ffa848792344d645f293fdfed1b4eeb5064bafd6192236cf12174a86349a4d4f

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2023, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8fb19587f9c7a2cd3269a48c9f1f91b_goldeneye_JC.exe
Size

204KB
MD5

a8fb19587f9c7a2cd3269a48c9f1f91b
SHA1

3cdeec239ff81be729c4e14c2444af283033d791
SHA256

ffa848792344d645f293fdfed1b4eeb5064bafd6192236cf12174a86349a4d4f
SHA512

0fde58bb619d892d9865ee0da2c6e53ce450e7502d94251fb9a22625405ad5a50eeb7b65f9417eb9cfa9613f5de319c6dee064b11bc320adc6e04625540e5abf
SSDEEP

1536:1EGh0oql15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oql1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E681A72-0EAE-417b-AD9D-BDA142C74BFD}	{D4934834-FC62-4fbd-99A9-F8545C8D27FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E681A72-0EAE-417b-AD9D-BDA142C74BFD}\stubpath = "C:\\Windows\\{5E681A72-0EAE-417b-AD9D-BDA142C74BFD}.exe"	{D4934834-FC62-4fbd-99A9-F8545C8D27FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9EF8FFE-38CF-4d2a-815B-5004804821D6}	a8fb19587f9c7a2cd3269a48c9f1f91b_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A83B46B-5293-41f2-91FF-F2C7A06487B2}	{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38758B75-EB3A-489e-A5D3-D66A4D742921}\stubpath = "C:\\Windows\\{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe"	{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35EA0856-790B-4440-A9FD-F80657E93F7F}\stubpath = "C:\\Windows\\{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe"	{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F5EA3EB-8B2F-4e1c-810A-532A80443477}\stubpath = "C:\\Windows\\{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe"	{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}\stubpath = "C:\\Windows\\{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe"	{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4934834-FC62-4fbd-99A9-F8545C8D27FE}	{24870537-05C0-481e-BDD2-0C7B46695754}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9EF8FFE-38CF-4d2a-815B-5004804821D6}\stubpath = "C:\\Windows\\{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe"	a8fb19587f9c7a2cd3269a48c9f1f91b_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68EF6248-ED99-43c5-AE2B-28FFCE465346}\stubpath = "C:\\Windows\\{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe"	{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}\stubpath = "C:\\Windows\\{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe"	{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A83B46B-5293-41f2-91FF-F2C7A06487B2}\stubpath = "C:\\Windows\\{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe"	{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24870537-05C0-481e-BDD2-0C7B46695754}	{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24870537-05C0-481e-BDD2-0C7B46695754}\stubpath = "C:\\Windows\\{24870537-05C0-481e-BDD2-0C7B46695754}.exe"	{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1E22FD4-2FA7-491e-A12A-25179AD069BA}\stubpath = "C:\\Windows\\{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe"	{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}	{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38758B75-EB3A-489e-A5D3-D66A4D742921}	{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F5EA3EB-8B2F-4e1c-810A-532A80443477}	{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4934834-FC62-4fbd-99A9-F8545C8D27FE}\stubpath = "C:\\Windows\\{D4934834-FC62-4fbd-99A9-F8545C8D27FE}.exe"	{24870537-05C0-481e-BDD2-0C7B46695754}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1E22FD4-2FA7-491e-A12A-25179AD069BA}	{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68EF6248-ED99-43c5-AE2B-28FFCE465346}	{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35EA0856-790B-4440-A9FD-F80657E93F7F}	{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}	{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe

Executes dropped EXE 11 IoCs

pid	Process
1636	{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe
4924	{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe
4760	{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe
1796	{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe
3136	{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe
3164	{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe
232	{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe
3908	{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe
4828	{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe
2432	{24870537-05C0-481e-BDD2-0C7B46695754}.exe
3936	{D4934834-FC62-4fbd-99A9-F8545C8D27FE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D4934834-FC62-4fbd-99A9-F8545C8D27FE}.exe	{24870537-05C0-481e-BDD2-0C7B46695754}.exe
File created	C:\Windows\{5E681A72-0EAE-417b-AD9D-BDA142C74BFD}.exe	{D4934834-FC62-4fbd-99A9-F8545C8D27FE}.exe
File created	C:\Windows\{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe	{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe
File created	C:\Windows\{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe	{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe
File created	C:\Windows\{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe	{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe
File created	C:\Windows\{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe	{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe
File created	C:\Windows\{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe	{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe
File created	C:\Windows\{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe	{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe
File created	C:\Windows\{24870537-05C0-481e-BDD2-0C7B46695754}.exe	{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe
File created	C:\Windows\{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe	a8fb19587f9c7a2cd3269a48c9f1f91b_goldeneye_JC.exe
File created	C:\Windows\{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe	{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe
File created	C:\Windows\{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe	{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	716	a8fb19587f9c7a2cd3269a48c9f1f91b_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1636	{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe
Token: SeIncBasePriorityPrivilege	4924	{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe
Token: SeIncBasePriorityPrivilege	4760	{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe
Token: SeIncBasePriorityPrivilege	1796	{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe
Token: SeIncBasePriorityPrivilege	3136	{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe
Token: SeIncBasePriorityPrivilege	3164	{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe
Token: SeIncBasePriorityPrivilege	232	{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe
Token: SeIncBasePriorityPrivilege	3908	{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe
Token: SeIncBasePriorityPrivilege	4828	{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe
Token: SeIncBasePriorityPrivilege	2432	{24870537-05C0-481e-BDD2-0C7B46695754}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 1636	716	a8fb19587f9c7a2cd3269a48c9f1f91b_goldeneye_JC.exe	89
PID 716 wrote to memory of 1636	716	a8fb19587f9c7a2cd3269a48c9f1f91b_goldeneye_JC.exe	89
PID 716 wrote to memory of 1636	716	a8fb19587f9c7a2cd3269a48c9f1f91b_goldeneye_JC.exe	89
PID 716 wrote to memory of 3188	716	a8fb19587f9c7a2cd3269a48c9f1f91b_goldeneye_JC.exe	90
PID 716 wrote to memory of 3188	716	a8fb19587f9c7a2cd3269a48c9f1f91b_goldeneye_JC.exe	90
PID 716 wrote to memory of 3188	716	a8fb19587f9c7a2cd3269a48c9f1f91b_goldeneye_JC.exe	90
PID 1636 wrote to memory of 4924	1636	{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe	91
PID 1636 wrote to memory of 4924	1636	{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe	91
PID 1636 wrote to memory of 4924	1636	{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe	91
PID 1636 wrote to memory of 2032	1636	{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe	92
PID 1636 wrote to memory of 2032	1636	{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe	92
PID 1636 wrote to memory of 2032	1636	{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe	92
PID 4924 wrote to memory of 4760	4924	{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe	95
PID 4924 wrote to memory of 4760	4924	{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe	95
PID 4924 wrote to memory of 4760	4924	{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe	95
PID 4924 wrote to memory of 2236	4924	{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe	94
PID 4924 wrote to memory of 2236	4924	{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe	94
PID 4924 wrote to memory of 2236	4924	{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe	94
PID 4760 wrote to memory of 1796	4760	{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe	96
PID 4760 wrote to memory of 1796	4760	{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe	96
PID 4760 wrote to memory of 1796	4760	{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe	96
PID 4760 wrote to memory of 468	4760	{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe	97
PID 4760 wrote to memory of 468	4760	{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe	97
PID 4760 wrote to memory of 468	4760	{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe	97
PID 1796 wrote to memory of 3136	1796	{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe	99
PID 1796 wrote to memory of 3136	1796	{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe	99
PID 1796 wrote to memory of 3136	1796	{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe	99
PID 1796 wrote to memory of 3972	1796	{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe	98
PID 1796 wrote to memory of 3972	1796	{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe	98
PID 1796 wrote to memory of 3972	1796	{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe	98
PID 3136 wrote to memory of 3164	3136	{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe	100
PID 3136 wrote to memory of 3164	3136	{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe	100
PID 3136 wrote to memory of 3164	3136	{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe	100
PID 3136 wrote to memory of 3292	3136	{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe	101
PID 3136 wrote to memory of 3292	3136	{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe	101
PID 3136 wrote to memory of 3292	3136	{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe	101
PID 3164 wrote to memory of 232	3164	{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe	102
PID 3164 wrote to memory of 232	3164	{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe	102
PID 3164 wrote to memory of 232	3164	{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe	102
PID 3164 wrote to memory of 1728	3164	{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe	103
PID 3164 wrote to memory of 1728	3164	{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe	103
PID 3164 wrote to memory of 1728	3164	{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe	103
PID 232 wrote to memory of 3908	232	{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe	104
PID 232 wrote to memory of 3908	232	{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe	104
PID 232 wrote to memory of 3908	232	{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe	104
PID 232 wrote to memory of 2196	232	{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe	105
PID 232 wrote to memory of 2196	232	{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe	105
PID 232 wrote to memory of 2196	232	{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe	105
PID 3908 wrote to memory of 4828	3908	{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe	106
PID 3908 wrote to memory of 4828	3908	{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe	106
PID 3908 wrote to memory of 4828	3908	{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe	106
PID 3908 wrote to memory of 636	3908	{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe	107
PID 3908 wrote to memory of 636	3908	{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe	107
PID 3908 wrote to memory of 636	3908	{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe	107
PID 4828 wrote to memory of 2432	4828	{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe	108
PID 4828 wrote to memory of 2432	4828	{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe	108
PID 4828 wrote to memory of 2432	4828	{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe	108
PID 4828 wrote to memory of 4724	4828	{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe	109
PID 4828 wrote to memory of 4724	4828	{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe	109
PID 4828 wrote to memory of 4724	4828	{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe	109
PID 2432 wrote to memory of 3936	2432	{24870537-05C0-481e-BDD2-0C7B46695754}.exe	110
PID 2432 wrote to memory of 3936	2432	{24870537-05C0-481e-BDD2-0C7B46695754}.exe	110
PID 2432 wrote to memory of 3936	2432	{24870537-05C0-481e-BDD2-0C7B46695754}.exe	110
PID 2432 wrote to memory of 3520	2432	{24870537-05C0-481e-BDD2-0C7B46695754}.exe	111

C:\Users\Admin\AppData\Local\Temp\a8fb19587f9c7a2cd3269a48c9f1f91b_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a8fb19587f9c7a2cd3269a48c9f1f91b_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe
  C:\Windows\{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe
    C:\Windows\{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C1E22~1.EXE > nul
      4⤵
      PID:2236
  - - C:\Windows\{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe
      C:\Windows\{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Windows\{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe
        
        C:\Windows\{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD887~1.EXE > nul
        6⤵
        
        PID:3972
      - C:\Windows\{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe
        
        C:\Windows\{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe
        
        C:\Windows\{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe
        
        C:\Windows\{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe
        
        C:\Windows\{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe
        
        C:\Windows\{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\{24870537-05C0-481e-BDD2-0C7B46695754}.exe
        
        C:\Windows\{24870537-05C0-481e-BDD2-0C7B46695754}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\{D4934834-FC62-4fbd-99A9-F8545C8D27FE}.exe
        
        C:\Windows\{D4934834-FC62-4fbd-99A9-F8545C8D27FE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24870~1.EXE > nul
        12⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18A5B~1.EXE > nul
        11⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F5EA~1.EXE > nul
        10⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35EA0~1.EXE > nul
        9⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38758~1.EXE > nul
        8⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A83B~1.EXE > nul
        7⤵
        
        PID:3292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68EF6~1.EXE > nul
        5⤵
        
        PID:468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D9EF8~1.EXE > nul
    3⤵
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A8FB19~1.EXE > nul
  2⤵
  PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe

Filesize
204KB

MD5
50a7177aa384795ab4d5ab6a8e9fd453

SHA1
1b6572673c90a75bdd9ce7c35c5f26d42e720d21

SHA256
6abe753a5cb946c6bef1a3e8693d252c92911f25d84f0d128091b06b0069fbbf

SHA512
54dff93851abfe2c4493c7635a8a3072d8b7d3733ac7fb91cbe1ce3f77b9ce0f71c4576805d9d900c875f269b610dfbd4b0ef2b71d4abd0c3b51477584a4d380

Download Submit
C:\Windows\{18A5BF41-1ACE-4747-B5FA-FD6B53D37B5E}.exe

Filesize
204KB

MD5
50a7177aa384795ab4d5ab6a8e9fd453

SHA1
1b6572673c90a75bdd9ce7c35c5f26d42e720d21

SHA256
6abe753a5cb946c6bef1a3e8693d252c92911f25d84f0d128091b06b0069fbbf

SHA512
54dff93851abfe2c4493c7635a8a3072d8b7d3733ac7fb91cbe1ce3f77b9ce0f71c4576805d9d900c875f269b610dfbd4b0ef2b71d4abd0c3b51477584a4d380

Download Submit
C:\Windows\{24870537-05C0-481e-BDD2-0C7B46695754}.exe

Filesize
204KB

MD5
cc736a13268ec600cffb55bd03a1a009

SHA1
7d1a9dc467def75d2a4e211c01f489b81296d8c7

SHA256
701ee664646624c37e9d95381a17406dd83748ab0dd88b9dacbbe21439ca505c

SHA512
e950eb594450cfcc826d6b75b2159a95d0f7eaa2ab4ee5c1190101e50293fc7ad969c35470f4a018e9111bf14bab97fe3a0bf88122caa2ceed29c614ab98e289

Download Submit
C:\Windows\{24870537-05C0-481e-BDD2-0C7B46695754}.exe

Filesize
204KB

MD5
cc736a13268ec600cffb55bd03a1a009

SHA1
7d1a9dc467def75d2a4e211c01f489b81296d8c7

SHA256
701ee664646624c37e9d95381a17406dd83748ab0dd88b9dacbbe21439ca505c

SHA512
e950eb594450cfcc826d6b75b2159a95d0f7eaa2ab4ee5c1190101e50293fc7ad969c35470f4a018e9111bf14bab97fe3a0bf88122caa2ceed29c614ab98e289

Download Submit
C:\Windows\{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe

Filesize
204KB

MD5
291e9b5db58f99a395689e8a1180fb33

SHA1
9bb6a4fac6e24bf97428266a322633e3fe0abe87

SHA256
ff635d78d0ecff5528802272816bb5a1ddf8339866c6d8257384c102be3fbfab

SHA512
0ad2416b799e0a91e1ce53f85056dac8c7050fc049c5c23faa7e23af2d5862202de6c73fba92cfc1e14d1c6aa55fa040ab8495aed99958c6e9bc1319bf1ef418

Download Submit
C:\Windows\{35EA0856-790B-4440-A9FD-F80657E93F7F}.exe

Filesize
204KB

MD5
291e9b5db58f99a395689e8a1180fb33

SHA1
9bb6a4fac6e24bf97428266a322633e3fe0abe87

SHA256
ff635d78d0ecff5528802272816bb5a1ddf8339866c6d8257384c102be3fbfab

SHA512
0ad2416b799e0a91e1ce53f85056dac8c7050fc049c5c23faa7e23af2d5862202de6c73fba92cfc1e14d1c6aa55fa040ab8495aed99958c6e9bc1319bf1ef418

Download Submit
C:\Windows\{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe

Filesize
204KB

MD5
21e9c42e6b5965d935a861b4c82727e3

SHA1
fe9ff199f6111458cdecd258b13746bf43ef7a74

SHA256
7493d9b68ba632c1f7af83a1a51e2e02e084fc8aab3605dcf8d0993175f52bb5

SHA512
77a2022322d92194fce67e4f5358ca6db11ace5d9de51890b930c33232826e9957af199287888c2c37998cff9266087f6dc8abf2ff21d478649b1d72497bc1a5

Download Submit
C:\Windows\{38758B75-EB3A-489e-A5D3-D66A4D742921}.exe

Filesize
204KB

MD5
21e9c42e6b5965d935a861b4c82727e3

SHA1
fe9ff199f6111458cdecd258b13746bf43ef7a74

SHA256
7493d9b68ba632c1f7af83a1a51e2e02e084fc8aab3605dcf8d0993175f52bb5

SHA512
77a2022322d92194fce67e4f5358ca6db11ace5d9de51890b930c33232826e9957af199287888c2c37998cff9266087f6dc8abf2ff21d478649b1d72497bc1a5

Download Submit
C:\Windows\{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe

Filesize
204KB

MD5
eaf549529cf293bebe95a94e55fdaa2a

SHA1
7719f92605641c9cf5e1a8d0455fe88f34877b33

SHA256
cf55aa30202fce9df10d8c1e713fcdda1116d76c0e2618e4e4d584e93410db2a

SHA512
2d5d45dbe5ef899837974fd3e998e7013231fd1edcfae3c39764c91326d72e3d246ee028fded915983b9087ac292f8c281727a19a6fc4311c3b36871b9725c02

Download Submit
C:\Windows\{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe

Filesize
204KB

MD5
eaf549529cf293bebe95a94e55fdaa2a

SHA1
7719f92605641c9cf5e1a8d0455fe88f34877b33

SHA256
cf55aa30202fce9df10d8c1e713fcdda1116d76c0e2618e4e4d584e93410db2a

SHA512
2d5d45dbe5ef899837974fd3e998e7013231fd1edcfae3c39764c91326d72e3d246ee028fded915983b9087ac292f8c281727a19a6fc4311c3b36871b9725c02

Download Submit
C:\Windows\{68EF6248-ED99-43c5-AE2B-28FFCE465346}.exe

Filesize
204KB

MD5
eaf549529cf293bebe95a94e55fdaa2a

SHA1
7719f92605641c9cf5e1a8d0455fe88f34877b33

SHA256
cf55aa30202fce9df10d8c1e713fcdda1116d76c0e2618e4e4d584e93410db2a

SHA512
2d5d45dbe5ef899837974fd3e998e7013231fd1edcfae3c39764c91326d72e3d246ee028fded915983b9087ac292f8c281727a19a6fc4311c3b36871b9725c02

Download Submit
C:\Windows\{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe

Filesize
204KB

MD5
a3abe7de86f0e166063d1a0e506e28cb

SHA1
74186f075c10522c89660088611ba5875d7964e5

SHA256
f37a83ffb2f8fb9bbbf28a8fccc4c0740704cc36680761d3f8da88fcb254481f

SHA512
8e8ffb408ef1c63dc453ee771b5f005c8d1eb17bbff03cb2afd676770a89318513ab09419e996cb23819396c3911a48fe67c88eac1b664949f9a38fcb2476078

Download Submit
C:\Windows\{6A83B46B-5293-41f2-91FF-F2C7A06487B2}.exe

Filesize
204KB

MD5
a3abe7de86f0e166063d1a0e506e28cb

SHA1
74186f075c10522c89660088611ba5875d7964e5

SHA256
f37a83ffb2f8fb9bbbf28a8fccc4c0740704cc36680761d3f8da88fcb254481f

SHA512
8e8ffb408ef1c63dc453ee771b5f005c8d1eb17bbff03cb2afd676770a89318513ab09419e996cb23819396c3911a48fe67c88eac1b664949f9a38fcb2476078

Download Submit
C:\Windows\{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe

Filesize
204KB

MD5
38eae841a92bb7c460a0dfd158515d32

SHA1
d39e0dd8f0f445ec2016d1a06efd73454ec2c255

SHA256
0c6d561dc2fb77424ab4380c83c17f103fc01c9b07abb4dc467a3808a463ccc7

SHA512
67ef35b63481bd1839c1e5ee49b24e4f5f3ee0262dbdbbd944c99675a81ef2728929e8a4d717e9f0c2ce7aaee4f65bc7ce5e1c0ff9c5e2657c83438a2c4ebdf0

Download Submit
C:\Windows\{6F5EA3EB-8B2F-4e1c-810A-532A80443477}.exe

Filesize
204KB

MD5
38eae841a92bb7c460a0dfd158515d32

SHA1
d39e0dd8f0f445ec2016d1a06efd73454ec2c255

SHA256
0c6d561dc2fb77424ab4380c83c17f103fc01c9b07abb4dc467a3808a463ccc7

SHA512
67ef35b63481bd1839c1e5ee49b24e4f5f3ee0262dbdbbd944c99675a81ef2728929e8a4d717e9f0c2ce7aaee4f65bc7ce5e1c0ff9c5e2657c83438a2c4ebdf0

Download Submit
C:\Windows\{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe

Filesize
204KB

MD5
56829ca437312ff3c3b76d7cf4c2444c

SHA1
6512cfeb35a71451401eae23ca41fa5a7347f0e1

SHA256
5fe30efaa99139870afb62e67d16d2884025d10569f5cfc3f79a4cac499534ed

SHA512
3c063114e88022daa6871122663ecca3a45655c9f60dbfd9fa9438fb6aa810cc24bd9f1ed673d2fd54397b4ba1420e7688ade7e2f957cac4e0ee3e4dc087d970

Download Submit
C:\Windows\{BD887F46-9D55-4dbd-AEB0-4B7340BB9B81}.exe

Filesize
204KB

MD5
56829ca437312ff3c3b76d7cf4c2444c

SHA1
6512cfeb35a71451401eae23ca41fa5a7347f0e1

SHA256
5fe30efaa99139870afb62e67d16d2884025d10569f5cfc3f79a4cac499534ed

SHA512
3c063114e88022daa6871122663ecca3a45655c9f60dbfd9fa9438fb6aa810cc24bd9f1ed673d2fd54397b4ba1420e7688ade7e2f957cac4e0ee3e4dc087d970

Download Submit
C:\Windows\{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe

Filesize
204KB

MD5
1b0b18fe2907843b0532e49ab66d03da

SHA1
a8ac6efe33f308a2e95a7ee65200eddc69eccf23

SHA256
8ae3221fbdd22999ba34580c0922f7a726a20d48ac1dea698045545676c4a81b

SHA512
b2ca6c73e2c6614fb6255da3b0e7e50a883aaf2bc8c30d849f7ba35f26a059316a836c479a623ef761cf78a5fa28fef135fa5c167ab66c100fddbda06e18092d

Download Submit
C:\Windows\{C1E22FD4-2FA7-491e-A12A-25179AD069BA}.exe

Filesize
204KB

MD5
1b0b18fe2907843b0532e49ab66d03da

SHA1
a8ac6efe33f308a2e95a7ee65200eddc69eccf23

SHA256
8ae3221fbdd22999ba34580c0922f7a726a20d48ac1dea698045545676c4a81b

SHA512
b2ca6c73e2c6614fb6255da3b0e7e50a883aaf2bc8c30d849f7ba35f26a059316a836c479a623ef761cf78a5fa28fef135fa5c167ab66c100fddbda06e18092d

Download Submit
C:\Windows\{D4934834-FC62-4fbd-99A9-F8545C8D27FE}.exe

Filesize
204KB

MD5
55524649a96682b36d6e93650afc0866

SHA1
634c16d5321d86edc897c6ea1cc1c257d729cecb

SHA256
883c21458ae75400622b93f8068fe3e1886c228e22583b67f103f91d6ccb8b2e

SHA512
8ffc0456e5b3eab1ea59674e21e7470a7a59648cbfc93fba659cec216c76bfb47564d6f216102ed2ad7d60383426f83330e3104ba214c7e59753776a94ff1022

Download Submit
C:\Windows\{D4934834-FC62-4fbd-99A9-F8545C8D27FE}.exe

Filesize
204KB

MD5
55524649a96682b36d6e93650afc0866

SHA1
634c16d5321d86edc897c6ea1cc1c257d729cecb

SHA256
883c21458ae75400622b93f8068fe3e1886c228e22583b67f103f91d6ccb8b2e

SHA512
8ffc0456e5b3eab1ea59674e21e7470a7a59648cbfc93fba659cec216c76bfb47564d6f216102ed2ad7d60383426f83330e3104ba214c7e59753776a94ff1022

Download Submit
C:\Windows\{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe

Filesize
204KB

MD5
bbc3d4342f86b6f643e49afc63195418

SHA1
4656bfcbcd9d15fb9bb0e801753cd21a14a840c6

SHA256
32c3681ffc94bddabebe068209e33cb13d2cb3afbaf58640176d5f64c67ff868

SHA512
ac05ff60fe9065cec367e9894f04cc5427f31fc206500208de4dd8f5522758c97a7a41a86820d186c97b4b5e39bb35ba93803548eea0847d9562c2c2f4fa1de7

Download Submit
C:\Windows\{D9EF8FFE-38CF-4d2a-815B-5004804821D6}.exe

Filesize
204KB

MD5
bbc3d4342f86b6f643e49afc63195418

SHA1
4656bfcbcd9d15fb9bb0e801753cd21a14a840c6

SHA256
32c3681ffc94bddabebe068209e33cb13d2cb3afbaf58640176d5f64c67ff868

SHA512
ac05ff60fe9065cec367e9894f04cc5427f31fc206500208de4dd8f5522758c97a7a41a86820d186c97b4b5e39bb35ba93803548eea0847d9562c2c2f4fa1de7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads