cea0e04dd3bf2c5acd9cbe38dc41e49bfd4224d4db81db44634d65482aeb067a

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2023 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-08_442a26738ad38f0e1eaec4eb1f14f4ba_goldeneye_JC.exe
Size

216KB
MD5

442a26738ad38f0e1eaec4eb1f14f4ba
SHA1

8f5dc8e2ad7b85ff3cb760dcbb1746bea42e0ea1
SHA256

cea0e04dd3bf2c5acd9cbe38dc41e49bfd4224d4db81db44634d65482aeb067a
SHA512

710a63af7a41adb2b9de1932b257272ca6dd515c4dacbd26da65d7bbb49c6bec4f3aba005b802c8768e912e6c5905d37a4898f902a11a9ee48882cd44e4595bb
SSDEEP

3072:jEGh0o6l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGElEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FBC99F-31BF-47c9-AA93-36C3EFF0A9B2}	{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FBC99F-31BF-47c9-AA93-36C3EFF0A9B2}\stubpath = "C:\\Windows\\{59FBC99F-31BF-47c9-AA93-36C3EFF0A9B2}.exe"	{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{461C9912-B69F-4d2e-919F-2F2F790610E4}	{59FBC99F-31BF-47c9-AA93-36C3EFF0A9B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}	{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}\stubpath = "C:\\Windows\\{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe"	{02026BBD-7EA6-40b3-A153-A6683169A740}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A597509-DB15-43b4-B277-33B8F9EC1E80}	{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{738F080C-321B-4523-BF46-E6A00A92F52F}\stubpath = "C:\\Windows\\{738F080C-321B-4523-BF46-E6A00A92F52F}.exe"	{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}\stubpath = "C:\\Windows\\{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe"	{738F080C-321B-4523-BF46-E6A00A92F52F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{461C9912-B69F-4d2e-919F-2F2F790610E4}\stubpath = "C:\\Windows\\{461C9912-B69F-4d2e-919F-2F2F790610E4}.exe"	{59FBC99F-31BF-47c9-AA93-36C3EFF0A9B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E2F1769-F441-4e6e-881C-4A2D421AAE18}	{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E2F1769-F441-4e6e-881C-4A2D421AAE18}\stubpath = "C:\\Windows\\{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe"	{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02026BBD-7EA6-40b3-A153-A6683169A740}	{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}	{02026BBD-7EA6-40b3-A153-A6683169A740}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A597509-DB15-43b4-B277-33B8F9EC1E80}\stubpath = "C:\\Windows\\{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe"	{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}\stubpath = "C:\\Windows\\{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe"	{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{738F080C-321B-4523-BF46-E6A00A92F52F}	{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}	{738F080C-321B-4523-BF46-E6A00A92F52F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}	NEAS.2023-09-08_442a26738ad38f0e1eaec4eb1f14f4ba_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74083692-9732-4f76-907E-CDFFBE0FD0A3}	{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74083692-9732-4f76-907E-CDFFBE0FD0A3}\stubpath = "C:\\Windows\\{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe"	{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02026BBD-7EA6-40b3-A153-A6683169A740}\stubpath = "C:\\Windows\\{02026BBD-7EA6-40b3-A153-A6683169A740}.exe"	{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}	{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}\stubpath = "C:\\Windows\\{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe"	{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}\stubpath = "C:\\Windows\\{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe"	NEAS.2023-09-08_442a26738ad38f0e1eaec4eb1f14f4ba_goldeneye_JC.exe

Executes dropped EXE 12 IoCs

pid	Process
4524	{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe
804	{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe
3392	{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe
3992	{02026BBD-7EA6-40b3-A153-A6683169A740}.exe
3632	{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe
1412	{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe
4756	{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe
4488	{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe
1020	{738F080C-321B-4523-BF46-E6A00A92F52F}.exe
5080	{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe
3488	{59FBC99F-31BF-47c9-AA93-36C3EFF0A9B2}.exe
980	{461C9912-B69F-4d2e-919F-2F2F790610E4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe	NEAS.2023-09-08_442a26738ad38f0e1eaec4eb1f14f4ba_goldeneye_JC.exe
File created	C:\Windows\{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe	{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe
File created	C:\Windows\{02026BBD-7EA6-40b3-A153-A6683169A740}.exe	{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe
File created	C:\Windows\{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe	{02026BBD-7EA6-40b3-A153-A6683169A740}.exe
File created	C:\Windows\{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe	{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe
File created	C:\Windows\{738F080C-321B-4523-BF46-E6A00A92F52F}.exe	{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe
File created	C:\Windows\{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe	{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe
File created	C:\Windows\{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe	{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe
File created	C:\Windows\{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe	{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe
File created	C:\Windows\{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe	{738F080C-321B-4523-BF46-E6A00A92F52F}.exe
File created	C:\Windows\{59FBC99F-31BF-47c9-AA93-36C3EFF0A9B2}.exe	{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe
File created	C:\Windows\{461C9912-B69F-4d2e-919F-2F2F790610E4}.exe	{59FBC99F-31BF-47c9-AA93-36C3EFF0A9B2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3836	NEAS.2023-09-08_442a26738ad38f0e1eaec4eb1f14f4ba_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4524	{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe
Token: SeIncBasePriorityPrivilege	804	{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe
Token: SeIncBasePriorityPrivilege	3392	{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe
Token: SeIncBasePriorityPrivilege	3992	{02026BBD-7EA6-40b3-A153-A6683169A740}.exe
Token: SeIncBasePriorityPrivilege	3632	{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe
Token: SeIncBasePriorityPrivilege	1412	{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe
Token: SeIncBasePriorityPrivilege	4756	{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe
Token: SeIncBasePriorityPrivilege	4488	{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe
Token: SeIncBasePriorityPrivilege	1020	{738F080C-321B-4523-BF46-E6A00A92F52F}.exe
Token: SeIncBasePriorityPrivilege	5080	{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe
Token: SeIncBasePriorityPrivilege	3488	{59FBC99F-31BF-47c9-AA93-36C3EFF0A9B2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 4524	3836	NEAS.2023-09-08_442a26738ad38f0e1eaec4eb1f14f4ba_goldeneye_JC.exe	95
PID 3836 wrote to memory of 4524	3836	NEAS.2023-09-08_442a26738ad38f0e1eaec4eb1f14f4ba_goldeneye_JC.exe	95
PID 3836 wrote to memory of 4524	3836	NEAS.2023-09-08_442a26738ad38f0e1eaec4eb1f14f4ba_goldeneye_JC.exe	95
PID 3836 wrote to memory of 4640	3836	NEAS.2023-09-08_442a26738ad38f0e1eaec4eb1f14f4ba_goldeneye_JC.exe	96
PID 3836 wrote to memory of 4640	3836	NEAS.2023-09-08_442a26738ad38f0e1eaec4eb1f14f4ba_goldeneye_JC.exe	96
PID 3836 wrote to memory of 4640	3836	NEAS.2023-09-08_442a26738ad38f0e1eaec4eb1f14f4ba_goldeneye_JC.exe	96
PID 4524 wrote to memory of 804	4524	{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe	101
PID 4524 wrote to memory of 804	4524	{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe	101
PID 4524 wrote to memory of 804	4524	{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe	101
PID 4524 wrote to memory of 3544	4524	{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe	100
PID 4524 wrote to memory of 3544	4524	{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe	100
PID 4524 wrote to memory of 3544	4524	{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe	100
PID 804 wrote to memory of 3392	804	{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe	104
PID 804 wrote to memory of 3392	804	{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe	104
PID 804 wrote to memory of 3392	804	{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe	104
PID 804 wrote to memory of 3928	804	{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe	105
PID 804 wrote to memory of 3928	804	{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe	105
PID 804 wrote to memory of 3928	804	{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe	105
PID 3392 wrote to memory of 3992	3392	{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe	112
PID 3392 wrote to memory of 3992	3392	{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe	112
PID 3392 wrote to memory of 3992	3392	{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe	112
PID 3392 wrote to memory of 952	3392	{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe	113
PID 3392 wrote to memory of 952	3392	{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe	113
PID 3392 wrote to memory of 952	3392	{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe	113
PID 3992 wrote to memory of 3632	3992	{02026BBD-7EA6-40b3-A153-A6683169A740}.exe	114
PID 3992 wrote to memory of 3632	3992	{02026BBD-7EA6-40b3-A153-A6683169A740}.exe	114
PID 3992 wrote to memory of 3632	3992	{02026BBD-7EA6-40b3-A153-A6683169A740}.exe	114
PID 3992 wrote to memory of 1380	3992	{02026BBD-7EA6-40b3-A153-A6683169A740}.exe	115
PID 3992 wrote to memory of 1380	3992	{02026BBD-7EA6-40b3-A153-A6683169A740}.exe	115
PID 3992 wrote to memory of 1380	3992	{02026BBD-7EA6-40b3-A153-A6683169A740}.exe	115
PID 3632 wrote to memory of 1412	3632	{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe	116
PID 3632 wrote to memory of 1412	3632	{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe	116
PID 3632 wrote to memory of 1412	3632	{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe	116
PID 3632 wrote to memory of 2548	3632	{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe	117
PID 3632 wrote to memory of 2548	3632	{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe	117
PID 3632 wrote to memory of 2548	3632	{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe	117
PID 1412 wrote to memory of 4756	1412	{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe	119
PID 1412 wrote to memory of 4756	1412	{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe	119
PID 1412 wrote to memory of 4756	1412	{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe	119
PID 1412 wrote to memory of 3764	1412	{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe	120
PID 1412 wrote to memory of 3764	1412	{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe	120
PID 1412 wrote to memory of 3764	1412	{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe	120
PID 4756 wrote to memory of 4488	4756	{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe	121
PID 4756 wrote to memory of 4488	4756	{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe	121
PID 4756 wrote to memory of 4488	4756	{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe	121
PID 4756 wrote to memory of 752	4756	{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe	122
PID 4756 wrote to memory of 752	4756	{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe	122
PID 4756 wrote to memory of 752	4756	{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe	122
PID 4488 wrote to memory of 1020	4488	{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe	123
PID 4488 wrote to memory of 1020	4488	{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe	123
PID 4488 wrote to memory of 1020	4488	{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe	123
PID 4488 wrote to memory of 3492	4488	{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe	124
PID 4488 wrote to memory of 3492	4488	{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe	124
PID 4488 wrote to memory of 3492	4488	{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe	124
PID 1020 wrote to memory of 5080	1020	{738F080C-321B-4523-BF46-E6A00A92F52F}.exe	126
PID 1020 wrote to memory of 5080	1020	{738F080C-321B-4523-BF46-E6A00A92F52F}.exe	126
PID 1020 wrote to memory of 5080	1020	{738F080C-321B-4523-BF46-E6A00A92F52F}.exe	126
PID 1020 wrote to memory of 5012	1020	{738F080C-321B-4523-BF46-E6A00A92F52F}.exe	125
PID 1020 wrote to memory of 5012	1020	{738F080C-321B-4523-BF46-E6A00A92F52F}.exe	125
PID 1020 wrote to memory of 5012	1020	{738F080C-321B-4523-BF46-E6A00A92F52F}.exe	125
PID 5080 wrote to memory of 3488	5080	{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe	127
PID 5080 wrote to memory of 3488	5080	{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe	127
PID 5080 wrote to memory of 3488	5080	{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe	127
PID 5080 wrote to memory of 2172	5080	{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe	128

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_442a26738ad38f0e1eaec4eb1f14f4ba_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_442a26738ad38f0e1eaec4eb1f14f4ba_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe
  C:\Windows\{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{984A4~1.EXE > nul
    3⤵
    PID:3544
- - C:\Windows\{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe
    C:\Windows\{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Windows\{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe
      C:\Windows\{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Windows\{02026BBD-7EA6-40b3-A153-A6683169A740}.exe
        
        C:\Windows\{02026BBD-7EA6-40b3-A153-A6683169A740}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
      - C:\Windows\{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe
        
        C:\Windows\{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe
        
        C:\Windows\{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe
        
        C:\Windows\{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe
        
        C:\Windows\{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\{738F080C-321B-4523-BF46-E6A00A92F52F}.exe
        
        C:\Windows\{738F080C-321B-4523-BF46-E6A00A92F52F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{738F0~1.EXE > nul
        11⤵
        
        PID:5012
        
        C:\Windows\{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe
        
        C:\Windows\{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\{59FBC99F-31BF-47c9-AA93-36C3EFF0A9B2}.exe
        
        C:\Windows\{59FBC99F-31BF-47c9-AA93-36C3EFF0A9B2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
        
        C:\Windows\{461C9912-B69F-4d2e-919F-2F2F790610E4}.exe
        
        C:\Windows\{461C9912-B69F-4d2e-919F-2F2F790610E4}.exe
        13⤵
        Executes dropped EXE
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59FBC~1.EXE > nul
        13⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EDD3~1.EXE > nul
        12⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99FA1~1.EXE > nul
        10⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1C39~1.EXE > nul
        9⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A597~1.EXE > nul
        8⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63183~1.EXE > nul
        7⤵
        
        PID:2548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02026~1.EXE > nul
        6⤵
        
        PID:1380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74083~1.EXE > nul
        5⤵
        
        PID:952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4E2F1~1.EXE > nul
      4⤵
      PID:3928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02026BBD-7EA6-40b3-A153-A6683169A740}.exe

Filesize
216KB

MD5
7a0595d9e43b34a37cea0ce2a763e972

SHA1
ddde028cf8525c6b37a3e9a108b51f6a6cd257f4

SHA256
28e70255d34c0280e946dc6513273ba25a317319fe279ad1fceba712e7d88fd2

SHA512
323ceb88ff78d1fd73ce87993c9e2296426578f6c5ec503b581721dc2b05a3afd74f3639681d763fb8fc48b8a621ab365333f7ac4225eac266b52d71e889337b

Download Submit
C:\Windows\{02026BBD-7EA6-40b3-A153-A6683169A740}.exe

Filesize
216KB

MD5
7a0595d9e43b34a37cea0ce2a763e972

SHA1
ddde028cf8525c6b37a3e9a108b51f6a6cd257f4

SHA256
28e70255d34c0280e946dc6513273ba25a317319fe279ad1fceba712e7d88fd2

SHA512
323ceb88ff78d1fd73ce87993c9e2296426578f6c5ec503b581721dc2b05a3afd74f3639681d763fb8fc48b8a621ab365333f7ac4225eac266b52d71e889337b

Download Submit
C:\Windows\{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe

Filesize
216KB

MD5
f301572a0780cf00230cbc9dcf277d1e

SHA1
05a5d170a03293d818d0d29740e93bf668b49e0f

SHA256
eb885466fa0a3006de8d028c7c11c1e14e69f7b371bbbe9d164ca554c285f2c8

SHA512
2f3bf6c8998fd0edce1195ebe7b145d6c14cf0116cbfa240363a6570c8e2d83d5a21b7509e483ddfe5afae33f3fc24de4a4b8cd4aab9ea834acebd79be6f430e

Download Submit
C:\Windows\{0A597509-DB15-43b4-B277-33B8F9EC1E80}.exe

Filesize
216KB

MD5
f301572a0780cf00230cbc9dcf277d1e

SHA1
05a5d170a03293d818d0d29740e93bf668b49e0f

SHA256
eb885466fa0a3006de8d028c7c11c1e14e69f7b371bbbe9d164ca554c285f2c8

SHA512
2f3bf6c8998fd0edce1195ebe7b145d6c14cf0116cbfa240363a6570c8e2d83d5a21b7509e483ddfe5afae33f3fc24de4a4b8cd4aab9ea834acebd79be6f430e

Download Submit
C:\Windows\{461C9912-B69F-4d2e-919F-2F2F790610E4}.exe

Filesize
216KB

MD5
038a0e35417db3f448f2d7fa7143b5dd

SHA1
2e5d68b98ae8d416b8b6daf7eb62e0d8b764b644

SHA256
121f717a04c6bc1ae44c13fe68320329e2c255061257390cbe8316a32ddffa02

SHA512
63695c719328ba5b654d187c504748badcac628852612f7abca92c5c96570f1b4ce30b387732bd22327d96a27951fc88ecbe2031bf2f481315acafc2e8040a5a

Download Submit
C:\Windows\{461C9912-B69F-4d2e-919F-2F2F790610E4}.exe

Filesize
216KB

MD5
038a0e35417db3f448f2d7fa7143b5dd

SHA1
2e5d68b98ae8d416b8b6daf7eb62e0d8b764b644

SHA256
121f717a04c6bc1ae44c13fe68320329e2c255061257390cbe8316a32ddffa02

SHA512
63695c719328ba5b654d187c504748badcac628852612f7abca92c5c96570f1b4ce30b387732bd22327d96a27951fc88ecbe2031bf2f481315acafc2e8040a5a

Download Submit
C:\Windows\{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe

Filesize
216KB

MD5
64e7c7884902e459f8acb94ea57e11ad

SHA1
8d26cd42710264d04e835af96778f331b584e283

SHA256
06d94b1e02a9e8c84a9f615dd718b3b808522d88f02a261ff4b459a5b8977c7a

SHA512
c6a73a8891fb49510ccbe38655eecfd3513eb3a0687b7010e065bb93a50a3c2514008c5805ff358acde8b658b70e995e49731da67c94a1e9915c048e0bda7d4f

Download Submit
C:\Windows\{4E2F1769-F441-4e6e-881C-4A2D421AAE18}.exe

Filesize
216KB

MD5
64e7c7884902e459f8acb94ea57e11ad

SHA1
8d26cd42710264d04e835af96778f331b584e283

SHA256
06d94b1e02a9e8c84a9f615dd718b3b808522d88f02a261ff4b459a5b8977c7a

SHA512
c6a73a8891fb49510ccbe38655eecfd3513eb3a0687b7010e065bb93a50a3c2514008c5805ff358acde8b658b70e995e49731da67c94a1e9915c048e0bda7d4f

Download Submit
C:\Windows\{59FBC99F-31BF-47c9-AA93-36C3EFF0A9B2}.exe

Filesize
216KB

MD5
97bde692c4a5067b2e6cc46dc49e18be

SHA1
d2407147efa8dceda2bd26ddc75ce915c0d97ba9

SHA256
a9ac313f5b9bd059f84f172a39a087cfff37f8cd08737c9ded673fc52f2abdb0

SHA512
980f09c6f42b8e5c6761e0dff4754bc663b6a862b404e9f5ca041c8718d7796f4d35dc55df681644412848199769ce043ad232a96dd7eae66db9f005c2f9fcca

Download Submit
C:\Windows\{59FBC99F-31BF-47c9-AA93-36C3EFF0A9B2}.exe

Filesize
216KB

MD5
97bde692c4a5067b2e6cc46dc49e18be

SHA1
d2407147efa8dceda2bd26ddc75ce915c0d97ba9

SHA256
a9ac313f5b9bd059f84f172a39a087cfff37f8cd08737c9ded673fc52f2abdb0

SHA512
980f09c6f42b8e5c6761e0dff4754bc663b6a862b404e9f5ca041c8718d7796f4d35dc55df681644412848199769ce043ad232a96dd7eae66db9f005c2f9fcca

Download Submit
C:\Windows\{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe

Filesize
216KB

MD5
400a08667979b89922b515b2099229dd

SHA1
177d39f6f5a6afb7421940c57903ed91f633acd0

SHA256
aafe80a034f9ace5d6fe29e671c5facc3a24cd16c9acfa23e987ee95f5e5afc5

SHA512
bf71ad62d4915894f9dea0af64c378673fec8a08a3754fd07916e5ca5eae5219e99eff712a974873afb3fa45e9feda1c909ad179b8163946bbe7ac9f5109aa47

Download Submit
C:\Windows\{63183D28-CE3E-4fc3-A13D-B210A8A5C0EB}.exe

Filesize
216KB

MD5
400a08667979b89922b515b2099229dd

SHA1
177d39f6f5a6afb7421940c57903ed91f633acd0

SHA256
aafe80a034f9ace5d6fe29e671c5facc3a24cd16c9acfa23e987ee95f5e5afc5

SHA512
bf71ad62d4915894f9dea0af64c378673fec8a08a3754fd07916e5ca5eae5219e99eff712a974873afb3fa45e9feda1c909ad179b8163946bbe7ac9f5109aa47

Download Submit
C:\Windows\{738F080C-321B-4523-BF46-E6A00A92F52F}.exe

Filesize
216KB

MD5
01b4a6325c44a0d7332678f57af3d24b

SHA1
dd4ffe96f7514be40433ffe2ff9439426a42d3cd

SHA256
8ca1cec837537023f9c87b192792d02b4c6b31801c8dd62b6c7ec8a0e876a036

SHA512
0c79cc3c920c7f395cf794dd27efde6484905525b5807fe735d496e951d1a559e20cc59bf6ebab51995e36f46e1d2bb8854e329a6efb46232932d1636144ac8a

Download Submit
C:\Windows\{738F080C-321B-4523-BF46-E6A00A92F52F}.exe

Filesize
216KB

MD5
01b4a6325c44a0d7332678f57af3d24b

SHA1
dd4ffe96f7514be40433ffe2ff9439426a42d3cd

SHA256
8ca1cec837537023f9c87b192792d02b4c6b31801c8dd62b6c7ec8a0e876a036

SHA512
0c79cc3c920c7f395cf794dd27efde6484905525b5807fe735d496e951d1a559e20cc59bf6ebab51995e36f46e1d2bb8854e329a6efb46232932d1636144ac8a

Download Submit
C:\Windows\{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe

Filesize
216KB

MD5
6c0ccc835a4f256d184edc88c515b1a0

SHA1
b752cc4bd10e04e0c298b8398674ff60673187ef

SHA256
ee62a2ec653822d3b43e8eda82716928e43f22ed830a662ee9eb31ccc259b68f

SHA512
2f638b99c3f96b045e646bada1abb106b6ac7f0c58c82bcea56fb4ef5a40c07af84ad4bcf20366c07c5deae4b0d141fe220621faaa50b41a39b7ed92fabaf016

Download Submit
C:\Windows\{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe

Filesize
216KB

MD5
6c0ccc835a4f256d184edc88c515b1a0

SHA1
b752cc4bd10e04e0c298b8398674ff60673187ef

SHA256
ee62a2ec653822d3b43e8eda82716928e43f22ed830a662ee9eb31ccc259b68f

SHA512
2f638b99c3f96b045e646bada1abb106b6ac7f0c58c82bcea56fb4ef5a40c07af84ad4bcf20366c07c5deae4b0d141fe220621faaa50b41a39b7ed92fabaf016

Download Submit
C:\Windows\{74083692-9732-4f76-907E-CDFFBE0FD0A3}.exe

Filesize
216KB

MD5
6c0ccc835a4f256d184edc88c515b1a0

SHA1
b752cc4bd10e04e0c298b8398674ff60673187ef

SHA256
ee62a2ec653822d3b43e8eda82716928e43f22ed830a662ee9eb31ccc259b68f

SHA512
2f638b99c3f96b045e646bada1abb106b6ac7f0c58c82bcea56fb4ef5a40c07af84ad4bcf20366c07c5deae4b0d141fe220621faaa50b41a39b7ed92fabaf016

Download Submit
C:\Windows\{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe

Filesize
216KB

MD5
1eb2040fe623e74a0667e58f5f2ca49f

SHA1
b3eb14908b30eef9726a0b66b3c058ee68d31105

SHA256
1d0751b66b32d9b25073049806cafc7b7ece5b41695f81c3651ed17ecc687b48

SHA512
f90fed47a1a3ec77254c48eb7294790c861a71303ab31c5f3316dc5caea2b11dfd6b4c1a64edba54a67cde957892dc4767ae9ec970d9eef9b6095214d72b20f5

Download Submit
C:\Windows\{7EDD308C-0D8C-4343-92C5-B7EE83BB5E4A}.exe

Filesize
216KB

MD5
1eb2040fe623e74a0667e58f5f2ca49f

SHA1
b3eb14908b30eef9726a0b66b3c058ee68d31105

SHA256
1d0751b66b32d9b25073049806cafc7b7ece5b41695f81c3651ed17ecc687b48

SHA512
f90fed47a1a3ec77254c48eb7294790c861a71303ab31c5f3316dc5caea2b11dfd6b4c1a64edba54a67cde957892dc4767ae9ec970d9eef9b6095214d72b20f5

Download Submit
C:\Windows\{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe

Filesize
216KB

MD5
7fbbd0d81f078869395681306d88126b

SHA1
03ac7fe2a7c2c0622de1a16d3776e210540dafa9

SHA256
b653d2604dca079e1ee59c93fc5a7cd72d42a4a3261710963cf489979a481f01

SHA512
bc7c4fc508275c042e7f140993d297e86f9a5c85d1580e084270c445246fa394f9637a2ed98567387afc6f350bcc9b9d901144f8e8291d4c43687e1d412faf92

Download Submit
C:\Windows\{984A4518-6A47-49ab-8AEF-481FD5DA1E4C}.exe

Filesize
216KB

MD5
7fbbd0d81f078869395681306d88126b

SHA1
03ac7fe2a7c2c0622de1a16d3776e210540dafa9

SHA256
b653d2604dca079e1ee59c93fc5a7cd72d42a4a3261710963cf489979a481f01

SHA512
bc7c4fc508275c042e7f140993d297e86f9a5c85d1580e084270c445246fa394f9637a2ed98567387afc6f350bcc9b9d901144f8e8291d4c43687e1d412faf92

Download Submit
C:\Windows\{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe

Filesize
216KB

MD5
0c4dcbf1e816a6903f53b895536378c9

SHA1
dc4c3800d350099997880e4fda26c1bdb578c7da

SHA256
926a6a4930d6ca8f3ea8a841dc2d61244e1ea52fe67e5ea0da569dd0c9fcdc9d

SHA512
f377166de3e3004fe058ad6c12e305da6b7979888ffbef1d2468f12baae3647c1feec0521a14112302c51cb00f97661846d8b00e60dbbcadcb42cc18b5074bf6

Download Submit
C:\Windows\{99FA11BF-A62B-4cbe-9C76-AA4DF018086B}.exe

Filesize
216KB

MD5
0c4dcbf1e816a6903f53b895536378c9

SHA1
dc4c3800d350099997880e4fda26c1bdb578c7da

SHA256
926a6a4930d6ca8f3ea8a841dc2d61244e1ea52fe67e5ea0da569dd0c9fcdc9d

SHA512
f377166de3e3004fe058ad6c12e305da6b7979888ffbef1d2468f12baae3647c1feec0521a14112302c51cb00f97661846d8b00e60dbbcadcb42cc18b5074bf6

Download Submit
C:\Windows\{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe

Filesize
216KB

MD5
f1e5c8f2c9fce16215005b1ace84c7ed

SHA1
44491688bb87ee995330f8e4a6a03584739bdb80

SHA256
5cd91c01d8b55b4a061a36f17044990f0f0a781d219fc39a77d0ba52b95e2a01

SHA512
5f0f4aa38d1e650459ce219f1215984859d03bd7f4a7790acb7262e82af7cbfa4cd1eaa27f0b1c3823f22bfb91a5508fbd323b085d7288d4ef660aa142fdc251

Download Submit
C:\Windows\{F1C398D3-9FDF-4992-9E78-D4C68B7C8DF7}.exe

Filesize
216KB

MD5
f1e5c8f2c9fce16215005b1ace84c7ed

SHA1
44491688bb87ee995330f8e4a6a03584739bdb80

SHA256
5cd91c01d8b55b4a061a36f17044990f0f0a781d219fc39a77d0ba52b95e2a01

SHA512
5f0f4aa38d1e650459ce219f1215984859d03bd7f4a7790acb7262e82af7cbfa4cd1eaa27f0b1c3823f22bfb91a5508fbd323b085d7288d4ef660aa142fdc251

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads