5da0cbe9379b128876bee526ded508a00a5a5110fcc3308ed3a439952e614f47

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe
Size

380KB
MD5

5396539bc01bc2ce4b6595740997c0a1
SHA1

8db110a0c7c67ae47412e656dafac811b404458a
SHA256

5da0cbe9379b128876bee526ded508a00a5a5110fcc3308ed3a439952e614f47
SHA512

764a407880ba9e3747d2daef385b6734dd3cf750a907507f292dac4ccd9ce0f40c51f3c11ca1277b52c487090d1ba3fdaedf5292a943c19e4fb38065e8f523e4
SSDEEP

3072:mEGh0oUlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG+l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0125A081-E977-4093-9926-CB3E85963E7D}\stubpath = "C:\\Windows\\{0125A081-E977-4093-9926-CB3E85963E7D}.exe"	{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}\stubpath = "C:\\Windows\\{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe"	{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82050368-AAD8-4ab1-B7EA-084739863B20}	{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB4E3848-C953-4182-8ACA-7EEC1D9BC089}\stubpath = "C:\\Windows\\{EB4E3848-C953-4182-8ACA-7EEC1D9BC089}.exe"	{00539837-6903-40e5-A831-3AB54B0F52C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA938777-7E5E-4dda-8469-EDA053989F7E}\stubpath = "C:\\Windows\\{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe"	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88ACD72B-487A-4b54-9351-0A21AEE45B45}	{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82050368-AAD8-4ab1-B7EA-084739863B20}\stubpath = "C:\\Windows\\{82050368-AAD8-4ab1-B7EA-084739863B20}.exe"	{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB4E3848-C953-4182-8ACA-7EEC1D9BC089}	{00539837-6903-40e5-A831-3AB54B0F52C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B07783DE-188B-4400-AAFB-9C14352FD96F}\stubpath = "C:\\Windows\\{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe"	{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF221431-5221-4a69-A0B9-C8ADFB99CA08}\stubpath = "C:\\Windows\\{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe"	{0125A081-E977-4093-9926-CB3E85963E7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B07783DE-188B-4400-AAFB-9C14352FD96F}	{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD77A728-6D1D-4145-BE11-1ACF368230C2}	{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD77A728-6D1D-4145-BE11-1ACF368230C2}\stubpath = "C:\\Windows\\{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe"	{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24728E25-48C2-4ad5-8313-D873F5EE6AA8}	{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00539837-6903-40e5-A831-3AB54B0F52C4}\stubpath = "C:\\Windows\\{00539837-6903-40e5-A831-3AB54B0F52C4}.exe"	{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA938777-7E5E-4dda-8469-EDA053989F7E}	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF221431-5221-4a69-A0B9-C8ADFB99CA08}	{0125A081-E977-4093-9926-CB3E85963E7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}	{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88ACD72B-487A-4b54-9351-0A21AEE45B45}\stubpath = "C:\\Windows\\{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe"	{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24728E25-48C2-4ad5-8313-D873F5EE6AA8}\stubpath = "C:\\Windows\\{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe"	{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}	{82050368-AAD8-4ab1-B7EA-084739863B20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}\stubpath = "C:\\Windows\\{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe"	{82050368-AAD8-4ab1-B7EA-084739863B20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00539837-6903-40e5-A831-3AB54B0F52C4}	{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0125A081-E977-4093-9926-CB3E85963E7D}	{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4080	{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe
420	{0125A081-E977-4093-9926-CB3E85963E7D}.exe
1840	{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe
2264	{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe
3216	{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe
2808	{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe
2640	{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe
1532	{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe
736	{82050368-AAD8-4ab1-B7EA-084739863B20}.exe
4244	{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe
1256	{00539837-6903-40e5-A831-3AB54B0F52C4}.exe
4176	{EB4E3848-C953-4182-8ACA-7EEC1D9BC089}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0125A081-E977-4093-9926-CB3E85963E7D}.exe	{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe
File created	C:\Windows\{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe	{0125A081-E977-4093-9926-CB3E85963E7D}.exe
File created	C:\Windows\{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe	{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe
File created	C:\Windows\{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe	{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe
File created	C:\Windows\{00539837-6903-40e5-A831-3AB54B0F52C4}.exe	{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe
File created	C:\Windows\{EB4E3848-C953-4182-8ACA-7EEC1D9BC089}.exe	{00539837-6903-40e5-A831-3AB54B0F52C4}.exe
File created	C:\Windows\{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe
File created	C:\Windows\{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe	{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe
File created	C:\Windows\{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe	{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe
File created	C:\Windows\{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe	{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe
File created	C:\Windows\{82050368-AAD8-4ab1-B7EA-084739863B20}.exe	{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe
File created	C:\Windows\{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe	{82050368-AAD8-4ab1-B7EA-084739863B20}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1860	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4080	{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe
Token: SeIncBasePriorityPrivilege	420	{0125A081-E977-4093-9926-CB3E85963E7D}.exe
Token: SeIncBasePriorityPrivilege	1840	{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe
Token: SeIncBasePriorityPrivilege	2264	{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe
Token: SeIncBasePriorityPrivilege	3216	{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe
Token: SeIncBasePriorityPrivilege	2808	{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe
Token: SeIncBasePriorityPrivilege	2640	{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe
Token: SeIncBasePriorityPrivilege	1532	{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe
Token: SeIncBasePriorityPrivilege	736	{82050368-AAD8-4ab1-B7EA-084739863B20}.exe
Token: SeIncBasePriorityPrivilege	4244	{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe
Token: SeIncBasePriorityPrivilege	1256	{00539837-6903-40e5-A831-3AB54B0F52C4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 4080	1860	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	98
PID 1860 wrote to memory of 4080	1860	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	98
PID 1860 wrote to memory of 4080	1860	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	98
PID 1860 wrote to memory of 2596	1860	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	99
PID 1860 wrote to memory of 2596	1860	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	99
PID 1860 wrote to memory of 2596	1860	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	99
PID 4080 wrote to memory of 420	4080	{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe	100
PID 4080 wrote to memory of 420	4080	{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe	100
PID 4080 wrote to memory of 420	4080	{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe	100
PID 4080 wrote to memory of 2160	4080	{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe	101
PID 4080 wrote to memory of 2160	4080	{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe	101
PID 4080 wrote to memory of 2160	4080	{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe	101
PID 420 wrote to memory of 1840	420	{0125A081-E977-4093-9926-CB3E85963E7D}.exe	104
PID 420 wrote to memory of 1840	420	{0125A081-E977-4093-9926-CB3E85963E7D}.exe	104
PID 420 wrote to memory of 1840	420	{0125A081-E977-4093-9926-CB3E85963E7D}.exe	104
PID 420 wrote to memory of 2732	420	{0125A081-E977-4093-9926-CB3E85963E7D}.exe	105
PID 420 wrote to memory of 2732	420	{0125A081-E977-4093-9926-CB3E85963E7D}.exe	105
PID 420 wrote to memory of 2732	420	{0125A081-E977-4093-9926-CB3E85963E7D}.exe	105
PID 1840 wrote to memory of 2264	1840	{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe	106
PID 1840 wrote to memory of 2264	1840	{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe	106
PID 1840 wrote to memory of 2264	1840	{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe	106
PID 1840 wrote to memory of 3180	1840	{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe	107
PID 1840 wrote to memory of 3180	1840	{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe	107
PID 1840 wrote to memory of 3180	1840	{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe	107
PID 2264 wrote to memory of 3216	2264	{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe	108
PID 2264 wrote to memory of 3216	2264	{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe	108
PID 2264 wrote to memory of 3216	2264	{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe	108
PID 2264 wrote to memory of 4228	2264	{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe	109
PID 2264 wrote to memory of 4228	2264	{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe	109
PID 2264 wrote to memory of 4228	2264	{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe	109
PID 3216 wrote to memory of 2808	3216	{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe	111
PID 3216 wrote to memory of 2808	3216	{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe	111
PID 3216 wrote to memory of 2808	3216	{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe	111
PID 3216 wrote to memory of 3824	3216	{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe	112
PID 3216 wrote to memory of 3824	3216	{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe	112
PID 3216 wrote to memory of 3824	3216	{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe	112
PID 2808 wrote to memory of 2640	2808	{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe	113
PID 2808 wrote to memory of 2640	2808	{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe	113
PID 2808 wrote to memory of 2640	2808	{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe	113
PID 2808 wrote to memory of 8	2808	{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe	114
PID 2808 wrote to memory of 8	2808	{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe	114
PID 2808 wrote to memory of 8	2808	{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe	114
PID 2640 wrote to memory of 1532	2640	{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe	115
PID 2640 wrote to memory of 1532	2640	{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe	115
PID 2640 wrote to memory of 1532	2640	{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe	115
PID 2640 wrote to memory of 2096	2640	{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe	116
PID 2640 wrote to memory of 2096	2640	{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe	116
PID 2640 wrote to memory of 2096	2640	{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe	116
PID 1532 wrote to memory of 736	1532	{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe	124
PID 1532 wrote to memory of 736	1532	{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe	124
PID 1532 wrote to memory of 736	1532	{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe	124
PID 1532 wrote to memory of 4880	1532	{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe	125
PID 1532 wrote to memory of 4880	1532	{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe	125
PID 1532 wrote to memory of 4880	1532	{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe	125
PID 736 wrote to memory of 4244	736	{82050368-AAD8-4ab1-B7EA-084739863B20}.exe	126
PID 736 wrote to memory of 4244	736	{82050368-AAD8-4ab1-B7EA-084739863B20}.exe	126
PID 736 wrote to memory of 4244	736	{82050368-AAD8-4ab1-B7EA-084739863B20}.exe	126
PID 736 wrote to memory of 2672	736	{82050368-AAD8-4ab1-B7EA-084739863B20}.exe	127
PID 736 wrote to memory of 2672	736	{82050368-AAD8-4ab1-B7EA-084739863B20}.exe	127
PID 736 wrote to memory of 2672	736	{82050368-AAD8-4ab1-B7EA-084739863B20}.exe	127
PID 4244 wrote to memory of 1256	4244	{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe	132
PID 4244 wrote to memory of 1256	4244	{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe	132
PID 4244 wrote to memory of 1256	4244	{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe	132
PID 4244 wrote to memory of 212	4244	{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe	131

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe
  C:\Windows\{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\{0125A081-E977-4093-9926-CB3E85963E7D}.exe
    C:\Windows\{0125A081-E977-4093-9926-CB3E85963E7D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:420
  - - C:\Windows\{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe
      C:\Windows\{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Windows\{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe
        
        C:\Windows\{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
      - C:\Windows\{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe
        
        C:\Windows\{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe
        
        C:\Windows\{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe
        
        C:\Windows\{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe
        
        C:\Windows\{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\{82050368-AAD8-4ab1-B7EA-084739863B20}.exe
        
        C:\Windows\{82050368-AAD8-4ab1-B7EA-084739863B20}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe
        
        C:\Windows\{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A756~1.EXE > nul
        12⤵
        
        PID:212
        
        C:\Windows\{00539837-6903-40e5-A831-3AB54B0F52C4}.exe
        
        C:\Windows\{00539837-6903-40e5-A831-3AB54B0F52C4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\{EB4E3848-C953-4182-8ACA-7EEC1D9BC089}.exe
        
        C:\Windows\{EB4E3848-C953-4182-8ACA-7EEC1D9BC089}.exe
        13⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00539~1.EXE > nul
        13⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82050~1.EXE > nul
        11⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24728~1.EXE > nul
        10⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88ACD~1.EXE > nul
        9⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24FB8~1.EXE > nul
        8⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD77A~1.EXE > nul
        7⤵
        
        PID:3824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0778~1.EXE > nul
        6⤵
        
        PID:4228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF221~1.EXE > nul
        5⤵
        
        PID:3180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0125A~1.EXE > nul
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CA938~1.EXE > nul
    3⤵
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00539837-6903-40e5-A831-3AB54B0F52C4}.exe

Filesize
380KB

MD5
e77b79bd819b65ef47c5f7453d0e6cce

SHA1
68c2b209452a7a2fe09c02523cc25ec70bbaf356

SHA256
d05c370abd2e3f455a32d49018ca4c0306e7369f5e3cb312ee18b240848dc535

SHA512
f4dc60656d49910a3b288414a44654a1b364d19482539ebe29120c967ebff79a268607b3e14b30a4ee14a571b6c51d1c1e8cb2a1dd3a426a56ed8edc7b82a444

Download Submit
C:\Windows\{00539837-6903-40e5-A831-3AB54B0F52C4}.exe

Filesize
380KB

MD5
e77b79bd819b65ef47c5f7453d0e6cce

SHA1
68c2b209452a7a2fe09c02523cc25ec70bbaf356

SHA256
d05c370abd2e3f455a32d49018ca4c0306e7369f5e3cb312ee18b240848dc535

SHA512
f4dc60656d49910a3b288414a44654a1b364d19482539ebe29120c967ebff79a268607b3e14b30a4ee14a571b6c51d1c1e8cb2a1dd3a426a56ed8edc7b82a444

Download Submit
C:\Windows\{0125A081-E977-4093-9926-CB3E85963E7D}.exe

Filesize
380KB

MD5
9e7bcfa15d9720526a0857a7de50bb47

SHA1
113ec87a0c614a38ef0053887e597c80688f4119

SHA256
e8c656d7c1cf48895def812c5ab49e1ac4a8deed599510bce34aebfd06529e69

SHA512
c5e6367cb910e1a1d7572d3800279c492ea5c97d5e8d59a9ed27abb9f6f9b6756952eaae32517dd146d9c0fcbd8441028c03fdae40dcbb63e9e933bae550b58d

Download Submit
C:\Windows\{0125A081-E977-4093-9926-CB3E85963E7D}.exe

Filesize
380KB

MD5
9e7bcfa15d9720526a0857a7de50bb47

SHA1
113ec87a0c614a38ef0053887e597c80688f4119

SHA256
e8c656d7c1cf48895def812c5ab49e1ac4a8deed599510bce34aebfd06529e69

SHA512
c5e6367cb910e1a1d7572d3800279c492ea5c97d5e8d59a9ed27abb9f6f9b6756952eaae32517dd146d9c0fcbd8441028c03fdae40dcbb63e9e933bae550b58d

Download Submit
C:\Windows\{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe

Filesize
380KB

MD5
769c631c3de16452c5f3a0a28d87a0b4

SHA1
2e19983c8860523ce4dc0f87a4d9a230e25b2e68

SHA256
04e41f0611e5a549cf55082ca78aab12289e82c8fe1027b87a29618843e9fff6

SHA512
949de29653c28a05311d08323a9a5d17d743e31f786e27af090f81a8cff9537058c48f31b070d452c2cfa384c9f8723b0ecb20d3968c367f039fc4ad885780ad

Download Submit
C:\Windows\{24728E25-48C2-4ad5-8313-D873F5EE6AA8}.exe

Filesize
380KB

MD5
769c631c3de16452c5f3a0a28d87a0b4

SHA1
2e19983c8860523ce4dc0f87a4d9a230e25b2e68

SHA256
04e41f0611e5a549cf55082ca78aab12289e82c8fe1027b87a29618843e9fff6

SHA512
949de29653c28a05311d08323a9a5d17d743e31f786e27af090f81a8cff9537058c48f31b070d452c2cfa384c9f8723b0ecb20d3968c367f039fc4ad885780ad

Download Submit
C:\Windows\{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe

Filesize
380KB

MD5
a1dbac586006648b79e62d699eb15919

SHA1
9b9804425e6203577abcd1df959d831049557580

SHA256
e94a1e3fb791ad957a9cf250fc07ddd9c02eea350532a0a9f6b2941daa8d1e5b

SHA512
a2d5d5813819dfeeb497ff5bbe628444a6522c02a0972aea8d87cf152a69f19e09db2d5d0c99faffb808303a11be460bbfaa638f725a12168e527ba4951c457c

Download Submit
C:\Windows\{24FB81B2-99F6-4082-9C3A-AEC5B87F279E}.exe

Filesize
380KB

MD5
a1dbac586006648b79e62d699eb15919

SHA1
9b9804425e6203577abcd1df959d831049557580

SHA256
e94a1e3fb791ad957a9cf250fc07ddd9c02eea350532a0a9f6b2941daa8d1e5b

SHA512
a2d5d5813819dfeeb497ff5bbe628444a6522c02a0972aea8d87cf152a69f19e09db2d5d0c99faffb808303a11be460bbfaa638f725a12168e527ba4951c457c

Download Submit
C:\Windows\{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe

Filesize
380KB

MD5
8565afcc8014c93c0e6ef7f8a77e4dc8

SHA1
99d874bd23fd1cf0503a949597f1f99cddf75eec

SHA256
a2cd421cf8a18931e9df22a362bdf5c1735cf3e2deda18ca56c58b6bb7464e22

SHA512
697fad9af06aded4eee4f4330fbd155b454276962600a24d5f4dd56b256eddb5d6ace736c2c70883c48913260bf955f5d3be33313af8851930aa26e9bfe3868a

Download Submit
C:\Windows\{2A756359-E12E-4ab9-B1FA-7F529E6A7C22}.exe

Filesize
380KB

MD5
8565afcc8014c93c0e6ef7f8a77e4dc8

SHA1
99d874bd23fd1cf0503a949597f1f99cddf75eec

SHA256
a2cd421cf8a18931e9df22a362bdf5c1735cf3e2deda18ca56c58b6bb7464e22

SHA512
697fad9af06aded4eee4f4330fbd155b454276962600a24d5f4dd56b256eddb5d6ace736c2c70883c48913260bf955f5d3be33313af8851930aa26e9bfe3868a

Download Submit
C:\Windows\{82050368-AAD8-4ab1-B7EA-084739863B20}.exe

Filesize
380KB

MD5
d246a44e5e227605b66639e70f08ece4

SHA1
4d761138a6a094b55436963df14f5bd820e74da7

SHA256
27c410a441f9a84f96cbf56adda78a91dc94fa6247d906d8d29cd98f4b3cc2c4

SHA512
e22405f94c6e2efefae0cab57c74682feb716f0a331b8147b99bf68561d2f255174d9b457a26d58000e1ceba0557737915be0f4c780ac86c2e3c8e49776e85df

Download Submit
C:\Windows\{82050368-AAD8-4ab1-B7EA-084739863B20}.exe

Filesize
380KB

MD5
d246a44e5e227605b66639e70f08ece4

SHA1
4d761138a6a094b55436963df14f5bd820e74da7

SHA256
27c410a441f9a84f96cbf56adda78a91dc94fa6247d906d8d29cd98f4b3cc2c4

SHA512
e22405f94c6e2efefae0cab57c74682feb716f0a331b8147b99bf68561d2f255174d9b457a26d58000e1ceba0557737915be0f4c780ac86c2e3c8e49776e85df

Download Submit
C:\Windows\{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe

Filesize
380KB

MD5
71e18842b56d8adab0f1618132630cce

SHA1
1a2c943f8c65dd209e4e01d5277b4177fd83acc6

SHA256
a6930a8bb9cc49ae65ce7c58bf88e1876a1dfbaf95091b3df5bbeb95d0b7b98c

SHA512
3cec00c830ea8db72098e34f79d35451cccd850614d9511549fb2a8b06c4d01693dfc1faa6d011025764ea9f9ab0c40b7337e20baa946062ec15b3f006b515c3

Download Submit
C:\Windows\{88ACD72B-487A-4b54-9351-0A21AEE45B45}.exe

Filesize
380KB

MD5
71e18842b56d8adab0f1618132630cce

SHA1
1a2c943f8c65dd209e4e01d5277b4177fd83acc6

SHA256
a6930a8bb9cc49ae65ce7c58bf88e1876a1dfbaf95091b3df5bbeb95d0b7b98c

SHA512
3cec00c830ea8db72098e34f79d35451cccd850614d9511549fb2a8b06c4d01693dfc1faa6d011025764ea9f9ab0c40b7337e20baa946062ec15b3f006b515c3

Download Submit
C:\Windows\{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe

Filesize
380KB

MD5
6784baaec32ee4744a1b2f1be14e3618

SHA1
8a19fec272a624c66f66fdf201643ed9811c20b1

SHA256
a806e70b8ed706bc93c037dcfcf3be3885da37f43d8f763f1a96fd2f38438223

SHA512
bad5b82ab692401881831352b66ae06b24d9fdb0b36e9813a0eec599a45d6c200daa374c857f3a10aef54760331b81d71cb141ca31e6b02371e058c10bc0b84f

Download Submit
C:\Windows\{AD77A728-6D1D-4145-BE11-1ACF368230C2}.exe

Filesize
380KB

MD5
6784baaec32ee4744a1b2f1be14e3618

SHA1
8a19fec272a624c66f66fdf201643ed9811c20b1

SHA256
a806e70b8ed706bc93c037dcfcf3be3885da37f43d8f763f1a96fd2f38438223

SHA512
bad5b82ab692401881831352b66ae06b24d9fdb0b36e9813a0eec599a45d6c200daa374c857f3a10aef54760331b81d71cb141ca31e6b02371e058c10bc0b84f

Download Submit
C:\Windows\{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe

Filesize
380KB

MD5
34a17e5333034fb1aa3057675f61e9ca

SHA1
5701436b8b4b6861dae9558c8d3a0069d3c4a222

SHA256
089d81d65bb2da41c9ac5390c3f0b8d9f45c5c28b30c20bf3d6f026d7cd6550f

SHA512
73333f029d954f3c2541c74ea3d8a516ad18772b2295200e27713b80389c04a41d651db34a4728cd849c2b16e9afdcca9fc0404dfa6b281940af5af237030eb3

Download Submit
C:\Windows\{B07783DE-188B-4400-AAFB-9C14352FD96F}.exe

Filesize
380KB

MD5
34a17e5333034fb1aa3057675f61e9ca

SHA1
5701436b8b4b6861dae9558c8d3a0069d3c4a222

SHA256
089d81d65bb2da41c9ac5390c3f0b8d9f45c5c28b30c20bf3d6f026d7cd6550f

SHA512
73333f029d954f3c2541c74ea3d8a516ad18772b2295200e27713b80389c04a41d651db34a4728cd849c2b16e9afdcca9fc0404dfa6b281940af5af237030eb3

Download Submit
C:\Windows\{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe

Filesize
380KB

MD5
fb0aff878714bf800285ba7c4f8e78ff

SHA1
5c8ec5db5e3b5b6f4458d032aa0a4c700e1d516e

SHA256
f5b308f88ac6bec167bd5db6acf406016acbe47a796a91c8c4ac7ac82947e976

SHA512
e675733a758e59982c3553df29ed2736b1ac2391bacd3be9c1ed5c76d3e05a5a46bfdaf8fa3c4e948624b0eb20dbf0f2dbdaaf94a7f02610d507cf7870a86b9f

Download Submit
C:\Windows\{CA938777-7E5E-4dda-8469-EDA053989F7E}.exe

Filesize
380KB

MD5
fb0aff878714bf800285ba7c4f8e78ff

SHA1
5c8ec5db5e3b5b6f4458d032aa0a4c700e1d516e

SHA256
f5b308f88ac6bec167bd5db6acf406016acbe47a796a91c8c4ac7ac82947e976

SHA512
e675733a758e59982c3553df29ed2736b1ac2391bacd3be9c1ed5c76d3e05a5a46bfdaf8fa3c4e948624b0eb20dbf0f2dbdaaf94a7f02610d507cf7870a86b9f

Download Submit
C:\Windows\{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe

Filesize
380KB

MD5
9fcd71fbf1a7f7861628c3f59806227c

SHA1
ac7cf1f44f928b66541cf3f0b49310ae7801921c

SHA256
aa05b3d3034817f5238147307cb94b5275f0ef2c0fe0b17c4bf06fe4039315fb

SHA512
e75c190756ea0ac4ae2df84526b5835949791b6ce17c39d57f6d37d4acad14fd3e7a276f95b98fa0aa27cbabc584fd5d1fbb265113b6574008d9df25452a2375

Download Submit
C:\Windows\{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe

Filesize
380KB

MD5
9fcd71fbf1a7f7861628c3f59806227c

SHA1
ac7cf1f44f928b66541cf3f0b49310ae7801921c

SHA256
aa05b3d3034817f5238147307cb94b5275f0ef2c0fe0b17c4bf06fe4039315fb

SHA512
e75c190756ea0ac4ae2df84526b5835949791b6ce17c39d57f6d37d4acad14fd3e7a276f95b98fa0aa27cbabc584fd5d1fbb265113b6574008d9df25452a2375

Download Submit
C:\Windows\{CF221431-5221-4a69-A0B9-C8ADFB99CA08}.exe

Filesize
380KB

MD5
9fcd71fbf1a7f7861628c3f59806227c

SHA1
ac7cf1f44f928b66541cf3f0b49310ae7801921c

SHA256
aa05b3d3034817f5238147307cb94b5275f0ef2c0fe0b17c4bf06fe4039315fb

SHA512
e75c190756ea0ac4ae2df84526b5835949791b6ce17c39d57f6d37d4acad14fd3e7a276f95b98fa0aa27cbabc584fd5d1fbb265113b6574008d9df25452a2375

Download Submit
C:\Windows\{EB4E3848-C953-4182-8ACA-7EEC1D9BC089}.exe

Filesize
380KB

MD5
4b4d9bd84ee59a0f319e6726e7bb91ea

SHA1
a5cf07e7fbefc094ba0bd000eee714f93b105744

SHA256
2af78f37947d52e964651162b3f57985e08ffecd11a1b14dfa5c29e9d9ecebae

SHA512
e9403a4f280ac55c7ca8199e518c3e96157b7567c953ce401f92b24cbc51affa475f7f4654bb1cbd96764c3d6af44ae6ac6d02c3d3088bc9fb374c7bd45d6199

Download Submit
C:\Windows\{EB4E3848-C953-4182-8ACA-7EEC1D9BC089}.exe

Filesize
380KB

MD5
4b4d9bd84ee59a0f319e6726e7bb91ea

SHA1
a5cf07e7fbefc094ba0bd000eee714f93b105744

SHA256
2af78f37947d52e964651162b3f57985e08ffecd11a1b14dfa5c29e9d9ecebae

SHA512
e9403a4f280ac55c7ca8199e518c3e96157b7567c953ce401f92b24cbc51affa475f7f4654bb1cbd96764c3d6af44ae6ac6d02c3d3088bc9fb374c7bd45d6199

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads