cc635754814853b9e9384506eede4b83919929bc3104a6793f74c6f04401cef1

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2023 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe
Size

408KB
MD5

a67bae0884cf06d43ea8c9cafb4715e3
SHA1

8e0e4f18feb020117f2597f20fbdd477bcda3fec
SHA256

cc635754814853b9e9384506eede4b83919929bc3104a6793f74c6f04401cef1
SHA512

de06ff599b372b94a2f86e964f1b62901ac457ef2784de9c7e095075cff1935d72517fe6ae348f4e1582c55571277c9d84ad60ffdd59ab997643f046ae55e447
SSDEEP

3072:CEGh0oxl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGXldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60082796-F523-474d-843B-3C70F7112A01}	{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28C50C71-52F8-4413-AC03-45A9C1605AB6}\stubpath = "C:\\Windows\\{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe"	{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{016481A9-AF35-4309-9C85-79405B4048A6}	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{016481A9-AF35-4309-9C85-79405B4048A6}\stubpath = "C:\\Windows\\{016481A9-AF35-4309-9C85-79405B4048A6}.exe"	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3B214FD-C630-458c-BB80-730E25E94EB7}\stubpath = "C:\\Windows\\{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe"	{5F6BB720-99C8-4107-9D66-2117FA598450}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{220D20CF-1D50-4e59-881F-F8FE7AD9941D}	{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1741041B-32E2-4d45-9069-C3E9C074E307}	{016481A9-AF35-4309-9C85-79405B4048A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{220D20CF-1D50-4e59-881F-F8FE7AD9941D}\stubpath = "C:\\Windows\\{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe"	{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}	{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28C50C71-52F8-4413-AC03-45A9C1605AB6}	{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}	{60082796-F523-474d-843B-3C70F7112A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}\stubpath = "C:\\Windows\\{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe"	{60082796-F523-474d-843B-3C70F7112A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{739A3DA2-72E1-4bfc-BBC3-2AD36CE2C099}\stubpath = "C:\\Windows\\{739A3DA2-72E1-4bfc-BBC3-2AD36CE2C099}.exe"	{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{970727A2-6527-42b5-BAF6-8B2FDA2E5E61}	{739A3DA2-72E1-4bfc-BBC3-2AD36CE2C099}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F6BB720-99C8-4107-9D66-2117FA598450}\stubpath = "C:\\Windows\\{5F6BB720-99C8-4107-9D66-2117FA598450}.exe"	{1741041B-32E2-4d45-9069-C3E9C074E307}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}\stubpath = "C:\\Windows\\{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe"	{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}	{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60082796-F523-474d-843B-3C70F7112A01}\stubpath = "C:\\Windows\\{60082796-F523-474d-843B-3C70F7112A01}.exe"	{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{739A3DA2-72E1-4bfc-BBC3-2AD36CE2C099}	{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{970727A2-6527-42b5-BAF6-8B2FDA2E5E61}\stubpath = "C:\\Windows\\{970727A2-6527-42b5-BAF6-8B2FDA2E5E61}.exe"	{739A3DA2-72E1-4bfc-BBC3-2AD36CE2C099}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1741041B-32E2-4d45-9069-C3E9C074E307}\stubpath = "C:\\Windows\\{1741041B-32E2-4d45-9069-C3E9C074E307}.exe"	{016481A9-AF35-4309-9C85-79405B4048A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F6BB720-99C8-4107-9D66-2117FA598450}	{1741041B-32E2-4d45-9069-C3E9C074E307}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3B214FD-C630-458c-BB80-730E25E94EB7}	{5F6BB720-99C8-4107-9D66-2117FA598450}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}\stubpath = "C:\\Windows\\{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe"	{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe

Executes dropped EXE 12 IoCs

pid	Process
1320	{016481A9-AF35-4309-9C85-79405B4048A6}.exe
4212	{1741041B-32E2-4d45-9069-C3E9C074E307}.exe
4112	{5F6BB720-99C8-4107-9D66-2117FA598450}.exe
2652	{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe
5116	{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe
4048	{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe
2108	{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe
1340	{60082796-F523-474d-843B-3C70F7112A01}.exe
1080	{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe
4016	{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe
2480	{739A3DA2-72E1-4bfc-BBC3-2AD36CE2C099}.exe
4172	{970727A2-6527-42b5-BAF6-8B2FDA2E5E61}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe	{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe
File created	C:\Windows\{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe	{60082796-F523-474d-843B-3C70F7112A01}.exe
File created	C:\Windows\{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe	{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe
File created	C:\Windows\{016481A9-AF35-4309-9C85-79405B4048A6}.exe	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe
File created	C:\Windows\{1741041B-32E2-4d45-9069-C3E9C074E307}.exe	{016481A9-AF35-4309-9C85-79405B4048A6}.exe
File created	C:\Windows\{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe	{5F6BB720-99C8-4107-9D66-2117FA598450}.exe
File created	C:\Windows\{60082796-F523-474d-843B-3C70F7112A01}.exe	{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe
File created	C:\Windows\{739A3DA2-72E1-4bfc-BBC3-2AD36CE2C099}.exe	{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe
File created	C:\Windows\{970727A2-6527-42b5-BAF6-8B2FDA2E5E61}.exe	{739A3DA2-72E1-4bfc-BBC3-2AD36CE2C099}.exe
File created	C:\Windows\{5F6BB720-99C8-4107-9D66-2117FA598450}.exe	{1741041B-32E2-4d45-9069-C3E9C074E307}.exe
File created	C:\Windows\{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe	{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe
File created	C:\Windows\{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe	{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4808	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1320	{016481A9-AF35-4309-9C85-79405B4048A6}.exe
Token: SeIncBasePriorityPrivilege	4212	{1741041B-32E2-4d45-9069-C3E9C074E307}.exe
Token: SeIncBasePriorityPrivilege	4112	{5F6BB720-99C8-4107-9D66-2117FA598450}.exe
Token: SeIncBasePriorityPrivilege	2652	{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe
Token: SeIncBasePriorityPrivilege	5116	{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe
Token: SeIncBasePriorityPrivilege	4048	{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe
Token: SeIncBasePriorityPrivilege	2108	{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe
Token: SeIncBasePriorityPrivilege	1340	{60082796-F523-474d-843B-3C70F7112A01}.exe
Token: SeIncBasePriorityPrivilege	1080	{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe
Token: SeIncBasePriorityPrivilege	4016	{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe
Token: SeIncBasePriorityPrivilege	2480	{739A3DA2-72E1-4bfc-BBC3-2AD36CE2C099}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1320	4808	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	87
PID 4808 wrote to memory of 1320	4808	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	87
PID 4808 wrote to memory of 1320	4808	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	87
PID 4808 wrote to memory of 1308	4808	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	88
PID 4808 wrote to memory of 1308	4808	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	88
PID 4808 wrote to memory of 1308	4808	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	88
PID 1320 wrote to memory of 4212	1320	{016481A9-AF35-4309-9C85-79405B4048A6}.exe	91
PID 1320 wrote to memory of 4212	1320	{016481A9-AF35-4309-9C85-79405B4048A6}.exe	91
PID 1320 wrote to memory of 4212	1320	{016481A9-AF35-4309-9C85-79405B4048A6}.exe	91
PID 1320 wrote to memory of 2468	1320	{016481A9-AF35-4309-9C85-79405B4048A6}.exe	92
PID 1320 wrote to memory of 2468	1320	{016481A9-AF35-4309-9C85-79405B4048A6}.exe	92
PID 1320 wrote to memory of 2468	1320	{016481A9-AF35-4309-9C85-79405B4048A6}.exe	92
PID 4212 wrote to memory of 4112	4212	{1741041B-32E2-4d45-9069-C3E9C074E307}.exe	95
PID 4212 wrote to memory of 4112	4212	{1741041B-32E2-4d45-9069-C3E9C074E307}.exe	95
PID 4212 wrote to memory of 4112	4212	{1741041B-32E2-4d45-9069-C3E9C074E307}.exe	95
PID 4212 wrote to memory of 3516	4212	{1741041B-32E2-4d45-9069-C3E9C074E307}.exe	94
PID 4212 wrote to memory of 3516	4212	{1741041B-32E2-4d45-9069-C3E9C074E307}.exe	94
PID 4212 wrote to memory of 3516	4212	{1741041B-32E2-4d45-9069-C3E9C074E307}.exe	94
PID 4112 wrote to memory of 2652	4112	{5F6BB720-99C8-4107-9D66-2117FA598450}.exe	96
PID 4112 wrote to memory of 2652	4112	{5F6BB720-99C8-4107-9D66-2117FA598450}.exe	96
PID 4112 wrote to memory of 2652	4112	{5F6BB720-99C8-4107-9D66-2117FA598450}.exe	96
PID 4112 wrote to memory of 3676	4112	{5F6BB720-99C8-4107-9D66-2117FA598450}.exe	97
PID 4112 wrote to memory of 3676	4112	{5F6BB720-99C8-4107-9D66-2117FA598450}.exe	97
PID 4112 wrote to memory of 3676	4112	{5F6BB720-99C8-4107-9D66-2117FA598450}.exe	97
PID 2652 wrote to memory of 5116	2652	{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe	98
PID 2652 wrote to memory of 5116	2652	{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe	98
PID 2652 wrote to memory of 5116	2652	{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe	98
PID 2652 wrote to memory of 2024	2652	{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe	99
PID 2652 wrote to memory of 2024	2652	{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe	99
PID 2652 wrote to memory of 2024	2652	{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe	99
PID 5116 wrote to memory of 4048	5116	{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe	100
PID 5116 wrote to memory of 4048	5116	{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe	100
PID 5116 wrote to memory of 4048	5116	{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe	100
PID 5116 wrote to memory of 4892	5116	{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe	101
PID 5116 wrote to memory of 4892	5116	{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe	101
PID 5116 wrote to memory of 4892	5116	{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe	101
PID 4048 wrote to memory of 2108	4048	{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe	102
PID 4048 wrote to memory of 2108	4048	{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe	102
PID 4048 wrote to memory of 2108	4048	{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe	102
PID 4048 wrote to memory of 4080	4048	{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe	103
PID 4048 wrote to memory of 4080	4048	{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe	103
PID 4048 wrote to memory of 4080	4048	{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe	103
PID 2108 wrote to memory of 1340	2108	{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe	104
PID 2108 wrote to memory of 1340	2108	{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe	104
PID 2108 wrote to memory of 1340	2108	{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe	104
PID 2108 wrote to memory of 3452	2108	{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe	105
PID 2108 wrote to memory of 3452	2108	{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe	105
PID 2108 wrote to memory of 3452	2108	{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe	105
PID 1340 wrote to memory of 1080	1340	{60082796-F523-474d-843B-3C70F7112A01}.exe	106
PID 1340 wrote to memory of 1080	1340	{60082796-F523-474d-843B-3C70F7112A01}.exe	106
PID 1340 wrote to memory of 1080	1340	{60082796-F523-474d-843B-3C70F7112A01}.exe	106
PID 1340 wrote to memory of 4120	1340	{60082796-F523-474d-843B-3C70F7112A01}.exe	107
PID 1340 wrote to memory of 4120	1340	{60082796-F523-474d-843B-3C70F7112A01}.exe	107
PID 1340 wrote to memory of 4120	1340	{60082796-F523-474d-843B-3C70F7112A01}.exe	107
PID 1080 wrote to memory of 4016	1080	{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe	108
PID 1080 wrote to memory of 4016	1080	{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe	108
PID 1080 wrote to memory of 4016	1080	{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe	108
PID 1080 wrote to memory of 4528	1080	{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe	109
PID 1080 wrote to memory of 4528	1080	{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe	109
PID 1080 wrote to memory of 4528	1080	{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe	109
PID 4016 wrote to memory of 2480	4016	{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe	110
PID 4016 wrote to memory of 2480	4016	{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe	110
PID 4016 wrote to memory of 2480	4016	{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe	110
PID 4016 wrote to memory of 3228	4016	{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe	111

C:\Users\Admin\AppData\Local\Temp\a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\{016481A9-AF35-4309-9C85-79405B4048A6}.exe
  C:\Windows\{016481A9-AF35-4309-9C85-79405B4048A6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\{1741041B-32E2-4d45-9069-C3E9C074E307}.exe
    C:\Windows\{1741041B-32E2-4d45-9069-C3E9C074E307}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{17410~1.EXE > nul
      4⤵
      PID:3516
  - - C:\Windows\{5F6BB720-99C8-4107-9D66-2117FA598450}.exe
      C:\Windows\{5F6BB720-99C8-4107-9D66-2117FA598450}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe
        
        C:\Windows\{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe
        
        C:\Windows\{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe
        
        C:\Windows\{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe
        
        C:\Windows\{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{60082796-F523-474d-843B-3C70F7112A01}.exe
        
        C:\Windows\{60082796-F523-474d-843B-3C70F7112A01}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe
        
        C:\Windows\{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe
        
        C:\Windows\{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\{739A3DA2-72E1-4bfc-BBC3-2AD36CE2C099}.exe
        
        C:\Windows\{739A3DA2-72E1-4bfc-BBC3-2AD36CE2C099}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\{970727A2-6527-42b5-BAF6-8B2FDA2E5E61}.exe
        
        C:\Windows\{970727A2-6527-42b5-BAF6-8B2FDA2E5E61}.exe
        13⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{739A3~1.EXE > nul
        13⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28C50~1.EXE > nul
        12⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E90C~1.EXE > nul
        11⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60082~1.EXE > nul
        10⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B75C3~1.EXE > nul
        9⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF88F~1.EXE > nul
        8⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{220D2~1.EXE > nul
        7⤵
        
        PID:4892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3B21~1.EXE > nul
        6⤵
        
        PID:2024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F6BB~1.EXE > nul
        5⤵
        
        PID:3676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{01648~1.EXE > nul
    3⤵
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A67BAE~1.EXE > nul
  2⤵
  PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{016481A9-AF35-4309-9C85-79405B4048A6}.exe

Filesize
408KB

MD5
e6e4b0045afd271f90f73a782e0d9bb1

SHA1
292c17aa15861df57c1233f8cf6ec5d835a4c36f

SHA256
b3fbb4662ef72447cfafab21938b7acc347ef04cbb1af172397076f044ef11b0

SHA512
a58cde9d0e5f41ed5997adad1adeee832ab8ae5ed79140e1979035d90da9c18bb60e7f1308f838449e6d2bad41c296cea2afeafdc0b006c90d0f8465aa13c98f

Download Submit
C:\Windows\{016481A9-AF35-4309-9C85-79405B4048A6}.exe

Filesize
408KB

MD5
e6e4b0045afd271f90f73a782e0d9bb1

SHA1
292c17aa15861df57c1233f8cf6ec5d835a4c36f

SHA256
b3fbb4662ef72447cfafab21938b7acc347ef04cbb1af172397076f044ef11b0

SHA512
a58cde9d0e5f41ed5997adad1adeee832ab8ae5ed79140e1979035d90da9c18bb60e7f1308f838449e6d2bad41c296cea2afeafdc0b006c90d0f8465aa13c98f

Download Submit
C:\Windows\{1741041B-32E2-4d45-9069-C3E9C074E307}.exe

Filesize
408KB

MD5
9e3528d844d3213ba19626365ac96df4

SHA1
2d53c2be2540d0afccc2d65fd5f785837350f685

SHA256
ddf3a941d7a532622edc022e14348da4a7866a08976047e25d2b297a0bb2a1a8

SHA512
4f5545ac3f3ea4f7968517e9d1f8aa8bea35c3dd46653899d6921283430205462e144108f08dd30060b6f7383d729c157fc3941799597b0a3045959bd5bd21b0

Download Submit
C:\Windows\{1741041B-32E2-4d45-9069-C3E9C074E307}.exe

Filesize
408KB

MD5
9e3528d844d3213ba19626365ac96df4

SHA1
2d53c2be2540d0afccc2d65fd5f785837350f685

SHA256
ddf3a941d7a532622edc022e14348da4a7866a08976047e25d2b297a0bb2a1a8

SHA512
4f5545ac3f3ea4f7968517e9d1f8aa8bea35c3dd46653899d6921283430205462e144108f08dd30060b6f7383d729c157fc3941799597b0a3045959bd5bd21b0

Download Submit
C:\Windows\{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe

Filesize
408KB

MD5
2ab91f5d8b96f633781fac9c4b2cb3fd

SHA1
1a233c23510598e386633d41808411e3a533fce7

SHA256
aecaa7babbe628b1a5c9141abf05ccd6b78e684597378a2a99c0ec3da681b9cd

SHA512
104e5f750288ee7b285a440ad12d2465e611f1588de65272e27002da28e11911750b01739123f7c03fb34e5c012ed4d2a4eb13dd4f4c7e1827fbc6f2790806e5

Download Submit
C:\Windows\{220D20CF-1D50-4e59-881F-F8FE7AD9941D}.exe

Filesize
408KB

MD5
2ab91f5d8b96f633781fac9c4b2cb3fd

SHA1
1a233c23510598e386633d41808411e3a533fce7

SHA256
aecaa7babbe628b1a5c9141abf05ccd6b78e684597378a2a99c0ec3da681b9cd

SHA512
104e5f750288ee7b285a440ad12d2465e611f1588de65272e27002da28e11911750b01739123f7c03fb34e5c012ed4d2a4eb13dd4f4c7e1827fbc6f2790806e5

Download Submit
C:\Windows\{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe

Filesize
408KB

MD5
d2d73c2156378f59665eb0be02274a5e

SHA1
f029b1e5e16cdfe050a656846734ca0957c97237

SHA256
696d89ddc368d52fd78adfe0f055006b9079929286058493206478e6e2bf0015

SHA512
bbc88836adc277c2d8f3622197ba9252e46925ded13ed4ab9fa318550d5a5bb92790e0ca3c7e456030ae63d47db2735a20a6341c7534013a13ce2c974dda717f

Download Submit
C:\Windows\{28C50C71-52F8-4413-AC03-45A9C1605AB6}.exe

Filesize
408KB

MD5
d2d73c2156378f59665eb0be02274a5e

SHA1
f029b1e5e16cdfe050a656846734ca0957c97237

SHA256
696d89ddc368d52fd78adfe0f055006b9079929286058493206478e6e2bf0015

SHA512
bbc88836adc277c2d8f3622197ba9252e46925ded13ed4ab9fa318550d5a5bb92790e0ca3c7e456030ae63d47db2735a20a6341c7534013a13ce2c974dda717f

Download Submit
C:\Windows\{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe

Filesize
408KB

MD5
1180291ec112342101070b26141742eb

SHA1
18ad7fa7639ebae82328e7f0469c163424306203

SHA256
6c8e291ad2d90e976ef1c28d61dbb2d7f02781f4ef932cde6c21c924dc22e987

SHA512
f8e7392e2ca2aa5cd48ac0c21a809d7cbacabf40d2bf4065968a286c9e1f9be986919d84f1533d16a8dfc44f4e43e604ddde8cd2244b0712352efc1c6711a38f

Download Submit
C:\Windows\{5E90C9BF-2148-4c98-BFF1-8ADF3F639023}.exe

Filesize
408KB

MD5
1180291ec112342101070b26141742eb

SHA1
18ad7fa7639ebae82328e7f0469c163424306203

SHA256
6c8e291ad2d90e976ef1c28d61dbb2d7f02781f4ef932cde6c21c924dc22e987

SHA512
f8e7392e2ca2aa5cd48ac0c21a809d7cbacabf40d2bf4065968a286c9e1f9be986919d84f1533d16a8dfc44f4e43e604ddde8cd2244b0712352efc1c6711a38f

Download Submit
C:\Windows\{5F6BB720-99C8-4107-9D66-2117FA598450}.exe

Filesize
408KB

MD5
6c58b6b6a9d12776362b36f9c1a5e457

SHA1
dd3499b8bb10139af33a886d6c9ab77cb4e6456c

SHA256
7e4e50ef6defc8ae29868495be76d47bf355e23ad15bd5c719a71d65c82e7370

SHA512
5e601302f46535cfec12d9f20d7e7a23316e83ed0fe42e29c249e3c502eda5e5e4d8828f479bece842d98248f39e89fdb3762ae67a7f02c678969e61022e2cec

Download Submit
C:\Windows\{5F6BB720-99C8-4107-9D66-2117FA598450}.exe

Filesize
408KB

MD5
6c58b6b6a9d12776362b36f9c1a5e457

SHA1
dd3499b8bb10139af33a886d6c9ab77cb4e6456c

SHA256
7e4e50ef6defc8ae29868495be76d47bf355e23ad15bd5c719a71d65c82e7370

SHA512
5e601302f46535cfec12d9f20d7e7a23316e83ed0fe42e29c249e3c502eda5e5e4d8828f479bece842d98248f39e89fdb3762ae67a7f02c678969e61022e2cec

Download Submit
C:\Windows\{5F6BB720-99C8-4107-9D66-2117FA598450}.exe

Filesize
408KB

MD5
6c58b6b6a9d12776362b36f9c1a5e457

SHA1
dd3499b8bb10139af33a886d6c9ab77cb4e6456c

SHA256
7e4e50ef6defc8ae29868495be76d47bf355e23ad15bd5c719a71d65c82e7370

SHA512
5e601302f46535cfec12d9f20d7e7a23316e83ed0fe42e29c249e3c502eda5e5e4d8828f479bece842d98248f39e89fdb3762ae67a7f02c678969e61022e2cec

Download Submit
C:\Windows\{60082796-F523-474d-843B-3C70F7112A01}.exe

Filesize
408KB

MD5
7d12c4f4ae16a9cc763123ee1ce33ea9

SHA1
edbc25862c7b54412de3f6827d593039bbedefe8

SHA256
4eedef5236d53e8331a7b3657385ffe283cb870a4ec7eedefc86381cd85dc574

SHA512
e38bc4ca8a9b1b98787429cc370936b079bc29975b3bbea5a50807390b232d4f8bf20e94847c9e369b9c928fbf9ee63f5e43f992e5490ad760c271d7c17569e3

Download Submit
C:\Windows\{60082796-F523-474d-843B-3C70F7112A01}.exe

Filesize
408KB

MD5
7d12c4f4ae16a9cc763123ee1ce33ea9

SHA1
edbc25862c7b54412de3f6827d593039bbedefe8

SHA256
4eedef5236d53e8331a7b3657385ffe283cb870a4ec7eedefc86381cd85dc574

SHA512
e38bc4ca8a9b1b98787429cc370936b079bc29975b3bbea5a50807390b232d4f8bf20e94847c9e369b9c928fbf9ee63f5e43f992e5490ad760c271d7c17569e3

Download Submit
C:\Windows\{739A3DA2-72E1-4bfc-BBC3-2AD36CE2C099}.exe

Filesize
408KB

MD5
1de095eea6dfb44c6060013fc17216b1

SHA1
90586936598d64a069902c57e26608c16a1ccebc

SHA256
6d461487665924d8ac6e567178d0f1fb9dc39bba62edc04ea67f94d2d06ebac0

SHA512
4e5037f6d5069288430cb5eab8985da96b43b341a20c7542f62066862bd5c42bdaf3d98cb39b6b45575e792809eab7af42984b743cc81baf2da7a8ddff814871

Download Submit
C:\Windows\{739A3DA2-72E1-4bfc-BBC3-2AD36CE2C099}.exe

Filesize
408KB

MD5
1de095eea6dfb44c6060013fc17216b1

SHA1
90586936598d64a069902c57e26608c16a1ccebc

SHA256
6d461487665924d8ac6e567178d0f1fb9dc39bba62edc04ea67f94d2d06ebac0

SHA512
4e5037f6d5069288430cb5eab8985da96b43b341a20c7542f62066862bd5c42bdaf3d98cb39b6b45575e792809eab7af42984b743cc81baf2da7a8ddff814871

Download Submit
C:\Windows\{970727A2-6527-42b5-BAF6-8B2FDA2E5E61}.exe

Filesize
408KB

MD5
f8b93f9fadba9c387171f89a03328f55

SHA1
387c719cafc944d89b3d75aae73c6926fa70db73

SHA256
0bcdeeb556112ea1ccbef15ead70cb88c5f6d05aad3dc61b4924207a53bbcf4a

SHA512
d899abc39d9832b67ac7e5b99db375484f61e64ff38ba19f1cad8d490f4b5e7bb0d0c3a317a8bacbdad39a9b6cd232c904e4d328bcb5bbbd815a0098e6983d88

Download Submit
C:\Windows\{970727A2-6527-42b5-BAF6-8B2FDA2E5E61}.exe

Filesize
408KB

MD5
f8b93f9fadba9c387171f89a03328f55

SHA1
387c719cafc944d89b3d75aae73c6926fa70db73

SHA256
0bcdeeb556112ea1ccbef15ead70cb88c5f6d05aad3dc61b4924207a53bbcf4a

SHA512
d899abc39d9832b67ac7e5b99db375484f61e64ff38ba19f1cad8d490f4b5e7bb0d0c3a317a8bacbdad39a9b6cd232c904e4d328bcb5bbbd815a0098e6983d88

Download Submit
C:\Windows\{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe

Filesize
408KB

MD5
22ac60f65acbab4fc21508b26069c3bf

SHA1
e8ecaf1e5ab02ef8f2f8d884700886ca242c37f5

SHA256
6c6b0b71dae6633ec268b1e8ebfa46edd893ffe714abb05c9d5a7a1ca8034b75

SHA512
11d68f0a1cb5401b27e6e36e2a903cb86c373e4c5c2342ae1fe72a9ab51609d0c205e86f8d1ccb85986b645f743a9122c3edf534a87a11990ddd37ede6e059f4

Download Submit
C:\Windows\{A3B214FD-C630-458c-BB80-730E25E94EB7}.exe

Filesize
408KB

MD5
22ac60f65acbab4fc21508b26069c3bf

SHA1
e8ecaf1e5ab02ef8f2f8d884700886ca242c37f5

SHA256
6c6b0b71dae6633ec268b1e8ebfa46edd893ffe714abb05c9d5a7a1ca8034b75

SHA512
11d68f0a1cb5401b27e6e36e2a903cb86c373e4c5c2342ae1fe72a9ab51609d0c205e86f8d1ccb85986b645f743a9122c3edf534a87a11990ddd37ede6e059f4

Download Submit
C:\Windows\{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe

Filesize
408KB

MD5
15953c61d110df1e38917acb03ee9347

SHA1
67e09dc8d8ffc83ca90a0ffe8dee3998aaf5ac53

SHA256
f2ec13aba9d8a025c1aab61780457d8d40e29dca5489f0b5231bd8c7af26879b

SHA512
1f19cf44e8d36214d211f64520d1ad939a4893b8f727b3e75ecfaa5c6ead02f3595504cda44a77fbd7eaae463f7635a89012133a99f7b0e60487fd5213353b68

Download Submit
C:\Windows\{B75C3008-B2D9-40a6-8392-D60EFCBFE89A}.exe

Filesize
408KB

MD5
15953c61d110df1e38917acb03ee9347

SHA1
67e09dc8d8ffc83ca90a0ffe8dee3998aaf5ac53

SHA256
f2ec13aba9d8a025c1aab61780457d8d40e29dca5489f0b5231bd8c7af26879b

SHA512
1f19cf44e8d36214d211f64520d1ad939a4893b8f727b3e75ecfaa5c6ead02f3595504cda44a77fbd7eaae463f7635a89012133a99f7b0e60487fd5213353b68

Download Submit
C:\Windows\{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe

Filesize
408KB

MD5
f30a3503ad5d7556b6004f357c9149a8

SHA1
e11c16102f74cc337a0d71ed5755068d0acc5754

SHA256
050d21bc888ffdd46140f341b97fb98d284e3e510133f6473b83fc8eb222786b

SHA512
902199338f4791f41fd3d16259898214875e0648c455c6cc2edddab576dbb4b9fa6c946d6b3d85a16190b2d83b56fa2983edcbefd2bbecb3df4ab804002b117a

Download Submit
C:\Windows\{DF88F94A-1F0D-4fb9-861A-2EA4B85A01C0}.exe

Filesize
408KB

MD5
f30a3503ad5d7556b6004f357c9149a8

SHA1
e11c16102f74cc337a0d71ed5755068d0acc5754

SHA256
050d21bc888ffdd46140f341b97fb98d284e3e510133f6473b83fc8eb222786b

SHA512
902199338f4791f41fd3d16259898214875e0648c455c6cc2edddab576dbb4b9fa6c946d6b3d85a16190b2d83b56fa2983edcbefd2bbecb3df4ab804002b117a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads