33f3012f420d03896de1f6ba231117db7a7969c0129466b3afb484b72287d15e

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe
Size

408KB
MD5

cbe429d5258f2cfdfda4609b421b8eeb
SHA1

7bcef0bb7c7491b82c5777320ea7604c1a9526d4
SHA256

33f3012f420d03896de1f6ba231117db7a7969c0129466b3afb484b72287d15e
SHA512

3ec5c909f156999b3fd29b2191df035b464cbf6de63e0b8bd29bd00e4099fa2a1d208a2938162f53fb39e3055fc92bf0ae817b40685b025ceb19f92b43971ebd
SSDEEP

3072:CEGh0oIl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGGldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF973B0F-1A6E-4949-8854-E458FC75CF27}\stubpath = "C:\\Windows\\{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe"	{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}\stubpath = "C:\\Windows\\{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe"	{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E514386-77AB-418c-8CE1-8D079C236574}\stubpath = "C:\\Windows\\{3E514386-77AB-418c-8CE1-8D079C236574}.exe"	{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C669C281-44A4-4753-91D9-227E36BC0F29}\stubpath = "C:\\Windows\\{C669C281-44A4-4753-91D9-227E36BC0F29}.exe"	{284AA591-BB39-4502-9796-AEA32928D6FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC21837A-5632-486d-A8A4-5D3BEEB36C84}	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC21837A-5632-486d-A8A4-5D3BEEB36C84}\stubpath = "C:\\Windows\\{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe"	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C14A19EF-8773-4872-B857-2573A32CFB8B}	{3E514386-77AB-418c-8CE1-8D079C236574}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{284AA591-BB39-4502-9796-AEA32928D6FB}	{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C669C281-44A4-4753-91D9-227E36BC0F29}	{284AA591-BB39-4502-9796-AEA32928D6FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{780992B7-17A2-4c21-81FE-41204104607D}	{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F24463-0F2C-42d2-839C-69355AF2BAB3}\stubpath = "C:\\Windows\\{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe"	{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}\stubpath = "C:\\Windows\\{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe"	{780992B7-17A2-4c21-81FE-41204104607D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF973B0F-1A6E-4949-8854-E458FC75CF27}	{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}	{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E514386-77AB-418c-8CE1-8D079C236574}	{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C14A19EF-8773-4872-B857-2573A32CFB8B}\stubpath = "C:\\Windows\\{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe"	{3E514386-77AB-418c-8CE1-8D079C236574}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}	{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{780992B7-17A2-4c21-81FE-41204104607D}\stubpath = "C:\\Windows\\{780992B7-17A2-4c21-81FE-41204104607D}.exe"	{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}	{780992B7-17A2-4c21-81FE-41204104607D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}\stubpath = "C:\\Windows\\{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe"	{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6DB62E0-444B-4a50-847A-B7743440E449}	{C669C281-44A4-4753-91D9-227E36BC0F29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6DB62E0-444B-4a50-847A-B7743440E449}\stubpath = "C:\\Windows\\{E6DB62E0-444B-4a50-847A-B7743440E449}.exe"	{C669C281-44A4-4753-91D9-227E36BC0F29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F24463-0F2C-42d2-839C-69355AF2BAB3}	{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{284AA591-BB39-4502-9796-AEA32928D6FB}\stubpath = "C:\\Windows\\{284AA591-BB39-4502-9796-AEA32928D6FB}.exe"	{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe

Executes dropped EXE 12 IoCs

pid	Process
4200	{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe
4332	{780992B7-17A2-4c21-81FE-41204104607D}.exe
2416	{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe
2232	{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe
1668	{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe
3228	{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe
4908	{3E514386-77AB-418c-8CE1-8D079C236574}.exe
1580	{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe
3920	{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe
5060	{284AA591-BB39-4502-9796-AEA32928D6FB}.exe
4652	{C669C281-44A4-4753-91D9-227E36BC0F29}.exe
2868	{E6DB62E0-444B-4a50-847A-B7743440E449}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe	{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe
File created	C:\Windows\{3E514386-77AB-418c-8CE1-8D079C236574}.exe	{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe
File created	C:\Windows\{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe	{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe
File created	C:\Windows\{E6DB62E0-444B-4a50-847A-B7743440E449}.exe	{C669C281-44A4-4753-91D9-227E36BC0F29}.exe
File created	C:\Windows\{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe	{780992B7-17A2-4c21-81FE-41204104607D}.exe
File created	C:\Windows\{780992B7-17A2-4c21-81FE-41204104607D}.exe	{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe
File created	C:\Windows\{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe	{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe
File created	C:\Windows\{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe	{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe
File created	C:\Windows\{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe	{3E514386-77AB-418c-8CE1-8D079C236574}.exe
File created	C:\Windows\{284AA591-BB39-4502-9796-AEA32928D6FB}.exe	{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe
File created	C:\Windows\{C669C281-44A4-4753-91D9-227E36BC0F29}.exe	{284AA591-BB39-4502-9796-AEA32928D6FB}.exe
File created	C:\Windows\{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4520	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4200	{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe
Token: SeIncBasePriorityPrivilege	4332	{780992B7-17A2-4c21-81FE-41204104607D}.exe
Token: SeIncBasePriorityPrivilege	2416	{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe
Token: SeIncBasePriorityPrivilege	2232	{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe
Token: SeIncBasePriorityPrivilege	1668	{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe
Token: SeIncBasePriorityPrivilege	3228	{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe
Token: SeIncBasePriorityPrivilege	4908	{3E514386-77AB-418c-8CE1-8D079C236574}.exe
Token: SeIncBasePriorityPrivilege	1580	{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe
Token: SeIncBasePriorityPrivilege	3920	{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe
Token: SeIncBasePriorityPrivilege	5060	{284AA591-BB39-4502-9796-AEA32928D6FB}.exe
Token: SeIncBasePriorityPrivilege	4652	{C669C281-44A4-4753-91D9-227E36BC0F29}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 4200	4520	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	90
PID 4520 wrote to memory of 4200	4520	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	90
PID 4520 wrote to memory of 4200	4520	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	90
PID 4520 wrote to memory of 4776	4520	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	91
PID 4520 wrote to memory of 4776	4520	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	91
PID 4520 wrote to memory of 4776	4520	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	91
PID 4200 wrote to memory of 4332	4200	{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe	92
PID 4200 wrote to memory of 4332	4200	{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe	92
PID 4200 wrote to memory of 4332	4200	{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe	92
PID 4200 wrote to memory of 3568	4200	{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe	93
PID 4200 wrote to memory of 3568	4200	{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe	93
PID 4200 wrote to memory of 3568	4200	{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe	93
PID 4332 wrote to memory of 2416	4332	{780992B7-17A2-4c21-81FE-41204104607D}.exe	96
PID 4332 wrote to memory of 2416	4332	{780992B7-17A2-4c21-81FE-41204104607D}.exe	96
PID 4332 wrote to memory of 2416	4332	{780992B7-17A2-4c21-81FE-41204104607D}.exe	96
PID 4332 wrote to memory of 3876	4332	{780992B7-17A2-4c21-81FE-41204104607D}.exe	95
PID 4332 wrote to memory of 3876	4332	{780992B7-17A2-4c21-81FE-41204104607D}.exe	95
PID 4332 wrote to memory of 3876	4332	{780992B7-17A2-4c21-81FE-41204104607D}.exe	95
PID 2416 wrote to memory of 2232	2416	{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe	97
PID 2416 wrote to memory of 2232	2416	{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe	97
PID 2416 wrote to memory of 2232	2416	{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe	97
PID 2416 wrote to memory of 3932	2416	{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe	98
PID 2416 wrote to memory of 3932	2416	{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe	98
PID 2416 wrote to memory of 3932	2416	{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe	98
PID 2232 wrote to memory of 1668	2232	{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe	99
PID 2232 wrote to memory of 1668	2232	{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe	99
PID 2232 wrote to memory of 1668	2232	{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe	99
PID 2232 wrote to memory of 2584	2232	{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe	100
PID 2232 wrote to memory of 2584	2232	{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe	100
PID 2232 wrote to memory of 2584	2232	{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe	100
PID 1668 wrote to memory of 3228	1668	{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe	101
PID 1668 wrote to memory of 3228	1668	{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe	101
PID 1668 wrote to memory of 3228	1668	{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe	101
PID 1668 wrote to memory of 4428	1668	{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe	102
PID 1668 wrote to memory of 4428	1668	{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe	102
PID 1668 wrote to memory of 4428	1668	{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe	102
PID 3228 wrote to memory of 4908	3228	{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe	103
PID 3228 wrote to memory of 4908	3228	{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe	103
PID 3228 wrote to memory of 4908	3228	{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe	103
PID 3228 wrote to memory of 2228	3228	{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe	104
PID 3228 wrote to memory of 2228	3228	{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe	104
PID 3228 wrote to memory of 2228	3228	{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe	104
PID 4908 wrote to memory of 1580	4908	{3E514386-77AB-418c-8CE1-8D079C236574}.exe	105
PID 4908 wrote to memory of 1580	4908	{3E514386-77AB-418c-8CE1-8D079C236574}.exe	105
PID 4908 wrote to memory of 1580	4908	{3E514386-77AB-418c-8CE1-8D079C236574}.exe	105
PID 4908 wrote to memory of 4284	4908	{3E514386-77AB-418c-8CE1-8D079C236574}.exe	106
PID 4908 wrote to memory of 4284	4908	{3E514386-77AB-418c-8CE1-8D079C236574}.exe	106
PID 4908 wrote to memory of 4284	4908	{3E514386-77AB-418c-8CE1-8D079C236574}.exe	106
PID 1580 wrote to memory of 3920	1580	{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe	107
PID 1580 wrote to memory of 3920	1580	{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe	107
PID 1580 wrote to memory of 3920	1580	{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe	107
PID 1580 wrote to memory of 3860	1580	{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe	108
PID 1580 wrote to memory of 3860	1580	{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe	108
PID 1580 wrote to memory of 3860	1580	{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe	108
PID 3920 wrote to memory of 5060	3920	{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe	109
PID 3920 wrote to memory of 5060	3920	{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe	109
PID 3920 wrote to memory of 5060	3920	{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe	109
PID 3920 wrote to memory of 4572	3920	{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe	110
PID 3920 wrote to memory of 4572	3920	{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe	110
PID 3920 wrote to memory of 4572	3920	{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe	110
PID 5060 wrote to memory of 4652	5060	{284AA591-BB39-4502-9796-AEA32928D6FB}.exe	111
PID 5060 wrote to memory of 4652	5060	{284AA591-BB39-4502-9796-AEA32928D6FB}.exe	111
PID 5060 wrote to memory of 4652	5060	{284AA591-BB39-4502-9796-AEA32928D6FB}.exe	111
PID 5060 wrote to memory of 1472	5060	{284AA591-BB39-4502-9796-AEA32928D6FB}.exe	112

C:\Users\Admin\AppData\Local\Temp\cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe
  C:\Windows\{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\{780992B7-17A2-4c21-81FE-41204104607D}.exe
    C:\Windows\{780992B7-17A2-4c21-81FE-41204104607D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{78099~1.EXE > nul
      4⤵
      PID:3876
  - - C:\Windows\{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe
      C:\Windows\{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe
        
        C:\Windows\{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe
        
        C:\Windows\{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe
        
        C:\Windows\{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\{3E514386-77AB-418c-8CE1-8D079C236574}.exe
        
        C:\Windows\{3E514386-77AB-418c-8CE1-8D079C236574}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe
        
        C:\Windows\{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe
        
        C:\Windows\{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\{284AA591-BB39-4502-9796-AEA32928D6FB}.exe
        
        C:\Windows\{284AA591-BB39-4502-9796-AEA32928D6FB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\{C669C281-44A4-4753-91D9-227E36BC0F29}.exe
        
        C:\Windows\{C669C281-44A4-4753-91D9-227E36BC0F29}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\{E6DB62E0-444B-4a50-847A-B7743440E449}.exe
        
        C:\Windows\{E6DB62E0-444B-4a50-847A-B7743440E449}.exe
        13⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C669C~1.EXE > nul
        13⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{284AA~1.EXE > nul
        12⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E697A~1.EXE > nul
        11⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C14A1~1.EXE > nul
        10⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E514~1.EXE > nul
        9⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5803~1.EXE > nul
        8⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6F24~1.EXE > nul
        7⤵
        
        PID:4428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF973~1.EXE > nul
        6⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51DEE~1.EXE > nul
        5⤵
        
        PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AC218~1.EXE > nul
    3⤵
    PID:3568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CBE429~1.EXE > nul
  2⤵
  PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{284AA591-BB39-4502-9796-AEA32928D6FB}.exe

Filesize
408KB

MD5
fa8d729bf221b827c562f2163ba88b13

SHA1
0f3e7f31154cc12819ee58d68d7b4bd42897b4de

SHA256
4860f5289d3a86c4efb94db8dfcf876e118510b796d224578893123ff725961c

SHA512
7f0d4d6ae4ff9af95f609a7a3e45bef53ace8a8650432eedb2df1b2a4cbc559f758700719fa8dc56f080a34608bf4db53ed95601f31285581fbb39d179742602

Download Submit
C:\Windows\{284AA591-BB39-4502-9796-AEA32928D6FB}.exe

Filesize
408KB

MD5
fa8d729bf221b827c562f2163ba88b13

SHA1
0f3e7f31154cc12819ee58d68d7b4bd42897b4de

SHA256
4860f5289d3a86c4efb94db8dfcf876e118510b796d224578893123ff725961c

SHA512
7f0d4d6ae4ff9af95f609a7a3e45bef53ace8a8650432eedb2df1b2a4cbc559f758700719fa8dc56f080a34608bf4db53ed95601f31285581fbb39d179742602

Download Submit
C:\Windows\{3E514386-77AB-418c-8CE1-8D079C236574}.exe

Filesize
408KB

MD5
da3f602639df139850089e5ab48982f1

SHA1
5d4a6bcf197ce9a90c896dd579253bc13a2388cd

SHA256
006ab79050c95aa937b85da499533fbbafb5a7964fafc1a0349eb2cca4a8b123

SHA512
9f32b9b3bc6a2d28a72431829d963f6d6a6f8fbd02b60e305c98f563b5c40f560a60fb0f49fb65e6b2158803ef6905a5b029ac9bd3bf41902ba79a97355b55c6

Download Submit
C:\Windows\{3E514386-77AB-418c-8CE1-8D079C236574}.exe

Filesize
408KB

MD5
da3f602639df139850089e5ab48982f1

SHA1
5d4a6bcf197ce9a90c896dd579253bc13a2388cd

SHA256
006ab79050c95aa937b85da499533fbbafb5a7964fafc1a0349eb2cca4a8b123

SHA512
9f32b9b3bc6a2d28a72431829d963f6d6a6f8fbd02b60e305c98f563b5c40f560a60fb0f49fb65e6b2158803ef6905a5b029ac9bd3bf41902ba79a97355b55c6

Download Submit
C:\Windows\{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe

Filesize
408KB

MD5
fbf68c48586bf78dda6cf8a192a39d0e

SHA1
ac2354bd6873a123cf7992270986a0294d3e8401

SHA256
38bea47072f1b896473c8b768a1397afb663aa314c7309dfb87a154adf4f7434

SHA512
9d6df4e694258bb364ea96f5147f404f160628a56cc29b9ab06b457ba0780ad8775b6d121a9c887c93485072c3c30f1da3e7f4956dc5198135927640d4215fc4

Download Submit
C:\Windows\{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe

Filesize
408KB

MD5
fbf68c48586bf78dda6cf8a192a39d0e

SHA1
ac2354bd6873a123cf7992270986a0294d3e8401

SHA256
38bea47072f1b896473c8b768a1397afb663aa314c7309dfb87a154adf4f7434

SHA512
9d6df4e694258bb364ea96f5147f404f160628a56cc29b9ab06b457ba0780ad8775b6d121a9c887c93485072c3c30f1da3e7f4956dc5198135927640d4215fc4

Download Submit
C:\Windows\{51DEE142-C987-4c59-97B3-CE58BD5C4FDC}.exe

Filesize
408KB

MD5
fbf68c48586bf78dda6cf8a192a39d0e

SHA1
ac2354bd6873a123cf7992270986a0294d3e8401

SHA256
38bea47072f1b896473c8b768a1397afb663aa314c7309dfb87a154adf4f7434

SHA512
9d6df4e694258bb364ea96f5147f404f160628a56cc29b9ab06b457ba0780ad8775b6d121a9c887c93485072c3c30f1da3e7f4956dc5198135927640d4215fc4

Download Submit
C:\Windows\{780992B7-17A2-4c21-81FE-41204104607D}.exe

Filesize
408KB

MD5
42bdd5930eef6dca7ae28c749930ad10

SHA1
cda3d63f7d1f8846f0d01ff8a5affcde94cd1b84

SHA256
28442f030e0f611fa50d2cda58ed59a23400c53b8b3efdbc8de877d4c5592976

SHA512
335e8194c8b133245658684ddebca3416d8e71d160e09c7a571049ac73f6345acfd9dec2a65b49e56f3205774da43553e896aa90f0bc9fad5f1184b2683d6aa3

Download Submit
C:\Windows\{780992B7-17A2-4c21-81FE-41204104607D}.exe

Filesize
408KB

MD5
42bdd5930eef6dca7ae28c749930ad10

SHA1
cda3d63f7d1f8846f0d01ff8a5affcde94cd1b84

SHA256
28442f030e0f611fa50d2cda58ed59a23400c53b8b3efdbc8de877d4c5592976

SHA512
335e8194c8b133245658684ddebca3416d8e71d160e09c7a571049ac73f6345acfd9dec2a65b49e56f3205774da43553e896aa90f0bc9fad5f1184b2683d6aa3

Download Submit
C:\Windows\{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe

Filesize
408KB

MD5
6cd5f01e29f13f7c0621d270545047a7

SHA1
e1bc9e585bac7d08a8483c0ab3076b79cd2e9d04

SHA256
53296e0e559e6c14cb062221a9e2a84d2e7e625a4f059563bcba647db5b5981d

SHA512
3fcd0aa499b90a21f38855b253857afcd438e9a00a14af0f5069582af364c57100902e1ddee656d43d548ddb5039eb6db8a076fd7ec4f81f3dbdaeebbaca0e38

Download Submit
C:\Windows\{A6F24463-0F2C-42d2-839C-69355AF2BAB3}.exe

Filesize
408KB

MD5
6cd5f01e29f13f7c0621d270545047a7

SHA1
e1bc9e585bac7d08a8483c0ab3076b79cd2e9d04

SHA256
53296e0e559e6c14cb062221a9e2a84d2e7e625a4f059563bcba647db5b5981d

SHA512
3fcd0aa499b90a21f38855b253857afcd438e9a00a14af0f5069582af364c57100902e1ddee656d43d548ddb5039eb6db8a076fd7ec4f81f3dbdaeebbaca0e38

Download Submit
C:\Windows\{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe

Filesize
408KB

MD5
3545380bdbae258457bfa0d3eb5d09f9

SHA1
4a5a5b1c407f90d5b0a3d498bb02154e05177926

SHA256
1375ae0eba7d5c2f73c1c168d2eaa62ee3febd3722b76ef10da9e3b85a04e428

SHA512
9233189f8077238158354b2d1f5f6914a0631ad454c85783e7163d805063b9c200e115a340cf13a62a368972cb7610e2d6bd6725c5cf08396378bcaebaf39090

Download Submit
C:\Windows\{AC21837A-5632-486d-A8A4-5D3BEEB36C84}.exe

Filesize
408KB

MD5
3545380bdbae258457bfa0d3eb5d09f9

SHA1
4a5a5b1c407f90d5b0a3d498bb02154e05177926

SHA256
1375ae0eba7d5c2f73c1c168d2eaa62ee3febd3722b76ef10da9e3b85a04e428

SHA512
9233189f8077238158354b2d1f5f6914a0631ad454c85783e7163d805063b9c200e115a340cf13a62a368972cb7610e2d6bd6725c5cf08396378bcaebaf39090

Download Submit
C:\Windows\{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe

Filesize
408KB

MD5
4aa82e2c6dca2943d4f345fa2e847e53

SHA1
d318fa6c8fe0b3ee2dd82f0dcc87ebfbf86deb7f

SHA256
173c4cf173d16d23fb41659da81083dc48c6a14bb2fa6e2cf4a2af0e81e88ec7

SHA512
0bc6ecb0cf4dc04725b92e6ad0d6adc20ac0553c0385acf0900f5e85eb64c2a40434996f383755962699d24f282c8f1cdaea61a00d567903cde18df9a687d6d6

Download Submit
C:\Windows\{C14A19EF-8773-4872-B857-2573A32CFB8B}.exe

Filesize
408KB

MD5
4aa82e2c6dca2943d4f345fa2e847e53

SHA1
d318fa6c8fe0b3ee2dd82f0dcc87ebfbf86deb7f

SHA256
173c4cf173d16d23fb41659da81083dc48c6a14bb2fa6e2cf4a2af0e81e88ec7

SHA512
0bc6ecb0cf4dc04725b92e6ad0d6adc20ac0553c0385acf0900f5e85eb64c2a40434996f383755962699d24f282c8f1cdaea61a00d567903cde18df9a687d6d6

Download Submit
C:\Windows\{C669C281-44A4-4753-91D9-227E36BC0F29}.exe

Filesize
408KB

MD5
1da2cc361add392276fcdc6fe71c4b7e

SHA1
8ee308aac4b463e6f45ca6d25f57a15c554c2f1b

SHA256
b93ce4725b4de05aa22eaa394a7590a1d4cae13ac6172138a934fe999d2dbea6

SHA512
dd1a3874c5b838604d791b8e8ef7cc4f246cc056e28469e408f7cebfd6c3a240593410387a53b36f09c8d4342a1bae17db37751209d890d951ad0ea718425b44

Download Submit
C:\Windows\{C669C281-44A4-4753-91D9-227E36BC0F29}.exe

Filesize
408KB

MD5
1da2cc361add392276fcdc6fe71c4b7e

SHA1
8ee308aac4b463e6f45ca6d25f57a15c554c2f1b

SHA256
b93ce4725b4de05aa22eaa394a7590a1d4cae13ac6172138a934fe999d2dbea6

SHA512
dd1a3874c5b838604d791b8e8ef7cc4f246cc056e28469e408f7cebfd6c3a240593410387a53b36f09c8d4342a1bae17db37751209d890d951ad0ea718425b44

Download Submit
C:\Windows\{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe

Filesize
408KB

MD5
28fec100ca6c8751d004a2a75a80c370

SHA1
e91f478759b71cf866bb30f87f1e7077c8c167d4

SHA256
8716a2c55b029aa8f9fc8491acf6e89ca850d14beab1639e54753f68482c2f50

SHA512
531e72fdaa6105b15f28d0fe08699a409c035b7121e2f29eeff007fbb31e82834e1f7125ec2a615a5bde1d4bcbabb5b1f6a64d38dc0df58fd2e7871834416e9a

Download Submit
C:\Windows\{D5803436-C8E7-4e9b-B9E7-BD2A94BCE0A5}.exe

Filesize
408KB

MD5
28fec100ca6c8751d004a2a75a80c370

SHA1
e91f478759b71cf866bb30f87f1e7077c8c167d4

SHA256
8716a2c55b029aa8f9fc8491acf6e89ca850d14beab1639e54753f68482c2f50

SHA512
531e72fdaa6105b15f28d0fe08699a409c035b7121e2f29eeff007fbb31e82834e1f7125ec2a615a5bde1d4bcbabb5b1f6a64d38dc0df58fd2e7871834416e9a

Download Submit
C:\Windows\{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe

Filesize
408KB

MD5
c73da54afa68f49faa62e0e38381e62b

SHA1
4aafba9893c87d09ecb849d31f065ad9603dbb70

SHA256
85f245800a146a955dcfbe4244103641d83161f6e92d47606318a0e6ff8b2c8d

SHA512
e21c8485941e14f5a10691dbfe1db33d65b4a703364318dc1542c2e39c5534535fd86efd7f9b73354f0c7dd281472bef968bf0a6948ca2e9c2499fa9fb8d87a4

Download Submit
C:\Windows\{E697ACCC-26F8-496e-9AD4-CCFAC7B90AA9}.exe

Filesize
408KB

MD5
c73da54afa68f49faa62e0e38381e62b

SHA1
4aafba9893c87d09ecb849d31f065ad9603dbb70

SHA256
85f245800a146a955dcfbe4244103641d83161f6e92d47606318a0e6ff8b2c8d

SHA512
e21c8485941e14f5a10691dbfe1db33d65b4a703364318dc1542c2e39c5534535fd86efd7f9b73354f0c7dd281472bef968bf0a6948ca2e9c2499fa9fb8d87a4

Download Submit
C:\Windows\{E6DB62E0-444B-4a50-847A-B7743440E449}.exe

Filesize
408KB

MD5
bc122db682b699f8077c44b2ec812325

SHA1
547e3a3ba696938d17147ca54218128074a254c8

SHA256
2922bb43ee385c2230d9609a4163ede91cd2e9393b168ea520878793e6ff7905

SHA512
38221015ec9fb010b2f76b7c4a5c2a93808c99d2a3d3b5a6180ca90ff7506344112c0774e6380eeefad0b7979ef77822f7e90b141aed3cdaacf28e15ee9564e7

Download Submit
C:\Windows\{E6DB62E0-444B-4a50-847A-B7743440E449}.exe

Filesize
408KB

MD5
bc122db682b699f8077c44b2ec812325

SHA1
547e3a3ba696938d17147ca54218128074a254c8

SHA256
2922bb43ee385c2230d9609a4163ede91cd2e9393b168ea520878793e6ff7905

SHA512
38221015ec9fb010b2f76b7c4a5c2a93808c99d2a3d3b5a6180ca90ff7506344112c0774e6380eeefad0b7979ef77822f7e90b141aed3cdaacf28e15ee9564e7

Download Submit
C:\Windows\{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe

Filesize
408KB

MD5
f1512b9e875200e605a5144aa1faa02a

SHA1
b0958294ef31b0fd65b62e39bda47285b667ec6d

SHA256
9e4b1f3e882b97187e3d3363c396bf1c067b8e91926849412bc3d925bca9d41d

SHA512
2525e06b4cd4dccc46ac5ee6c748e9c0d45bfdf1f43585f04facf62586b0091dd549dfd687fa1aada7c8e1a7f4f36e410bf6c4084fd76b3a0b59e57323ecc991

Download Submit
C:\Windows\{EF973B0F-1A6E-4949-8854-E458FC75CF27}.exe

Filesize
408KB

MD5
f1512b9e875200e605a5144aa1faa02a

SHA1
b0958294ef31b0fd65b62e39bda47285b667ec6d

SHA256
9e4b1f3e882b97187e3d3363c396bf1c067b8e91926849412bc3d925bca9d41d

SHA512
2525e06b4cd4dccc46ac5ee6c748e9c0d45bfdf1f43585f04facf62586b0091dd549dfd687fa1aada7c8e1a7f4f36e410bf6c4084fd76b3a0b59e57323ecc991

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads