34be959ae71151965171b144e5a2c84bde60882b7df7de24643a96ca3d3b9c41

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 20:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-25_dc9bc9200fcd1115af2beffce6c0840c_goldeneye.exe
Size

408KB
MD5

dc9bc9200fcd1115af2beffce6c0840c
SHA1

ee780633077a14166fc9f4938537446c016dfdfd
SHA256

34be959ae71151965171b144e5a2c84bde60882b7df7de24643a96ca3d3b9c41
SHA512

2101cf3102976b860ae307a48fb50c0f18c3a108f46fcbd64456b634e8ebaa7a3a87caa4d0fc56e44395c8b4741e188b7b3d1c87e5186da00df010e8ddcfb41a
SSDEEP

3072:CEGh0oBl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}	{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40F49750-4F2D-4507-87C4-F2096EEF34D0}\stubpath = "C:\\Windows\\{40F49750-4F2D-4507-87C4-F2096EEF34D0}.exe"	{8AA51C1F-0820-4713-942E-569E45F65853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE49AD83-F776-4d30-8C26-0E6FB3E07874}	NEAS.2023-09-25_dc9bc9200fcd1115af2beffce6c0840c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}	{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}\stubpath = "C:\\Windows\\{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe"	{C048B838-2456-4581-8815-5E5682BE2122}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}	{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}\stubpath = "C:\\Windows\\{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe"	{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}	{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C518304-2C3E-4c81-AC39-80C619CC6096}	{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C518304-2C3E-4c81-AC39-80C619CC6096}\stubpath = "C:\\Windows\\{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe"	{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C048B838-2456-4581-8815-5E5682BE2122}\stubpath = "C:\\Windows\\{C048B838-2456-4581-8815-5E5682BE2122}.exe"	{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}	{C048B838-2456-4581-8815-5E5682BE2122}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C048B838-2456-4581-8815-5E5682BE2122}	{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}\stubpath = "C:\\Windows\\{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe"	{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1DA05F3-EC30-4134-B0CF-E59C5D117846}	{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1DA05F3-EC30-4134-B0CF-E59C5D117846}\stubpath = "C:\\Windows\\{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe"	{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE49AD83-F776-4d30-8C26-0E6FB3E07874}\stubpath = "C:\\Windows\\{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe"	NEAS.2023-09-25_dc9bc9200fcd1115af2beffce6c0840c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}\stubpath = "C:\\Windows\\{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe"	{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}\stubpath = "C:\\Windows\\{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe"	{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AA51C1F-0820-4713-942E-569E45F65853}	{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AA51C1F-0820-4713-942E-569E45F65853}\stubpath = "C:\\Windows\\{8AA51C1F-0820-4713-942E-569E45F65853}.exe"	{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40F49750-4F2D-4507-87C4-F2096EEF34D0}	{8AA51C1F-0820-4713-942E-569E45F65853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B98A7051-475D-4155-ADBB-3278CC4B7919}	{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B98A7051-475D-4155-ADBB-3278CC4B7919}\stubpath = "C:\\Windows\\{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe"	{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe

Executes dropped EXE 12 IoCs

pid	Process
1356	{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe
3172	{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe
4064	{C048B838-2456-4581-8815-5E5682BE2122}.exe
1640	{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe
1036	{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe
5088	{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe
228	{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe
1820	{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe
2396	{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe
4904	{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe
4968	{8AA51C1F-0820-4713-942E-569E45F65853}.exe
3544	{40F49750-4F2D-4507-87C4-F2096EEF34D0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe	{C048B838-2456-4581-8815-5E5682BE2122}.exe
File created	C:\Windows\{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe	{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe
File created	C:\Windows\{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe	{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe
File created	C:\Windows\{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe	{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe
File created	C:\Windows\{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe	{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe
File created	C:\Windows\{8AA51C1F-0820-4713-942E-569E45F65853}.exe	{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe
File created	C:\Windows\{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe	{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe
File created	C:\Windows\{C048B838-2456-4581-8815-5E5682BE2122}.exe	{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe
File created	C:\Windows\{40F49750-4F2D-4507-87C4-F2096EEF34D0}.exe	{8AA51C1F-0820-4713-942E-569E45F65853}.exe
File created	C:\Windows\{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe	{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe
File created	C:\Windows\{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe	NEAS.2023-09-25_dc9bc9200fcd1115af2beffce6c0840c_goldeneye.exe
File created	C:\Windows\{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe	{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3820	NEAS.2023-09-25_dc9bc9200fcd1115af2beffce6c0840c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1356	{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe
Token: SeIncBasePriorityPrivilege	3172	{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe
Token: SeIncBasePriorityPrivilege	4064	{C048B838-2456-4581-8815-5E5682BE2122}.exe
Token: SeIncBasePriorityPrivilege	1640	{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe
Token: SeIncBasePriorityPrivilege	1036	{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe
Token: SeIncBasePriorityPrivilege	5088	{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe
Token: SeIncBasePriorityPrivilege	228	{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe
Token: SeIncBasePriorityPrivilege	1820	{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe
Token: SeIncBasePriorityPrivilege	2396	{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe
Token: SeIncBasePriorityPrivilege	4904	{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe
Token: SeIncBasePriorityPrivilege	4968	{8AA51C1F-0820-4713-942E-569E45F65853}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 1356	3820	NEAS.2023-09-25_dc9bc9200fcd1115af2beffce6c0840c_goldeneye.exe	91
PID 3820 wrote to memory of 1356	3820	NEAS.2023-09-25_dc9bc9200fcd1115af2beffce6c0840c_goldeneye.exe	91
PID 3820 wrote to memory of 1356	3820	NEAS.2023-09-25_dc9bc9200fcd1115af2beffce6c0840c_goldeneye.exe	91
PID 3820 wrote to memory of 4728	3820	NEAS.2023-09-25_dc9bc9200fcd1115af2beffce6c0840c_goldeneye.exe	92
PID 3820 wrote to memory of 4728	3820	NEAS.2023-09-25_dc9bc9200fcd1115af2beffce6c0840c_goldeneye.exe	92
PID 3820 wrote to memory of 4728	3820	NEAS.2023-09-25_dc9bc9200fcd1115af2beffce6c0840c_goldeneye.exe	92
PID 1356 wrote to memory of 3172	1356	{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe	96
PID 1356 wrote to memory of 3172	1356	{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe	96
PID 1356 wrote to memory of 3172	1356	{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe	96
PID 1356 wrote to memory of 4092	1356	{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe	97
PID 1356 wrote to memory of 4092	1356	{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe	97
PID 1356 wrote to memory of 4092	1356	{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe	97
PID 3172 wrote to memory of 4064	3172	{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe	99
PID 3172 wrote to memory of 4064	3172	{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe	99
PID 3172 wrote to memory of 4064	3172	{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe	99
PID 3172 wrote to memory of 1788	3172	{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe	100
PID 3172 wrote to memory of 1788	3172	{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe	100
PID 3172 wrote to memory of 1788	3172	{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe	100
PID 4064 wrote to memory of 1640	4064	{C048B838-2456-4581-8815-5E5682BE2122}.exe	109
PID 4064 wrote to memory of 1640	4064	{C048B838-2456-4581-8815-5E5682BE2122}.exe	109
PID 4064 wrote to memory of 1640	4064	{C048B838-2456-4581-8815-5E5682BE2122}.exe	109
PID 4064 wrote to memory of 4548	4064	{C048B838-2456-4581-8815-5E5682BE2122}.exe	108
PID 4064 wrote to memory of 4548	4064	{C048B838-2456-4581-8815-5E5682BE2122}.exe	108
PID 4064 wrote to memory of 4548	4064	{C048B838-2456-4581-8815-5E5682BE2122}.exe	108
PID 1640 wrote to memory of 1036	1640	{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe	110
PID 1640 wrote to memory of 1036	1640	{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe	110
PID 1640 wrote to memory of 1036	1640	{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe	110
PID 1640 wrote to memory of 3716	1640	{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe	111
PID 1640 wrote to memory of 3716	1640	{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe	111
PID 1640 wrote to memory of 3716	1640	{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe	111
PID 1036 wrote to memory of 5088	1036	{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe	112
PID 1036 wrote to memory of 5088	1036	{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe	112
PID 1036 wrote to memory of 5088	1036	{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe	112
PID 1036 wrote to memory of 5008	1036	{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe	113
PID 1036 wrote to memory of 5008	1036	{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe	113
PID 1036 wrote to memory of 5008	1036	{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe	113
PID 5088 wrote to memory of 228	5088	{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe	115
PID 5088 wrote to memory of 228	5088	{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe	115
PID 5088 wrote to memory of 228	5088	{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe	115
PID 5088 wrote to memory of 1768	5088	{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe	116
PID 5088 wrote to memory of 1768	5088	{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe	116
PID 5088 wrote to memory of 1768	5088	{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe	116
PID 228 wrote to memory of 1820	228	{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe	117
PID 228 wrote to memory of 1820	228	{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe	117
PID 228 wrote to memory of 1820	228	{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe	117
PID 228 wrote to memory of 2004	228	{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe	118
PID 228 wrote to memory of 2004	228	{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe	118
PID 228 wrote to memory of 2004	228	{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe	118
PID 1820 wrote to memory of 2396	1820	{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe	119
PID 1820 wrote to memory of 2396	1820	{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe	119
PID 1820 wrote to memory of 2396	1820	{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe	119
PID 1820 wrote to memory of 1420	1820	{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe	120
PID 1820 wrote to memory of 1420	1820	{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe	120
PID 1820 wrote to memory of 1420	1820	{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe	120
PID 2396 wrote to memory of 4904	2396	{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe	121
PID 2396 wrote to memory of 4904	2396	{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe	121
PID 2396 wrote to memory of 4904	2396	{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe	121
PID 2396 wrote to memory of 3560	2396	{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe	122
PID 2396 wrote to memory of 3560	2396	{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe	122
PID 2396 wrote to memory of 3560	2396	{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe	122
PID 4904 wrote to memory of 4968	4904	{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe	123
PID 4904 wrote to memory of 4968	4904	{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe	123
PID 4904 wrote to memory of 4968	4904	{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe	123
PID 4904 wrote to memory of 4692	4904	{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe	124

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-25_dc9bc9200fcd1115af2beffce6c0840c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-25_dc9bc9200fcd1115af2beffce6c0840c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Windows\{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe
  C:\Windows\{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe
    C:\Windows\{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\{C048B838-2456-4581-8815-5E5682BE2122}.exe
      C:\Windows\{C048B838-2456-4581-8815-5E5682BE2122}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C048B~1.EXE > nul
        5⤵
        
        PID:4548
    - - C:\Windows\{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe
        
        C:\Windows\{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Windows\{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe
        
        C:\Windows\{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe
        
        C:\Windows\{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe
        
        C:\Windows\{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe
        
        C:\Windows\{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe
        
        C:\Windows\{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe
        
        C:\Windows\{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\{8AA51C1F-0820-4713-942E-569E45F65853}.exe
        
        C:\Windows\{8AA51C1F-0820-4713-942E-569E45F65853}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
        
        C:\Windows\{40F49750-4F2D-4507-87C4-F2096EEF34D0}.exe
        
        C:\Windows\{40F49750-4F2D-4507-87C4-F2096EEF34D0}.exe
        13⤵
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AA51~1.EXE > nul
        13⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1DA0~1.EXE > nul
        12⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C518~1.EXE > nul
        11⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7830~1.EXE > nul
        10⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C723D~1.EXE > nul
        9⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B98A7~1.EXE > nul
        8⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBEF0~1.EXE > nul
        7⤵
        
        PID:5008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B33AC~1.EXE > nul
        6⤵
        
        PID:3716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E315B~1.EXE > nul
      4⤵
      PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FE49A~1.EXE > nul
    3⤵
    PID:4092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe

Filesize
408KB

MD5
120c74ef03cbfb25fbbd356d42bd31a7

SHA1
d4b1bc81fbb2effc5af98c2a740916095d00b6c0

SHA256
3ed69b042007ef954df242521847b40c3efecf408baf88f55aa45def7ae742cb

SHA512
4ef52a70c668f8a72e9a4ac2238f9d8831e8e8bbdefde8baa79d6642a625d44c328e84e909d697ed8e5d4a6a06141bf78fd8f4cfe96578029896a7826b4761a6

Download Submit
C:\Windows\{1C518304-2C3E-4c81-AC39-80C619CC6096}.exe

Filesize
408KB

MD5
120c74ef03cbfb25fbbd356d42bd31a7

SHA1
d4b1bc81fbb2effc5af98c2a740916095d00b6c0

SHA256
3ed69b042007ef954df242521847b40c3efecf408baf88f55aa45def7ae742cb

SHA512
4ef52a70c668f8a72e9a4ac2238f9d8831e8e8bbdefde8baa79d6642a625d44c328e84e909d697ed8e5d4a6a06141bf78fd8f4cfe96578029896a7826b4761a6

Download Submit
C:\Windows\{40F49750-4F2D-4507-87C4-F2096EEF34D0}.exe

Filesize
408KB

MD5
c3be1eecbe32c6f35d2801a55c0dabb6

SHA1
c5af9b5751049b472d04fff35b7d140cdb4581e3

SHA256
50c98d9e37b9d0e11732cdaddfb806ee264c53100e746e9b6758b74e7d510d4d

SHA512
d5d29545595ecd05e6c7bd1f1b876ebe559c069843436aff18bccf41c90cc36285e49f309b6f902a1881a7db843250a3a51fc55e64dc48cd5fbc12982d9f7189

Download Submit
C:\Windows\{40F49750-4F2D-4507-87C4-F2096EEF34D0}.exe

Filesize
408KB

MD5
c3be1eecbe32c6f35d2801a55c0dabb6

SHA1
c5af9b5751049b472d04fff35b7d140cdb4581e3

SHA256
50c98d9e37b9d0e11732cdaddfb806ee264c53100e746e9b6758b74e7d510d4d

SHA512
d5d29545595ecd05e6c7bd1f1b876ebe559c069843436aff18bccf41c90cc36285e49f309b6f902a1881a7db843250a3a51fc55e64dc48cd5fbc12982d9f7189

Download Submit
C:\Windows\{8AA51C1F-0820-4713-942E-569E45F65853}.exe

Filesize
408KB

MD5
acfb95c674b5c3baef71eb246164adf2

SHA1
2f91ec9d46b424919de2739058dfbd389cc4fd16

SHA256
ed907bf7f9f9a5e6c1379f4072b928c4c344d46f8140686403f858c002b61c3f

SHA512
7dfa669207ec2f7887fa3360c7c53ac946777f9abee58176e247315fbcff6340f6d08ba4c917b1eabc305fc50c33489ea48f732f8c02d669526f55b7d30fb740

Download Submit
C:\Windows\{8AA51C1F-0820-4713-942E-569E45F65853}.exe

Filesize
408KB

MD5
acfb95c674b5c3baef71eb246164adf2

SHA1
2f91ec9d46b424919de2739058dfbd389cc4fd16

SHA256
ed907bf7f9f9a5e6c1379f4072b928c4c344d46f8140686403f858c002b61c3f

SHA512
7dfa669207ec2f7887fa3360c7c53ac946777f9abee58176e247315fbcff6340f6d08ba4c917b1eabc305fc50c33489ea48f732f8c02d669526f55b7d30fb740

Download Submit
C:\Windows\{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe

Filesize
408KB

MD5
999ff4d0c1a41a9fd636b7bfc1906561

SHA1
9ec45cc9f144477cd3f331b2114d693f507e8e2b

SHA256
fc55280ba2c996d882c129c639d58c486b97f628a4f6c72235d5c0d77fc803c7

SHA512
adb5b4bf164133131781147a3650c84ff91fa7f21b23da6d50b041c93916f36180e03c83e810357d0422ebc88b5d5018e782a1818044c968df14c8b84834dd61

Download Submit
C:\Windows\{B33AC112-07F5-4bf6-84B6-38AEA8B26C99}.exe

Filesize
408KB

MD5
999ff4d0c1a41a9fd636b7bfc1906561

SHA1
9ec45cc9f144477cd3f331b2114d693f507e8e2b

SHA256
fc55280ba2c996d882c129c639d58c486b97f628a4f6c72235d5c0d77fc803c7

SHA512
adb5b4bf164133131781147a3650c84ff91fa7f21b23da6d50b041c93916f36180e03c83e810357d0422ebc88b5d5018e782a1818044c968df14c8b84834dd61

Download Submit
C:\Windows\{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe

Filesize
408KB

MD5
f610d7d08fe7c04bdbc2c565bd4acf4c

SHA1
f30b1e696da085c0fbaf2deec048f82147a5b745

SHA256
bd099c43c38954d1b5aa33e91c026dfc89773c8358a5c85fc922f8a9cfcde282

SHA512
e021e5a1e759db65292a9d1b0cf8a0134caba20ba4e6bc240f3a4b77edb05785c23a549ff760bebe9e9615c2475707978c63a33581e702b9a557c6e62a99879b

Download Submit
C:\Windows\{B98A7051-475D-4155-ADBB-3278CC4B7919}.exe

Filesize
408KB

MD5
f610d7d08fe7c04bdbc2c565bd4acf4c

SHA1
f30b1e696da085c0fbaf2deec048f82147a5b745

SHA256
bd099c43c38954d1b5aa33e91c026dfc89773c8358a5c85fc922f8a9cfcde282

SHA512
e021e5a1e759db65292a9d1b0cf8a0134caba20ba4e6bc240f3a4b77edb05785c23a549ff760bebe9e9615c2475707978c63a33581e702b9a557c6e62a99879b

Download Submit
C:\Windows\{C048B838-2456-4581-8815-5E5682BE2122}.exe

Filesize
408KB

MD5
32f57b340acdebe9b7cce6cb72ee80ae

SHA1
c259b52219a7c8e65e271c1a60cbfed287c68bbf

SHA256
b8eeb6517c3704272e3da66d06f8b2e01cb1a8d8886da8c861dea56623e41c58

SHA512
ef45e24f6fa4355a3c3d7536220472eebb84bdcb971287ede7a010b63abe47fa7704dac66782224762d3b1c9096bd5487426dff2fff0e4cdf6dfc278590ae2a9

Download Submit
C:\Windows\{C048B838-2456-4581-8815-5E5682BE2122}.exe

Filesize
408KB

MD5
32f57b340acdebe9b7cce6cb72ee80ae

SHA1
c259b52219a7c8e65e271c1a60cbfed287c68bbf

SHA256
b8eeb6517c3704272e3da66d06f8b2e01cb1a8d8886da8c861dea56623e41c58

SHA512
ef45e24f6fa4355a3c3d7536220472eebb84bdcb971287ede7a010b63abe47fa7704dac66782224762d3b1c9096bd5487426dff2fff0e4cdf6dfc278590ae2a9

Download Submit
C:\Windows\{C048B838-2456-4581-8815-5E5682BE2122}.exe

Filesize
408KB

MD5
32f57b340acdebe9b7cce6cb72ee80ae

SHA1
c259b52219a7c8e65e271c1a60cbfed287c68bbf

SHA256
b8eeb6517c3704272e3da66d06f8b2e01cb1a8d8886da8c861dea56623e41c58

SHA512
ef45e24f6fa4355a3c3d7536220472eebb84bdcb971287ede7a010b63abe47fa7704dac66782224762d3b1c9096bd5487426dff2fff0e4cdf6dfc278590ae2a9

Download Submit
C:\Windows\{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe

Filesize
408KB

MD5
bc1c1d9ee5a34ccfba05781d11e5fa25

SHA1
3bc679f8fa64fc59bd6abfeb7746a7802a6a54fc

SHA256
d8c915dde7fccbd49e7110d977dc7ba69fb428e780213ffd1f3392eaeebbb485

SHA512
202feacb14b901c9ddc7d16ded2be7df302c050aba9ac59a8a55698fefeef7247493ded84e994e769a24666cc8497f8e6a5a28430c36490b566dbaceb76bafe4

Download Submit
C:\Windows\{C723D2A1-7CCA-4f78-A2CD-F6047B861D24}.exe

Filesize
408KB

MD5
bc1c1d9ee5a34ccfba05781d11e5fa25

SHA1
3bc679f8fa64fc59bd6abfeb7746a7802a6a54fc

SHA256
d8c915dde7fccbd49e7110d977dc7ba69fb428e780213ffd1f3392eaeebbb485

SHA512
202feacb14b901c9ddc7d16ded2be7df302c050aba9ac59a8a55698fefeef7247493ded84e994e769a24666cc8497f8e6a5a28430c36490b566dbaceb76bafe4

Download Submit
C:\Windows\{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe

Filesize
408KB

MD5
e1c074bcf4d3f4ce454a804e5ebd556f

SHA1
86b2b4b7a2ec66c060796ae6c45402b581b2c81a

SHA256
93adaaf9db4140178b892c22c89168ae4d2cf5071dfd03cce43ecbdba8a9ccc9

SHA512
886277de7383b6013183a86ad5ab1ecfcfa8b570eb60a6a1ed3b88a0f70abfca249592623186406830fdfcb2e35523462cec1928ebfe77f4e6f35844746069e1

Download Submit
C:\Windows\{C78309FB-0969-4626-B8EE-CF7D3BAD7B8A}.exe

Filesize
408KB

MD5
e1c074bcf4d3f4ce454a804e5ebd556f

SHA1
86b2b4b7a2ec66c060796ae6c45402b581b2c81a

SHA256
93adaaf9db4140178b892c22c89168ae4d2cf5071dfd03cce43ecbdba8a9ccc9

SHA512
886277de7383b6013183a86ad5ab1ecfcfa8b570eb60a6a1ed3b88a0f70abfca249592623186406830fdfcb2e35523462cec1928ebfe77f4e6f35844746069e1

Download Submit
C:\Windows\{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe

Filesize
408KB

MD5
91ce474e7016b7e43c265e616fe02b5f

SHA1
7db99a96ece7d331dd6b7b03d47a61845e39049e

SHA256
94a55f888c8c70668fe9af59acaac4775f54f91f221a9324262121ef64f96b89

SHA512
5d92e13be794ef2882dd142ba47b062a457a0d206c0aef1ed9a029716ac64f15b262d7cf390961a2bf7a49908d55ba7bce886cab4be1738f21d437d5212fadad

Download Submit
C:\Windows\{D1DA05F3-EC30-4134-B0CF-E59C5D117846}.exe

Filesize
408KB

MD5
91ce474e7016b7e43c265e616fe02b5f

SHA1
7db99a96ece7d331dd6b7b03d47a61845e39049e

SHA256
94a55f888c8c70668fe9af59acaac4775f54f91f221a9324262121ef64f96b89

SHA512
5d92e13be794ef2882dd142ba47b062a457a0d206c0aef1ed9a029716ac64f15b262d7cf390961a2bf7a49908d55ba7bce886cab4be1738f21d437d5212fadad

Download Submit
C:\Windows\{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe

Filesize
408KB

MD5
e2d858932c834c22ab1ca3a0a032a8b3

SHA1
c32ad78c24076bf3548737c78a1bcdb94936752e

SHA256
ec357803913c2722c709d30d67a8d5a86d4b4a5b7b97c14a0bff8e7dea2bb4dc

SHA512
ab338bcb4f22d5e4c280e0fb4bdf41cbc795ea3bc086957b23d9c267d776d8f325d65289fbc34741e2f2a3bf740327363a00f7742b36e58d56126c33a28df51b

Download Submit
C:\Windows\{DBEF0E3C-861A-424c-9B10-DA6BE36E04A1}.exe

Filesize
408KB

MD5
e2d858932c834c22ab1ca3a0a032a8b3

SHA1
c32ad78c24076bf3548737c78a1bcdb94936752e

SHA256
ec357803913c2722c709d30d67a8d5a86d4b4a5b7b97c14a0bff8e7dea2bb4dc

SHA512
ab338bcb4f22d5e4c280e0fb4bdf41cbc795ea3bc086957b23d9c267d776d8f325d65289fbc34741e2f2a3bf740327363a00f7742b36e58d56126c33a28df51b

Download Submit
C:\Windows\{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe

Filesize
408KB

MD5
7df3329fc5c616541843d200ecc6f6aa

SHA1
0760070289ffdc906a51127494c2f0760605931e

SHA256
44edd3996d3ba9f87bb011110faca2b61d48366fc493c7b96dd9236f5915b75b

SHA512
f1c80e8aa207b76908a9986d059e99159f3e68c475a28081a43cb9ace01a840825899d6cddcb444314a42a44099c1a226abe9d3ad6064a2352d7dea34a9453d6

Download Submit
C:\Windows\{E315BEBF-8258-42a1-8AF1-3FAF99D9EFC6}.exe

Filesize
408KB

MD5
7df3329fc5c616541843d200ecc6f6aa

SHA1
0760070289ffdc906a51127494c2f0760605931e

SHA256
44edd3996d3ba9f87bb011110faca2b61d48366fc493c7b96dd9236f5915b75b

SHA512
f1c80e8aa207b76908a9986d059e99159f3e68c475a28081a43cb9ace01a840825899d6cddcb444314a42a44099c1a226abe9d3ad6064a2352d7dea34a9453d6

Download Submit
C:\Windows\{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe

Filesize
408KB

MD5
6c912322b885119423f4726670948770

SHA1
b504de28e05f4e9bbea710d6d08e8897ae2077f4

SHA256
37f8738a834743c071a89357d4991312159b8635508b204e7810eb07bb31962b

SHA512
8db1b5aa3241aebc42d4f3fb6274fc53a5b96d9519fbecd5f676c915473ce8a337897473f6a8fc39e2c54d617ee4efd1409f09c08b4820ed140e5d973d404f30

Download Submit
C:\Windows\{FE49AD83-F776-4d30-8C26-0E6FB3E07874}.exe

Filesize
408KB

MD5
6c912322b885119423f4726670948770

SHA1
b504de28e05f4e9bbea710d6d08e8897ae2077f4

SHA256
37f8738a834743c071a89357d4991312159b8635508b204e7810eb07bb31962b

SHA512
8db1b5aa3241aebc42d4f3fb6274fc53a5b96d9519fbecd5f676c915473ce8a337897473f6a8fc39e2c54d617ee4efd1409f09c08b4820ed140e5d973d404f30

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads