93241cf333b19bc2872de58724359c9adcee84fffaacc67ea9eda6d5c7cac52b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 19:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe
Size

408KB
MD5

73efc7b1182d52acddcb2d39510e4787
SHA1

7f8b1ca78758aeeae11c3ec1642b8ce560b33c52
SHA256

93241cf333b19bc2872de58724359c9adcee84fffaacc67ea9eda6d5c7cac52b
SHA512

368870ba3c6d3611b3d184d1c976a6da5919f2b26f4f236e733acd4bf4362c8a6b2243c210f8f925a63db684a77a415e0935f2833b90e8c1de05d961751bb720
SSDEEP

3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG8ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3172F4C3-2B17-4e97-8E28-31B563876259}	{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}	{3172F4C3-2B17-4e97-8E28-31B563876259}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E0F5DF2-5570-4f14-8529-1AF41A91D358}	{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE370A29-38FD-4145-8BBC-9720CA3830EA}	{11298674-643B-4d1f-A424-F70529E1175F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE370A29-38FD-4145-8BBC-9720CA3830EA}\stubpath = "C:\\Windows\\{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe"	{11298674-643B-4d1f-A424-F70529E1175F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6154953-F56C-4f7b-8A55-76DCF1C81271}	{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6154953-F56C-4f7b-8A55-76DCF1C81271}\stubpath = "C:\\Windows\\{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe"	{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}	{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}\stubpath = "C:\\Windows\\{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe"	{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1CDAEB1-D3FF-4f43-A3B4-51180B0A5F7C}\stubpath = "C:\\Windows\\{A1CDAEB1-D3FF-4f43-A3B4-51180B0A5F7C}.exe"	{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F76AED0-F248-4e52-9E7F-44BAD645A9F3}	{A1CDAEB1-D3FF-4f43-A3B4-51180B0A5F7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CE0A362-5203-4d2a-8339-E2943A07C5E1}	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11298674-643B-4d1f-A424-F70529E1175F}\stubpath = "C:\\Windows\\{11298674-643B-4d1f-A424-F70529E1175F}.exe"	{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1CDAEB1-D3FF-4f43-A3B4-51180B0A5F7C}	{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}\stubpath = "C:\\Windows\\{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe"	{3172F4C3-2B17-4e97-8E28-31B563876259}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{109DED29-EB02-4c54-A5D3-CAD359614EF9}\stubpath = "C:\\Windows\\{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe"	{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}\stubpath = "C:\\Windows\\{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe"	{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}	{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F76AED0-F248-4e52-9E7F-44BAD645A9F3}\stubpath = "C:\\Windows\\{5F76AED0-F248-4e52-9E7F-44BAD645A9F3}.exe"	{A1CDAEB1-D3FF-4f43-A3B4-51180B0A5F7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CE0A362-5203-4d2a-8339-E2943A07C5E1}\stubpath = "C:\\Windows\\{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe"	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3172F4C3-2B17-4e97-8E28-31B563876259}\stubpath = "C:\\Windows\\{3172F4C3-2B17-4e97-8E28-31B563876259}.exe"	{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E0F5DF2-5570-4f14-8529-1AF41A91D358}\stubpath = "C:\\Windows\\{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe"	{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{109DED29-EB02-4c54-A5D3-CAD359614EF9}	{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11298674-643B-4d1f-A424-F70529E1175F}	{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe

Executes dropped EXE 12 IoCs

pid	Process
4500	{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe
4840	{3172F4C3-2B17-4e97-8E28-31B563876259}.exe
3872	{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe
2160	{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe
4724	{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe
1200	{11298674-643B-4d1f-A424-F70529E1175F}.exe
976	{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe
3068	{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe
2724	{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe
4000	{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe
3948	{A1CDAEB1-D3FF-4f43-A3B4-51180B0A5F7C}.exe
4964	{5F76AED0-F248-4e52-9E7F-44BAD645A9F3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe	{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe
File created	C:\Windows\{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe	{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe
File created	C:\Windows\{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe	{11298674-643B-4d1f-A424-F70529E1175F}.exe
File created	C:\Windows\{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe	{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe
File created	C:\Windows\{5F76AED0-F248-4e52-9E7F-44BAD645A9F3}.exe	{A1CDAEB1-D3FF-4f43-A3B4-51180B0A5F7C}.exe
File created	C:\Windows\{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe
File created	C:\Windows\{3172F4C3-2B17-4e97-8E28-31B563876259}.exe	{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe
File created	C:\Windows\{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe	{3172F4C3-2B17-4e97-8E28-31B563876259}.exe
File created	C:\Windows\{11298674-643B-4d1f-A424-F70529E1175F}.exe	{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe
File created	C:\Windows\{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe	{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe
File created	C:\Windows\{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe	{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe
File created	C:\Windows\{A1CDAEB1-D3FF-4f43-A3B4-51180B0A5F7C}.exe	{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2464	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4500	{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe
Token: SeIncBasePriorityPrivilege	4840	{3172F4C3-2B17-4e97-8E28-31B563876259}.exe
Token: SeIncBasePriorityPrivilege	3872	{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe
Token: SeIncBasePriorityPrivilege	2160	{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe
Token: SeIncBasePriorityPrivilege	4724	{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe
Token: SeIncBasePriorityPrivilege	1200	{11298674-643B-4d1f-A424-F70529E1175F}.exe
Token: SeIncBasePriorityPrivilege	976	{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe
Token: SeIncBasePriorityPrivilege	3068	{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe
Token: SeIncBasePriorityPrivilege	2724	{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe
Token: SeIncBasePriorityPrivilege	4000	{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe
Token: SeIncBasePriorityPrivilege	3948	{A1CDAEB1-D3FF-4f43-A3B4-51180B0A5F7C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 4500	2464	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	101
PID 2464 wrote to memory of 4500	2464	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	101
PID 2464 wrote to memory of 4500	2464	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	101
PID 2464 wrote to memory of 3648	2464	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	102
PID 2464 wrote to memory of 3648	2464	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	102
PID 2464 wrote to memory of 3648	2464	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	102
PID 4500 wrote to memory of 4840	4500	{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe	103
PID 4500 wrote to memory of 4840	4500	{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe	103
PID 4500 wrote to memory of 4840	4500	{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe	103
PID 4500 wrote to memory of 2004	4500	{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe	104
PID 4500 wrote to memory of 2004	4500	{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe	104
PID 4500 wrote to memory of 2004	4500	{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe	104
PID 4840 wrote to memory of 3872	4840	{3172F4C3-2B17-4e97-8E28-31B563876259}.exe	109
PID 4840 wrote to memory of 3872	4840	{3172F4C3-2B17-4e97-8E28-31B563876259}.exe	109
PID 4840 wrote to memory of 3872	4840	{3172F4C3-2B17-4e97-8E28-31B563876259}.exe	109
PID 4840 wrote to memory of 5056	4840	{3172F4C3-2B17-4e97-8E28-31B563876259}.exe	108
PID 4840 wrote to memory of 5056	4840	{3172F4C3-2B17-4e97-8E28-31B563876259}.exe	108
PID 4840 wrote to memory of 5056	4840	{3172F4C3-2B17-4e97-8E28-31B563876259}.exe	108
PID 3872 wrote to memory of 2160	3872	{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe	115
PID 3872 wrote to memory of 2160	3872	{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe	115
PID 3872 wrote to memory of 2160	3872	{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe	115
PID 3872 wrote to memory of 1116	3872	{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe	116
PID 3872 wrote to memory of 1116	3872	{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe	116
PID 3872 wrote to memory of 1116	3872	{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe	116
PID 2160 wrote to memory of 4724	2160	{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe	117
PID 2160 wrote to memory of 4724	2160	{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe	117
PID 2160 wrote to memory of 4724	2160	{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe	117
PID 2160 wrote to memory of 4188	2160	{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe	118
PID 2160 wrote to memory of 4188	2160	{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe	118
PID 2160 wrote to memory of 4188	2160	{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe	118
PID 4724 wrote to memory of 1200	4724	{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe	120
PID 4724 wrote to memory of 1200	4724	{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe	120
PID 4724 wrote to memory of 1200	4724	{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe	120
PID 4724 wrote to memory of 1672	4724	{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe	121
PID 4724 wrote to memory of 1672	4724	{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe	121
PID 4724 wrote to memory of 1672	4724	{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe	121
PID 1200 wrote to memory of 976	1200	{11298674-643B-4d1f-A424-F70529E1175F}.exe	122
PID 1200 wrote to memory of 976	1200	{11298674-643B-4d1f-A424-F70529E1175F}.exe	122
PID 1200 wrote to memory of 976	1200	{11298674-643B-4d1f-A424-F70529E1175F}.exe	122
PID 1200 wrote to memory of 3988	1200	{11298674-643B-4d1f-A424-F70529E1175F}.exe	123
PID 1200 wrote to memory of 3988	1200	{11298674-643B-4d1f-A424-F70529E1175F}.exe	123
PID 1200 wrote to memory of 3988	1200	{11298674-643B-4d1f-A424-F70529E1175F}.exe	123
PID 976 wrote to memory of 3068	976	{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe	124
PID 976 wrote to memory of 3068	976	{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe	124
PID 976 wrote to memory of 3068	976	{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe	124
PID 976 wrote to memory of 1344	976	{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe	125
PID 976 wrote to memory of 1344	976	{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe	125
PID 976 wrote to memory of 1344	976	{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe	125
PID 3068 wrote to memory of 2724	3068	{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe	126
PID 3068 wrote to memory of 2724	3068	{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe	126
PID 3068 wrote to memory of 2724	3068	{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe	126
PID 3068 wrote to memory of 5008	3068	{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe	127
PID 3068 wrote to memory of 5008	3068	{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe	127
PID 3068 wrote to memory of 5008	3068	{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe	127
PID 2724 wrote to memory of 4000	2724	{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe	128
PID 2724 wrote to memory of 4000	2724	{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe	128
PID 2724 wrote to memory of 4000	2724	{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe	128
PID 2724 wrote to memory of 5000	2724	{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe	129
PID 2724 wrote to memory of 5000	2724	{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe	129
PID 2724 wrote to memory of 5000	2724	{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe	129
PID 4000 wrote to memory of 3948	4000	{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe	130
PID 4000 wrote to memory of 3948	4000	{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe	130
PID 4000 wrote to memory of 3948	4000	{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe	130
PID 4000 wrote to memory of 880	4000	{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe	131

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe
  C:\Windows\{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\{3172F4C3-2B17-4e97-8E28-31B563876259}.exe
    C:\Windows\{3172F4C3-2B17-4e97-8E28-31B563876259}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3172F~1.EXE > nul
      4⤵
      PID:5056
  - - C:\Windows\{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe
      C:\Windows\{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe
        
        C:\Windows\{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\Windows\{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe
        
        C:\Windows\{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\{11298674-643B-4d1f-A424-F70529E1175F}.exe
        
        C:\Windows\{11298674-643B-4d1f-A424-F70529E1175F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe
        
        C:\Windows\{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe
        
        C:\Windows\{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe
        
        C:\Windows\{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe
        
        C:\Windows\{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\{A1CDAEB1-D3FF-4f43-A3B4-51180B0A5F7C}.exe
        
        C:\Windows\{A1CDAEB1-D3FF-4f43-A3B4-51180B0A5F7C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
        
        C:\Windows\{5F76AED0-F248-4e52-9E7F-44BAD645A9F3}.exe
        
        C:\Windows\{5F76AED0-F248-4e52-9E7F-44BAD645A9F3}.exe
        13⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1CDA~1.EXE > nul
        13⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8766C~1.EXE > nul
        12⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22BD4~1.EXE > nul
        11⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6154~1.EXE > nul
        10⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE370~1.EXE > nul
        9⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11298~1.EXE > nul
        8⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{109DE~1.EXE > nul
        7⤵
        
        PID:1672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E0F5~1.EXE > nul
        6⤵
        
        PID:4188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCAC3~1.EXE > nul
        5⤵
        
        PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8CE0A~1.EXE > nul
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe

Filesize
408KB

MD5
cb561bd2f99c0f29c8c487561aa5ac80

SHA1
ecaf64adeddddd93ea2053d0323abba62cebc55c

SHA256
85c8c5b242cecbd6305715659adb34f889f2a6e58aeeee4e3585036b5b4939f1

SHA512
b21235200215deb1e8b177555145adc4d4940663a4b42ebe1e586f4404e0b0034d4adc29b39dff7d57bc4d2ae2de89f1a565a1bf0b0b6da9a5e004e7d4485c56

Download Submit
C:\Windows\{109DED29-EB02-4c54-A5D3-CAD359614EF9}.exe

Filesize
408KB

MD5
cb561bd2f99c0f29c8c487561aa5ac80

SHA1
ecaf64adeddddd93ea2053d0323abba62cebc55c

SHA256
85c8c5b242cecbd6305715659adb34f889f2a6e58aeeee4e3585036b5b4939f1

SHA512
b21235200215deb1e8b177555145adc4d4940663a4b42ebe1e586f4404e0b0034d4adc29b39dff7d57bc4d2ae2de89f1a565a1bf0b0b6da9a5e004e7d4485c56

Download Submit
C:\Windows\{11298674-643B-4d1f-A424-F70529E1175F}.exe

Filesize
408KB

MD5
2909abfcfe5899744c18ef6d46850e98

SHA1
110761b56169fbd24fb76522e31c8e5ef26ea478

SHA256
8076dec53804c1e1111092cf6e30a40545846bc07ae603939b6b05565559fbb1

SHA512
ff9135ea0d3df38f6414d3842586bc7d52b43476a3ce9a22e0577ada98ae0d18b6c872db002380acf56fcbe0253d3fe2027445d388a5144ace30a13f9ff45eea

Download Submit
C:\Windows\{11298674-643B-4d1f-A424-F70529E1175F}.exe

Filesize
408KB

MD5
2909abfcfe5899744c18ef6d46850e98

SHA1
110761b56169fbd24fb76522e31c8e5ef26ea478

SHA256
8076dec53804c1e1111092cf6e30a40545846bc07ae603939b6b05565559fbb1

SHA512
ff9135ea0d3df38f6414d3842586bc7d52b43476a3ce9a22e0577ada98ae0d18b6c872db002380acf56fcbe0253d3fe2027445d388a5144ace30a13f9ff45eea

Download Submit
C:\Windows\{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe

Filesize
408KB

MD5
033b1911c2fd5a6c9c23e22ac7b34485

SHA1
8e08d995221d3dae18821728aeee101f57aa3f8a

SHA256
1e2af1e3a47ad119dd5e470498dd77b58983f2cbf420dbf1e20057e419754d3a

SHA512
0474ff03e355ef6a16e864162e05d71d4c8bbcbf4d65f294f43714d3d393870039cdcb0ae91e95b3b00810a534bf9cdbcd12aadf403b7383eb3ee5a8b5ecdf22

Download Submit
C:\Windows\{22BD478A-8BC7-47c5-BEAC-9860F8C5BD45}.exe

Filesize
408KB

MD5
033b1911c2fd5a6c9c23e22ac7b34485

SHA1
8e08d995221d3dae18821728aeee101f57aa3f8a

SHA256
1e2af1e3a47ad119dd5e470498dd77b58983f2cbf420dbf1e20057e419754d3a

SHA512
0474ff03e355ef6a16e864162e05d71d4c8bbcbf4d65f294f43714d3d393870039cdcb0ae91e95b3b00810a534bf9cdbcd12aadf403b7383eb3ee5a8b5ecdf22

Download Submit
C:\Windows\{3172F4C3-2B17-4e97-8E28-31B563876259}.exe

Filesize
408KB

MD5
3db62e134f046778fd197b795c044087

SHA1
edd21c5c4fa6b80b48124b98e448b352e31e513d

SHA256
ef04f05d4a0affcd31333cf6dda026f06656a043634cb9447ea8bf91315056cf

SHA512
6f7d4565a244654affb391610a75370b86168412edd845ec1194fbc1eacdcf09a5c9a8f4b39a2c0c371b6ce3f3de296c584c133719146d9ed55dedd2c36a4e2e

Download Submit
C:\Windows\{3172F4C3-2B17-4e97-8E28-31B563876259}.exe

Filesize
408KB

MD5
3db62e134f046778fd197b795c044087

SHA1
edd21c5c4fa6b80b48124b98e448b352e31e513d

SHA256
ef04f05d4a0affcd31333cf6dda026f06656a043634cb9447ea8bf91315056cf

SHA512
6f7d4565a244654affb391610a75370b86168412edd845ec1194fbc1eacdcf09a5c9a8f4b39a2c0c371b6ce3f3de296c584c133719146d9ed55dedd2c36a4e2e

Download Submit
C:\Windows\{5F76AED0-F248-4e52-9E7F-44BAD645A9F3}.exe

Filesize
408KB

MD5
d217bfa795c932301cd12fc681015859

SHA1
ae2a371880554d91b275f4bb9818beb8a9b883f0

SHA256
bfacab9658914343efcd809a00cb13fc8db29dbb8ab403670b52302e6a8a9488

SHA512
e6773796d4fd55052813f9ecd4e400e4048f544b4dc0ea2e219116a266f1331a361b73683cba4bdc56959587b8889fa4901faca99110468b24fef4dba101356b

Download Submit
C:\Windows\{5F76AED0-F248-4e52-9E7F-44BAD645A9F3}.exe

Filesize
408KB

MD5
d217bfa795c932301cd12fc681015859

SHA1
ae2a371880554d91b275f4bb9818beb8a9b883f0

SHA256
bfacab9658914343efcd809a00cb13fc8db29dbb8ab403670b52302e6a8a9488

SHA512
e6773796d4fd55052813f9ecd4e400e4048f544b4dc0ea2e219116a266f1331a361b73683cba4bdc56959587b8889fa4901faca99110468b24fef4dba101356b

Download Submit
C:\Windows\{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe

Filesize
408KB

MD5
9579f7fb308956f3c208cc3baeee50a9

SHA1
c30f4b6fe6b957962b84ce4540889e5ffe755ac5

SHA256
02b4692779d842bab86a816492a306205be697f5b72a19e6498b667f1f08e089

SHA512
c2950c18f6658868054f6e878c723f5676e9a0b30358d19d00ea242dabebd4651fe359765596720f32e82d97d2e3bf47fc6fe939217566563190966b6e8d1ae6

Download Submit
C:\Windows\{6E0F5DF2-5570-4f14-8529-1AF41A91D358}.exe

Filesize
408KB

MD5
9579f7fb308956f3c208cc3baeee50a9

SHA1
c30f4b6fe6b957962b84ce4540889e5ffe755ac5

SHA256
02b4692779d842bab86a816492a306205be697f5b72a19e6498b667f1f08e089

SHA512
c2950c18f6658868054f6e878c723f5676e9a0b30358d19d00ea242dabebd4651fe359765596720f32e82d97d2e3bf47fc6fe939217566563190966b6e8d1ae6

Download Submit
C:\Windows\{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe

Filesize
408KB

MD5
dcc46700436280a77cd932fcffb27b1e

SHA1
3be4c5393de5fd63be95ec825be12dd4ca9e8da8

SHA256
1716c7ab21b8e305ed5fe84032f7be7fef918af9963374a888a0612f4bb348aa

SHA512
379068f812a03fba2dfb0ebacfa164193f1698f62d73b45e7e403deaf0388cdacae4685a02f32db49f6ca96e564a0e714ea17be1c9f45b1d9a85a3dff64a5b51

Download Submit
C:\Windows\{8766C3A7-CEB7-4349-93BE-D81CF9D3CD77}.exe

Filesize
408KB

MD5
dcc46700436280a77cd932fcffb27b1e

SHA1
3be4c5393de5fd63be95ec825be12dd4ca9e8da8

SHA256
1716c7ab21b8e305ed5fe84032f7be7fef918af9963374a888a0612f4bb348aa

SHA512
379068f812a03fba2dfb0ebacfa164193f1698f62d73b45e7e403deaf0388cdacae4685a02f32db49f6ca96e564a0e714ea17be1c9f45b1d9a85a3dff64a5b51

Download Submit
C:\Windows\{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe

Filesize
408KB

MD5
da2a44c6c28a56f295ae6d64f73a43c8

SHA1
1a0998ea76ff833ec82248c7908bb55d732eed38

SHA256
c4aeea51453f545f6fe6b194405f3cc26ce018d27ff079fd8ed8976be725198e

SHA512
5c3213b7ffb65bb9cbe5d4a32a9be7d767cdc44fca0a64c0ee549f939809d175777c691789c6c79390f352230d5edaca30d40c6a5b9a805d7946087d11fd38d6

Download Submit
C:\Windows\{8CE0A362-5203-4d2a-8339-E2943A07C5E1}.exe

Filesize
408KB

MD5
da2a44c6c28a56f295ae6d64f73a43c8

SHA1
1a0998ea76ff833ec82248c7908bb55d732eed38

SHA256
c4aeea51453f545f6fe6b194405f3cc26ce018d27ff079fd8ed8976be725198e

SHA512
5c3213b7ffb65bb9cbe5d4a32a9be7d767cdc44fca0a64c0ee549f939809d175777c691789c6c79390f352230d5edaca30d40c6a5b9a805d7946087d11fd38d6

Download Submit
C:\Windows\{A1CDAEB1-D3FF-4f43-A3B4-51180B0A5F7C}.exe

Filesize
408KB

MD5
0b7f47fc4e555bdba7e7b16487894ede

SHA1
a93a759798b43451e569350a9ad9183865037049

SHA256
354c7283725eb7d1cf0ba552b9eee894204afef6cf4e0d112869ab17f5197ac8

SHA512
710ea9fb4cf76d099ed4e1ebf2162cb2817d39cb86be48525c1adce28798aa0c927f55263bbdbc5953cf4a11d072c0aef2b653b34a441651daa7c74f34e67608

Download Submit
C:\Windows\{A1CDAEB1-D3FF-4f43-A3B4-51180B0A5F7C}.exe

Filesize
408KB

MD5
0b7f47fc4e555bdba7e7b16487894ede

SHA1
a93a759798b43451e569350a9ad9183865037049

SHA256
354c7283725eb7d1cf0ba552b9eee894204afef6cf4e0d112869ab17f5197ac8

SHA512
710ea9fb4cf76d099ed4e1ebf2162cb2817d39cb86be48525c1adce28798aa0c927f55263bbdbc5953cf4a11d072c0aef2b653b34a441651daa7c74f34e67608

Download Submit
C:\Windows\{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe

Filesize
408KB

MD5
dcdee3e8fad2b332d06ac885710ba3ff

SHA1
a5fa8efe34da8b5f651fc8c84f6dc99b4ec06685

SHA256
03fd473abe0bb598a19d96cf5ee1fd8c1b82192e81c57a8d303fea96456dd929

SHA512
d029d18f1716e3c7283505b2797b51c8f1f69bce23e4b6ccbd8034c2ac5e73852cd620e29e0d1d83ac3d0c1727484eef634fbc5b3c4ccd17f9ddbe0688e1868d

Download Submit
C:\Windows\{A6154953-F56C-4f7b-8A55-76DCF1C81271}.exe

Filesize
408KB

MD5
dcdee3e8fad2b332d06ac885710ba3ff

SHA1
a5fa8efe34da8b5f651fc8c84f6dc99b4ec06685

SHA256
03fd473abe0bb598a19d96cf5ee1fd8c1b82192e81c57a8d303fea96456dd929

SHA512
d029d18f1716e3c7283505b2797b51c8f1f69bce23e4b6ccbd8034c2ac5e73852cd620e29e0d1d83ac3d0c1727484eef634fbc5b3c4ccd17f9ddbe0688e1868d

Download Submit
C:\Windows\{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe

Filesize
408KB

MD5
737307c128c230a0577be1c8536d5c6b

SHA1
005eca2d73eab64ca4e21e35504e420eae3c2756

SHA256
ed19476164583fcdd0ffe60f97f0b29ab659a54d1dde2a0f3921d631a4af54bf

SHA512
fac6ed46e0db2b3be4499eef500d841cb40ec03b3ca6a76e64d3e801f3be07cb066a3461d5475b525f357d50e637ed3564df7578146663eec7e1efe57fefc30f

Download Submit
C:\Windows\{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe

Filesize
408KB

MD5
737307c128c230a0577be1c8536d5c6b

SHA1
005eca2d73eab64ca4e21e35504e420eae3c2756

SHA256
ed19476164583fcdd0ffe60f97f0b29ab659a54d1dde2a0f3921d631a4af54bf

SHA512
fac6ed46e0db2b3be4499eef500d841cb40ec03b3ca6a76e64d3e801f3be07cb066a3461d5475b525f357d50e637ed3564df7578146663eec7e1efe57fefc30f

Download Submit
C:\Windows\{CCAC33BA-FB57-4068-8AAA-1A6B75D0B4E2}.exe

Filesize
408KB

MD5
737307c128c230a0577be1c8536d5c6b

SHA1
005eca2d73eab64ca4e21e35504e420eae3c2756

SHA256
ed19476164583fcdd0ffe60f97f0b29ab659a54d1dde2a0f3921d631a4af54bf

SHA512
fac6ed46e0db2b3be4499eef500d841cb40ec03b3ca6a76e64d3e801f3be07cb066a3461d5475b525f357d50e637ed3564df7578146663eec7e1efe57fefc30f

Download Submit
C:\Windows\{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe

Filesize
408KB

MD5
c44a063c4cfdd985de10a16215f83939

SHA1
dcd81ddc1ca85bc4c104282ab935454eafea234f

SHA256
d534a9008e0a48893d4489292a3f66b4960e85d5c71d463bf93d6441873b8bd7

SHA512
8815f7a5a530ce738c022fd66896caba65615c843e27b89ef3ab5444fbb6a6f3987228508d0be9b9c24c9b77dcabc906250e8eff79d24095e62fdfb49860ea56

Download Submit
C:\Windows\{EE370A29-38FD-4145-8BBC-9720CA3830EA}.exe

Filesize
408KB

MD5
c44a063c4cfdd985de10a16215f83939

SHA1
dcd81ddc1ca85bc4c104282ab935454eafea234f

SHA256
d534a9008e0a48893d4489292a3f66b4960e85d5c71d463bf93d6441873b8bd7

SHA512
8815f7a5a530ce738c022fd66896caba65615c843e27b89ef3ab5444fbb6a6f3987228508d0be9b9c24c9b77dcabc906250e8eff79d24095e62fdfb49860ea56

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads