35e956347367c16452e62a78cd4727adcec5a3a2f9b55c7d50fb6e1c95677f49

Analysis

max time kernel
163s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe
Size

168KB
MD5

e4135739ecf0793970ab3b43497f591c
SHA1

809c0ca61247735186b6cf488a15d600453f6803
SHA256

35e956347367c16452e62a78cd4727adcec5a3a2f9b55c7d50fb6e1c95677f49
SHA512

b03cc13c1fe8f6bc2d132990b38ee03494a1c59bbfbfcdb17fefe43fb8ccb4b4eb8944d0d03b09e3ae0b66c3ca2f2a2c7f383c046ada46a59092c0ded7ed64d5
SSDEEP

1536:1EGh0oKli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKliOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6CFF7C1-3970-44b5-B227-9B1174713750}\stubpath = "C:\\Windows\\{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe"	{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F9291C3-61B5-4a31-B98B-161FF07EF97D}	{59A875A7-68F3-490f-A18A-D12E59247B16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F9291C3-61B5-4a31-B98B-161FF07EF97D}\stubpath = "C:\\Windows\\{8F9291C3-61B5-4a31-B98B-161FF07EF97D}.exe"	{59A875A7-68F3-490f-A18A-D12E59247B16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86E619EE-BE91-4d21-908F-16DDF61393C3}\stubpath = "C:\\Windows\\{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe"	{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C494CD13-3AC2-4bb7-8571-8728954899B0}	{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C494CD13-3AC2-4bb7-8571-8728954899B0}\stubpath = "C:\\Windows\\{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe"	{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}\stubpath = "C:\\Windows\\{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe"	{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}	{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}\stubpath = "C:\\Windows\\{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe"	{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE0BE455-2251-4d08-B1A2-11921B19019D}	{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86E619EE-BE91-4d21-908F-16DDF61393C3}	{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5A19B1A-35ED-46a1-A568-92A417E246A6}	{7560E693-8908-4a04-A123-35A400F0432A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6CFF7C1-3970-44b5-B227-9B1174713750}	{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE0BE455-2251-4d08-B1A2-11921B19019D}\stubpath = "C:\\Windows\\{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe"	{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{879383CA-2025-4bfa-90EA-74D5A1FB3420}\stubpath = "C:\\Windows\\{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe"	{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}	{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7560E693-8908-4a04-A123-35A400F0432A}\stubpath = "C:\\Windows\\{7560E693-8908-4a04-A123-35A400F0432A}.exe"	{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5A19B1A-35ED-46a1-A568-92A417E246A6}\stubpath = "C:\\Windows\\{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe"	{7560E693-8908-4a04-A123-35A400F0432A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59A875A7-68F3-490f-A18A-D12E59247B16}\stubpath = "C:\\Windows\\{59A875A7-68F3-490f-A18A-D12E59247B16}.exe"	{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}\stubpath = "C:\\Windows\\{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe"	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{879383CA-2025-4bfa-90EA-74D5A1FB3420}	{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7560E693-8908-4a04-A123-35A400F0432A}	{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59A875A7-68F3-490f-A18A-D12E59247B16}	{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe

Executes dropped EXE 12 IoCs

pid	Process
3768	{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe
1864	{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe
2880	{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe
4444	{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe
3824	{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe
1060	{7560E693-8908-4a04-A123-35A400F0432A}.exe
2336	{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe
5016	{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe
2412	{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe
4988	{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe
3376	{59A875A7-68F3-490f-A18A-D12E59247B16}.exe
3340	{8F9291C3-61B5-4a31-B98B-161FF07EF97D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe
File created	C:\Windows\{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe	{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe
File created	C:\Windows\{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe	{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe
File created	C:\Windows\{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe	{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe
File created	C:\Windows\{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe	{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe
File created	C:\Windows\{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe	{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe
File created	C:\Windows\{7560E693-8908-4a04-A123-35A400F0432A}.exe	{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe
File created	C:\Windows\{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe	{7560E693-8908-4a04-A123-35A400F0432A}.exe
File created	C:\Windows\{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe	{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe
File created	C:\Windows\{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe	{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe
File created	C:\Windows\{59A875A7-68F3-490f-A18A-D12E59247B16}.exe	{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe
File created	C:\Windows\{8F9291C3-61B5-4a31-B98B-161FF07EF97D}.exe	{59A875A7-68F3-490f-A18A-D12E59247B16}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	8	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3768	{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe
Token: SeIncBasePriorityPrivilege	1864	{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe
Token: SeIncBasePriorityPrivilege	2880	{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe
Token: SeIncBasePriorityPrivilege	4444	{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe
Token: SeIncBasePriorityPrivilege	3824	{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe
Token: SeIncBasePriorityPrivilege	1060	{7560E693-8908-4a04-A123-35A400F0432A}.exe
Token: SeIncBasePriorityPrivilege	2336	{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe
Token: SeIncBasePriorityPrivilege	5016	{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe
Token: SeIncBasePriorityPrivilege	2412	{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe
Token: SeIncBasePriorityPrivilege	4988	{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe
Token: SeIncBasePriorityPrivilege	3376	{59A875A7-68F3-490f-A18A-D12E59247B16}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 3768	8	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	95
PID 8 wrote to memory of 3768	8	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	95
PID 8 wrote to memory of 3768	8	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	95
PID 8 wrote to memory of 4872	8	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	96
PID 8 wrote to memory of 4872	8	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	96
PID 8 wrote to memory of 4872	8	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	96
PID 3768 wrote to memory of 1864	3768	{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe	98
PID 3768 wrote to memory of 1864	3768	{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe	98
PID 3768 wrote to memory of 1864	3768	{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe	98
PID 3768 wrote to memory of 1364	3768	{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe	99
PID 3768 wrote to memory of 1364	3768	{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe	99
PID 3768 wrote to memory of 1364	3768	{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe	99
PID 1864 wrote to memory of 2880	1864	{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe	101
PID 1864 wrote to memory of 2880	1864	{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe	101
PID 1864 wrote to memory of 2880	1864	{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe	101
PID 1864 wrote to memory of 1348	1864	{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe	102
PID 1864 wrote to memory of 1348	1864	{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe	102
PID 1864 wrote to memory of 1348	1864	{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe	102
PID 2880 wrote to memory of 4444	2880	{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe	109
PID 2880 wrote to memory of 4444	2880	{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe	109
PID 2880 wrote to memory of 4444	2880	{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe	109
PID 2880 wrote to memory of 2764	2880	{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe	110
PID 2880 wrote to memory of 2764	2880	{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe	110
PID 2880 wrote to memory of 2764	2880	{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe	110
PID 4444 wrote to memory of 3824	4444	{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe	111
PID 4444 wrote to memory of 3824	4444	{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe	111
PID 4444 wrote to memory of 3824	4444	{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe	111
PID 4444 wrote to memory of 760	4444	{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe	112
PID 4444 wrote to memory of 760	4444	{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe	112
PID 4444 wrote to memory of 760	4444	{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe	112
PID 3824 wrote to memory of 1060	3824	{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe	113
PID 3824 wrote to memory of 1060	3824	{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe	113
PID 3824 wrote to memory of 1060	3824	{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe	113
PID 3824 wrote to memory of 4236	3824	{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe	114
PID 3824 wrote to memory of 4236	3824	{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe	114
PID 3824 wrote to memory of 4236	3824	{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe	114
PID 1060 wrote to memory of 2336	1060	{7560E693-8908-4a04-A123-35A400F0432A}.exe	116
PID 1060 wrote to memory of 2336	1060	{7560E693-8908-4a04-A123-35A400F0432A}.exe	116
PID 1060 wrote to memory of 2336	1060	{7560E693-8908-4a04-A123-35A400F0432A}.exe	116
PID 1060 wrote to memory of 1864	1060	{7560E693-8908-4a04-A123-35A400F0432A}.exe	117
PID 1060 wrote to memory of 1864	1060	{7560E693-8908-4a04-A123-35A400F0432A}.exe	117
PID 1060 wrote to memory of 1864	1060	{7560E693-8908-4a04-A123-35A400F0432A}.exe	117
PID 2336 wrote to memory of 5016	2336	{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe	118
PID 2336 wrote to memory of 5016	2336	{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe	118
PID 2336 wrote to memory of 5016	2336	{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe	118
PID 2336 wrote to memory of 4824	2336	{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe	119
PID 2336 wrote to memory of 4824	2336	{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe	119
PID 2336 wrote to memory of 4824	2336	{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe	119
PID 5016 wrote to memory of 2412	5016	{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe	120
PID 5016 wrote to memory of 2412	5016	{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe	120
PID 5016 wrote to memory of 2412	5016	{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe	120
PID 5016 wrote to memory of 724	5016	{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe	121
PID 5016 wrote to memory of 724	5016	{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe	121
PID 5016 wrote to memory of 724	5016	{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe	121
PID 2412 wrote to memory of 4988	2412	{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe	122
PID 2412 wrote to memory of 4988	2412	{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe	122
PID 2412 wrote to memory of 4988	2412	{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe	122
PID 2412 wrote to memory of 5096	2412	{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe	123
PID 2412 wrote to memory of 5096	2412	{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe	123
PID 2412 wrote to memory of 5096	2412	{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe	123
PID 4988 wrote to memory of 3376	4988	{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe	124
PID 4988 wrote to memory of 3376	4988	{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe	124
PID 4988 wrote to memory of 3376	4988	{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe	124
PID 4988 wrote to memory of 2752	4988	{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe	125

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe
  C:\Windows\{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe
    C:\Windows\{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe
      C:\Windows\{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe
        
        C:\Windows\{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
      - C:\Windows\{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe
        
        C:\Windows\{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\{7560E693-8908-4a04-A123-35A400F0432A}.exe
        
        C:\Windows\{7560E693-8908-4a04-A123-35A400F0432A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe
        
        C:\Windows\{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe
        
        C:\Windows\{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe
        
        C:\Windows\{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe
        
        C:\Windows\{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\{59A875A7-68F3-490f-A18A-D12E59247B16}.exe
        
        C:\Windows\{59A875A7-68F3-490f-A18A-D12E59247B16}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
        
        C:\Windows\{8F9291C3-61B5-4a31-B98B-161FF07EF97D}.exe
        
        C:\Windows\{8F9291C3-61B5-4a31-B98B-161FF07EF97D}.exe
        13⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59A87~1.EXE > nul
        13⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE0BE~1.EXE > nul
        12⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFFE5~1.EXE > nul
        11⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6CFF~1.EXE > nul
        10⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5A19~1.EXE > nul
        9⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7560E~1.EXE > nul
        8⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E925E~1.EXE > nul
        7⤵
        
        PID:4236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87938~1.EXE > nul
        6⤵
        
        PID:760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C494C~1.EXE > nul
        5⤵
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{86E61~1.EXE > nul
      4⤵
      PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EE5AA~1.EXE > nul
    3⤵
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{59A875A7-68F3-490f-A18A-D12E59247B16}.exe

Filesize
168KB

MD5
b62ff2023746cc108790e2b2988b76dd

SHA1
cf54456d04f9b54b57fd878cd9df4057b90f0004

SHA256
694ec70fdcddb82821b491b3e8076b16331ab45a09a99017638368bac3796fe5

SHA512
df941baddafbaef6bf7b1d6deb291978ba8793e822e6d0d4f35a00a1ac1d4c42d8368b7994124b1706a69c4a7d6546f0ab7ac3aac3ccdc0bc5dacb4d38014305

Download Submit
C:\Windows\{59A875A7-68F3-490f-A18A-D12E59247B16}.exe

Filesize
168KB

MD5
b62ff2023746cc108790e2b2988b76dd

SHA1
cf54456d04f9b54b57fd878cd9df4057b90f0004

SHA256
694ec70fdcddb82821b491b3e8076b16331ab45a09a99017638368bac3796fe5

SHA512
df941baddafbaef6bf7b1d6deb291978ba8793e822e6d0d4f35a00a1ac1d4c42d8368b7994124b1706a69c4a7d6546f0ab7ac3aac3ccdc0bc5dacb4d38014305

Download Submit
C:\Windows\{7560E693-8908-4a04-A123-35A400F0432A}.exe

Filesize
168KB

MD5
595894bddf3cec5d698d0281a13c13b2

SHA1
ec70ddc9a7ff57ef2698796ebf0967c1a5c20bf5

SHA256
bfd1b34ddcfacd4185c9b3fd36f41c060a133cb32ff9d3fc658e7b068c83537a

SHA512
0aec2bae540d7caa68b2965bc138a16d8b2a072dd3174b08756f172016e9d5ae33c80d121e7a2e9ff6e73fb179eb9ff4ee00e489da2c86c894e88cd21e684a93

Download Submit
C:\Windows\{7560E693-8908-4a04-A123-35A400F0432A}.exe

Filesize
168KB

MD5
595894bddf3cec5d698d0281a13c13b2

SHA1
ec70ddc9a7ff57ef2698796ebf0967c1a5c20bf5

SHA256
bfd1b34ddcfacd4185c9b3fd36f41c060a133cb32ff9d3fc658e7b068c83537a

SHA512
0aec2bae540d7caa68b2965bc138a16d8b2a072dd3174b08756f172016e9d5ae33c80d121e7a2e9ff6e73fb179eb9ff4ee00e489da2c86c894e88cd21e684a93

Download Submit
C:\Windows\{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe

Filesize
168KB

MD5
57f1f81d1d515d5f2b17b48d99d260f8

SHA1
2918e2bc7cc2cf1c6fb51f0ecfd181e32b0aeb81

SHA256
62d67f542d9a13a8ed98600f7ea7c73e7238765a0e8e61c0d39d4e57b6c081da

SHA512
9ecd2363a440ad6ca2e9d2f35363b44b239233719e8363d8e2e709e90bcd1b05b185084d49ff11ef64cc763ff8eb8954d2e042fa421f4b579beabc1402e8b3b0

Download Submit
C:\Windows\{86E619EE-BE91-4d21-908F-16DDF61393C3}.exe

Filesize
168KB

MD5
57f1f81d1d515d5f2b17b48d99d260f8

SHA1
2918e2bc7cc2cf1c6fb51f0ecfd181e32b0aeb81

SHA256
62d67f542d9a13a8ed98600f7ea7c73e7238765a0e8e61c0d39d4e57b6c081da

SHA512
9ecd2363a440ad6ca2e9d2f35363b44b239233719e8363d8e2e709e90bcd1b05b185084d49ff11ef64cc763ff8eb8954d2e042fa421f4b579beabc1402e8b3b0

Download Submit
C:\Windows\{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe

Filesize
168KB

MD5
2d91e1c7872c8372d18cafad18476058

SHA1
235d00143e0de9e27630f95525ea1cfad49ca61f

SHA256
7aa10fd2698e454185b2beb1124b2126ab92a216a2936695324971b3eab1f5e1

SHA512
3dfc0eeb67ce72ba1a60c1135bbfca72d8b5d31c8e896daaba8fbfa0c9429f9d26963a1b02aaa2c0276e55aad8b49f9b6832d79c34ba94a53d03f4a4d9619243

Download Submit
C:\Windows\{879383CA-2025-4bfa-90EA-74D5A1FB3420}.exe

Filesize
168KB

MD5
2d91e1c7872c8372d18cafad18476058

SHA1
235d00143e0de9e27630f95525ea1cfad49ca61f

SHA256
7aa10fd2698e454185b2beb1124b2126ab92a216a2936695324971b3eab1f5e1

SHA512
3dfc0eeb67ce72ba1a60c1135bbfca72d8b5d31c8e896daaba8fbfa0c9429f9d26963a1b02aaa2c0276e55aad8b49f9b6832d79c34ba94a53d03f4a4d9619243

Download Submit
C:\Windows\{8F9291C3-61B5-4a31-B98B-161FF07EF97D}.exe

Filesize
168KB

MD5
93c3da622db05d56dbbe946c05ba2725

SHA1
502eef91b1dee35e1ceafaf7f83b2f310aa9aac9

SHA256
6b714a400dd7acdb15f6e06a3bbee22f67b8d8ec89525979718df8bdc6d145ef

SHA512
f0e621ec4d803da1414779159048f0b7bc6b36c30368cf916e099f85cb9447a6011a976223b8013fb96f889be777951196ca3c2ec6eb2f8ce9a55ec13faf5bac

Download Submit
C:\Windows\{8F9291C3-61B5-4a31-B98B-161FF07EF97D}.exe

Filesize
168KB

MD5
93c3da622db05d56dbbe946c05ba2725

SHA1
502eef91b1dee35e1ceafaf7f83b2f310aa9aac9

SHA256
6b714a400dd7acdb15f6e06a3bbee22f67b8d8ec89525979718df8bdc6d145ef

SHA512
f0e621ec4d803da1414779159048f0b7bc6b36c30368cf916e099f85cb9447a6011a976223b8013fb96f889be777951196ca3c2ec6eb2f8ce9a55ec13faf5bac

Download Submit
C:\Windows\{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe

Filesize
168KB

MD5
3391967b1f0a55591c3888541fa6e7dd

SHA1
cd36b18caddad13786721441c4e8d46cb2974ff3

SHA256
e5ef638388f07ec7e147a45544ee3a1eee38e6eb53dd74326597bb4356e2c378

SHA512
a2c3b5dc9827b9b50a8513cf455d7cb64ad2097189b05da8eaeab1d78d881a1c7a149d9263c714282eb6f2e12e7dc0826fcdbbc3f8e312fd98a7df88b9975c7a

Download Submit
C:\Windows\{AFFE5786-D5F8-40a4-ADF0-8C798DBD6204}.exe

Filesize
168KB

MD5
3391967b1f0a55591c3888541fa6e7dd

SHA1
cd36b18caddad13786721441c4e8d46cb2974ff3

SHA256
e5ef638388f07ec7e147a45544ee3a1eee38e6eb53dd74326597bb4356e2c378

SHA512
a2c3b5dc9827b9b50a8513cf455d7cb64ad2097189b05da8eaeab1d78d881a1c7a149d9263c714282eb6f2e12e7dc0826fcdbbc3f8e312fd98a7df88b9975c7a

Download Submit
C:\Windows\{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe

Filesize
168KB

MD5
fff45594002a2f56c56935921499bfdc

SHA1
591d8dd6bfbe06ee5e26b1ce951290363b4961a0

SHA256
acf0b6cbdb6413532320cbb25968c30886466e420d581df63190d1f7e0ac3c95

SHA512
e9def08aeeeff434793622a31a3064842d4a44dfcc54e02d02365bda24d6b999b5e11df266ec766047d1dc3759f6df43a09e184d7d7fe1968ad7202cb8e11836

Download Submit
C:\Windows\{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe

Filesize
168KB

MD5
fff45594002a2f56c56935921499bfdc

SHA1
591d8dd6bfbe06ee5e26b1ce951290363b4961a0

SHA256
acf0b6cbdb6413532320cbb25968c30886466e420d581df63190d1f7e0ac3c95

SHA512
e9def08aeeeff434793622a31a3064842d4a44dfcc54e02d02365bda24d6b999b5e11df266ec766047d1dc3759f6df43a09e184d7d7fe1968ad7202cb8e11836

Download Submit
C:\Windows\{C494CD13-3AC2-4bb7-8571-8728954899B0}.exe

Filesize
168KB

MD5
fff45594002a2f56c56935921499bfdc

SHA1
591d8dd6bfbe06ee5e26b1ce951290363b4961a0

SHA256
acf0b6cbdb6413532320cbb25968c30886466e420d581df63190d1f7e0ac3c95

SHA512
e9def08aeeeff434793622a31a3064842d4a44dfcc54e02d02365bda24d6b999b5e11df266ec766047d1dc3759f6df43a09e184d7d7fe1968ad7202cb8e11836

Download Submit
C:\Windows\{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe

Filesize
168KB

MD5
ee27926303f1d9b1ff74522f1503210e

SHA1
a650499e84d17811d2af585708f0e9e28d57eecd

SHA256
63ea8739343d0b5e1800c8f4b637c61bc92b9afae7d3a9eb0c60d785ad7b79db

SHA512
2e8df4ca75e434b262b1ab7d1ed9ded2bec1ff027f658b9c733951e542e21ede28f9d9782c51392f0053b91999858ef8df1edd25b2f3dea3697f9aca862a3072

Download Submit
C:\Windows\{CE0BE455-2251-4d08-B1A2-11921B19019D}.exe

Filesize
168KB

MD5
ee27926303f1d9b1ff74522f1503210e

SHA1
a650499e84d17811d2af585708f0e9e28d57eecd

SHA256
63ea8739343d0b5e1800c8f4b637c61bc92b9afae7d3a9eb0c60d785ad7b79db

SHA512
2e8df4ca75e434b262b1ab7d1ed9ded2bec1ff027f658b9c733951e542e21ede28f9d9782c51392f0053b91999858ef8df1edd25b2f3dea3697f9aca862a3072

Download Submit
C:\Windows\{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe

Filesize
168KB

MD5
f6c08b40084b56013ef7467a21d07848

SHA1
46d15593dc743481f4e1d171fb00d76dab643a2a

SHA256
e324ec09b04c113aea5c0815833520db7e4e536afbe2e8992d0c8b014db10f4c

SHA512
f221047e80a3e01b5d9c34e759a59f8bbc9bfc631cb02ddba4caab8e568d4754843b5236938a44e4646351ed609d7777b1916f803ba115e98093eab6b744ae0c

Download Submit
C:\Windows\{D5A19B1A-35ED-46a1-A568-92A417E246A6}.exe

Filesize
168KB

MD5
f6c08b40084b56013ef7467a21d07848

SHA1
46d15593dc743481f4e1d171fb00d76dab643a2a

SHA256
e324ec09b04c113aea5c0815833520db7e4e536afbe2e8992d0c8b014db10f4c

SHA512
f221047e80a3e01b5d9c34e759a59f8bbc9bfc631cb02ddba4caab8e568d4754843b5236938a44e4646351ed609d7777b1916f803ba115e98093eab6b744ae0c

Download Submit
C:\Windows\{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe

Filesize
168KB

MD5
ec88e8490af299e42e057160c89f69ab

SHA1
11001ef7a19bf7d1f8b53d685caa6e801186b35d

SHA256
2b01da310dbec0091b2eb472f824f1cfdd92989911af4c37732ccb06f0ac8147

SHA512
d9e78aba048571eb80b0a77bce658229e891c1b755aa1f92532da82eaabfae5e81f32fc657d77149c745a58cff86cf1fcfc076bcc65b461890055df0318aede0

Download Submit
C:\Windows\{E6CFF7C1-3970-44b5-B227-9B1174713750}.exe

Filesize
168KB

MD5
ec88e8490af299e42e057160c89f69ab

SHA1
11001ef7a19bf7d1f8b53d685caa6e801186b35d

SHA256
2b01da310dbec0091b2eb472f824f1cfdd92989911af4c37732ccb06f0ac8147

SHA512
d9e78aba048571eb80b0a77bce658229e891c1b755aa1f92532da82eaabfae5e81f32fc657d77149c745a58cff86cf1fcfc076bcc65b461890055df0318aede0

Download Submit
C:\Windows\{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe

Filesize
168KB

MD5
cae89911a2e841728e96d5c0add6636f

SHA1
cf53f72fd45a215b26faf1879d2a9e5924d648c8

SHA256
a1c7f08036500c7712724a65ffaa5dab4394858303d0ecc34eb4f1eb726f6ae9

SHA512
5481bf6bf74a55aaad63c3b342bb10ba72382f94a3cc371fef040d07ce5be2add95e8adbc3793ae511271883a404e43ff7e14c64e4beec49dba9ff25aea423af

Download Submit
C:\Windows\{E925EFE1-BA95-42f7-8716-CE42E80BBBC0}.exe

Filesize
168KB

MD5
cae89911a2e841728e96d5c0add6636f

SHA1
cf53f72fd45a215b26faf1879d2a9e5924d648c8

SHA256
a1c7f08036500c7712724a65ffaa5dab4394858303d0ecc34eb4f1eb726f6ae9

SHA512
5481bf6bf74a55aaad63c3b342bb10ba72382f94a3cc371fef040d07ce5be2add95e8adbc3793ae511271883a404e43ff7e14c64e4beec49dba9ff25aea423af

Download Submit
C:\Windows\{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe

Filesize
168KB

MD5
8414a78bcc9947fd8d04b94d23b6e9cc

SHA1
c1f24a2d1a0acb929d69ac0f72bb9170eef8c9d6

SHA256
b9c877896819ecbfdf63bd7793e4e6c68fb028ff1ad8b99b3ef3770f33f6a630

SHA512
a8696a83eb88b455e0d35e5a309516c4a6126226f297a8d0f11c2cc84bd45aec481eb2f72d84d3e71c65722148ed4e3a41bc4dfffaa198272e06577ee1efc965

Download Submit
C:\Windows\{EE5AA4FC-D6B8-4e62-9280-C64A5B98E69C}.exe

Filesize
168KB

MD5
8414a78bcc9947fd8d04b94d23b6e9cc

SHA1
c1f24a2d1a0acb929d69ac0f72bb9170eef8c9d6

SHA256
b9c877896819ecbfdf63bd7793e4e6c68fb028ff1ad8b99b3ef3770f33f6a630

SHA512
a8696a83eb88b455e0d35e5a309516c4a6126226f297a8d0f11c2cc84bd45aec481eb2f72d84d3e71c65722148ed4e3a41bc4dfffaa198272e06577ee1efc965

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads