ebd80508ef73e48298b2c797407c1daf1fc964321a71a6319c9e9a7faae980be

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 15:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe
Size

380KB
MD5

725eb2ae7e39241349cc3a3828801505
SHA1

f062100e623e9011edf497cd42dcc290988ff080
SHA256

ebd80508ef73e48298b2c797407c1daf1fc964321a71a6319c9e9a7faae980be
SHA512

292cc3f675633ccadcfe3a1b759ef85dafa4b39d97be3b2299636d31232bfc873229f40379257680df4cdbb258883238e08c57de3863141f7eb947de864c85a4
SSDEEP

3072:mEGh0ohlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGfl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C7FFB01-96E4-4dbc-9200-82204AD9D255}	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C7FFB01-96E4-4dbc-9200-82204AD9D255}\stubpath = "C:\\Windows\\{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe"	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41004682-86E7-4fce-8564-DF9EC0FB4513}\stubpath = "C:\\Windows\\{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe"	{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8433B66A-133C-4ce2-9661-62521C905545}	{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2704DF9-7EE1-4f4b-B72B-073F07984740}	{8433B66A-133C-4ce2-9661-62521C905545}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85188A32-576B-4a66-98DB-B4E0B7F532BF}	{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D8F5CE9-2838-4ea8-B70D-B21DABDE4C31}	{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}	{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}\stubpath = "C:\\Windows\\{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe"	{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4521DC3D-75EF-426a-B1FC-FD120D7614FA}	{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8433B66A-133C-4ce2-9661-62521C905545}\stubpath = "C:\\Windows\\{8433B66A-133C-4ce2-9661-62521C905545}.exe"	{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2704DF9-7EE1-4f4b-B72B-073F07984740}\stubpath = "C:\\Windows\\{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe"	{8433B66A-133C-4ce2-9661-62521C905545}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A1F295A-0572-4450-9DCF-7ED17BE02893}\stubpath = "C:\\Windows\\{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe"	{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85188A32-576B-4a66-98DB-B4E0B7F532BF}\stubpath = "C:\\Windows\\{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe"	{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D8F5CE9-2838-4ea8-B70D-B21DABDE4C31}\stubpath = "C:\\Windows\\{7D8F5CE9-2838-4ea8-B70D-B21DABDE4C31}.exe"	{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4521DC3D-75EF-426a-B1FC-FD120D7614FA}\stubpath = "C:\\Windows\\{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe"	{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4CB200B-BB5D-4c59-B398-339E9425E57E}	{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41004682-86E7-4fce-8564-DF9EC0FB4513}	{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}	{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A1F295A-0572-4450-9DCF-7ED17BE02893}	{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4CB200B-BB5D-4c59-B398-339E9425E57E}\stubpath = "C:\\Windows\\{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe"	{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}\stubpath = "C:\\Windows\\{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe"	{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe

Executes dropped EXE 11 IoCs

pid	Process
2200	{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe
3724	{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe
4736	{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe
396	{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe
3432	{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe
5084	{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe
4140	{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe
1464	{8433B66A-133C-4ce2-9661-62521C905545}.exe
4684	{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe
4092	{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe
4892	{7D8F5CE9-2838-4ea8-B70D-B21DABDE4C31}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe	{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe
File created	C:\Windows\{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe	{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe
File created	C:\Windows\{8433B66A-133C-4ce2-9661-62521C905545}.exe	{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe
File created	C:\Windows\{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe	{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe
File created	C:\Windows\{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe	{8433B66A-133C-4ce2-9661-62521C905545}.exe
File created	C:\Windows\{7D8F5CE9-2838-4ea8-B70D-B21DABDE4C31}.exe	{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe
File created	C:\Windows\{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe
File created	C:\Windows\{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe	{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe
File created	C:\Windows\{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe	{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe
File created	C:\Windows\{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe	{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe
File created	C:\Windows\{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe	{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4648	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2200	{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe
Token: SeIncBasePriorityPrivilege	3724	{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe
Token: SeIncBasePriorityPrivilege	4736	{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe
Token: SeIncBasePriorityPrivilege	396	{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe
Token: SeIncBasePriorityPrivilege	3432	{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe
Token: SeIncBasePriorityPrivilege	5084	{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe
Token: SeIncBasePriorityPrivilege	4140	{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe
Token: SeIncBasePriorityPrivilege	1464	{8433B66A-133C-4ce2-9661-62521C905545}.exe
Token: SeIncBasePriorityPrivilege	4684	{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe
Token: SeIncBasePriorityPrivilege	4092	{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 2200	4648	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	99
PID 4648 wrote to memory of 2200	4648	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	99
PID 4648 wrote to memory of 2200	4648	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	99
PID 4648 wrote to memory of 1452	4648	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	100
PID 4648 wrote to memory of 1452	4648	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	100
PID 4648 wrote to memory of 1452	4648	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	100
PID 2200 wrote to memory of 3724	2200	{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe	102
PID 2200 wrote to memory of 3724	2200	{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe	102
PID 2200 wrote to memory of 3724	2200	{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe	102
PID 2200 wrote to memory of 2596	2200	{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe	103
PID 2200 wrote to memory of 2596	2200	{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe	103
PID 2200 wrote to memory of 2596	2200	{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe	103
PID 3724 wrote to memory of 4736	3724	{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe	107
PID 3724 wrote to memory of 4736	3724	{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe	107
PID 3724 wrote to memory of 4736	3724	{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe	107
PID 3724 wrote to memory of 3064	3724	{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe	106
PID 3724 wrote to memory of 3064	3724	{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe	106
PID 3724 wrote to memory of 3064	3724	{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe	106
PID 4736 wrote to memory of 396	4736	{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe	114
PID 4736 wrote to memory of 396	4736	{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe	114
PID 4736 wrote to memory of 396	4736	{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe	114
PID 4736 wrote to memory of 4896	4736	{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe	115
PID 4736 wrote to memory of 4896	4736	{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe	115
PID 4736 wrote to memory of 4896	4736	{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe	115
PID 396 wrote to memory of 3432	396	{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe	116
PID 396 wrote to memory of 3432	396	{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe	116
PID 396 wrote to memory of 3432	396	{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe	116
PID 396 wrote to memory of 772	396	{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe	117
PID 396 wrote to memory of 772	396	{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe	117
PID 396 wrote to memory of 772	396	{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe	117
PID 3432 wrote to memory of 5084	3432	{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe	118
PID 3432 wrote to memory of 5084	3432	{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe	118
PID 3432 wrote to memory of 5084	3432	{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe	118
PID 3432 wrote to memory of 1544	3432	{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe	119
PID 3432 wrote to memory of 1544	3432	{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe	119
PID 3432 wrote to memory of 1544	3432	{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe	119
PID 5084 wrote to memory of 4140	5084	{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe	121
PID 5084 wrote to memory of 4140	5084	{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe	121
PID 5084 wrote to memory of 4140	5084	{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe	121
PID 5084 wrote to memory of 3940	5084	{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe	122
PID 5084 wrote to memory of 3940	5084	{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe	122
PID 5084 wrote to memory of 3940	5084	{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe	122
PID 4140 wrote to memory of 1464	4140	{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe	123
PID 4140 wrote to memory of 1464	4140	{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe	123
PID 4140 wrote to memory of 1464	4140	{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe	123
PID 4140 wrote to memory of 1396	4140	{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe	124
PID 4140 wrote to memory of 1396	4140	{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe	124
PID 4140 wrote to memory of 1396	4140	{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe	124
PID 1464 wrote to memory of 4684	1464	{8433B66A-133C-4ce2-9661-62521C905545}.exe	125
PID 1464 wrote to memory of 4684	1464	{8433B66A-133C-4ce2-9661-62521C905545}.exe	125
PID 1464 wrote to memory of 4684	1464	{8433B66A-133C-4ce2-9661-62521C905545}.exe	125
PID 1464 wrote to memory of 2196	1464	{8433B66A-133C-4ce2-9661-62521C905545}.exe	126
PID 1464 wrote to memory of 2196	1464	{8433B66A-133C-4ce2-9661-62521C905545}.exe	126
PID 1464 wrote to memory of 2196	1464	{8433B66A-133C-4ce2-9661-62521C905545}.exe	126
PID 4684 wrote to memory of 4092	4684	{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe	127
PID 4684 wrote to memory of 4092	4684	{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe	127
PID 4684 wrote to memory of 4092	4684	{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe	127
PID 4684 wrote to memory of 536	4684	{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe	128
PID 4684 wrote to memory of 536	4684	{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe	128
PID 4684 wrote to memory of 536	4684	{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe	128
PID 4092 wrote to memory of 4892	4092	{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe	129
PID 4092 wrote to memory of 4892	4092	{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe	129
PID 4092 wrote to memory of 4892	4092	{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe	129
PID 4092 wrote to memory of 4872	4092	{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe	130

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe
  C:\Windows\{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe
    C:\Windows\{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3A27~1.EXE > nul
      4⤵
      PID:3064
  - - C:\Windows\{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe
      C:\Windows\{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Windows\{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe
        
        C:\Windows\{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:396
      - C:\Windows\{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe
        
        C:\Windows\{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe
        
        C:\Windows\{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe
        
        C:\Windows\{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\{8433B66A-133C-4ce2-9661-62521C905545}.exe
        
        C:\Windows\{8433B66A-133C-4ce2-9661-62521C905545}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe
        
        C:\Windows\{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe
        
        C:\Windows\{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\{7D8F5CE9-2838-4ea8-B70D-B21DABDE4C31}.exe
        
        C:\Windows\{7D8F5CE9-2838-4ea8-B70D-B21DABDE4C31}.exe
        12⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85188~1.EXE > nul
        12⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2704~1.EXE > nul
        11⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8433B~1.EXE > nul
        10⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A1F2~1.EXE > nul
        9⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B2C2~1.EXE > nul
        8⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41004~1.EXE > nul
        7⤵
        
        PID:1544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4CB2~1.EXE > nul
        6⤵
        
        PID:772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4521D~1.EXE > nul
        5⤵
        
        PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8C7FF~1.EXE > nul
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe

Filesize
380KB

MD5
163115c4eaa655b3cfeeab42ed2ab6e1

SHA1
092ff6c9889c3f209b0ac7eda8b4b04f5789deb9

SHA256
263152ece65b810365283d3711ce89a2ba278b24c3e1c25241223ef594e1e4f0

SHA512
d8795c60f981c44a303a7a890f7f1b31c49ad7cc338816e48677c6b862cd4d099b631481b2e95ca498b0aeb1958778034103ef3dc3653bf804f8378900fb6514

Download Submit
C:\Windows\{0A1F295A-0572-4450-9DCF-7ED17BE02893}.exe

Filesize
380KB

MD5
163115c4eaa655b3cfeeab42ed2ab6e1

SHA1
092ff6c9889c3f209b0ac7eda8b4b04f5789deb9

SHA256
263152ece65b810365283d3711ce89a2ba278b24c3e1c25241223ef594e1e4f0

SHA512
d8795c60f981c44a303a7a890f7f1b31c49ad7cc338816e48677c6b862cd4d099b631481b2e95ca498b0aeb1958778034103ef3dc3653bf804f8378900fb6514

Download Submit
C:\Windows\{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe

Filesize
380KB

MD5
959d5b3ac8f9006a7377492144bfd00e

SHA1
b7c63e40907872cb681afdbacd34363ceece7b95

SHA256
c796caa7ee4a965915e2c257f39b53b0814b8fdc6bc653ea5276b2c4f061aff4

SHA512
1a070dea275e78f05fad59e4ad5395fdc2077fac8ded9c7ecfea97218f7751845d1cf3004790161c24aecc5778045d2861c92d80f97956fc68350473ab94a35e

Download Submit
C:\Windows\{41004682-86E7-4fce-8564-DF9EC0FB4513}.exe

Filesize
380KB

MD5
959d5b3ac8f9006a7377492144bfd00e

SHA1
b7c63e40907872cb681afdbacd34363ceece7b95

SHA256
c796caa7ee4a965915e2c257f39b53b0814b8fdc6bc653ea5276b2c4f061aff4

SHA512
1a070dea275e78f05fad59e4ad5395fdc2077fac8ded9c7ecfea97218f7751845d1cf3004790161c24aecc5778045d2861c92d80f97956fc68350473ab94a35e

Download Submit
C:\Windows\{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe

Filesize
380KB

MD5
73f66d9c4982c5c597c1e8e6e44b19d2

SHA1
e42c4210467dfa43242f47ff78c21d053d5c53c5

SHA256
56cdd85e1ebd202efa2ea4f624b62f61f2e95781955af56aea4fe18842e92c66

SHA512
49d57250c3ec485a08a80b582e75ede986908bb2932177fea0b438509124d818b337c41a9ca8202c0cc08e771eb1a8ea0844c72723e35eb16816e6f1edee3b43

Download Submit
C:\Windows\{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe

Filesize
380KB

MD5
73f66d9c4982c5c597c1e8e6e44b19d2

SHA1
e42c4210467dfa43242f47ff78c21d053d5c53c5

SHA256
56cdd85e1ebd202efa2ea4f624b62f61f2e95781955af56aea4fe18842e92c66

SHA512
49d57250c3ec485a08a80b582e75ede986908bb2932177fea0b438509124d818b337c41a9ca8202c0cc08e771eb1a8ea0844c72723e35eb16816e6f1edee3b43

Download Submit
C:\Windows\{4521DC3D-75EF-426a-B1FC-FD120D7614FA}.exe

Filesize
380KB

MD5
73f66d9c4982c5c597c1e8e6e44b19d2

SHA1
e42c4210467dfa43242f47ff78c21d053d5c53c5

SHA256
56cdd85e1ebd202efa2ea4f624b62f61f2e95781955af56aea4fe18842e92c66

SHA512
49d57250c3ec485a08a80b582e75ede986908bb2932177fea0b438509124d818b337c41a9ca8202c0cc08e771eb1a8ea0844c72723e35eb16816e6f1edee3b43

Download Submit
C:\Windows\{7D8F5CE9-2838-4ea8-B70D-B21DABDE4C31}.exe

Filesize
380KB

MD5
d349a2c43e0c630294d0d49b804fab92

SHA1
6f775f4fd30bc636e965b62a6673cce1ae217922

SHA256
f4b875a1d6be6d40cbe69db62af42dbc43ee1b2ab0256affc3aa570e21ee5f83

SHA512
3b5c4d7e1bf1791a6b81c89baea02e7213cd8c918f1f5ecb3429cf24952b3af5e87200ff143c2f7ec4bda6015079decda8a567ca314db4ad09119b8dd3431e79

Download Submit
C:\Windows\{7D8F5CE9-2838-4ea8-B70D-B21DABDE4C31}.exe

Filesize
380KB

MD5
d349a2c43e0c630294d0d49b804fab92

SHA1
6f775f4fd30bc636e965b62a6673cce1ae217922

SHA256
f4b875a1d6be6d40cbe69db62af42dbc43ee1b2ab0256affc3aa570e21ee5f83

SHA512
3b5c4d7e1bf1791a6b81c89baea02e7213cd8c918f1f5ecb3429cf24952b3af5e87200ff143c2f7ec4bda6015079decda8a567ca314db4ad09119b8dd3431e79

Download Submit
C:\Windows\{8433B66A-133C-4ce2-9661-62521C905545}.exe

Filesize
380KB

MD5
4cd697172fdcd93fa97dc00a56b3bd0a

SHA1
c1eb7c9415ecc2296a5dbd986f85397005c84046

SHA256
1fe11cb71c972fd9cc97420687dab507dc7bef7832b1ea9ea43f5152ca44da07

SHA512
c57b8cbb1127458d0730804fc09a8a8da694537db7644e5a94c4eee53b47b0b483602ce3de11ab35220f4b064657843fd232f5db947c264bad61e4642f70615a

Download Submit
C:\Windows\{8433B66A-133C-4ce2-9661-62521C905545}.exe

Filesize
380KB

MD5
4cd697172fdcd93fa97dc00a56b3bd0a

SHA1
c1eb7c9415ecc2296a5dbd986f85397005c84046

SHA256
1fe11cb71c972fd9cc97420687dab507dc7bef7832b1ea9ea43f5152ca44da07

SHA512
c57b8cbb1127458d0730804fc09a8a8da694537db7644e5a94c4eee53b47b0b483602ce3de11ab35220f4b064657843fd232f5db947c264bad61e4642f70615a

Download Submit
C:\Windows\{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe

Filesize
380KB

MD5
a60b0c9366a317dab58ba3a68ec525b6

SHA1
5b4f6c2a97feef831b877378b2a0d8b7a963128d

SHA256
f98133ead2740f6b7d98ef82e76461431a5a5c1c5f7ee1e892da796b054bcdea

SHA512
3fd76f78cf7a8fef6f1ef39bc560364ff916ff5ab7a342ddaf531481731d9fb593a76ded40d6083ba32dfba65bf27d220ddd2c9a175b57556232bb891d6a3786

Download Submit
C:\Windows\{85188A32-576B-4a66-98DB-B4E0B7F532BF}.exe

Filesize
380KB

MD5
a60b0c9366a317dab58ba3a68ec525b6

SHA1
5b4f6c2a97feef831b877378b2a0d8b7a963128d

SHA256
f98133ead2740f6b7d98ef82e76461431a5a5c1c5f7ee1e892da796b054bcdea

SHA512
3fd76f78cf7a8fef6f1ef39bc560364ff916ff5ab7a342ddaf531481731d9fb593a76ded40d6083ba32dfba65bf27d220ddd2c9a175b57556232bb891d6a3786

Download Submit
C:\Windows\{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe

Filesize
380KB

MD5
22caf14894b550cae53b8664146fa5f8

SHA1
2099c7d3b90cd92e87a29ffe070d8c12b8e39aa3

SHA256
5230b4cd0ea59f3a2c7542b23af1cdd12ed1cf8fac1dd15d93870366aca8251e

SHA512
724bda22b40fbc3ded0d9a72c1b8f10672beaab34187cda61cea7d2386c06c222f414b9d2e832afe07b4d32cf6686d52a9350cb2ee9e877774e68644fa51e7c5

Download Submit
C:\Windows\{8B2C28AD-CA57-4fdd-A6D5-66A07B70C63C}.exe

Filesize
380KB

MD5
22caf14894b550cae53b8664146fa5f8

SHA1
2099c7d3b90cd92e87a29ffe070d8c12b8e39aa3

SHA256
5230b4cd0ea59f3a2c7542b23af1cdd12ed1cf8fac1dd15d93870366aca8251e

SHA512
724bda22b40fbc3ded0d9a72c1b8f10672beaab34187cda61cea7d2386c06c222f414b9d2e832afe07b4d32cf6686d52a9350cb2ee9e877774e68644fa51e7c5

Download Submit
C:\Windows\{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe

Filesize
380KB

MD5
25837328b58011ea8746ab907fcab7c2

SHA1
eeaca097b7c786d35d36b91f3a723077648910b5

SHA256
aacd1f0a579e9af51928471630d75f55aee7c457201b5f45fd460760b5f6deff

SHA512
17be8eb9993e0b2236f367677e8a1aec96857d75e5cdaf144a5e97e53288cabb47fb959ef9f1b5ce74fa7a9332b5fae33dbae9d815bc2fc878665ff41b9e44a4

Download Submit
C:\Windows\{8C7FFB01-96E4-4dbc-9200-82204AD9D255}.exe

Filesize
380KB

MD5
25837328b58011ea8746ab907fcab7c2

SHA1
eeaca097b7c786d35d36b91f3a723077648910b5

SHA256
aacd1f0a579e9af51928471630d75f55aee7c457201b5f45fd460760b5f6deff

SHA512
17be8eb9993e0b2236f367677e8a1aec96857d75e5cdaf144a5e97e53288cabb47fb959ef9f1b5ce74fa7a9332b5fae33dbae9d815bc2fc878665ff41b9e44a4

Download Submit
C:\Windows\{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe

Filesize
380KB

MD5
4eff75b12bc531f423eb3da33607a96d

SHA1
0e7232d0ea7e857e38e21a3dd622b7fd3e34062e

SHA256
5571dc82f3f1f1991062dfb55613fcbeced648bb7851689f32ff7e42a75d92fa

SHA512
f65af650dbb050fafa69804f1dacc16d0953f27ba8939f0384188cae3b9ab468800a711b79c2eb037a99e5f2b5d2a2b0ae4bc72bb00b0de89a59d8d9779a3ff1

Download Submit
C:\Windows\{B3A27B22-9066-4e2f-99B6-14976EA7DAD4}.exe

Filesize
380KB

MD5
4eff75b12bc531f423eb3da33607a96d

SHA1
0e7232d0ea7e857e38e21a3dd622b7fd3e34062e

SHA256
5571dc82f3f1f1991062dfb55613fcbeced648bb7851689f32ff7e42a75d92fa

SHA512
f65af650dbb050fafa69804f1dacc16d0953f27ba8939f0384188cae3b9ab468800a711b79c2eb037a99e5f2b5d2a2b0ae4bc72bb00b0de89a59d8d9779a3ff1

Download Submit
C:\Windows\{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe

Filesize
380KB

MD5
6f4e874c5ef49cea5beac714505ef34f

SHA1
221ecea752a31ee4f0f79733f5eec6a0c87da003

SHA256
459a474bd32fb2a961a76eebec2e2d54d33758400d833646bc68bb8670432f2b

SHA512
c115f55d2b32b8a2da105f1cc4489e3d6238f03a6b3375d2656d66136cf8c11adab8a4765b1c636261e22d7b631b4e58bd47e584a3124ddd967fea1304dc4703

Download Submit
C:\Windows\{D2704DF9-7EE1-4f4b-B72B-073F07984740}.exe

Filesize
380KB

MD5
6f4e874c5ef49cea5beac714505ef34f

SHA1
221ecea752a31ee4f0f79733f5eec6a0c87da003

SHA256
459a474bd32fb2a961a76eebec2e2d54d33758400d833646bc68bb8670432f2b

SHA512
c115f55d2b32b8a2da105f1cc4489e3d6238f03a6b3375d2656d66136cf8c11adab8a4765b1c636261e22d7b631b4e58bd47e584a3124ddd967fea1304dc4703

Download Submit
C:\Windows\{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe

Filesize
380KB

MD5
338fe9bb065acd9bf39fcc4b31a2b8ac

SHA1
630bd2f0c86365e36f0235aaa1e70eb9dc2084d1

SHA256
505cfe135a892d49feda0cf66fd72c009fb8139b6f8e64895479cb021b48074f

SHA512
16d973cb900406f2e2882b462bf566088760d6800c10a14c244b6f894bdd90be4abee69ee6bb7a0adb19ae51ef3f476019a40e094b8a9d36b212bc689647df86

Download Submit
C:\Windows\{D4CB200B-BB5D-4c59-B398-339E9425E57E}.exe

Filesize
380KB

MD5
338fe9bb065acd9bf39fcc4b31a2b8ac

SHA1
630bd2f0c86365e36f0235aaa1e70eb9dc2084d1

SHA256
505cfe135a892d49feda0cf66fd72c009fb8139b6f8e64895479cb021b48074f

SHA512
16d973cb900406f2e2882b462bf566088760d6800c10a14c244b6f894bdd90be4abee69ee6bb7a0adb19ae51ef3f476019a40e094b8a9d36b212bc689647df86

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads