory of 2660	1924	{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe	112
PID 1924 wrote to memory of 2660	1924	{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe	112
PID 1924 wrote to memory of 4520	1924	{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe	113
PID 1924 wrote to memory of 4520	1924	{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe	113
PID 1924 wrote to memory of 4520	1924	{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe	113
PID 2660 wrote to memory of 3700	2660	{9C218D48-22DE-4267-9941-840584371936}.exe	114
PID 2660 wrote to memory of 3700	2660	{9C218D48-22DE-4267-9941-840584371936}.exe	114
PID 2660 wrote to memory of 3700	2660	{9C218D48-22DE-4267-9941-840584371936}.exe	114
PID 2660 wrote to memory of 3848	2660	{9C218D48-22DE-4267-9941-840584371936}.exe	115
PID 2660 wrote to memory of 3848	2660	{9C218D48-22DE-4267-9941-840584371936}.exe	115
PID 2660 wrote to memory of 3848	2660	{9C218D48-22DE-4267-9941-840584371936}.exe	115
PID 3700 wrote to memory of 2352	3700	{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe	116
PID 3700 wrote to memory of 2352	3700	{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe	116
PID 3700 wrote to memory of 2352	3700	{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe	116
PID 3700 wrote to memory of 2556	3700	{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe	117
PID 3700 wrote to memory of 2556	3700	{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe	117
PID 3700 wrote to memory of 2556	3700	{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe	117
PID 2352 wrote to memory of 2028	2352	{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe	119
PID 2352 wrote to memory of 2028	2352	{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe	119
PID 2352 wrote to memory of 2028	2352	{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe	119
PID 2352 wrote to memory of 4864	2352	{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe	120
PID 2352 wrote to memory of 4864	2352	{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe	120
PID 2352 wrote to memory of 4864	2352	{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe	120
PID 2028 wrote to memory of 4380	2028	{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe	121
PID 2028 wrote to memory of 4380	2028	{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe	121
PID 2028 wrote to memory of 4380	2028	{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe	121
PID 2028 wrote to memory of 1864	2028	{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe	122
PID 2028 wrote to memory of 1864	2028	{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe	122
PID 2028 wrote to memory of 1864	2028	{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe	122
PID 4380 wrote to memory of 4232	4380	{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe	123
PID 4380 wrote to memory of 4232	4380	{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe	123
PID 4380 wrote to memory of 4232	4380	{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe	123
PID 4380 wrote to memory of 3968	4380	{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe	124
PID 4380 wrote to memory of 3968	4380	{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe	124
PID 4380 wrote to memory of 3968	4380	{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe	124
PID 4232 wrote to memory of 2320	4232	{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe	125
PID 4232 wrote to memory of 2320	4232	{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe	125
PID 4232 wrote to memory of 2320	4232	{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe	125
PID 4232 wrote to memory of 488	4232	{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe	126
PID 4232 wrote to memory of 488	4232	{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe	126
PID 4232 wrote to memory of 488	4232	{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe	126
PID 2320 wrote to memory of 972	2320	{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe	127
PID 2320 wrote to memory of 972	2320	{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe	127
PID 2320 wrote to memory of 972	2320	{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe	127
PID 2320 wrote to memory of 1232	2320	{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe	128

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe
  C:\Windows\{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe
    C:\Windows\{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Windows\{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe
      C:\Windows\{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\{9C218D48-22DE-4267-9941-840584371936}.exe
        
        C:\Windows\{9C218D48-22DE-4267-9941-840584371936}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe
        
        C:\Windows\{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe
        
        C:\Windows\{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe
        
        C:\Windows\{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe
        
        C:\Windows\{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe
        
        C:\Windows\{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe
        
        C:\Windows\{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{0DBAA4A6-4DCD-490e-991D-A5D875360D91}.exe
        
        C:\Windows\{0DBAA4A6-4DCD-490e-991D-A5D875360D91}.exe
        12⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1327C~1.EXE > nul
        12⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16AE9~1.EXE > nul
        11⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75D6A~1.EXE > nul
        10⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED5B0~1.EXE > nul
        9⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EA2D~1.EXE > nul
        8⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0685C~1.EXE > nul
        7⤵
        
        PID:2556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C218~1.EXE > nul
        6⤵
        
        PID:3848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C406~1.EXE > nul
        5⤵
        
        PID:4520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EF304~1.EXE > nul
      4⤵
      PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F4A~1.EXE > nul
    3⤵
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe

Filesize
372KB

MD5
7a70842dfac2a81fac99400bed70087e

SHA1
7a59dbb3e02f6ac70bb5d4db7d21e589342c899f

SHA256
df7cb70458a67960f1850b5a7cffc9446ca6c122dd814de69056a8666c954743

SHA512
bd56ed8286a46d8c9ec8ca5fda1f2d512c35aa35fca1a3be122ae021d80608d3808e6d43cb209026d47dc7e0341894e82deaca2c2374c7526681cac414198001

Download Submit
C:\Windows\{0685C0CF-6D8C-4fbf-9CB5-511311EF10E4}.exe

Filesize
372KB

MD5
7a70842dfac2a81fac99400bed70087e

SHA1
7a59dbb3e02f6ac70bb5d4db7d21e589342c899f

SHA256
df7cb70458a67960f1850b5a7cffc9446ca6c122dd814de69056a8666c954743

SHA512
bd56ed8286a46d8c9ec8ca5fda1f2d512c35aa35fca1a3be122ae021d80608d3808e6d43cb209026d47dc7e0341894e82deaca2c2374c7526681cac414198001

Download Submit
C:\Windows\{0DBAA4A6-4DCD-490e-991D-A5D875360D91}.exe

Filesize
372KB

MD5
30509e7bd3d02412771c5adeb83493c4

SHA1
d20dd44136eaea05cd5a50d144bf695d274a1193

SHA256
b3c5f2441a5ac208fb16b6b07523ac3f479a9456e50f3c01dac0944ab08b191b

SHA512
b32c4918bde19c988d8cc41e9760c3d637b99e7dc4542b2d5e6e72d4f14883643c3b2d70c731a8df9ea547bb9bd75aeb26cd305425685d3cc2fa94aaa7d5c75e

Download Submit
C:\Windows\{0DBAA4A6-4DCD-490e-991D-A5D875360D91}.exe

Filesize
372KB

MD5
30509e7bd3d02412771c5adeb83493c4

SHA1
d20dd44136eaea05cd5a50d144bf695d274a1193

SHA256
b3c5f2441a5ac208fb16b6b07523ac3f479a9456e50f3c01dac0944ab08b191b

SHA512
b32c4918bde19c988d8cc41e9760c3d637b99e7dc4542b2d5e6e72d4f14883643c3b2d70c731a8df9ea547bb9bd75aeb26cd305425685d3cc2fa94aaa7d5c75e

Download Submit
C:\Windows\{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe

Filesize
372KB

MD5
c231b70626336d90e5dbcdf79d0f8b3e

SHA1
06ce99f01226ddd5278726695d10b7f5d23f1a68

SHA256
92fb2ab93f760377c6d5fdb963249609aaa03e43a33de4d58c4cb578749f837f

SHA512
a51efd4e4ae9ec5daeb72a7e73af9df6618f6be5fe42e01ee828b7923a312a67d251b53da415fecc9026a442848b385ad555d4aceb83ec1d035539fad4e0f4e5

Download Submit
C:\Windows\{1327CC37-B717-42bc-A83A-D67DF15A46F4}.exe

Filesize
372KB

MD5
c231b70626336d90e5dbcdf79d0f8b3e

SHA1
06ce99f01226ddd5278726695d10b7f5d23f1a68

SHA256
92fb2ab93f760377c6d5fdb963249609aaa03e43a33de4d58c4cb578749f837f

SHA512
a51efd4e4ae9ec5daeb72a7e73af9df6618f6be5fe42e01ee828b7923a312a67d251b53da415fecc9026a442848b385ad555d4aceb83ec1d035539fad4e0f4e5

Download Submit
C:\Windows\{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe

Filesize
372KB

MD5
32a3dc8f6d000736924e054e0fd117bf

SHA1
a28fb10591d463811722f9cc2029933865397374

SHA256
86e2b11a33c2415904212725fe510bfdd23bfda7d40f809cf33e48e38c6c3eac

SHA512
89404ce0a2b9ac06799f5c1f167bd722c6c193d9c0bc60240a6a52cf2fb562d6c397fb46c17524fd0a177a02fc0760bf1fc0db9e67b967ef3996d083433c3ba9

Download Submit
C:\Windows\{16AE9A3A-0D59-454b-B686-F2F2037288FF}.exe

Filesize
372KB

MD5
32a3dc8f6d000736924e054e0fd117bf

SHA1
a28fb10591d463811722f9cc2029933865397374

SHA256
86e2b11a33c2415904212725fe510bfdd23bfda7d40f809cf33e48e38c6c3eac

SHA512
89404ce0a2b9ac06799f5c1f167bd722c6c193d9c0bc60240a6a52cf2fb562d6c397fb46c17524fd0a177a02fc0760bf1fc0db9e67b967ef3996d083433c3ba9

Download Submit
C:\Windows\{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe

Filesize
372KB

MD5
d7db60356e1f2d581f600a4d5114a107

SHA1
05a35c707b33e76575d9c9f7fe7262a94f9de049

SHA256
35a62b8827fb0bbc5bd30ca0ecbdb30edb3f6d13aef656c56625d23af566cafb

SHA512
8039012fc0766cbb168bb9e31c14ff5df78c8e1199a0d4a31839b743417e74f88424c95a475d1c325aec1f0691cef4901584a71c1a0b805947de4d7e410bb142

Download Submit
C:\Windows\{3EA2D5D4-C8A1-4ba8-ABF0-F81E68BC1652}.exe

Filesize
372KB

MD5
d7db60356e1f2d581f600a4d5114a107

SHA1
05a35c707b33e76575d9c9f7fe7262a94f9de049

SHA256
35a62b8827fb0bbc5bd30ca0ecbdb30edb3f6d13aef656c56625d23af566cafb

SHA512
8039012fc0766cbb168bb9e31c14ff5df78c8e1199a0d4a31839b743417e74f88424c95a475d1c325aec1f0691cef4901584a71c1a0b805947de4d7e410bb142

Download Submit
C:\Windows\{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe

Filesize
372KB

MD5
4d643153227164c018d27dc419acb1f8

SHA1
d153067b17be1b8862154d5c659dddbeb59ddf9c

SHA256
111f4c9a35234127b00020f4bc67628a90c2275a7ef850122385bbed1f9afa4a

SHA512
19ddaf3bacd627169f56fd6f1d733af7dcdc451f35262d29ae090bbacd9643d5050fe507e790f668236a7dff0d11aa1975915a43742ac231160351529e826957

Download Submit
C:\Windows\{75D6A08C-209E-413e-9926-81E7F1D9C903}.exe

Filesize
372KB

MD5
4d643153227164c018d27dc419acb1f8

SHA1
d153067b17be1b8862154d5c659dddbeb59ddf9c

SHA256
111f4c9a35234127b00020f4bc67628a90c2275a7ef850122385bbed1f9afa4a

SHA512
19ddaf3bacd627169f56fd6f1d733af7dcdc451f35262d29ae090bbacd9643d5050fe507e790f668236a7dff0d11aa1975915a43742ac231160351529e826957

Download Submit
C:\Windows\{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe

Filesize
372KB

MD5
ec65344a20b1af611a91139bf63d8561

SHA1
4716c55ee1598daa275093bffe1e3a0fdd719d35

SHA256
a7c1306c6d61f6429993ca8ad2685d623999861481b1759e03c45df174a18de3

SHA512
fb34821591cf629cd3f7b7467e2c00a0a34d4c4d89c738b39c8abbb24d66c43d4eb26458d24c26ab84068706018e4fb5bbdf793b33865b3f6c173f393e729cee

Download Submit
C:\Windows\{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe

Filesize
372KB

MD5
ec65344a20b1af611a91139bf63d8561

SHA1
4716c55ee1598daa275093bffe1e3a0fdd719d35

SHA256
a7c1306c6d61f6429993ca8ad2685d623999861481b1759e03c45df174a18de3

SHA512
fb34821591cf629cd3f7b7467e2c00a0a34d4c4d89c738b39c8abbb24d66c43d4eb26458d24c26ab84068706018e4fb5bbdf793b33865b3f6c173f393e729cee

Download Submit
C:\Windows\{7C406759-7D3F-43b9-95D5-9CF546B8055C}.exe

Filesize
372KB

MD5
ec65344a20b1af611a91139bf63d8561

SHA1
4716c55ee1598daa275093bffe1e3a0fdd719d35

SHA256
a7c1306c6d61f6429993ca8ad2685d623999861481b1759e03c45df174a18de3

SHA512
fb34821591cf629cd3f7b7467e2c00a0a34d4c4d89c738b39c8abbb24d66c43d4eb26458d24c26ab84068706018e4fb5bbdf793b33865b3f6c173f393e729cee

Download Submit
C:\Windows\{9C218D48-22DE-4267-9941-840584371936}.exe

Filesize
372KB

MD5
f50c904002c63ae061b893583adbc915

SHA1
0a71c9a2c198b621930d4192404e07971d6d677d

SHA256
4724c2d0ddbbb34529537403d617e47191c378aa214dd0d4aefc06bc2f88433e

SHA512
3f023c455eeb91520a549ea3ee3558d71570b842618a539b17b48f74157917770380cc4e372e419e1193327c1f31e5913931274f7cffc29b90f196df0884c4b7

Download Submit
C:\Windows\{9C218D48-22DE-4267-9941-840584371936}.exe

Filesize
372KB

MD5
f50c904002c63ae061b893583adbc915

SHA1
0a71c9a2c198b621930d4192404e07971d6d677d

SHA256
4724c2d0ddbbb34529537403d617e47191c378aa214dd0d4aefc06bc2f88433e

SHA512
3f023c455eeb91520a549ea3ee3558d71570b842618a539b17b48f74157917770380cc4e372e419e1193327c1f31e5913931274f7cffc29b90f196df0884c4b7

Download Submit
C:\Windows\{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe

Filesize
372KB

MD5
42302a0212c4c97f1769e5724b59d649

SHA1
bd5456f835183c663a3ac2fa7ea8cc93c98fb6ff

SHA256
751fe7f4c238e2750ff673900c5e599370fe856f98215b53ee58b1e1fb1147f4

SHA512
9e244bec139ddf3dcf0f58c4f9c551dc61a159a24ac4a449f5d0679719ccb8862674d6c4127508473e39b3cf8721acd4426b8c9b882437719e0dd300f83245d1

Download Submit
C:\Windows\{ED5B03D6-D5D8-4d1e-8337-8FA11A590FC9}.exe

Filesize
372KB

MD5
42302a0212c4c97f1769e5724b59d649

SHA1
bd5456f835183c663a3ac2fa7ea8cc93c98fb6ff

SHA256
751fe7f4c238e2750ff673900c5e599370fe856f98215b53ee58b1e1fb1147f4

SHA512
9e244bec139ddf3dcf0f58c4f9c551dc61a159a24ac4a449f5d0679719ccb8862674d6c4127508473e39b3cf8721acd4426b8c9b882437719e0dd300f83245d1

Download Submit
C:\Windows\{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe

Filesize
372KB

MD5
4f9ebc9bc168ab1e9cbd1bb35da083b6

SHA1
8d345e5460d26c1b301f1074b726ecfd8a8a4457

SHA256
fd160764c53b1d508f9bc82f435f93ff3c19dfaba61a0ebbae45139be92e6d1e

SHA512
1d2c4775b896eac4771e564164dafbaed3531e2705fc3224f26c258008acf91f395685bee335392f012af04b876c1e19232ac5058148cd9c4301600e207fdc04

Download Submit
C:\Windows\{EF304E72-2C9C-47ac-BD2B-216B832643C4}.exe

Filesize
372KB

MD5
4f9ebc9bc168ab1e9cbd1bb35da083b6

SHA1
8d345e5460d26c1b301f1074b726ecfd8a8a4457

SHA256
fd160764c53b1d508f9bc82f435f93ff3c19dfaba61a0ebbae45139be92e6d1e

SHA512
1d2c4775b896eac4771e564164dafbaed3531e2705fc3224f26c258008acf91f395685bee335392f012af04b876c1e19232ac5058148cd9c4301600e207fdc04

Download Submit
C:\Windows\{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe

Filesize
372KB

MD5
a759ca30875f953885a2ae26e90e004d

SHA1
459d6f5eb28c57ab8f06c8de0d1a6a2a174fa392

SHA256
741c6b87c54e32589334bc85c787dc442f1dbf0483e1203fd450dd6d086663f2

SHA512
42b9c9c744a2c2e660fdc5e721253bca0b1d5621ff3d51948685e9b67af42a99f27cbb2b7f5479a9e82d2bb97e2c86c6eed49555daada17304487efe6ea08332

Download Submit
C:\Windows\{F0F4A501-655C-420c-AC3D-AF620A4D78A2}.exe

Filesize
372KB

MD5
a759ca30875f953885a2ae26e90e004d

SHA1
459d6f5eb28c57ab8f06c8de0d1a6a2a174fa392

SHA256
741c6b87c54e32589334bc85c787dc442f1dbf0483e1203fd450dd6d086663f2

SHA512
42b9c9c744a2c2e660fdc5e721253bca0b1d5621ff3d51948685e9b67af42a99f27cbb2b7f5479a9e82d2bb97e2c86c6eed49555daada17304487efe6ea08332

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads