c70f6bfe1ab21270b99bfe2e2b45d19961bd8815a1547f2af4f44fc181446699

Analysis

max time kernel
150s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe
Size

380KB
MD5

f48e0cd81aa9dca2437067d8b4b14e83
SHA1

7baf4335782a0f95787eb9119353fecc527ab0ab
SHA256

c70f6bfe1ab21270b99bfe2e2b45d19961bd8815a1547f2af4f44fc181446699
SHA512

2eaac94e313bc3628de02a59405475b2668e0f8808cdac71589412cf08ab99f2b4761d45af9e9e438f34cd369a5922e6f32a91f9d1864a110e1bcde4571d87d8
SSDEEP

3072:mEGh0oslPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGal7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}	{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D34050D9-262C-487f-9D24-E8FCDC88521D}	{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6111648-199F-4965-A7F9-7D21D95EC085}	{27296498-474A-418b-A37A-68B51D579D73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6111648-199F-4965-A7F9-7D21D95EC085}\stubpath = "C:\\Windows\\{A6111648-199F-4965-A7F9-7D21D95EC085}.exe"	{27296498-474A-418b-A37A-68B51D579D73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}\stubpath = "C:\\Windows\\{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe"	{A6111648-199F-4965-A7F9-7D21D95EC085}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAE6303E-B473-4293-BA49-37C64A10E7EA}\stubpath = "C:\\Windows\\{AAE6303E-B473-4293-BA49-37C64A10E7EA}.exe"	{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}	{5171966A-E33F-417e-88C6-B2162BCB5767}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}\stubpath = "C:\\Windows\\{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe"	{5171966A-E33F-417e-88C6-B2162BCB5767}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D80886B-9745-49e1-B3D3-4D7929BA6B16}	{AAE6303E-B473-4293-BA49-37C64A10E7EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D80886B-9745-49e1-B3D3-4D7929BA6B16}\stubpath = "C:\\Windows\\{2D80886B-9745-49e1-B3D3-4D7929BA6B16}.exe"	{AAE6303E-B473-4293-BA49-37C64A10E7EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27296498-474A-418b-A37A-68B51D579D73}	{0212913E-3F28-4f86-99E1-684425E1D03A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}\stubpath = "C:\\Windows\\{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe"	{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAFDF532-B85A-436f-9F75-177145BA8D27}	{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAFDF532-B85A-436f-9F75-177145BA8D27}\stubpath = "C:\\Windows\\{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe"	{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0212913E-3F28-4f86-99E1-684425E1D03A}	{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAE6303E-B473-4293-BA49-37C64A10E7EA}	{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5171966A-E33F-417e-88C6-B2162BCB5767}\stubpath = "C:\\Windows\\{5171966A-E33F-417e-88C6-B2162BCB5767}.exe"	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D34050D9-262C-487f-9D24-E8FCDC88521D}\stubpath = "C:\\Windows\\{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe"	{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27296498-474A-418b-A37A-68B51D579D73}\stubpath = "C:\\Windows\\{27296498-474A-418b-A37A-68B51D579D73}.exe"	{0212913E-3F28-4f86-99E1-684425E1D03A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}	{A6111648-199F-4965-A7F9-7D21D95EC085}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}	{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}\stubpath = "C:\\Windows\\{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe"	{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5171966A-E33F-417e-88C6-B2162BCB5767}	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0212913E-3F28-4f86-99E1-684425E1D03A}\stubpath = "C:\\Windows\\{0212913E-3F28-4f86-99E1-684425E1D03A}.exe"	{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe

Executes dropped EXE 11 IoCs

pid	Process
3460	{5171966A-E33F-417e-88C6-B2162BCB5767}.exe
3144	{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe
2096	{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe
408	{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe
1760	{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe
3616	{0212913E-3F28-4f86-99E1-684425E1D03A}.exe
2916	{27296498-474A-418b-A37A-68B51D579D73}.exe
2880	{A6111648-199F-4965-A7F9-7D21D95EC085}.exe
3728	{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe
3536	{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe
3368	{AAE6303E-B473-4293-BA49-37C64A10E7EA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe	{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe
File created	C:\Windows\{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe	{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe
File created	C:\Windows\{27296498-474A-418b-A37A-68B51D579D73}.exe	{0212913E-3F28-4f86-99E1-684425E1D03A}.exe
File created	C:\Windows\{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe	{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe
File created	C:\Windows\{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe	{5171966A-E33F-417e-88C6-B2162BCB5767}.exe
File created	C:\Windows\{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe	{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe
File created	C:\Windows\{0212913E-3F28-4f86-99E1-684425E1D03A}.exe	{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe
File created	C:\Windows\{A6111648-199F-4965-A7F9-7D21D95EC085}.exe	{27296498-474A-418b-A37A-68B51D579D73}.exe
File created	C:\Windows\{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe	{A6111648-199F-4965-A7F9-7D21D95EC085}.exe
File created	C:\Windows\{AAE6303E-B473-4293-BA49-37C64A10E7EA}.exe	{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe
File created	C:\Windows\{2D80886B-9745-49e1-B3D3-4D7929BA6B16}.exe	{AAE6303E-B473-4293-BA49-37C64A10E7EA}.exe
File created	C:\Windows\{5171966A-E33F-417e-88C6-B2162BCB5767}.exe	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4240	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3460	{5171966A-E33F-417e-88C6-B2162BCB5767}.exe
Token: SeIncBasePriorityPrivilege	3144	{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe
Token: SeIncBasePriorityPrivilege	2096	{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe
Token: SeIncBasePriorityPrivilege	408	{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe
Token: SeIncBasePriorityPrivilege	1760	{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe
Token: SeIncBasePriorityPrivilege	3616	{0212913E-3F28-4f86-99E1-684425E1D03A}.exe
Token: SeIncBasePriorityPrivilege	2916	{27296498-474A-418b-A37A-68B51D579D73}.exe
Token: SeIncBasePriorityPrivilege	2880	{A6111648-199F-4965-A7F9-7D21D95EC085}.exe
Token: SeIncBasePriorityPrivilege	3728	{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe
Token: SeIncBasePriorityPrivilege	3536	{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 3460	4240	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	94
PID 4240 wrote to memory of 3460	4240	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	94
PID 4240 wrote to memory of 3460	4240	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	94
PID 4240 wrote to memory of 1748	4240	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	95
PID 4240 wrote to memory of 1748	4240	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	95
PID 4240 wrote to memory of 1748	4240	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	95
PID 3460 wrote to memory of 3144	3460	{5171966A-E33F-417e-88C6-B2162BCB5767}.exe	97
PID 3460 wrote to memory of 3144	3460	{5171966A-E33F-417e-88C6-B2162BCB5767}.exe	97
PID 3460 wrote to memory of 3144	3460	{5171966A-E33F-417e-88C6-B2162BCB5767}.exe	97
PID 3460 wrote to memory of 4288	3460	{5171966A-E33F-417e-88C6-B2162BCB5767}.exe	98
PID 3460 wrote to memory of 4288	3460	{5171966A-E33F-417e-88C6-B2162BCB5767}.exe	98
PID 3460 wrote to memory of 4288	3460	{5171966A-E33F-417e-88C6-B2162BCB5767}.exe	98
PID 3144 wrote to memory of 2096	3144	{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe	103
PID 3144 wrote to memory of 2096	3144	{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe	103
PID 3144 wrote to memory of 2096	3144	{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe	103
PID 3144 wrote to memory of 2068	3144	{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe	104
PID 3144 wrote to memory of 2068	3144	{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe	104
PID 3144 wrote to memory of 2068	3144	{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe	104
PID 2096 wrote to memory of 408	2096	{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe	110
PID 2096 wrote to memory of 408	2096	{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe	110
PID 2096 wrote to memory of 408	2096	{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe	110
PID 2096 wrote to memory of 704	2096	{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe	111
PID 2096 wrote to memory of 704	2096	{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe	111
PID 2096 wrote to memory of 704	2096	{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe	111
PID 408 wrote to memory of 1760	408	{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe	112
PID 408 wrote to memory of 1760	408	{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe	112
PID 408 wrote to memory of 1760	408	{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe	112
PID 408 wrote to memory of 1788	408	{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe	113
PID 408 wrote to memory of 1788	408	{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe	113
PID 408 wrote to memory of 1788	408	{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe	113
PID 1760 wrote to memory of 3616	1760	{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe	114
PID 1760 wrote to memory of 3616	1760	{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe	114
PID 1760 wrote to memory of 3616	1760	{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe	114
PID 1760 wrote to memory of 2112	1760	{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe	115
PID 1760 wrote to memory of 2112	1760	{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe	115
PID 1760 wrote to memory of 2112	1760	{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe	115
PID 3616 wrote to memory of 2916	3616	{0212913E-3F28-4f86-99E1-684425E1D03A}.exe	117
PID 3616 wrote to memory of 2916	3616	{0212913E-3F28-4f86-99E1-684425E1D03A}.exe	117
PID 3616 wrote to memory of 2916	3616	{0212913E-3F28-4f86-99E1-684425E1D03A}.exe	117
PID 3616 wrote to memory of 3144	3616	{0212913E-3F28-4f86-99E1-684425E1D03A}.exe	118
PID 3616 wrote to memory of 3144	3616	{0212913E-3F28-4f86-99E1-684425E1D03A}.exe	118
PID 3616 wrote to memory of 3144	3616	{0212913E-3F28-4f86-99E1-684425E1D03A}.exe	118
PID 2916 wrote to memory of 2880	2916	{27296498-474A-418b-A37A-68B51D579D73}.exe	119
PID 2916 wrote to memory of 2880	2916	{27296498-474A-418b-A37A-68B51D579D73}.exe	119
PID 2916 wrote to memory of 2880	2916	{27296498-474A-418b-A37A-68B51D579D73}.exe	119
PID 2916 wrote to memory of 3992	2916	{27296498-474A-418b-A37A-68B51D579D73}.exe	120
PID 2916 wrote to memory of 3992	2916	{27296498-474A-418b-A37A-68B51D579D73}.exe	120
PID 2916 wrote to memory of 3992	2916	{27296498-474A-418b-A37A-68B51D579D73}.exe	120
PID 2880 wrote to memory of 3728	2880	{A6111648-199F-4965-A7F9-7D21D95EC085}.exe	121
PID 2880 wrote to memory of 3728	2880	{A6111648-199F-4965-A7F9-7D21D95EC085}.exe	121
PID 2880 wrote to memory of 3728	2880	{A6111648-199F-4965-A7F9-7D21D95EC085}.exe	121
PID 2880 wrote to memory of 4672	2880	{A6111648-199F-4965-A7F9-7D21D95EC085}.exe	122
PID 2880 wrote to memory of 4672	2880	{A6111648-199F-4965-A7F9-7D21D95EC085}.exe	122
PID 2880 wrote to memory of 4672	2880	{A6111648-199F-4965-A7F9-7D21D95EC085}.exe	122
PID 3728 wrote to memory of 3536	3728	{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe	123
PID 3728 wrote to memory of 3536	3728	{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe	123
PID 3728 wrote to memory of 3536	3728	{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe	123
PID 3728 wrote to memory of 4032	3728	{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe	124
PID 3728 wrote to memory of 4032	3728	{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe	124
PID 3728 wrote to memory of 4032	3728	{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe	124
PID 3536 wrote to memory of 3368	3536	{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe	125
PID 3536 wrote to memory of 3368	3536	{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe	125
PID 3536 wrote to memory of 3368	3536	{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe	125
PID 3536 wrote to memory of 4084	3536	{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe	126

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\{5171966A-E33F-417e-88C6-B2162BCB5767}.exe
  C:\Windows\{5171966A-E33F-417e-88C6-B2162BCB5767}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe
    C:\Windows\{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe
      C:\Windows\{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe
        
        C:\Windows\{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
      - C:\Windows\{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe
        
        C:\Windows\{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\{0212913E-3F28-4f86-99E1-684425E1D03A}.exe
        
        C:\Windows\{0212913E-3F28-4f86-99E1-684425E1D03A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\{27296498-474A-418b-A37A-68B51D579D73}.exe
        
        C:\Windows\{27296498-474A-418b-A37A-68B51D579D73}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{A6111648-199F-4965-A7F9-7D21D95EC085}.exe
        
        C:\Windows\{A6111648-199F-4965-A7F9-7D21D95EC085}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe
        
        C:\Windows\{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe
        
        C:\Windows\{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\{AAE6303E-B473-4293-BA49-37C64A10E7EA}.exe
        
        C:\Windows\{AAE6303E-B473-4293-BA49-37C64A10E7EA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91D81~1.EXE > nul
        12⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB0B4~1.EXE > nul
        11⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6111~1.EXE > nul
        10⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27296~1.EXE > nul
        9⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02129~1.EXE > nul
        8⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAFDF~1.EXE > nul
        7⤵
        
        PID:2112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3405~1.EXE > nul
        6⤵
        
        PID:1788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7640D~1.EXE > nul
        5⤵
        
        PID:704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75D8D~1.EXE > nul
      4⤵
      PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{51719~1.EXE > nul
    3⤵
    PID:4288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0212913E-3F28-4f86-99E1-684425E1D03A}.exe

Filesize
380KB

MD5
d8a37d493887d0118818abb121f71eb7

SHA1
7318063dd8fdb416852215a09734360cb2e03fe2

SHA256
7ece81d1136d4884774dd2193671c8cacabc25c4d8420a747890f68690e24f8f

SHA512
0e83ff4c535250016fb674263079f0cd37740385b2869e6458dae8b75e984251bcd6551deb0064a49f3c9339875e23fa2ea303188140ca60397cac19169b26a3

Download Submit
C:\Windows\{0212913E-3F28-4f86-99E1-684425E1D03A}.exe

Filesize
380KB

MD5
d8a37d493887d0118818abb121f71eb7

SHA1
7318063dd8fdb416852215a09734360cb2e03fe2

SHA256
7ece81d1136d4884774dd2193671c8cacabc25c4d8420a747890f68690e24f8f

SHA512
0e83ff4c535250016fb674263079f0cd37740385b2869e6458dae8b75e984251bcd6551deb0064a49f3c9339875e23fa2ea303188140ca60397cac19169b26a3

Download Submit
C:\Windows\{27296498-474A-418b-A37A-68B51D579D73}.exe

Filesize
380KB

MD5
1c0fcc18ba1078926a30e0b49a0dad05

SHA1
ed7baebce1c52ca64c688784ecb352d28adea423

SHA256
85d30973a3f2c9f3e9a78f635f8971c6cddc547e2b35dd37689d01baa297e232

SHA512
76ecba2f3ab189877c636652d813abb19bf987030fb3d60d78ca3962074b9ac9ce5173d32e6ccb9ff96e55f6ac0ba75db601a16d5b06e25d0716e2c6aebdb506

Download Submit
C:\Windows\{27296498-474A-418b-A37A-68B51D579D73}.exe

Filesize
380KB

MD5
1c0fcc18ba1078926a30e0b49a0dad05

SHA1
ed7baebce1c52ca64c688784ecb352d28adea423

SHA256
85d30973a3f2c9f3e9a78f635f8971c6cddc547e2b35dd37689d01baa297e232

SHA512
76ecba2f3ab189877c636652d813abb19bf987030fb3d60d78ca3962074b9ac9ce5173d32e6ccb9ff96e55f6ac0ba75db601a16d5b06e25d0716e2c6aebdb506

Download Submit
C:\Windows\{5171966A-E33F-417e-88C6-B2162BCB5767}.exe

Filesize
380KB

MD5
4b88fb81890cb80a8ec7b9f7d142b829

SHA1
0c43a667acb81839ea4a37a17678a5515d68d47d

SHA256
cadcab8f74ac4a4f20b6aef08809acedbb7dafaed7020b6b0c115a306df6ec35

SHA512
3327f9461696f14631fc27d74cd1a0d84434f9d47ad9e00380270242b0fef7319dbf718b425c27e9b705af5661978022c929287cf8fca17de6938a4631e53ca0

Download Submit
C:\Windows\{5171966A-E33F-417e-88C6-B2162BCB5767}.exe

Filesize
380KB

MD5
4b88fb81890cb80a8ec7b9f7d142b829

SHA1
0c43a667acb81839ea4a37a17678a5515d68d47d

SHA256
cadcab8f74ac4a4f20b6aef08809acedbb7dafaed7020b6b0c115a306df6ec35

SHA512
3327f9461696f14631fc27d74cd1a0d84434f9d47ad9e00380270242b0fef7319dbf718b425c27e9b705af5661978022c929287cf8fca17de6938a4631e53ca0

Download Submit
C:\Windows\{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe

Filesize
380KB

MD5
72033df599c10b21a177ac3afb16e6b6

SHA1
c1e8ed9bb94b1b46ca45f170764da13adec22f4d

SHA256
91b87bd89c11221f208d00ba56a973999720fe970642b6af11a3351cd62509f3

SHA512
c7c29e97182f229574d9a5ddb55b8b96ca49de944d3007fa8101b45cae33e3923e086c95752781519ed944fb59d815007e28f915c2f0abeea14c5d4edd6e3d0b

Download Submit
C:\Windows\{75D8D9E7-C5AF-4335-9A31-7281CB3D7429}.exe

Filesize
380KB

MD5
72033df599c10b21a177ac3afb16e6b6

SHA1
c1e8ed9bb94b1b46ca45f170764da13adec22f4d

SHA256
91b87bd89c11221f208d00ba56a973999720fe970642b6af11a3351cd62509f3

SHA512
c7c29e97182f229574d9a5ddb55b8b96ca49de944d3007fa8101b45cae33e3923e086c95752781519ed944fb59d815007e28f915c2f0abeea14c5d4edd6e3d0b

Download Submit
C:\Windows\{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe

Filesize
380KB

MD5
ff713f0d23df13cc109b10ac81f17af1

SHA1
d11883a03effa66def24f3592ca54201bbdd1ed4

SHA256
e9f33310d27697d16bab4db782865259723575f0368fb99c6d2bedf406900a82

SHA512
ffcd543cc4b0dd8e593fc29941a827f48e3bc43a00f68267562514759443cac041cf05558c414a0cde8bbb0bb9fdf0371a63e943b5ba3ab7fbca55f87152a6d9

Download Submit
C:\Windows\{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe

Filesize
380KB

MD5
ff713f0d23df13cc109b10ac81f17af1

SHA1
d11883a03effa66def24f3592ca54201bbdd1ed4

SHA256
e9f33310d27697d16bab4db782865259723575f0368fb99c6d2bedf406900a82

SHA512
ffcd543cc4b0dd8e593fc29941a827f48e3bc43a00f68267562514759443cac041cf05558c414a0cde8bbb0bb9fdf0371a63e943b5ba3ab7fbca55f87152a6d9

Download Submit
C:\Windows\{7640D1EF-92B8-4b3d-B0B3-B622B5654E8B}.exe

Filesize
380KB

MD5
ff713f0d23df13cc109b10ac81f17af1

SHA1
d11883a03effa66def24f3592ca54201bbdd1ed4

SHA256
e9f33310d27697d16bab4db782865259723575f0368fb99c6d2bedf406900a82

SHA512
ffcd543cc4b0dd8e593fc29941a827f48e3bc43a00f68267562514759443cac041cf05558c414a0cde8bbb0bb9fdf0371a63e943b5ba3ab7fbca55f87152a6d9

Download Submit
C:\Windows\{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe

Filesize
380KB

MD5
dc9caf1da4f71b7ece4595beaafef3cb

SHA1
07aff3f68a204a7b09eff903652e85ca5d23dae4

SHA256
34395c489e2a20cba8b7a8b318ccc8762187e3dec61638913238e7954bb46872

SHA512
1b5ca6402495af1e19ed7282c2a69bbaaa4d45261ce09ad28cc8e84e9918d4b63461afdfd042f6301024800c3ba5ddf5ece7e0c82ae53214daad952a085be202

Download Submit
C:\Windows\{91D8162E-BEEF-4afb-A791-AD3DC64B8BCB}.exe

Filesize
380KB

MD5
dc9caf1da4f71b7ece4595beaafef3cb

SHA1
07aff3f68a204a7b09eff903652e85ca5d23dae4

SHA256
34395c489e2a20cba8b7a8b318ccc8762187e3dec61638913238e7954bb46872

SHA512
1b5ca6402495af1e19ed7282c2a69bbaaa4d45261ce09ad28cc8e84e9918d4b63461afdfd042f6301024800c3ba5ddf5ece7e0c82ae53214daad952a085be202

Download Submit
C:\Windows\{A6111648-199F-4965-A7F9-7D21D95EC085}.exe

Filesize
380KB

MD5
e842c98d68f9e31183ea304435d28d55

SHA1
f75d255f5feaf12446a7333bca65d771c4e89889

SHA256
7d3284dd3e985bcf65b18a4564d1faa413b5807067e36f40243bc11bbe85d02b

SHA512
27cf8bcbd2cfb18f51ffc430d46517057997ec0a0ca8cd9a04ced983a6ff0bd9637febda8e8db981efaf528316d9113858bc1b758a1842a766bcc1a2110536cb

Download Submit
C:\Windows\{A6111648-199F-4965-A7F9-7D21D95EC085}.exe

Filesize
380KB

MD5
e842c98d68f9e31183ea304435d28d55

SHA1
f75d255f5feaf12446a7333bca65d771c4e89889

SHA256
7d3284dd3e985bcf65b18a4564d1faa413b5807067e36f40243bc11bbe85d02b

SHA512
27cf8bcbd2cfb18f51ffc430d46517057997ec0a0ca8cd9a04ced983a6ff0bd9637febda8e8db981efaf528316d9113858bc1b758a1842a766bcc1a2110536cb

Download Submit
C:\Windows\{AAE6303E-B473-4293-BA49-37C64A10E7EA}.exe

Filesize
380KB

MD5
14ea3cf448ee7d8187b131227a7f26af

SHA1
011413ac087d07e819c7cf9b6f2cb103633f1d23

SHA256
a44c9b8dbcea3abb526579fd7db6157c6a95d0c8f9759e241a3668c1c925b527

SHA512
49620f121e6a8ddaba892306d714de41c19be9279fefb5174319afcb6f9853cf18ee651f9ae8e397b82eb411abfb8065790a53775c4b8a6b036dec07bfa1450a

Download Submit
C:\Windows\{AAE6303E-B473-4293-BA49-37C64A10E7EA}.exe

Filesize
380KB

MD5
14ea3cf448ee7d8187b131227a7f26af

SHA1
011413ac087d07e819c7cf9b6f2cb103633f1d23

SHA256
a44c9b8dbcea3abb526579fd7db6157c6a95d0c8f9759e241a3668c1c925b527

SHA512
49620f121e6a8ddaba892306d714de41c19be9279fefb5174319afcb6f9853cf18ee651f9ae8e397b82eb411abfb8065790a53775c4b8a6b036dec07bfa1450a

Download Submit
C:\Windows\{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe

Filesize
380KB

MD5
33036ad558ab3924d356dfd49fc9a27b

SHA1
f85c9ae27750fe24d016fa25b5348309c85c4abf

SHA256
1119ab9065dbfdb29aa562cdeb2012625159d31676a2d47e0dd5481a6dcc83de

SHA512
ff9712a45f757ac76034dcb53797c2c45e3057930caf951021017ae7094dd08d84e2c1f8cf16be469ba3c2a834f37301e715d72f40945f61e6c3a233fb1d026a

Download Submit
C:\Windows\{CB0B4FCE-459E-46dc-BC7F-7D8BE212E34A}.exe

Filesize
380KB

MD5
33036ad558ab3924d356dfd49fc9a27b

SHA1
f85c9ae27750fe24d016fa25b5348309c85c4abf

SHA256
1119ab9065dbfdb29aa562cdeb2012625159d31676a2d47e0dd5481a6dcc83de

SHA512
ff9712a45f757ac76034dcb53797c2c45e3057930caf951021017ae7094dd08d84e2c1f8cf16be469ba3c2a834f37301e715d72f40945f61e6c3a233fb1d026a

Download Submit
C:\Windows\{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe

Filesize
380KB

MD5
97750139b0bb2999b4e35d6d4a4f7b4c

SHA1
d5a3e99cb205579bfacb0f7a5365d6d6635e849a

SHA256
4cb448cc62381a647eedd42028a34a8a24a255bf60240bc400dee90c86717a41

SHA512
dd7d36313af95e102ca44382d8de161fe996dc71972155b6eddab18ea7cc6fa58e1c88f4848fda70e37ed924ab6e0d8a712d32f4a430e03ef5b181fe375cae30

Download Submit
C:\Windows\{D34050D9-262C-487f-9D24-E8FCDC88521D}.exe

Filesize
380KB

MD5
97750139b0bb2999b4e35d6d4a4f7b4c

SHA1
d5a3e99cb205579bfacb0f7a5365d6d6635e849a

SHA256
4cb448cc62381a647eedd42028a34a8a24a255bf60240bc400dee90c86717a41

SHA512
dd7d36313af95e102ca44382d8de161fe996dc71972155b6eddab18ea7cc6fa58e1c88f4848fda70e37ed924ab6e0d8a712d32f4a430e03ef5b181fe375cae30

Download Submit
C:\Windows\{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe

Filesize
380KB

MD5
b6aebe345e444b7ef8d6a1c984cb662f

SHA1
e031fbaa79123022b1e66b356d3962f0cf1ee5a9

SHA256
b00772d4676aeaa9fac1d49449903730c3140897c367121a8c818b2e805c8f87

SHA512
42b7e0883f32a4262cb610d585244849ee0f322ad10a5c9ecfcfee268038848f6baf34f2b5fbf159817368ddf9c862560455fabf5bbf841684d5c797a28ad488

Download Submit
C:\Windows\{DAFDF532-B85A-436f-9F75-177145BA8D27}.exe

Filesize
380KB

MD5
b6aebe345e444b7ef8d6a1c984cb662f

SHA1
e031fbaa79123022b1e66b356d3962f0cf1ee5a9

SHA256
b00772d4676aeaa9fac1d49449903730c3140897c367121a8c818b2e805c8f87

SHA512
42b7e0883f32a4262cb610d585244849ee0f322ad10a5c9ecfcfee268038848f6baf34f2b5fbf159817368ddf9c862560455fabf5bbf841684d5c797a28ad488

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads