26bd9b80b6882f73f61f45c2da4a7e6a46f9d53136289c4350c50f35e4f4ddad

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe
Size

408KB
MD5

b9cc41becacc96fd0f4ffaf7d63b554b
SHA1

08a9c2a44b0454eaa364b57cdd6995fc605c1ca8
SHA256

26bd9b80b6882f73f61f45c2da4a7e6a46f9d53136289c4350c50f35e4f4ddad
SHA512

c44e65f99fc24612a245c2c1e3b2e752384f830c3ae78593a325ceae4975ee2649af22f6c4c9ecd68ae513b13dc862b8dd6f830e908a76a688249a42522d33b3
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D59547F7-F697-4a4d-9F67-0A4453A8942A}	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{159E3247-5934-4958-B958-31348C038E82}\stubpath = "C:\\Windows\\{159E3247-5934-4958-B958-31348C038E82}.exe"	{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4990219-8CB9-41f1-84BF-996E8D834CA6}	{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}\stubpath = "C:\\Windows\\{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe"	{B86B752B-4141-4638-93CD-EDBA3440B541}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2F6208A-41AA-4f11-97C0-78B73DCC789F}	{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E05AAA4B-7A05-4859-A78B-D2B0E67BC556}\stubpath = "C:\\Windows\\{E05AAA4B-7A05-4859-A78B-D2B0E67BC556}.exe"	{A2F6208A-41AA-4f11-97C0-78B73DCC789F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{679DD824-921B-4157-85E7-BE539F1ED7C7}	{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{679DD824-921B-4157-85E7-BE539F1ED7C7}\stubpath = "C:\\Windows\\{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe"	{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D59547F7-F697-4a4d-9F67-0A4453A8942A}\stubpath = "C:\\Windows\\{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe"	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}\stubpath = "C:\\Windows\\{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe"	{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18CF70AF-69C5-48fe-B9F7-293947EBB24E}	{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B86B752B-4141-4638-93CD-EDBA3440B541}	{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}	{B86B752B-4141-4638-93CD-EDBA3440B541}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}\stubpath = "C:\\Windows\\{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe"	{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2F6208A-41AA-4f11-97C0-78B73DCC789F}\stubpath = "C:\\Windows\\{A2F6208A-41AA-4f11-97C0-78B73DCC789F}.exe"	{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{159E3247-5934-4958-B958-31348C038E82}	{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}\stubpath = "C:\\Windows\\{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe"	{159E3247-5934-4958-B958-31348C038E82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4990219-8CB9-41f1-84BF-996E8D834CA6}\stubpath = "C:\\Windows\\{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe"	{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}	{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}	{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18CF70AF-69C5-48fe-B9F7-293947EBB24E}\stubpath = "C:\\Windows\\{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe"	{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}	{159E3247-5934-4958-B958-31348C038E82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B86B752B-4141-4638-93CD-EDBA3440B541}\stubpath = "C:\\Windows\\{B86B752B-4141-4638-93CD-EDBA3440B541}.exe"	{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E05AAA4B-7A05-4859-A78B-D2B0E67BC556}	{A2F6208A-41AA-4f11-97C0-78B73DCC789F}.exe

Executes dropped EXE 12 IoCs

pid	Process
1580	{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe
3992	{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe
5116	{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe
3444	{159E3247-5934-4958-B958-31348C038E82}.exe
2824	{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe
4900	{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe
2528	{B86B752B-4141-4638-93CD-EDBA3440B541}.exe
4516	{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe
1248	{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe
4976	{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe
5072	{A2F6208A-41AA-4f11-97C0-78B73DCC789F}.exe
4808	{E05AAA4B-7A05-4859-A78B-D2B0E67BC556}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe	{B86B752B-4141-4638-93CD-EDBA3440B541}.exe
File created	C:\Windows\{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe	{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe
File created	C:\Windows\{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe
File created	C:\Windows\{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe	{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe
File created	C:\Windows\{159E3247-5934-4958-B958-31348C038E82}.exe	{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe
File created	C:\Windows\{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe	{159E3247-5934-4958-B958-31348C038E82}.exe
File created	C:\Windows\{B86B752B-4141-4638-93CD-EDBA3440B541}.exe	{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe
File created	C:\Windows\{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe	{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe
File created	C:\Windows\{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe	{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe
File created	C:\Windows\{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe	{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe
File created	C:\Windows\{A2F6208A-41AA-4f11-97C0-78B73DCC789F}.exe	{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe
File created	C:\Windows\{E05AAA4B-7A05-4859-A78B-D2B0E67BC556}.exe	{A2F6208A-41AA-4f11-97C0-78B73DCC789F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3920	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1580	{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe
Token: SeIncBasePriorityPrivilege	3992	{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe
Token: SeIncBasePriorityPrivilege	5116	{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe
Token: SeIncBasePriorityPrivilege	3444	{159E3247-5934-4958-B958-31348C038E82}.exe
Token: SeIncBasePriorityPrivilege	2824	{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe
Token: SeIncBasePriorityPrivilege	4900	{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe
Token: SeIncBasePriorityPrivilege	2528	{B86B752B-4141-4638-93CD-EDBA3440B541}.exe
Token: SeIncBasePriorityPrivilege	4516	{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe
Token: SeIncBasePriorityPrivilege	1248	{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe
Token: SeIncBasePriorityPrivilege	4976	{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe
Token: SeIncBasePriorityPrivilege	5072	{A2F6208A-41AA-4f11-97C0-78B73DCC789F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 1580	3920	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	84
PID 3920 wrote to memory of 1580	3920	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	84
PID 3920 wrote to memory of 1580	3920	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	84
PID 3920 wrote to memory of 2840	3920	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	85
PID 3920 wrote to memory of 2840	3920	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	85
PID 3920 wrote to memory of 2840	3920	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	85
PID 1580 wrote to memory of 3992	1580	{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe	86
PID 1580 wrote to memory of 3992	1580	{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe	86
PID 1580 wrote to memory of 3992	1580	{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe	86
PID 1580 wrote to memory of 4916	1580	{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe	87
PID 1580 wrote to memory of 4916	1580	{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe	87
PID 1580 wrote to memory of 4916	1580	{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe	87
PID 3992 wrote to memory of 5116	3992	{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe	89
PID 3992 wrote to memory of 5116	3992	{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe	89
PID 3992 wrote to memory of 5116	3992	{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe	89
PID 3992 wrote to memory of 2260	3992	{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe	88
PID 3992 wrote to memory of 2260	3992	{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe	88
PID 3992 wrote to memory of 2260	3992	{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe	88
PID 5116 wrote to memory of 3444	5116	{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe	90
PID 5116 wrote to memory of 3444	5116	{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe	90
PID 5116 wrote to memory of 3444	5116	{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe	90
PID 5116 wrote to memory of 1804	5116	{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe	91
PID 5116 wrote to memory of 1804	5116	{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe	91
PID 5116 wrote to memory of 1804	5116	{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe	91
PID 3444 wrote to memory of 2824	3444	{159E3247-5934-4958-B958-31348C038E82}.exe	92
PID 3444 wrote to memory of 2824	3444	{159E3247-5934-4958-B958-31348C038E82}.exe	92
PID 3444 wrote to memory of 2824	3444	{159E3247-5934-4958-B958-31348C038E82}.exe	92
PID 3444 wrote to memory of 1168	3444	{159E3247-5934-4958-B958-31348C038E82}.exe	93
PID 3444 wrote to memory of 1168	3444	{159E3247-5934-4958-B958-31348C038E82}.exe	93
PID 3444 wrote to memory of 1168	3444	{159E3247-5934-4958-B958-31348C038E82}.exe	93
PID 2824 wrote to memory of 4900	2824	{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe	94
PID 2824 wrote to memory of 4900	2824	{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe	94
PID 2824 wrote to memory of 4900	2824	{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe	94
PID 2824 wrote to memory of 1156	2824	{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe	95
PID 2824 wrote to memory of 1156	2824	{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe	95
PID 2824 wrote to memory of 1156	2824	{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe	95
PID 4900 wrote to memory of 2528	4900	{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe	96
PID 4900 wrote to memory of 2528	4900	{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe	96
PID 4900 wrote to memory of 2528	4900	{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe	96
PID 4900 wrote to memory of 1696	4900	{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe	97
PID 4900 wrote to memory of 1696	4900	{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe	97
PID 4900 wrote to memory of 1696	4900	{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe	97
PID 2528 wrote to memory of 4516	2528	{B86B752B-4141-4638-93CD-EDBA3440B541}.exe	98
PID 2528 wrote to memory of 4516	2528	{B86B752B-4141-4638-93CD-EDBA3440B541}.exe	98
PID 2528 wrote to memory of 4516	2528	{B86B752B-4141-4638-93CD-EDBA3440B541}.exe	98
PID 2528 wrote to memory of 3704	2528	{B86B752B-4141-4638-93CD-EDBA3440B541}.exe	99
PID 2528 wrote to memory of 3704	2528	{B86B752B-4141-4638-93CD-EDBA3440B541}.exe	99
PID 2528 wrote to memory of 3704	2528	{B86B752B-4141-4638-93CD-EDBA3440B541}.exe	99
PID 4516 wrote to memory of 1248	4516	{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe	100
PID 4516 wrote to memory of 1248	4516	{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe	100
PID 4516 wrote to memory of 1248	4516	{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe	100
PID 4516 wrote to memory of 2240	4516	{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe	101
PID 4516 wrote to memory of 2240	4516	{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe	101
PID 4516 wrote to memory of 2240	4516	{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe	101
PID 1248 wrote to memory of 4976	1248	{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe	102
PID 1248 wrote to memory of 4976	1248	{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe	102
PID 1248 wrote to memory of 4976	1248	{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe	102
PID 1248 wrote to memory of 4756	1248	{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe	103
PID 1248 wrote to memory of 4756	1248	{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe	103
PID 1248 wrote to memory of 4756	1248	{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe	103
PID 4976 wrote to memory of 5072	4976	{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe	104
PID 4976 wrote to memory of 5072	4976	{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe	104
PID 4976 wrote to memory of 5072	4976	{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe	104
PID 4976 wrote to memory of 4960	4976	{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe
  C:\Windows\{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe
    C:\Windows\{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1B910~1.EXE > nul
      4⤵
      PID:2260
  - - C:\Windows\{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe
      C:\Windows\{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Windows\{159E3247-5934-4958-B958-31348C038E82}.exe
        
        C:\Windows\{159E3247-5934-4958-B958-31348C038E82}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3444
      - C:\Windows\{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe
        
        C:\Windows\{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe
        
        C:\Windows\{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{B86B752B-4141-4638-93CD-EDBA3440B541}.exe
        
        C:\Windows\{B86B752B-4141-4638-93CD-EDBA3440B541}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe
        
        C:\Windows\{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe
        
        C:\Windows\{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe
        
        C:\Windows\{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\{A2F6208A-41AA-4f11-97C0-78B73DCC789F}.exe
        
        C:\Windows\{A2F6208A-41AA-4f11-97C0-78B73DCC789F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\{E05AAA4B-7A05-4859-A78B-D2B0E67BC556}.exe
        
        C:\Windows\{E05AAA4B-7A05-4859-A78B-D2B0E67BC556}.exe
        13⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2F62~1.EXE > nul
        13⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{679DD~1.EXE > nul
        12⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EAB2~1.EXE > nul
        11⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCFE1~1.EXE > nul
        10⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B86B7~1.EXE > nul
        9⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4990~1.EXE > nul
        8⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F428~1.EXE > nul
        7⤵
        
        PID:1156
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{159E3~1.EXE > nul
        6⤵
        
        PID:1168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18CF7~1.EXE > nul
        5⤵
        
        PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D5954~1.EXE > nul
    3⤵
    PID:4916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{159E3247-5934-4958-B958-31348C038E82}.exe

Filesize
408KB

MD5
b5162982da39b6b53a85f4d9d0253498

SHA1
895953bef208266ea9d3fed8dce11dab5172e09f

SHA256
fa3683fcffefa19171fc3b9e524af8b08a36c0acea844a283393b7f5266e4a52

SHA512
c3da157ec0a0c27d32b0ff624a0d04222f5dc2b1765046d8065f1641fda4c9288189a5e252559ca1a123ae6d051639ecccc8190a8f00b1d27ac09405eba19f2f

Download Submit
C:\Windows\{159E3247-5934-4958-B958-31348C038E82}.exe

Filesize
408KB

MD5
b5162982da39b6b53a85f4d9d0253498

SHA1
895953bef208266ea9d3fed8dce11dab5172e09f

SHA256
fa3683fcffefa19171fc3b9e524af8b08a36c0acea844a283393b7f5266e4a52

SHA512
c3da157ec0a0c27d32b0ff624a0d04222f5dc2b1765046d8065f1641fda4c9288189a5e252559ca1a123ae6d051639ecccc8190a8f00b1d27ac09405eba19f2f

Download Submit
C:\Windows\{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe

Filesize
408KB

MD5
1753c25e6aefdc1b73f4fa2f99751201

SHA1
fa550da883a35d62f8a58126f9170253c9a466d4

SHA256
2b6080a2acf051335a56b0c21ce528d06f36ed407cc295d13126a53bdf39c374

SHA512
d16923af6a3bc33fa98d8391efcd050d582a2f86ea5e40176b15dd836c9b2e18080d313aaee7430fde61a18f0843a6787eb13e8edeb1c268707cbee7a00a9142

Download Submit
C:\Windows\{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe

Filesize
408KB

MD5
1753c25e6aefdc1b73f4fa2f99751201

SHA1
fa550da883a35d62f8a58126f9170253c9a466d4

SHA256
2b6080a2acf051335a56b0c21ce528d06f36ed407cc295d13126a53bdf39c374

SHA512
d16923af6a3bc33fa98d8391efcd050d582a2f86ea5e40176b15dd836c9b2e18080d313aaee7430fde61a18f0843a6787eb13e8edeb1c268707cbee7a00a9142

Download Submit
C:\Windows\{18CF70AF-69C5-48fe-B9F7-293947EBB24E}.exe

Filesize
408KB

MD5
1753c25e6aefdc1b73f4fa2f99751201

SHA1
fa550da883a35d62f8a58126f9170253c9a466d4

SHA256
2b6080a2acf051335a56b0c21ce528d06f36ed407cc295d13126a53bdf39c374

SHA512
d16923af6a3bc33fa98d8391efcd050d582a2f86ea5e40176b15dd836c9b2e18080d313aaee7430fde61a18f0843a6787eb13e8edeb1c268707cbee7a00a9142

Download Submit
C:\Windows\{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe

Filesize
408KB

MD5
00801dc2fe201fc842cae6f009d03125

SHA1
860c92000bed3461be199b1baa6f7c0d7cbd5eee

SHA256
084916cddcfe8d86f52a73e41fd3ed5c775c147cc587e9d9d510ab259783ec6e

SHA512
765eb62e68b43cb759821f21004549d35a7830a9a7dd4ac9a9fb31e87f87df64191ab3a9bcf2d15e594a49ca48783b4bb23f4ff6f771250a4bc2aaed629e3e3d

Download Submit
C:\Windows\{1B910EEB-8AE4-483e-BAEB-A5CD5AD2490B}.exe

Filesize
408KB

MD5
00801dc2fe201fc842cae6f009d03125

SHA1
860c92000bed3461be199b1baa6f7c0d7cbd5eee

SHA256
084916cddcfe8d86f52a73e41fd3ed5c775c147cc587e9d9d510ab259783ec6e

SHA512
765eb62e68b43cb759821f21004549d35a7830a9a7dd4ac9a9fb31e87f87df64191ab3a9bcf2d15e594a49ca48783b4bb23f4ff6f771250a4bc2aaed629e3e3d

Download Submit
C:\Windows\{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe

Filesize
408KB

MD5
a01318d1ba38a677bf26ee074417746c

SHA1
7baf21f472847fa3b7c6b261b5e53ddd8025c870

SHA256
5ed6035ef9415acea3450f2e5066b4e0211dbd76c83362b60d6b5029de6102ce

SHA512
9b8dcb1a79ef6a3b3a1863c5004488da4dee24bc75fc11ab607463803593bf0a017eb96e131c6ecb59ca8dfe65903a01c11f546fa309b1d04210c1193457db2c

Download Submit
C:\Windows\{2F428C00-E67D-4d84-AF1F-8CEB5C948D1B}.exe

Filesize
408KB

MD5
a01318d1ba38a677bf26ee074417746c

SHA1
7baf21f472847fa3b7c6b261b5e53ddd8025c870

SHA256
5ed6035ef9415acea3450f2e5066b4e0211dbd76c83362b60d6b5029de6102ce

SHA512
9b8dcb1a79ef6a3b3a1863c5004488da4dee24bc75fc11ab607463803593bf0a017eb96e131c6ecb59ca8dfe65903a01c11f546fa309b1d04210c1193457db2c

Download Submit
C:\Windows\{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe

Filesize
408KB

MD5
7e7a2817757d29a3425c8b12e187b00b

SHA1
830f21c58b477bfd8a4ec5366420b27733dc8fcf

SHA256
49545cde94fff2d3230255b97a697ab42eef5ff0a1a716581b024c2e88340308

SHA512
25309ea0a44c5ee38a7ec94209f06e728c7ce7c748656bb77fb7f864ed83fcc17ef88dd69e8624da921e0c97f52e41539ae19f41f50c4ee5dba055da2cf5d81c

Download Submit
C:\Windows\{4EAB28ED-21FB-49ce-8CD7-1E238BCACE14}.exe

Filesize
408KB

MD5
7e7a2817757d29a3425c8b12e187b00b

SHA1
830f21c58b477bfd8a4ec5366420b27733dc8fcf

SHA256
49545cde94fff2d3230255b97a697ab42eef5ff0a1a716581b024c2e88340308

SHA512
25309ea0a44c5ee38a7ec94209f06e728c7ce7c748656bb77fb7f864ed83fcc17ef88dd69e8624da921e0c97f52e41539ae19f41f50c4ee5dba055da2cf5d81c

Download Submit
C:\Windows\{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe

Filesize
408KB

MD5
05eb14557fda00bd2216bb9b21d64229

SHA1
3528841727f6d701de5ba4e2a59b870b5d27a94d

SHA256
47d1f103f0f9814aba3b4e4c16493ae2ad6cd310ed8725de7afe515fae4f1856

SHA512
1793c533aa6e24ba6c4408f2e65eef907b3582cb6c5d905cb914313184d113e627cef6783a6e641edb1e44d55efd03b993539ead78a89b87ff546d8a656cbecc

Download Submit
C:\Windows\{679DD824-921B-4157-85E7-BE539F1ED7C7}.exe

Filesize
408KB

MD5
05eb14557fda00bd2216bb9b21d64229

SHA1
3528841727f6d701de5ba4e2a59b870b5d27a94d

SHA256
47d1f103f0f9814aba3b4e4c16493ae2ad6cd310ed8725de7afe515fae4f1856

SHA512
1793c533aa6e24ba6c4408f2e65eef907b3582cb6c5d905cb914313184d113e627cef6783a6e641edb1e44d55efd03b993539ead78a89b87ff546d8a656cbecc

Download Submit
C:\Windows\{A2F6208A-41AA-4f11-97C0-78B73DCC789F}.exe

Filesize
408KB

MD5
9e29a5b1bb616242f877b10f6aded79d

SHA1
191e367509d94a9b2c6c6131c32373668ae98f6a

SHA256
a39b5bc0d9f1eb0b51652e1d9b1c0ee349bbff4bfadf254f3fba6ce0fcc5306d

SHA512
5fbb15ec0c035d95b2fe7d8f78d54726c3752c3ff9ea706826b4614c4efa65c7283643f94e6eff800db1df0660867452a19fb8af4ec43db811044275c5296592

Download Submit
C:\Windows\{A2F6208A-41AA-4f11-97C0-78B73DCC789F}.exe

Filesize
408KB

MD5
9e29a5b1bb616242f877b10f6aded79d

SHA1
191e367509d94a9b2c6c6131c32373668ae98f6a

SHA256
a39b5bc0d9f1eb0b51652e1d9b1c0ee349bbff4bfadf254f3fba6ce0fcc5306d

SHA512
5fbb15ec0c035d95b2fe7d8f78d54726c3752c3ff9ea706826b4614c4efa65c7283643f94e6eff800db1df0660867452a19fb8af4ec43db811044275c5296592

Download Submit
C:\Windows\{B86B752B-4141-4638-93CD-EDBA3440B541}.exe

Filesize
408KB

MD5
06e059f2bd9f76f88b42d1a12cda0e19

SHA1
92bebccbda3a3cd5a8e60cdd94c4400276b0e486

SHA256
1a966b45ffa83f749c8a6b9fc5758bc98761acf18e3948c9777f1b34a89a1dfc

SHA512
bca5862a2c000cdeee7ce07d57d8c3ba2967a870cd6c74608ccc2f443b7ba1252eaafcc96d1827e63d23a9281845d3491f1ee10564a2808efc149168d4207c4f

Download Submit
C:\Windows\{B86B752B-4141-4638-93CD-EDBA3440B541}.exe

Filesize
408KB

MD5
06e059f2bd9f76f88b42d1a12cda0e19

SHA1
92bebccbda3a3cd5a8e60cdd94c4400276b0e486

SHA256
1a966b45ffa83f749c8a6b9fc5758bc98761acf18e3948c9777f1b34a89a1dfc

SHA512
bca5862a2c000cdeee7ce07d57d8c3ba2967a870cd6c74608ccc2f443b7ba1252eaafcc96d1827e63d23a9281845d3491f1ee10564a2808efc149168d4207c4f

Download Submit
C:\Windows\{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe

Filesize
408KB

MD5
f311a95356e38512c7f1a60a526dfba5

SHA1
a0e12da8435940eeca5df834f13a8c9eec08b53b

SHA256
926cb419bf30cef6252eaf893d53d88cc15975ce1266f2ce00c170e6ac73eab2

SHA512
65051865a27e07316a6a3adc79f22f403d0a33ec7be22399607056109c26f4a3e1422bb370e989663b3c76a15ff4282e93fe8e3c96b4ede49d4ea8babc0a8bb4

Download Submit
C:\Windows\{BCFE18CB-5935-49c3-9C7D-8C6ACECB6D38}.exe

Filesize
408KB

MD5
f311a95356e38512c7f1a60a526dfba5

SHA1
a0e12da8435940eeca5df834f13a8c9eec08b53b

SHA256
926cb419bf30cef6252eaf893d53d88cc15975ce1266f2ce00c170e6ac73eab2

SHA512
65051865a27e07316a6a3adc79f22f403d0a33ec7be22399607056109c26f4a3e1422bb370e989663b3c76a15ff4282e93fe8e3c96b4ede49d4ea8babc0a8bb4

Download Submit
C:\Windows\{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe

Filesize
408KB

MD5
c45f1756550ba4bcedbda9575f7a3f61

SHA1
912974d7485dc39baa02a96c25840c5503b2869d

SHA256
c94ff3734f13c63fb87f3c331154537372ca6804da67c6cd0199e195ef9657b1

SHA512
2659c0cf3226e60ed104d13ac362ff42db5c530e5202d5ed82392a0d97b5e0a29c59a326ee3864e15060dfb87c187ee21121adf173bf457e0d6caecf1bc2b97d

Download Submit
C:\Windows\{D4990219-8CB9-41f1-84BF-996E8D834CA6}.exe

Filesize
408KB

MD5
c45f1756550ba4bcedbda9575f7a3f61

SHA1
912974d7485dc39baa02a96c25840c5503b2869d

SHA256
c94ff3734f13c63fb87f3c331154537372ca6804da67c6cd0199e195ef9657b1

SHA512
2659c0cf3226e60ed104d13ac362ff42db5c530e5202d5ed82392a0d97b5e0a29c59a326ee3864e15060dfb87c187ee21121adf173bf457e0d6caecf1bc2b97d

Download Submit
C:\Windows\{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe

Filesize
408KB

MD5
be44b461ca53c5c07701a39d813076fe

SHA1
c78b2f3a069501631da2e70401a1b1d9e9295878

SHA256
fc5d682eaa390ffaab829998bff74d72093161eaadc30c3382ac952193bd68e5

SHA512
468806d9ae1401eaaaf709e9a8db81dca27a8cc0ce99cdf06118f379303150d1e2e1b0c298bb8c277f75d8b481018714a3623c1df5c5ba8bb7b96b877bcc6ca8

Download Submit
C:\Windows\{D59547F7-F697-4a4d-9F67-0A4453A8942A}.exe

Filesize
408KB

MD5
be44b461ca53c5c07701a39d813076fe

SHA1
c78b2f3a069501631da2e70401a1b1d9e9295878

SHA256
fc5d682eaa390ffaab829998bff74d72093161eaadc30c3382ac952193bd68e5

SHA512
468806d9ae1401eaaaf709e9a8db81dca27a8cc0ce99cdf06118f379303150d1e2e1b0c298bb8c277f75d8b481018714a3623c1df5c5ba8bb7b96b877bcc6ca8

Download Submit
C:\Windows\{E05AAA4B-7A05-4859-A78B-D2B0E67BC556}.exe

Filesize
408KB

MD5
12b745c0376b74308d5fee2a9acafeca

SHA1
53419a1a7952d7b7c23bfb0ec5099b4465622d69

SHA256
d2fcf93090e1580e8e7b6f242b2e4e398cc044e1ac2f34633efa7c4f9c7227f7

SHA512
98ae9d65e770be12dfa963cd636d41c4ce9585bd359c35a986b3547027df319ee9e2b5b39575b2b7ca13439c5b333c27e7c65515495ff15a4836e78e1dfc12a1

Download Submit
C:\Windows\{E05AAA4B-7A05-4859-A78B-D2B0E67BC556}.exe

Filesize
408KB

MD5
12b745c0376b74308d5fee2a9acafeca

SHA1
53419a1a7952d7b7c23bfb0ec5099b4465622d69

SHA256
d2fcf93090e1580e8e7b6f242b2e4e398cc044e1ac2f34633efa7c4f9c7227f7

SHA512
98ae9d65e770be12dfa963cd636d41c4ce9585bd359c35a986b3547027df319ee9e2b5b39575b2b7ca13439c5b333c27e7c65515495ff15a4836e78e1dfc12a1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads