22ce64fb4569c4387986a0ad19121cfb237c981333b2c9abed43ad17b90455a9

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2023, 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11424a89c196fe481e8953d1ece5ea87_goldeneye_JC.exe
Size

380KB
MD5

11424a89c196fe481e8953d1ece5ea87
SHA1

7c5cdd56b49c57c2801aae6aa17710cdb6b39f82
SHA256

22ce64fb4569c4387986a0ad19121cfb237c981333b2c9abed43ad17b90455a9
SHA512

16761e52e3a263eb40e3b383c751ae106875e85d7722f35fe9b86f44be10f347f787564676e9781c474827ccbd2af9a8998bf1cb786b25d47803b64748228751
SSDEEP

3072:mEGh0oslPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGGl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7389B067-804B-4eb7-8DDA-754A3E5F4B7A}\stubpath = "C:\\Windows\\{7389B067-804B-4eb7-8DDA-754A3E5F4B7A}.exe"	{0F858DE4-F848-402f-AEF9-59E34D1AB7D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93649723-6913-4cc5-9894-ED48646C3A33}\stubpath = "C:\\Windows\\{93649723-6913-4cc5-9894-ED48646C3A33}.exe"	{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}\stubpath = "C:\\Windows\\{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe"	{3F63AF11-92B8-4798-86AC-249B943E0831}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA548908-6D71-44c1-857F-D806A212F645}\stubpath = "C:\\Windows\\{BA548908-6D71-44c1-857F-D806A212F645}.exe"	{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}	{BA548908-6D71-44c1-857F-D806A212F645}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{535F34D7-5288-48e5-A5FE-EE3997EDA559}	{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F858DE4-F848-402f-AEF9-59E34D1AB7D2}	{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93649723-6913-4cc5-9894-ED48646C3A33}	{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}	{93649723-6913-4cc5-9894-ED48646C3A33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}\stubpath = "C:\\Windows\\{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe"	{93649723-6913-4cc5-9894-ED48646C3A33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}\stubpath = "C:\\Windows\\{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe"	{BA548908-6D71-44c1-857F-D806A212F645}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B30F5DD7-574F-40fc-8785-F85DC3D64071}\stubpath = "C:\\Windows\\{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe"	{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7389B067-804B-4eb7-8DDA-754A3E5F4B7A}	{0F858DE4-F848-402f-AEF9-59E34D1AB7D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}\stubpath = "C:\\Windows\\{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe"	11424a89c196fe481e8953d1ece5ea87_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F63AF11-92B8-4798-86AC-249B943E0831}	{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}	{3F63AF11-92B8-4798-86AC-249B943E0831}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA548908-6D71-44c1-857F-D806A212F645}	{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}	{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{535F34D7-5288-48e5-A5FE-EE3997EDA559}\stubpath = "C:\\Windows\\{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe"	{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}	11424a89c196fe481e8953d1ece5ea87_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F63AF11-92B8-4798-86AC-249B943E0831}\stubpath = "C:\\Windows\\{3F63AF11-92B8-4798-86AC-249B943E0831}.exe"	{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B30F5DD7-574F-40fc-8785-F85DC3D64071}	{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}\stubpath = "C:\\Windows\\{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe"	{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F858DE4-F848-402f-AEF9-59E34D1AB7D2}\stubpath = "C:\\Windows\\{0F858DE4-F848-402f-AEF9-59E34D1AB7D2}.exe"	{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe

Executes dropped EXE 12 IoCs

pid	Process
4800	{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe
3656	{93649723-6913-4cc5-9894-ED48646C3A33}.exe
2416	{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe
1252	{3F63AF11-92B8-4798-86AC-249B943E0831}.exe
4312	{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe
616	{BA548908-6D71-44c1-857F-D806A212F645}.exe
2272	{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe
2932	{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe
3584	{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe
1248	{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe
3380	{0F858DE4-F848-402f-AEF9-59E34D1AB7D2}.exe
4268	{7389B067-804B-4eb7-8DDA-754A3E5F4B7A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe	{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe
File created	C:\Windows\{0F858DE4-F848-402f-AEF9-59E34D1AB7D2}.exe	{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe
File created	C:\Windows\{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe	11424a89c196fe481e8953d1ece5ea87_goldeneye_JC.exe
File created	C:\Windows\{93649723-6913-4cc5-9894-ED48646C3A33}.exe	{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe
File created	C:\Windows\{3F63AF11-92B8-4798-86AC-249B943E0831}.exe	{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe
File created	C:\Windows\{BA548908-6D71-44c1-857F-D806A212F645}.exe	{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe
File created	C:\Windows\{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe	{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe
File created	C:\Windows\{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe	{93649723-6913-4cc5-9894-ED48646C3A33}.exe
File created	C:\Windows\{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe	{3F63AF11-92B8-4798-86AC-249B943E0831}.exe
File created	C:\Windows\{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe	{BA548908-6D71-44c1-857F-D806A212F645}.exe
File created	C:\Windows\{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe	{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe
File created	C:\Windows\{7389B067-804B-4eb7-8DDA-754A3E5F4B7A}.exe	{0F858DE4-F848-402f-AEF9-59E34D1AB7D2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4532	11424a89c196fe481e8953d1ece5ea87_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4800	{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe
Token: SeIncBasePriorityPrivilege	3656	{93649723-6913-4cc5-9894-ED48646C3A33}.exe
Token: SeIncBasePriorityPrivilege	2416	{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe
Token: SeIncBasePriorityPrivilege	1252	{3F63AF11-92B8-4798-86AC-249B943E0831}.exe
Token: SeIncBasePriorityPrivilege	4312	{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe
Token: SeIncBasePriorityPrivilege	616	{BA548908-6D71-44c1-857F-D806A212F645}.exe
Token: SeIncBasePriorityPrivilege	2272	{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe
Token: SeIncBasePriorityPrivilege	2932	{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe
Token: SeIncBasePriorityPrivilege	3584	{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe
Token: SeIncBasePriorityPrivilege	1248	{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe
Token: SeIncBasePriorityPrivilege	3380	{0F858DE4-F848-402f-AEF9-59E34D1AB7D2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4800	4532	11424a89c196fe481e8953d1ece5ea87_goldeneye_JC.exe	90
PID 4532 wrote to memory of 4800	4532	11424a89c196fe481e8953d1ece5ea87_goldeneye_JC.exe	90
PID 4532 wrote to memory of 4800	4532	11424a89c196fe481e8953d1ece5ea87_goldeneye_JC.exe	90
PID 4532 wrote to memory of 3876	4532	11424a89c196fe481e8953d1ece5ea87_goldeneye_JC.exe	91
PID 4532 wrote to memory of 3876	4532	11424a89c196fe481e8953d1ece5ea87_goldeneye_JC.exe	91
PID 4532 wrote to memory of 3876	4532	11424a89c196fe481e8953d1ece5ea87_goldeneye_JC.exe	91
PID 4800 wrote to memory of 3656	4800	{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe	92
PID 4800 wrote to memory of 3656	4800	{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe	92
PID 4800 wrote to memory of 3656	4800	{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe	92
PID 4800 wrote to memory of 1984	4800	{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe	93
PID 4800 wrote to memory of 1984	4800	{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe	93
PID 4800 wrote to memory of 1984	4800	{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe	93
PID 3656 wrote to memory of 2416	3656	{93649723-6913-4cc5-9894-ED48646C3A33}.exe	95
PID 3656 wrote to memory of 2416	3656	{93649723-6913-4cc5-9894-ED48646C3A33}.exe	95
PID 3656 wrote to memory of 2416	3656	{93649723-6913-4cc5-9894-ED48646C3A33}.exe	95
PID 3656 wrote to memory of 3832	3656	{93649723-6913-4cc5-9894-ED48646C3A33}.exe	96
PID 3656 wrote to memory of 3832	3656	{93649723-6913-4cc5-9894-ED48646C3A33}.exe	96
PID 3656 wrote to memory of 3832	3656	{93649723-6913-4cc5-9894-ED48646C3A33}.exe	96
PID 2416 wrote to memory of 1252	2416	{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe	97
PID 2416 wrote to memory of 1252	2416	{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe	97
PID 2416 wrote to memory of 1252	2416	{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe	97
PID 2416 wrote to memory of 2852	2416	{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe	98
PID 2416 wrote to memory of 2852	2416	{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe	98
PID 2416 wrote to memory of 2852	2416	{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe	98
PID 1252 wrote to memory of 4312	1252	{3F63AF11-92B8-4798-86AC-249B943E0831}.exe	99
PID 1252 wrote to memory of 4312	1252	{3F63AF11-92B8-4798-86AC-249B943E0831}.exe	99
PID 1252 wrote to memory of 4312	1252	{3F63AF11-92B8-4798-86AC-249B943E0831}.exe	99
PID 1252 wrote to memory of 4624	1252	{3F63AF11-92B8-4798-86AC-249B943E0831}.exe	100
PID 1252 wrote to memory of 4624	1252	{3F63AF11-92B8-4798-86AC-249B943E0831}.exe	100
PID 1252 wrote to memory of 4624	1252	{3F63AF11-92B8-4798-86AC-249B943E0831}.exe	100
PID 4312 wrote to memory of 616	4312	{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe	101
PID 4312 wrote to memory of 616	4312	{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe	101
PID 4312 wrote to memory of 616	4312	{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe	101
PID 4312 wrote to memory of 2764	4312	{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe	102
PID 4312 wrote to memory of 2764	4312	{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe	102
PID 4312 wrote to memory of 2764	4312	{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe	102
PID 616 wrote to memory of 2272	616	{BA548908-6D71-44c1-857F-D806A212F645}.exe	103
PID 616 wrote to memory of 2272	616	{BA548908-6D71-44c1-857F-D806A212F645}.exe	103
PID 616 wrote to memory of 2272	616	{BA548908-6D71-44c1-857F-D806A212F645}.exe	103
PID 616 wrote to memory of 4292	616	{BA548908-6D71-44c1-857F-D806A212F645}.exe	104
PID 616 wrote to memory of 4292	616	{BA548908-6D71-44c1-857F-D806A212F645}.exe	104
PID 616 wrote to memory of 4292	616	{BA548908-6D71-44c1-857F-D806A212F645}.exe	104
PID 2272 wrote to memory of 2932	2272	{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe	105
PID 2272 wrote to memory of 2932	2272	{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe	105
PID 2272 wrote to memory of 2932	2272	{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe	105
PID 2272 wrote to memory of 4196	2272	{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe	106
PID 2272 wrote to memory of 4196	2272	{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe	106
PID 2272 wrote to memory of 4196	2272	{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe	106
PID 2932 wrote to memory of 3584	2932	{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe	107
PID 2932 wrote to memory of 3584	2932	{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe	107
PID 2932 wrote to memory of 3584	2932	{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe	107
PID 2932 wrote to memory of 4836	2932	{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe	108
PID 2932 wrote to memory of 4836	2932	{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe	108
PID 2932 wrote to memory of 4836	2932	{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe	108
PID 3584 wrote to memory of 1248	3584	{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe	109
PID 3584 wrote to memory of 1248	3584	{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe	109
PID 3584 wrote to memory of 1248	3584	{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe	109
PID 3584 wrote to memory of 2948	3584	{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe	110
PID 3584 wrote to memory of 2948	3584	{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe	110
PID 3584 wrote to memory of 2948	3584	{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe	110
PID 1248 wrote to memory of 3380	1248	{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe	111
PID 1248 wrote to memory of 3380	1248	{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe	111
PID 1248 wrote to memory of 3380	1248	{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe	111
PID 1248 wrote to memory of 1968	1248	{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe	112

C:\Users\Admin\AppData\Local\Temp\11424a89c196fe481e8953d1ece5ea87_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\11424a89c196fe481e8953d1ece5ea87_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe
  C:\Windows\{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\{93649723-6913-4cc5-9894-ED48646C3A33}.exe
    C:\Windows\{93649723-6913-4cc5-9894-ED48646C3A33}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe
      C:\Windows\{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\{3F63AF11-92B8-4798-86AC-249B943E0831}.exe
        
        C:\Windows\{3F63AF11-92B8-4798-86AC-249B943E0831}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
      - C:\Windows\{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe
        
        C:\Windows\{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{BA548908-6D71-44c1-857F-D806A212F645}.exe
        
        C:\Windows\{BA548908-6D71-44c1-857F-D806A212F645}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe
        
        C:\Windows\{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe
        
        C:\Windows\{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe
        
        C:\Windows\{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe
        
        C:\Windows\{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{0F858DE4-F848-402f-AEF9-59E34D1AB7D2}.exe
        
        C:\Windows\{0F858DE4-F848-402f-AEF9-59E34D1AB7D2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
        
        C:\Windows\{7389B067-804B-4eb7-8DDA-754A3E5F4B7A}.exe
        
        C:\Windows\{7389B067-804B-4eb7-8DDA-754A3E5F4B7A}.exe
        13⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F858~1.EXE > nul
        13⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{535F3~1.EXE > nul
        12⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CFF1~1.EXE > nul
        11⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B30F5~1.EXE > nul
        10⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{526BC~1.EXE > nul
        9⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA548~1.EXE > nul
        8⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFCDD~1.EXE > nul
        7⤵
        
        PID:2764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F63A~1.EXE > nul
        6⤵
        
        PID:4624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79DB3~1.EXE > nul
        5⤵
        
        PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{93649~1.EXE > nul
      4⤵
      PID:3832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{78883~1.EXE > nul
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\11424A~1.EXE > nul
  2⤵
  PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F858DE4-F848-402f-AEF9-59E34D1AB7D2}.exe

Filesize
380KB

MD5
d380a2b998508fc35ed0f11dfad1a2b8

SHA1
5beafb81113772c47a58165badbec844a3da4235

SHA256
9c4c775173f2c3d6baf23758ac64b86b436f365ad5f121c977c0636cc437b309

SHA512
986be9a143a78c1041b9f02fbed9139343727f48d042cb0a8e210bc6ca59519d306e4dcddfccae225c54ffd1fa630fe85c66afc5880f27f61a78e962f5a7504e

Download Submit
C:\Windows\{0F858DE4-F848-402f-AEF9-59E34D1AB7D2}.exe

Filesize
380KB

MD5
d380a2b998508fc35ed0f11dfad1a2b8

SHA1
5beafb81113772c47a58165badbec844a3da4235

SHA256
9c4c775173f2c3d6baf23758ac64b86b436f365ad5f121c977c0636cc437b309

SHA512
986be9a143a78c1041b9f02fbed9139343727f48d042cb0a8e210bc6ca59519d306e4dcddfccae225c54ffd1fa630fe85c66afc5880f27f61a78e962f5a7504e

Download Submit
C:\Windows\{3F63AF11-92B8-4798-86AC-249B943E0831}.exe

Filesize
380KB

MD5
59b7028b5b4248215c6c9b0c90c235b8

SHA1
1c2b9e6e5e71291327e50395e9e6d3aaf957fdf6

SHA256
cc9b0ce2f46a5ca3b3980414403557736d7f666a57aa244c9f045b4d1215d569

SHA512
66d5cbd44cef93995841fddccec01c3d4a3587c9fa923e9cbd97b99c17a3d568f7372c9c9d1d2892b7eb316bd2981364ab49c8ffac0ea6d8065a09bdf9be7ff9

Download Submit
C:\Windows\{3F63AF11-92B8-4798-86AC-249B943E0831}.exe

Filesize
380KB

MD5
59b7028b5b4248215c6c9b0c90c235b8

SHA1
1c2b9e6e5e71291327e50395e9e6d3aaf957fdf6

SHA256
cc9b0ce2f46a5ca3b3980414403557736d7f666a57aa244c9f045b4d1215d569

SHA512
66d5cbd44cef93995841fddccec01c3d4a3587c9fa923e9cbd97b99c17a3d568f7372c9c9d1d2892b7eb316bd2981364ab49c8ffac0ea6d8065a09bdf9be7ff9

Download Submit
C:\Windows\{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe

Filesize
380KB

MD5
cfe4d3d7dc4b0a933f180f400a931011

SHA1
3d8b7021500e1d2b616bfdb39065372b24f98ffb

SHA256
3cc7a1858882da0cd422437725d419d535fad1eba2e5aaf013be0a650216e945

SHA512
dcc8a21b071e6f091e96245bf866edcb2e6b23b5bcf73449d6ab5df38b2573d6a545e2ff6a025deebf74ee814819f1a9ed13182a1f23cd6efd494cf3979035e2

Download Submit
C:\Windows\{526BC4A0-27F1-4c91-A9A0-F01C0C2BF275}.exe

Filesize
380KB

MD5
cfe4d3d7dc4b0a933f180f400a931011

SHA1
3d8b7021500e1d2b616bfdb39065372b24f98ffb

SHA256
3cc7a1858882da0cd422437725d419d535fad1eba2e5aaf013be0a650216e945

SHA512
dcc8a21b071e6f091e96245bf866edcb2e6b23b5bcf73449d6ab5df38b2573d6a545e2ff6a025deebf74ee814819f1a9ed13182a1f23cd6efd494cf3979035e2

Download Submit
C:\Windows\{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe

Filesize
380KB

MD5
3742226ec2474f57d089c980ef638d0d

SHA1
88390f232e829f9064d8b78bc7994aff688ea8e1

SHA256
20460b7ea23fd4d8a55c8a4f649b7dbfc86c304e9dcabd202a3a488faf148d77

SHA512
693e0cd034ee3fba79abdcbdf8c9387c4657947be744ccd278c7c1338eeac0b2869496b82b94d11aa854e908248bd0a36c7197191544b8f2cee1d9a2c91b4005

Download Submit
C:\Windows\{535F34D7-5288-48e5-A5FE-EE3997EDA559}.exe

Filesize
380KB

MD5
3742226ec2474f57d089c980ef638d0d

SHA1
88390f232e829f9064d8b78bc7994aff688ea8e1

SHA256
20460b7ea23fd4d8a55c8a4f649b7dbfc86c304e9dcabd202a3a488faf148d77

SHA512
693e0cd034ee3fba79abdcbdf8c9387c4657947be744ccd278c7c1338eeac0b2869496b82b94d11aa854e908248bd0a36c7197191544b8f2cee1d9a2c91b4005

Download Submit
C:\Windows\{7389B067-804B-4eb7-8DDA-754A3E5F4B7A}.exe

Filesize
380KB

MD5
c10c3aad2df4b7e3852e94ea1290ff1a

SHA1
799a7f03a2d30e866b262e74518ab74c9c451c53

SHA256
7b39ab477636c8dfb3a4a21bcdc6685e7906d6b545be36e63b37533aff42046e

SHA512
8f3721ca8b78e73a3a97beddc14cf0a26b15420ef5cd68dd1c7c4a412c6d4a97d44c665da49d837acc1eba616ac2663a62d0cb487d3c5fc01e60cd6de7202e30

Download Submit
C:\Windows\{7389B067-804B-4eb7-8DDA-754A3E5F4B7A}.exe

Filesize
380KB

MD5
c10c3aad2df4b7e3852e94ea1290ff1a

SHA1
799a7f03a2d30e866b262e74518ab74c9c451c53

SHA256
7b39ab477636c8dfb3a4a21bcdc6685e7906d6b545be36e63b37533aff42046e

SHA512
8f3721ca8b78e73a3a97beddc14cf0a26b15420ef5cd68dd1c7c4a412c6d4a97d44c665da49d837acc1eba616ac2663a62d0cb487d3c5fc01e60cd6de7202e30

Download Submit
C:\Windows\{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe

Filesize
380KB

MD5
64a2a4adca8bb9b7a885eedd781bda7b

SHA1
465d8e91a03f5bb486a90d8ac4eb0fd791db7757

SHA256
9858c85d22d149c853d3d65e554cffbc501d50a29f21880968ae77cbcc87e22b

SHA512
623b24c56d6c0dd0d707c60c8068cd711d60b05bec7dbdd8c346fa29bf7ceaf6dd738ee07eec6a200b6cfc8e9914a24217364bc8085bfa380c1ae2808528c4ad

Download Submit
C:\Windows\{78883925-C59A-4bd4-BB2E-AC1EAD9642C9}.exe

Filesize
380KB

MD5
64a2a4adca8bb9b7a885eedd781bda7b

SHA1
465d8e91a03f5bb486a90d8ac4eb0fd791db7757

SHA256
9858c85d22d149c853d3d65e554cffbc501d50a29f21880968ae77cbcc87e22b

SHA512
623b24c56d6c0dd0d707c60c8068cd711d60b05bec7dbdd8c346fa29bf7ceaf6dd738ee07eec6a200b6cfc8e9914a24217364bc8085bfa380c1ae2808528c4ad

Download Submit
C:\Windows\{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe

Filesize
380KB

MD5
26bd4dcdf86ef89ebd170597e606ce65

SHA1
0a8c7be9c17e3be9a7789701dc388bbad90b3968

SHA256
164917ac9e0076efb1bf1f0958f5d89775b47b778693ff97e0afa352b731123e

SHA512
9d020ba84dc678d90fd6bb52de9be580fad6598db2e08a75f6859ba9cac7e52ef15cd20aecb7d908a9d476733452e837fb2dc728283477f6de2649f08343bced

Download Submit
C:\Windows\{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe

Filesize
380KB

MD5
26bd4dcdf86ef89ebd170597e606ce65

SHA1
0a8c7be9c17e3be9a7789701dc388bbad90b3968

SHA256
164917ac9e0076efb1bf1f0958f5d89775b47b778693ff97e0afa352b731123e

SHA512
9d020ba84dc678d90fd6bb52de9be580fad6598db2e08a75f6859ba9cac7e52ef15cd20aecb7d908a9d476733452e837fb2dc728283477f6de2649f08343bced

Download Submit
C:\Windows\{79DB3DD1-2F65-431a-BBE2-BF2B40EAFAE7}.exe

Filesize
380KB

MD5
26bd4dcdf86ef89ebd170597e606ce65

SHA1
0a8c7be9c17e3be9a7789701dc388bbad90b3968

SHA256
164917ac9e0076efb1bf1f0958f5d89775b47b778693ff97e0afa352b731123e

SHA512
9d020ba84dc678d90fd6bb52de9be580fad6598db2e08a75f6859ba9cac7e52ef15cd20aecb7d908a9d476733452e837fb2dc728283477f6de2649f08343bced

Download Submit
C:\Windows\{93649723-6913-4cc5-9894-ED48646C3A33}.exe

Filesize
380KB

MD5
613a0162371724230e1b55468ed9bb0d

SHA1
fa004b6e0bfca8060c4266307a4353a8f152792d

SHA256
0786274fd55dd22ffb10089ff4ce087bb74ffc449fe839c87bbefde1f65c73aa

SHA512
ebc4764a447e63fd1f68545ee5172ff3fed6d2f82af27a6548e0e787afefa2c2683384779653dbb0641e8391d6dadd4a985fe8786daaa69b841db01115c1c956

Download Submit
C:\Windows\{93649723-6913-4cc5-9894-ED48646C3A33}.exe

Filesize
380KB

MD5
613a0162371724230e1b55468ed9bb0d

SHA1
fa004b6e0bfca8060c4266307a4353a8f152792d

SHA256
0786274fd55dd22ffb10089ff4ce087bb74ffc449fe839c87bbefde1f65c73aa

SHA512
ebc4764a447e63fd1f68545ee5172ff3fed6d2f82af27a6548e0e787afefa2c2683384779653dbb0641e8391d6dadd4a985fe8786daaa69b841db01115c1c956

Download Submit
C:\Windows\{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe

Filesize
380KB

MD5
433ed9b3f085e239fcfca16deb39e300

SHA1
6cffd743b22696157a9a866d81922c9a22e740f9

SHA256
538cbebbd1841b83bd2e37322f5b05dac21c26d8dbbb80d8571198e202805916

SHA512
d48d9e326e480459c59f95f900db5d721a4aee99a358ec287a7dc53421bdd663029c713b8986f3f72eec50f4b681f167317dd819fd1f08052289279ef987cdc5

Download Submit
C:\Windows\{9CFF12E1-C4C5-4bbb-AB1D-02264B126F20}.exe

Filesize
380KB

MD5
433ed9b3f085e239fcfca16deb39e300

SHA1
6cffd743b22696157a9a866d81922c9a22e740f9

SHA256
538cbebbd1841b83bd2e37322f5b05dac21c26d8dbbb80d8571198e202805916

SHA512
d48d9e326e480459c59f95f900db5d721a4aee99a358ec287a7dc53421bdd663029c713b8986f3f72eec50f4b681f167317dd819fd1f08052289279ef987cdc5

Download Submit
C:\Windows\{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe

Filesize
380KB

MD5
1a57f2e73e487c873b500540086425a1

SHA1
564c5ce2033e4d2891bb3652a1e9fdaf1a57a204

SHA256
c495770b50b2e08614d57bd027c17458f8388007c29f9cbdc58a990a33c28c84

SHA512
316e341a2ef2600dffb1376c9d1a0178596259544e9d2fceab97e69ea110c0d759ce17370b4f2056ef970000a82d3d49a1b463eb6cc4b06dbd876cecb0078e3d

Download Submit
C:\Windows\{B30F5DD7-574F-40fc-8785-F85DC3D64071}.exe

Filesize
380KB

MD5
1a57f2e73e487c873b500540086425a1

SHA1
564c5ce2033e4d2891bb3652a1e9fdaf1a57a204

SHA256
c495770b50b2e08614d57bd027c17458f8388007c29f9cbdc58a990a33c28c84

SHA512
316e341a2ef2600dffb1376c9d1a0178596259544e9d2fceab97e69ea110c0d759ce17370b4f2056ef970000a82d3d49a1b463eb6cc4b06dbd876cecb0078e3d

Download Submit
C:\Windows\{BA548908-6D71-44c1-857F-D806A212F645}.exe

Filesize
380KB

MD5
7e58de0f0966431d57030aee938d0763

SHA1
3e568382d777395513ea93aae5d392ca7206d30f

SHA256
c1f9aa68d3839ff32c8a8312c781852960d9742b481cc92317ad56ccf1cbc1ea

SHA512
722110bd02042cc2ccaa272cc9f58b2327186e73043d5595cf20c40fcc7508a90ccb20ff449675d6319c6e2b76bc622cac419400cbef9e78dac7601338c8b7c2

Download Submit
C:\Windows\{BA548908-6D71-44c1-857F-D806A212F645}.exe

Filesize
380KB

MD5
7e58de0f0966431d57030aee938d0763

SHA1
3e568382d777395513ea93aae5d392ca7206d30f

SHA256
c1f9aa68d3839ff32c8a8312c781852960d9742b481cc92317ad56ccf1cbc1ea

SHA512
722110bd02042cc2ccaa272cc9f58b2327186e73043d5595cf20c40fcc7508a90ccb20ff449675d6319c6e2b76bc622cac419400cbef9e78dac7601338c8b7c2

Download Submit
C:\Windows\{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe

Filesize
380KB

MD5
0af689a447a8f38fa7a865af7ef12cd0

SHA1
00a6b14decd9cd160675800ca57daf8b0e478bd2

SHA256
729dbb566081b945fcaffadba2af605abdedcb232ede9d403b6f5a70ca4da1c3

SHA512
6d570d660c09b8f5241280f5f8d91b9eae9a31cbf8e9e4fe6ad376c47caedf87ae1c8b6cb31ca3b5aabe7430b1386dc14a95f829c02467ea123cffb3747491c2

Download Submit
C:\Windows\{BFCDDCEE-23A9-4313-AB5D-49FCE3CF0E30}.exe

Filesize
380KB

MD5
0af689a447a8f38fa7a865af7ef12cd0

SHA1
00a6b14decd9cd160675800ca57daf8b0e478bd2

SHA256
729dbb566081b945fcaffadba2af605abdedcb232ede9d403b6f5a70ca4da1c3

SHA512
6d570d660c09b8f5241280f5f8d91b9eae9a31cbf8e9e4fe6ad376c47caedf87ae1c8b6cb31ca3b5aabe7430b1386dc14a95f829c02467ea123cffb3747491c2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads