2edc6b0ec326b6292d06a3417b3973012c8d6a5e4ec68d0c69b6ed535feb9577

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe
Size

372KB
MD5

d8ab6304238628efee257e128b5ac649
SHA1

d7561440334f36def6469616a6556ed6db99625c
SHA256

2edc6b0ec326b6292d06a3417b3973012c8d6a5e4ec68d0c69b6ed535feb9577
SHA512

6d27ebbf130fb07aa37bca353b979f32f687e50de2002c073d86b4646b770133f03eb3a7f34cc868041cef24dc88d994bb6030fd9bf90720f13d3d24f20e1dda
SSDEEP

3072:CEGh0oylMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGQlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0410E3B4-C541-45c1-9CA4-87C501F56AE9}\stubpath = "C:\\Windows\\{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe"	{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA373BCC-E13A-4bc6-9796-72377DCAA86F}	{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65411AEA-E893-4182-A6FC-24FE8A5BE39E}	{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}\stubpath = "C:\\Windows\\{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe"	{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D62694A6-3697-4658-A3EB-53D8AB6157C2}	{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B178CA71-D48F-4423-9B64-20ACF2BD9086}	{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B178CA71-D48F-4423-9B64-20ACF2BD9086}\stubpath = "C:\\Windows\\{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe"	{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D62694A6-3697-4658-A3EB-53D8AB6157C2}\stubpath = "C:\\Windows\\{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe"	{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}	{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5FE6031-DD06-4db3-A3B8-49876FC36767}\stubpath = "C:\\Windows\\{C5FE6031-DD06-4db3-A3B8-49876FC36767}.exe"	{8B3B618C-54C4-4b25-B6CF-53052474B267}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}\stubpath = "C:\\Windows\\{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe"	{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38CF5D61-97DF-4509-B410-8683F2EBB46B}\stubpath = "C:\\Windows\\{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe"	{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B3B618C-54C4-4b25-B6CF-53052474B267}	{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B3B618C-54C4-4b25-B6CF-53052474B267}\stubpath = "C:\\Windows\\{8B3B618C-54C4-4b25-B6CF-53052474B267}.exe"	{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}\stubpath = "C:\\Windows\\{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe"	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38CF5D61-97DF-4509-B410-8683F2EBB46B}	{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65411AEA-E893-4182-A6FC-24FE8A5BE39E}\stubpath = "C:\\Windows\\{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe"	{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}	{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}\stubpath = "C:\\Windows\\{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe"	{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5FE6031-DD06-4db3-A3B8-49876FC36767}	{8B3B618C-54C4-4b25-B6CF-53052474B267}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}	{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0410E3B4-C541-45c1-9CA4-87C501F56AE9}	{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA373BCC-E13A-4bc6-9796-72377DCAA86F}\stubpath = "C:\\Windows\\{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe"	{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe

Executes dropped EXE 11 IoCs

pid	Process
4176	{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe
4936	{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe
5104	{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe
3348	{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe
3140	{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe
4508	{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe
4376	{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe
4604	{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe
812	{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe
3392	{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe
2448	{8B3B618C-54C4-4b25-B6CF-53052474B267}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe	{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe
File created	C:\Windows\{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe	{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe
File created	C:\Windows\{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe
File created	C:\Windows\{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe	{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe
File created	C:\Windows\{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe	{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe
File created	C:\Windows\{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe	{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe
File created	C:\Windows\{8B3B618C-54C4-4b25-B6CF-53052474B267}.exe	{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe
File created	C:\Windows\{C5FE6031-DD06-4db3-A3B8-49876FC36767}.exe	{8B3B618C-54C4-4b25-B6CF-53052474B267}.exe
File created	C:\Windows\{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe	{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe
File created	C:\Windows\{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe	{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe
File created	C:\Windows\{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe	{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe
File created	C:\Windows\{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe	{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4588	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4176	{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe
Token: SeIncBasePriorityPrivilege	4936	{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe
Token: SeIncBasePriorityPrivilege	5104	{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe
Token: SeIncBasePriorityPrivilege	3348	{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe
Token: SeIncBasePriorityPrivilege	3140	{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe
Token: SeIncBasePriorityPrivilege	4508	{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe
Token: SeIncBasePriorityPrivilege	4376	{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe
Token: SeIncBasePriorityPrivilege	4604	{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe
Token: SeIncBasePriorityPrivilege	812	{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe
Token: SeIncBasePriorityPrivilege	3392	{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4176	4588	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	99
PID 4588 wrote to memory of 4176	4588	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	99
PID 4588 wrote to memory of 4176	4588	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	99
PID 4588 wrote to memory of 1624	4588	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	98
PID 4588 wrote to memory of 1624	4588	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	98
PID 4588 wrote to memory of 1624	4588	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	98
PID 4176 wrote to memory of 4936	4176	{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe	100
PID 4176 wrote to memory of 4936	4176	{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe	100
PID 4176 wrote to memory of 4936	4176	{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe	100
PID 4176 wrote to memory of 4584	4176	{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe	101
PID 4176 wrote to memory of 4584	4176	{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe	101
PID 4176 wrote to memory of 4584	4176	{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe	101
PID 4936 wrote to memory of 5104	4936	{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe	107
PID 4936 wrote to memory of 5104	4936	{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe	107
PID 4936 wrote to memory of 5104	4936	{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe	107
PID 4936 wrote to memory of 3516	4936	{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe	106
PID 4936 wrote to memory of 3516	4936	{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe	106
PID 4936 wrote to memory of 3516	4936	{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe	106
PID 5104 wrote to memory of 3348	5104	{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe	112
PID 5104 wrote to memory of 3348	5104	{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe	112
PID 5104 wrote to memory of 3348	5104	{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe	112
PID 5104 wrote to memory of 4148	5104	{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe	113
PID 5104 wrote to memory of 4148	5104	{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe	113
PID 5104 wrote to memory of 4148	5104	{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe	113
PID 3348 wrote to memory of 3140	3348	{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe	114
PID 3348 wrote to memory of 3140	3348	{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe	114
PID 3348 wrote to memory of 3140	3348	{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe	114
PID 3348 wrote to memory of 4304	3348	{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe	115
PID 3348 wrote to memory of 4304	3348	{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe	115
PID 3348 wrote to memory of 4304	3348	{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe	115
PID 3140 wrote to memory of 4508	3140	{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe	116
PID 3140 wrote to memory of 4508	3140	{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe	116
PID 3140 wrote to memory of 4508	3140	{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe	116
PID 3140 wrote to memory of 5052	3140	{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe	117
PID 3140 wrote to memory of 5052	3140	{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe	117
PID 3140 wrote to memory of 5052	3140	{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe	117
PID 4508 wrote to memory of 4376	4508	{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe	119
PID 4508 wrote to memory of 4376	4508	{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe	119
PID 4508 wrote to memory of 4376	4508	{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe	119
PID 4508 wrote to memory of 4688	4508	{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe	120
PID 4508 wrote to memory of 4688	4508	{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe	120
PID 4508 wrote to memory of 4688	4508	{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe	120
PID 4376 wrote to memory of 4604	4376	{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe	121
PID 4376 wrote to memory of 4604	4376	{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe	121
PID 4376 wrote to memory of 4604	4376	{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe	121
PID 4376 wrote to memory of 4816	4376	{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe	122
PID 4376 wrote to memory of 4816	4376	{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe	122
PID 4376 wrote to memory of 4816	4376	{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe	122
PID 4604 wrote to memory of 812	4604	{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe	123
PID 4604 wrote to memory of 812	4604	{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe	123
PID 4604 wrote to memory of 812	4604	{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe	123
PID 4604 wrote to memory of 4540	4604	{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe	124
PID 4604 wrote to memory of 4540	4604	{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe	124
PID 4604 wrote to memory of 4540	4604	{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe	124
PID 812 wrote to memory of 3392	812	{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe	125
PID 812 wrote to memory of 3392	812	{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe	125
PID 812 wrote to memory of 3392	812	{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe	125
PID 812 wrote to memory of 4512	812	{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe	126
PID 812 wrote to memory of 4512	812	{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe	126
PID 812 wrote to memory of 4512	812	{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe	126
PID 3392 wrote to memory of 2448	3392	{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe	127
PID 3392 wrote to memory of 2448	3392	{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe	127
PID 3392 wrote to memory of 2448	3392	{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe	127
PID 3392 wrote to memory of 3908	3392	{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe	128

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:1624
- C:\Windows\{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe
  C:\Windows\{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe
    C:\Windows\{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FC75E~1.EXE > nul
      4⤵
      PID:3516
  - - C:\Windows\{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe
      C:\Windows\{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Windows\{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe
        
        C:\Windows\{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3348
      - C:\Windows\{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe
        
        C:\Windows\{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe
        
        C:\Windows\{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe
        
        C:\Windows\{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe
        
        C:\Windows\{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe
        
        C:\Windows\{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe
        
        C:\Windows\{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\{8B3B618C-54C4-4b25-B6CF-53052474B267}.exe
        
        C:\Windows\{8B3B618C-54C4-4b25-B6CF-53052474B267}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3341B~1.EXE > nul
        12⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6269~1.EXE > nul
        11⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76B8E~1.EXE > nul
        10⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65411~1.EXE > nul
        9⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA373~1.EXE > nul
        8⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38CF5~1.EXE > nul
        7⤵
        
        PID:5052
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0410E~1.EXE > nul
        6⤵
        
        PID:4304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B178C~1.EXE > nul
        5⤵
        
        PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E75E7~1.EXE > nul
    3⤵
    PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe

Filesize
372KB

MD5
64755c2f8840371195fcd109ba9dcc16

SHA1
5634c6ed0dc6e62ec4ec6135752d650988803593

SHA256
08b1c438189a55985dee939f96ef8fef7d7efb328367e5c68dc7c8cf46d87a25

SHA512
9296dc5862231fa9e150cf46b456bce2af26f041bd411828a0d0345fb5abc8ce15e5a2f950389292cb22508489081e4600c51f0651b81c39932fcf08ddf11de0

Download Submit
C:\Windows\{0410E3B4-C541-45c1-9CA4-87C501F56AE9}.exe

Filesize
372KB

MD5
64755c2f8840371195fcd109ba9dcc16

SHA1
5634c6ed0dc6e62ec4ec6135752d650988803593

SHA256
08b1c438189a55985dee939f96ef8fef7d7efb328367e5c68dc7c8cf46d87a25

SHA512
9296dc5862231fa9e150cf46b456bce2af26f041bd411828a0d0345fb5abc8ce15e5a2f950389292cb22508489081e4600c51f0651b81c39932fcf08ddf11de0

Download Submit
C:\Windows\{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe

Filesize
372KB

MD5
d036fc110296db952145bc40dabae5b3

SHA1
bcfcc2e81b218101bd7794e1bb4c357d417db838

SHA256
6d37838bae9e99dbdc6d5e6aa8348f661b65fe196772f09feff90e3f358c8ff1

SHA512
07dfda22dbed25923f9f10afda4090f62a4ebb860c6cfff81f03f21812bd0a1b9eea08d8c7cf5eb9dcb07f3cec78a79054c9859e3ed0672a4542ba410d67e589

Download Submit
C:\Windows\{3341BD83-F784-4c2e-B5ED-8B9DF5A0F537}.exe

Filesize
372KB

MD5
d036fc110296db952145bc40dabae5b3

SHA1
bcfcc2e81b218101bd7794e1bb4c357d417db838

SHA256
6d37838bae9e99dbdc6d5e6aa8348f661b65fe196772f09feff90e3f358c8ff1

SHA512
07dfda22dbed25923f9f10afda4090f62a4ebb860c6cfff81f03f21812bd0a1b9eea08d8c7cf5eb9dcb07f3cec78a79054c9859e3ed0672a4542ba410d67e589

Download Submit
C:\Windows\{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe

Filesize
372KB

MD5
cc307f0c2de089c23287bea945a19941

SHA1
649010135e480beee346f81a76e781df780956c2

SHA256
223b256b6d0f241bd56ba0cf5403190d108088d99f462aabab424b0aa3bc41b4

SHA512
35d962ee02dc86bb9555fd7a5b1db7d090199d54af72d1bf197cb1dd3ec789d717b9d82039951be821f4ffc5b4de62234ed1796a38316bcbe5eaad3f806d9814

Download Submit
C:\Windows\{38CF5D61-97DF-4509-B410-8683F2EBB46B}.exe

Filesize
372KB

MD5
cc307f0c2de089c23287bea945a19941

SHA1
649010135e480beee346f81a76e781df780956c2

SHA256
223b256b6d0f241bd56ba0cf5403190d108088d99f462aabab424b0aa3bc41b4

SHA512
35d962ee02dc86bb9555fd7a5b1db7d090199d54af72d1bf197cb1dd3ec789d717b9d82039951be821f4ffc5b4de62234ed1796a38316bcbe5eaad3f806d9814

Download Submit
C:\Windows\{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe

Filesize
372KB

MD5
4d4acd788be719f8bcbed6d4ec0f6d6e

SHA1
80a736928f916e290f66c591b7091ffedaa71a77

SHA256
a7bff83fe3d82e6b954940eaf9b2999905ce793a19fa2d5cfce433f76c0e21d6

SHA512
e1a1c5beb3a4d52ecda9c128bd5b3b38dc1162624bb4d6ef06dc183786935f3b47c8b06cd7e548cae1c15b218f4f1120c13fe372bd7d8130f6a5cc0c4ef6edaf

Download Submit
C:\Windows\{65411AEA-E893-4182-A6FC-24FE8A5BE39E}.exe

Filesize
372KB

MD5
4d4acd788be719f8bcbed6d4ec0f6d6e

SHA1
80a736928f916e290f66c591b7091ffedaa71a77

SHA256
a7bff83fe3d82e6b954940eaf9b2999905ce793a19fa2d5cfce433f76c0e21d6

SHA512
e1a1c5beb3a4d52ecda9c128bd5b3b38dc1162624bb4d6ef06dc183786935f3b47c8b06cd7e548cae1c15b218f4f1120c13fe372bd7d8130f6a5cc0c4ef6edaf

Download Submit
C:\Windows\{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe

Filesize
372KB

MD5
cb97b589eb5793da06ac6632d9dc99cf

SHA1
77ccb3e9e30c3fce3249bd17e4d842e92847e345

SHA256
1daa2cf7950dbbc5f0b6ddb5e76ba8008a06b1453d63563e00b3eaabf7df0ce8

SHA512
6d3ea8090b0e4936b59c5feb1b200e41ad654ba26e1a7f4cd112b7fb66e42a922176355eeafbffdd5d2f9c5ff95bf067d5713422552d559850c0a22b9b0f2868

Download Submit
C:\Windows\{76B8EA96-B0D8-400d-8235-60DCFA81BEE1}.exe

Filesize
372KB

MD5
cb97b589eb5793da06ac6632d9dc99cf

SHA1
77ccb3e9e30c3fce3249bd17e4d842e92847e345

SHA256
1daa2cf7950dbbc5f0b6ddb5e76ba8008a06b1453d63563e00b3eaabf7df0ce8

SHA512
6d3ea8090b0e4936b59c5feb1b200e41ad654ba26e1a7f4cd112b7fb66e42a922176355eeafbffdd5d2f9c5ff95bf067d5713422552d559850c0a22b9b0f2868

Download Submit
C:\Windows\{8B3B618C-54C4-4b25-B6CF-53052474B267}.exe

Filesize
372KB

MD5
bdc75ccfa4619005e61bd05d0f91fe79

SHA1
3a058c8373efca0d76d196840b38ddc6c5b32781

SHA256
f329679431ee5a53726c51c91a528b5631a823991795254749ddc7d38d7e6207

SHA512
4d0a9a217d4f686b430c363f7dd5ae34a9afa8a77db350c3fb818e2d6a6f1310d221ee54bfa5a4f4d06860d9d5be39967d3300992748c4708fbd750679d90d26

Download Submit
C:\Windows\{8B3B618C-54C4-4b25-B6CF-53052474B267}.exe

Filesize
372KB

MD5
bdc75ccfa4619005e61bd05d0f91fe79

SHA1
3a058c8373efca0d76d196840b38ddc6c5b32781

SHA256
f329679431ee5a53726c51c91a528b5631a823991795254749ddc7d38d7e6207

SHA512
4d0a9a217d4f686b430c363f7dd5ae34a9afa8a77db350c3fb818e2d6a6f1310d221ee54bfa5a4f4d06860d9d5be39967d3300992748c4708fbd750679d90d26

Download Submit
C:\Windows\{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe

Filesize
372KB

MD5
51b3d8aa76076abcbb0781245352995e

SHA1
8ad8e6d6cb05e52ba2ae342aa9da81aaa0063ec4

SHA256
347409e0c8f671b75f06688b0b5acd0601f2b4bdb19db953fd80c530e95f7e96

SHA512
86a92f782a43f5c01e6a275de55dd2621ade62614ba75bbe1c27f7377aa47cb65b3d11f7b183d2c9760ccd42ad114c68eea4036992a5e61fb30c40e3e215c4f5

Download Submit
C:\Windows\{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe

Filesize
372KB

MD5
51b3d8aa76076abcbb0781245352995e

SHA1
8ad8e6d6cb05e52ba2ae342aa9da81aaa0063ec4

SHA256
347409e0c8f671b75f06688b0b5acd0601f2b4bdb19db953fd80c530e95f7e96

SHA512
86a92f782a43f5c01e6a275de55dd2621ade62614ba75bbe1c27f7377aa47cb65b3d11f7b183d2c9760ccd42ad114c68eea4036992a5e61fb30c40e3e215c4f5

Download Submit
C:\Windows\{B178CA71-D48F-4423-9B64-20ACF2BD9086}.exe

Filesize
372KB

MD5
51b3d8aa76076abcbb0781245352995e

SHA1
8ad8e6d6cb05e52ba2ae342aa9da81aaa0063ec4

SHA256
347409e0c8f671b75f06688b0b5acd0601f2b4bdb19db953fd80c530e95f7e96

SHA512
86a92f782a43f5c01e6a275de55dd2621ade62614ba75bbe1c27f7377aa47cb65b3d11f7b183d2c9760ccd42ad114c68eea4036992a5e61fb30c40e3e215c4f5

Download Submit
C:\Windows\{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe

Filesize
372KB

MD5
0ec0222b57c55e407034d289d12a2c47

SHA1
64e923bca2fd2f7fca12170238f09c8bdbb01d43

SHA256
5d3073e8ce3ca840336509e96b6867c8ecb2b253b2d0a7165334ef179b305dd9

SHA512
8cf45d7758ebbdbadeb8852ab06750dd9369fc22c6970f13822bbb5a28b0df9e215f6bea802464cf349724da891823c2f1d908c0be0e5ff730dff921c84b4f61

Download Submit
C:\Windows\{CA373BCC-E13A-4bc6-9796-72377DCAA86F}.exe

Filesize
372KB

MD5
0ec0222b57c55e407034d289d12a2c47

SHA1
64e923bca2fd2f7fca12170238f09c8bdbb01d43

SHA256
5d3073e8ce3ca840336509e96b6867c8ecb2b253b2d0a7165334ef179b305dd9

SHA512
8cf45d7758ebbdbadeb8852ab06750dd9369fc22c6970f13822bbb5a28b0df9e215f6bea802464cf349724da891823c2f1d908c0be0e5ff730dff921c84b4f61

Download Submit
C:\Windows\{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe

Filesize
372KB

MD5
ccaedabb79bcf416830972737e49eac3

SHA1
2aa4331826c7185fba1d72ee64fedf39f1ced845

SHA256
52e1bb4e902d49d77e60632d3dae294fd68db4929fa8a5130d74fdf819fd9c5e

SHA512
e5069fef623cdf8bdeee4e3320bb9409b5d386da9a323b5b9ed07956f7593c66136fe3a254bde5e817b2aaca148d1123fe5df96acb79d34d1ccdef5a75dba956

Download Submit
C:\Windows\{D62694A6-3697-4658-A3EB-53D8AB6157C2}.exe

Filesize
372KB

MD5
ccaedabb79bcf416830972737e49eac3

SHA1
2aa4331826c7185fba1d72ee64fedf39f1ced845

SHA256
52e1bb4e902d49d77e60632d3dae294fd68db4929fa8a5130d74fdf819fd9c5e

SHA512
e5069fef623cdf8bdeee4e3320bb9409b5d386da9a323b5b9ed07956f7593c66136fe3a254bde5e817b2aaca148d1123fe5df96acb79d34d1ccdef5a75dba956

Download Submit
C:\Windows\{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe

Filesize
372KB

MD5
69b40fcc38062ef0315fe42500c23eb3

SHA1
4173073dcaffcbc6b9ba5d6eee0288bdcffe0564

SHA256
89b572df56983d3b9dede9295f6830cf688a450c33d6f2d169031673bc7d347f

SHA512
e4e52e384f62546c35e8a341051b583b22af493157a653f2647cddb980f02f93e18bfb8518a9fb5c3163158108acf14c4659710d8bb33190b02a866028822d8c

Download Submit
C:\Windows\{E75E7ABE-D6BD-44c0-A028-2073DAA9032D}.exe

Filesize
372KB

MD5
69b40fcc38062ef0315fe42500c23eb3

SHA1
4173073dcaffcbc6b9ba5d6eee0288bdcffe0564

SHA256
89b572df56983d3b9dede9295f6830cf688a450c33d6f2d169031673bc7d347f

SHA512
e4e52e384f62546c35e8a341051b583b22af493157a653f2647cddb980f02f93e18bfb8518a9fb5c3163158108acf14c4659710d8bb33190b02a866028822d8c

Download Submit
C:\Windows\{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe

Filesize
372KB

MD5
d685cd1b762b4bd9adaf7f56c7f85285

SHA1
4c4b02de1e65340e13ae9725bd7e7258087fe2c5

SHA256
c6c308aa147bacdb103b6d33856900500f06639d426aecba2884ab8ccd61de39

SHA512
a52999d35da0624eacfeba8e76b428a94fee3e99b0f9ddfee262dde70cb73a28537be6c73145d971220c9c96a4333639fc7fc4e66c1c9e68cf18ac53ebb2c1dc

Download Submit
C:\Windows\{FC75E39C-5A6A-4111-A1E2-2DC1FEE43271}.exe

Filesize
372KB

MD5
d685cd1b762b4bd9adaf7f56c7f85285

SHA1
4c4b02de1e65340e13ae9725bd7e7258087fe2c5

SHA256
c6c308aa147bacdb103b6d33856900500f06639d426aecba2884ab8ccd61de39

SHA512
a52999d35da0624eacfeba8e76b428a94fee3e99b0f9ddfee262dde70cb73a28537be6c73145d971220c9c96a4333639fc7fc4e66c1c9e68cf18ac53ebb2c1dc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads