885c5c6c97816ea652c0aa76ca4b2ccdc7eded6e4d126e610e114c1b5dcacf77

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 05:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_64af9364d16efe66322814e5f0f5c107_goldeneye.exe
Size

216KB
MD5

64af9364d16efe66322814e5f0f5c107
SHA1

5e8d24396ed2c26a0f61630038ff2aa9d4aad44a
SHA256

885c5c6c97816ea652c0aa76ca4b2ccdc7eded6e4d126e610e114c1b5dcacf77
SHA512

4ee481e21ee753fdc7950ab91c70f21fe764c3bd7ad329cb21b2551e3b27c47ef6f7b15da21b340bfa35a530c7448c5a9c80d86701dd2e5c82958c66626cff43
SSDEEP

3072:jEGh0ofl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGNlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}\stubpath = "C:\\Windows\\{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe"	{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}	{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B645C9E8-BA20-4915-96BB-062C7193113E}	{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}	{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B461606E-666F-4ad5-ADFF-BDBE8930389E}	{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F71C0E72-6470-4ec3-80E8-67BD82180E2F}	{B461606E-666F-4ad5-ADFF-BDBE8930389E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}	{2202B763-E47D-440f-9B87-30E81C22E57A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}\stubpath = "C:\\Windows\\{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe"	{2202B763-E47D-440f-9B87-30E81C22E57A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}\stubpath = "C:\\Windows\\{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe"	{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{189C1C6F-9631-4c4f-BE72-3395D9554E05}	{B645C9E8-BA20-4915-96BB-062C7193113E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}\stubpath = "C:\\Windows\\{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe"	{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}\stubpath = "C:\\Windows\\{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe"	{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}\stubpath = "C:\\Windows\\{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe"	{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B461606E-666F-4ad5-ADFF-BDBE8930389E}\stubpath = "C:\\Windows\\{B461606E-666F-4ad5-ADFF-BDBE8930389E}.exe"	{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2202B763-E47D-440f-9B87-30E81C22E57A}	2024-01-09_64af9364d16efe66322814e5f0f5c107_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2202B763-E47D-440f-9B87-30E81C22E57A}\stubpath = "C:\\Windows\\{2202B763-E47D-440f-9B87-30E81C22E57A}.exe"	2024-01-09_64af9364d16efe66322814e5f0f5c107_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{639CE35A-11FE-4503-81FF-89DBCD0C8F10}	{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{189C1C6F-9631-4c4f-BE72-3395D9554E05}\stubpath = "C:\\Windows\\{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe"	{B645C9E8-BA20-4915-96BB-062C7193113E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}	{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F71C0E72-6470-4ec3-80E8-67BD82180E2F}\stubpath = "C:\\Windows\\{F71C0E72-6470-4ec3-80E8-67BD82180E2F}.exe"	{B461606E-666F-4ad5-ADFF-BDBE8930389E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{639CE35A-11FE-4503-81FF-89DBCD0C8F10}\stubpath = "C:\\Windows\\{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe"	{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}	{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B645C9E8-BA20-4915-96BB-062C7193113E}\stubpath = "C:\\Windows\\{B645C9E8-BA20-4915-96BB-062C7193113E}.exe"	{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}	{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe

Executes dropped EXE 12 IoCs

pid	Process
3040	{2202B763-E47D-440f-9B87-30E81C22E57A}.exe
2368	{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe
1844	{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe
3964	{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe
3008	{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe
60	{B645C9E8-BA20-4915-96BB-062C7193113E}.exe
4988	{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe
4668	{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe
3868	{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe
1512	{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe
1876	{B461606E-666F-4ad5-ADFF-BDBE8930389E}.exe
936	{F71C0E72-6470-4ec3-80E8-67BD82180E2F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe	{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe
File created	C:\Windows\{B645C9E8-BA20-4915-96BB-062C7193113E}.exe	{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe
File created	C:\Windows\{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe	{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe
File created	C:\Windows\{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe	{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe
File created	C:\Windows\{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe	{B645C9E8-BA20-4915-96BB-062C7193113E}.exe
File created	C:\Windows\{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe	{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe
File created	C:\Windows\{B461606E-666F-4ad5-ADFF-BDBE8930389E}.exe	{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe
File created	C:\Windows\{F71C0E72-6470-4ec3-80E8-67BD82180E2F}.exe	{B461606E-666F-4ad5-ADFF-BDBE8930389E}.exe
File created	C:\Windows\{2202B763-E47D-440f-9B87-30E81C22E57A}.exe	2024-01-09_64af9364d16efe66322814e5f0f5c107_goldeneye.exe
File created	C:\Windows\{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe	{2202B763-E47D-440f-9B87-30E81C22E57A}.exe
File created	C:\Windows\{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe	{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe
File created	C:\Windows\{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe	{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1656	2024-01-09_64af9364d16efe66322814e5f0f5c107_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3040	{2202B763-E47D-440f-9B87-30E81C22E57A}.exe
Token: SeIncBasePriorityPrivilege	2368	{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe
Token: SeIncBasePriorityPrivilege	1844	{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe
Token: SeIncBasePriorityPrivilege	3964	{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe
Token: SeIncBasePriorityPrivilege	3008	{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe
Token: SeIncBasePriorityPrivilege	60	{B645C9E8-BA20-4915-96BB-062C7193113E}.exe
Token: SeIncBasePriorityPrivilege	4988	{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe
Token: SeIncBasePriorityPrivilege	4668	{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe
Token: SeIncBasePriorityPrivilege	3868	{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe
Token: SeIncBasePriorityPrivilege	1512	{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe
Token: SeIncBasePriorityPrivilege	1876	{B461606E-666F-4ad5-ADFF-BDBE8930389E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 3040	1656	2024-01-09_64af9364d16efe66322814e5f0f5c107_goldeneye.exe	98
PID 1656 wrote to memory of 3040	1656	2024-01-09_64af9364d16efe66322814e5f0f5c107_goldeneye.exe	98
PID 1656 wrote to memory of 3040	1656	2024-01-09_64af9364d16efe66322814e5f0f5c107_goldeneye.exe	98
PID 1656 wrote to memory of 2064	1656	2024-01-09_64af9364d16efe66322814e5f0f5c107_goldeneye.exe	97
PID 1656 wrote to memory of 2064	1656	2024-01-09_64af9364d16efe66322814e5f0f5c107_goldeneye.exe	97
PID 1656 wrote to memory of 2064	1656	2024-01-09_64af9364d16efe66322814e5f0f5c107_goldeneye.exe	97
PID 3040 wrote to memory of 2368	3040	{2202B763-E47D-440f-9B87-30E81C22E57A}.exe	102
PID 3040 wrote to memory of 2368	3040	{2202B763-E47D-440f-9B87-30E81C22E57A}.exe	102
PID 3040 wrote to memory of 2368	3040	{2202B763-E47D-440f-9B87-30E81C22E57A}.exe	102
PID 3040 wrote to memory of 1944	3040	{2202B763-E47D-440f-9B87-30E81C22E57A}.exe	101
PID 3040 wrote to memory of 1944	3040	{2202B763-E47D-440f-9B87-30E81C22E57A}.exe	101
PID 3040 wrote to memory of 1944	3040	{2202B763-E47D-440f-9B87-30E81C22E57A}.exe	101
PID 2368 wrote to memory of 1844	2368	{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe	106
PID 2368 wrote to memory of 1844	2368	{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe	106
PID 2368 wrote to memory of 1844	2368	{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe	106
PID 2368 wrote to memory of 4784	2368	{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe	105
PID 2368 wrote to memory of 4784	2368	{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe	105
PID 2368 wrote to memory of 4784	2368	{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe	105
PID 1844 wrote to memory of 3964	1844	{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe	107
PID 1844 wrote to memory of 3964	1844	{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe	107
PID 1844 wrote to memory of 3964	1844	{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe	107
PID 1844 wrote to memory of 1956	1844	{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe	108
PID 1844 wrote to memory of 1956	1844	{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe	108
PID 1844 wrote to memory of 1956	1844	{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe	108
PID 3964 wrote to memory of 3008	3964	{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe	110
PID 3964 wrote to memory of 3008	3964	{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe	110
PID 3964 wrote to memory of 3008	3964	{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe	110
PID 3964 wrote to memory of 2312	3964	{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe	109
PID 3964 wrote to memory of 2312	3964	{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe	109
PID 3964 wrote to memory of 2312	3964	{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe	109
PID 3008 wrote to memory of 60	3008	{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe	114
PID 3008 wrote to memory of 60	3008	{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe	114
PID 3008 wrote to memory of 60	3008	{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe	114
PID 3008 wrote to memory of 1952	3008	{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe	113
PID 3008 wrote to memory of 1952	3008	{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe	113
PID 3008 wrote to memory of 1952	3008	{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe	113
PID 60 wrote to memory of 4988	60	{B645C9E8-BA20-4915-96BB-062C7193113E}.exe	116
PID 60 wrote to memory of 4988	60	{B645C9E8-BA20-4915-96BB-062C7193113E}.exe	116
PID 60 wrote to memory of 4988	60	{B645C9E8-BA20-4915-96BB-062C7193113E}.exe	116
PID 60 wrote to memory of 2688	60	{B645C9E8-BA20-4915-96BB-062C7193113E}.exe	115
PID 60 wrote to memory of 2688	60	{B645C9E8-BA20-4915-96BB-062C7193113E}.exe	115
PID 60 wrote to memory of 2688	60	{B645C9E8-BA20-4915-96BB-062C7193113E}.exe	115
PID 4988 wrote to memory of 4668	4988	{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe	120
PID 4988 wrote to memory of 4668	4988	{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe	120
PID 4988 wrote to memory of 4668	4988	{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe	120
PID 4988 wrote to memory of 552	4988	{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe	119
PID 4988 wrote to memory of 552	4988	{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe	119
PID 4988 wrote to memory of 552	4988	{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe	119
PID 4668 wrote to memory of 3868	4668	{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe	124
PID 4668 wrote to memory of 3868	4668	{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe	124
PID 4668 wrote to memory of 3868	4668	{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe	124
PID 4668 wrote to memory of 216	4668	{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe	123
PID 4668 wrote to memory of 216	4668	{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe	123
PID 4668 wrote to memory of 216	4668	{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe	123
PID 3868 wrote to memory of 1512	3868	{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe	129
PID 3868 wrote to memory of 1512	3868	{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe	129
PID 3868 wrote to memory of 1512	3868	{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe	129
PID 3868 wrote to memory of 3552	3868	{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe	128
PID 3868 wrote to memory of 3552	3868	{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe	128
PID 3868 wrote to memory of 3552	3868	{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe	128
PID 1512 wrote to memory of 1876	1512	{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe	130
PID 1512 wrote to memory of 1876	1512	{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe	130
PID 1512 wrote to memory of 1876	1512	{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe	130
PID 1512 wrote to memory of 4068	1512	{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-01-09_64af9364d16efe66322814e5f0f5c107_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_64af9364d16efe66322814e5f0f5c107_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2064
- C:\Windows\{2202B763-E47D-440f-9B87-30E81C22E57A}.exe
  C:\Windows\{2202B763-E47D-440f-9B87-30E81C22E57A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2202B~1.EXE > nul
    3⤵
    PID:1944
- - C:\Windows\{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe
    C:\Windows\{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0281E~1.EXE > nul
      4⤵
      PID:4784
  - - C:\Windows\{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe
      C:\Windows\{639CE35A-11FE-4503-81FF-89DBCD0C8F10}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Windows\{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe
        
        C:\Windows\{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4080~1.EXE > nul
        6⤵
        
        PID:2312
      - C:\Windows\{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe
        
        C:\Windows\{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D573~1.EXE > nul
        7⤵
        
        PID:1952
        
        C:\Windows\{B645C9E8-BA20-4915-96BB-062C7193113E}.exe
        
        C:\Windows\{B645C9E8-BA20-4915-96BB-062C7193113E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B645C~1.EXE > nul
        8⤵
        
        PID:2688
        
        C:\Windows\{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe
        
        C:\Windows\{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{189C1~1.EXE > nul
        9⤵
        
        PID:552
        
        C:\Windows\{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe
        
        C:\Windows\{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA9C3~1.EXE > nul
        10⤵
        
        PID:216
        
        C:\Windows\{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe
        
        C:\Windows\{7B8B4E2E-94DA-44cb-8E0A-FE8F0F721575}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B8B4~1.EXE > nul
        11⤵
        
        PID:3552
        
        C:\Windows\{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe
        
        C:\Windows\{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{B461606E-666F-4ad5-ADFF-BDBE8930389E}.exe
        
        C:\Windows\{B461606E-666F-4ad5-ADFF-BDBE8930389E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\{F71C0E72-6470-4ec3-80E8-67BD82180E2F}.exe
        
        C:\Windows\{F71C0E72-6470-4ec3-80E8-67BD82180E2F}.exe
        13⤵
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4616~1.EXE > nul
        13⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1B31~1.EXE > nul
        12⤵
        
        PID:4068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{639CE~1.EXE > nul
        5⤵
        
        PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe

Filesize
216KB

MD5
0cd268a2204754a5893226c98b6a7a9c

SHA1
4c5fbde215e870c1388a3a7aa10e156b000d0e19

SHA256
693e9e54537305e3e1f50270573046afe7099ad3735c71a80829b84d9b54fb91

SHA512
dd00209f9699184bd89411883247853fdfb4d49c4866fa771b8fe8199fab05262df88dd0daeb9d592fb4642ae30a49a97cdf307f0bb246bcbc575fbe3b5d360f

Download Submit
C:\Windows\{0281E0E5-1FB2-447c-BD81-9F9CA912FE1A}.exe

Filesize
92KB

MD5
a8a19d2446523cf5c66c1a40e82a6b3c

SHA1
898c5057ade61c07c29284791ed1cee89f602868

SHA256
fe644eb5a6af4b1c9789df0338a7f6fa9fc9b949c5a9b753b02c39f430a1dbf7

SHA512
76f0ff3e080e9108f66f5b38179ceaadd9b3878ce713ccaffb3119a82591ce8623f56e90448069adf26e39a77b8cbfb7a695aa8db51c793828d17d6a6360299c

Download Submit
C:\Windows\{189C1C6F-9631-4c4f-BE72-3395D9554E05}.exe

Filesize
216KB

MD5
2111e20dacd6f74cae70bb76c783ce5c

SHA1
931bc4ac93d9ce90be4c9c1d62ea0d1d8389f1d1

SHA256
cd5f3672f309f74912afdbc3d732d2d6bfd6a2b6ca2eef2c1b2b2519f7f86ef9

SHA512
08dd4565e28844157c11cbabfe6407e26b8847d681d2305da591c3398f43ef57255811ffead63550118246ba4a4d5c94c5e03be4aad357e7160bee60d051477f

Download Submit
C:\Windows\{2202B763-E47D-440f-9B87-30E81C22E57A}.exe

Filesize
92KB

MD5
0e817bb052dea83eb6cf1837fcd4cad2

SHA1
ef200ccf5adbb063de8310333d08d7ac85762db9

SHA256
70841ee490a383391094f74cf8e4772dd631196a26f5349262bf48d807242b33

SHA512
5c51465e0e27e85a42adcd4a5bc3973d1c57ac5a366876f1a183abf12eb50939187915160216d0a72efca16b2bd1f2dd5d2a271c5b76d51eb8e3d5486a5579de

Download Submit
C:\Windows\{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe

Filesize
65KB

MD5
1329d3d373625a19a936bccf3daecc04

SHA1
12910d5ca3396c2b3f3b49057a018c24fd48f19a

SHA256
3b1f4110c731b10ab04f01f1144002e6147d131729a818aa3eba4f465642c42b

SHA512
d687010e21e02794bd240352ae25bbdf35de3416c68ff9e39ade20aa6d2f0a50138558748293b913a8410835221841a8fd023318b5a897c76b8ca33fbc15240f

Download Submit
C:\Windows\{9D5737C9-AE1A-4e22-A27C-485E516DD3FC}.exe

Filesize
149KB

MD5
a26f85c4f359b428e411efade037f2bc

SHA1
7c96656e7a79000da2d8c10b037e2f41de05a69c

SHA256
02ce5b726b872882f1cf82bbd59108ad8358b9e7ab65305504ccebfcdfbc187f

SHA512
8dd0b0f35ce181e101c60ee3f4bb5800e345e80f9693f1690e058e83f33d44aebfc197fbf9cb2a4487a4a19118e14f91756b7c57e90921ea035330fd5b7908bc

Download Submit
C:\Windows\{A1B31FD3-6EEB-4e86-926F-8FDC874AC98F}.exe

Filesize
216KB

MD5
a87b645ee6a1820e494d0d140db21142

SHA1
a7f642a84ebff171f2f920106366d24179395497

SHA256
85d63aacc0bdc6559d1ce60810315fd4ffbe0f55d235b6610a76a5c5226a9158

SHA512
0749f27ddc683f6d72316378563d2ea13ae10ef65302a90c0d1bf9fdae3c755c03c477382852273dd21db9fdeeed480eac3c950ea9d80433dc50a72d983cfbb0

Download Submit
C:\Windows\{B461606E-666F-4ad5-ADFF-BDBE8930389E}.exe

Filesize
216KB

MD5
40e974307b5de3bb0536ca88d018d4ed

SHA1
43728fe4da4ea43d708e37467e15e3cf793771ba

SHA256
0de2f18a72b20be7f2ab043c6356cca39287b9db86aae1f8e4d4018fbecc2c7c

SHA512
f39096451af60d8d5702288fa8262487e256828701eb4e43a81edbbb1356d2c157b49442e4ad41e7eae490e44584028d465d1dec98369a36473351c15e440e3c

Download Submit
C:\Windows\{B645C9E8-BA20-4915-96BB-062C7193113E}.exe

Filesize
216KB

MD5
c4776fd6ce768915db89f6c220c74b76

SHA1
ffb3408f331d3ac563cccdd375e3207671933310

SHA256
dd2b90b85d83cdacac45567250b4ca743fd572d8cd6bd4f9c064162ce90c766d

SHA512
26dd3b5eea03ec238ed49441fa5337cd4186bb1c3bf5c00ea260d6d636d3e10504f3dab118481fc829060d00df15ef6334b90fc5258d5a54381a2f8e0fd48372

Download Submit
C:\Windows\{D4080C67-B219-4bd0-AFF1-C06E0381F0FB}.exe

Filesize
216KB

MD5
2680b48b94b5d9171908f27f203489cc

SHA1
c8c45a8f215c72c34b812c49319daa437ca28dfc

SHA256
1a35f1a6a215abbcb1b8523ba8926961fcba0e7d59d4d4b12de7617c20e29401

SHA512
b0845a22bddecc54cb842c3d337b08aaac77e937ed3f9298c7ba2b000b9e182c2f5f63726825c72c5d3df7c77610b8e906a8cbc1cbc9880c1534ea452da4bbb1

Download Submit
C:\Windows\{F71C0E72-6470-4ec3-80E8-67BD82180E2F}.exe

Filesize
216KB

MD5
a448a765517b39b8ad0aba105d63aa95

SHA1
791e32bf612b52b6e7936ba803ba575723380826

SHA256
1664abdf7bf458cf91bf866e8ac8ec9112897b556dc3298cf12ba4f62ac114ff

SHA512
f6e63f325324e36b746dde875552332893182a0fb01599b5c03e89832232dc4bdbedc94b08627bfa1c3063e14e2ee9bf100091a8685922d0173041a2e44ac753

Download Submit
C:\Windows\{F71C0E72-6470-4ec3-80E8-67BD82180E2F}.exe

Filesize
128KB

MD5
ff44ea62a4f1e6ef8b3316bb1acf5657

SHA1
687a8f90dbb164d69d279a132747251331c408f2

SHA256
a221f9984b1ee0e396b9ca2d62bdacf69e68cb218223e6e344118acbd3c05f4c

SHA512
3c25bfaba692b8b43b59166e6b8db50b783604130aa9e4d77fe91a80ebbe8c331314ecb42a613d6ed2b7b0b771bef07cdaf1fbc53ee37244c29c85e945570919

Download Submit
C:\Windows\{FA9C32D7-1529-4e6a-9A85-FFC9BEE0AC15}.exe

Filesize
216KB

MD5
91cdbc5bb2d6b45fdd1ef274531e32e5

SHA1
1f454b3f90343d43311c3c42970588f796df1393

SHA256
b525eb2f3a340fbd3dab919199cc676e15ee1b445f3959c97964a81ea0ac645b

SHA512
eba70da8cb3c0812a3389515f8a1f382084458edfdcbecf00fb83ec12689fcf98a11a5eba106b1aff72fc0cc8e32b6a329c096dcd73a76184a639cc40485f3e3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads