7d650fce93d407869d59006dbbf8ecab106827f14944e3817c2df8ddd379a0ce

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19c12c7a23add8bcdf387c56825d7461_goldeneye_JC.exe
Size

380KB
MD5

19c12c7a23add8bcdf387c56825d7461
SHA1

bde9e4561a2c079a82423a2e5ad0037e81fb34d5
SHA256

7d650fce93d407869d59006dbbf8ecab106827f14944e3817c2df8ddd379a0ce
SHA512

fb9114b2b1eb5ef4392cb15408f9a5d822be9c986a01a74f94bbc04539c52bb89b8bffd24706570a513fd46dfa73c1f317d87c837a8b2beeb69282f3334d44f6
SSDEEP

3072:mEGh0otlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGDl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3013476D-641A-4959-AB55-C51D7D6B6043}\stubpath = "C:\\Windows\\{3013476D-641A-4959-AB55-C51D7D6B6043}.exe"	{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}	{3013476D-641A-4959-AB55-C51D7D6B6043}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}	{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48A9B18D-961B-4963-BFEC-9DBC2FD60989}	{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98DC4621-6776-4ac4-8310-47F9324C5DF8}\stubpath = "C:\\Windows\\{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe"	19c12c7a23add8bcdf387c56825d7461_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E112EA44-3E0A-432d-8E24-B9134977178C}\stubpath = "C:\\Windows\\{E112EA44-3E0A-432d-8E24-B9134977178C}.exe"	{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}	{E112EA44-3E0A-432d-8E24-B9134977178C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}\stubpath = "C:\\Windows\\{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe"	{E112EA44-3E0A-432d-8E24-B9134977178C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B289EFF-830C-4800-993A-A383D721A4BB}\stubpath = "C:\\Windows\\{0B289EFF-830C-4800-993A-A383D721A4BB}.exe"	{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1D61925-962D-4f06-8AFC-7D49A1E73025}	{0B289EFF-830C-4800-993A-A383D721A4BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}\stubpath = "C:\\Windows\\{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe"	{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48A9B18D-961B-4963-BFEC-9DBC2FD60989}\stubpath = "C:\\Windows\\{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe"	{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}	{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22D11BB8-1631-40a8-964D-8D84158B3E61}\stubpath = "C:\\Windows\\{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe"	{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}\stubpath = "C:\\Windows\\{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe"	{3013476D-641A-4959-AB55-C51D7D6B6043}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}	{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98DC4621-6776-4ac4-8310-47F9324C5DF8}	19c12c7a23add8bcdf387c56825d7461_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}\stubpath = "C:\\Windows\\{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe"	{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22D11BB8-1631-40a8-964D-8D84158B3E61}	{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3013476D-641A-4959-AB55-C51D7D6B6043}	{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E112EA44-3E0A-432d-8E24-B9134977178C}	{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}\stubpath = "C:\\Windows\\{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe"	{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B289EFF-830C-4800-993A-A383D721A4BB}	{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1D61925-962D-4f06-8AFC-7D49A1E73025}\stubpath = "C:\\Windows\\{F1D61925-962D-4f06-8AFC-7D49A1E73025}.exe"	{0B289EFF-830C-4800-993A-A383D721A4BB}.exe

Executes dropped EXE 12 IoCs

pid	Process
3588	{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe
4464	{E112EA44-3E0A-432d-8E24-B9134977178C}.exe
2832	{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe
2736	{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe
4800	{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe
4692	{3013476D-641A-4959-AB55-C51D7D6B6043}.exe
4028	{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe
2792	{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe
3424	{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe
2888	{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe
972	{0B289EFF-830C-4800-993A-A383D721A4BB}.exe
220	{F1D61925-962D-4f06-8AFC-7D49A1E73025}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0B289EFF-830C-4800-993A-A383D721A4BB}.exe	{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe
File created	C:\Windows\{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe	{E112EA44-3E0A-432d-8E24-B9134977178C}.exe
File created	C:\Windows\{3013476D-641A-4959-AB55-C51D7D6B6043}.exe	{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe
File created	C:\Windows\{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe	{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe
File created	C:\Windows\{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe	{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe
File created	C:\Windows\{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe	{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe
File created	C:\Windows\{F1D61925-962D-4f06-8AFC-7D49A1E73025}.exe	{0B289EFF-830C-4800-993A-A383D721A4BB}.exe
File created	C:\Windows\{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe	19c12c7a23add8bcdf387c56825d7461_goldeneye_JC.exe
File created	C:\Windows\{E112EA44-3E0A-432d-8E24-B9134977178C}.exe	{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe
File created	C:\Windows\{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe	{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe
File created	C:\Windows\{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe	{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe
File created	C:\Windows\{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe	{3013476D-641A-4959-AB55-C51D7D6B6043}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1292	19c12c7a23add8bcdf387c56825d7461_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3588	{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe
Token: SeIncBasePriorityPrivilege	4464	{E112EA44-3E0A-432d-8E24-B9134977178C}.exe
Token: SeIncBasePriorityPrivilege	2832	{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe
Token: SeIncBasePriorityPrivilege	2736	{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe
Token: SeIncBasePriorityPrivilege	4800	{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe
Token: SeIncBasePriorityPrivilege	4692	{3013476D-641A-4959-AB55-C51D7D6B6043}.exe
Token: SeIncBasePriorityPrivilege	4028	{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe
Token: SeIncBasePriorityPrivilege	2792	{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe
Token: SeIncBasePriorityPrivilege	3424	{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe
Token: SeIncBasePriorityPrivilege	2888	{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe
Token: SeIncBasePriorityPrivilege	972	{0B289EFF-830C-4800-993A-A383D721A4BB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 3588	1292	19c12c7a23add8bcdf387c56825d7461_goldeneye_JC.exe	89
PID 1292 wrote to memory of 3588	1292	19c12c7a23add8bcdf387c56825d7461_goldeneye_JC.exe	89
PID 1292 wrote to memory of 3588	1292	19c12c7a23add8bcdf387c56825d7461_goldeneye_JC.exe	89
PID 1292 wrote to memory of 1448	1292	19c12c7a23add8bcdf387c56825d7461_goldeneye_JC.exe	90
PID 1292 wrote to memory of 1448	1292	19c12c7a23add8bcdf387c56825d7461_goldeneye_JC.exe	90
PID 1292 wrote to memory of 1448	1292	19c12c7a23add8bcdf387c56825d7461_goldeneye_JC.exe	90
PID 3588 wrote to memory of 4464	3588	{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe	91
PID 3588 wrote to memory of 4464	3588	{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe	91
PID 3588 wrote to memory of 4464	3588	{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe	91
PID 3588 wrote to memory of 1696	3588	{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe	92
PID 3588 wrote to memory of 1696	3588	{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe	92
PID 3588 wrote to memory of 1696	3588	{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe	92
PID 4464 wrote to memory of 2832	4464	{E112EA44-3E0A-432d-8E24-B9134977178C}.exe	94
PID 4464 wrote to memory of 2832	4464	{E112EA44-3E0A-432d-8E24-B9134977178C}.exe	94
PID 4464 wrote to memory of 2832	4464	{E112EA44-3E0A-432d-8E24-B9134977178C}.exe	94
PID 4464 wrote to memory of 4976	4464	{E112EA44-3E0A-432d-8E24-B9134977178C}.exe	95
PID 4464 wrote to memory of 4976	4464	{E112EA44-3E0A-432d-8E24-B9134977178C}.exe	95
PID 4464 wrote to memory of 4976	4464	{E112EA44-3E0A-432d-8E24-B9134977178C}.exe	95
PID 2832 wrote to memory of 2736	2832	{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe	96
PID 2832 wrote to memory of 2736	2832	{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe	96
PID 2832 wrote to memory of 2736	2832	{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe	96
PID 2832 wrote to memory of 3900	2832	{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe	97
PID 2832 wrote to memory of 3900	2832	{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe	97
PID 2832 wrote to memory of 3900	2832	{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe	97
PID 2736 wrote to memory of 4800	2736	{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe	98
PID 2736 wrote to memory of 4800	2736	{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe	98
PID 2736 wrote to memory of 4800	2736	{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe	98
PID 2736 wrote to memory of 2444	2736	{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe	99
PID 2736 wrote to memory of 2444	2736	{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe	99
PID 2736 wrote to memory of 2444	2736	{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe	99
PID 4800 wrote to memory of 4692	4800	{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe	100
PID 4800 wrote to memory of 4692	4800	{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe	100
PID 4800 wrote to memory of 4692	4800	{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe	100
PID 4800 wrote to memory of 3880	4800	{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe	101
PID 4800 wrote to memory of 3880	4800	{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe	101
PID 4800 wrote to memory of 3880	4800	{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe	101
PID 4692 wrote to memory of 4028	4692	{3013476D-641A-4959-AB55-C51D7D6B6043}.exe	102
PID 4692 wrote to memory of 4028	4692	{3013476D-641A-4959-AB55-C51D7D6B6043}.exe	102
PID 4692 wrote to memory of 4028	4692	{3013476D-641A-4959-AB55-C51D7D6B6043}.exe	102
PID 4692 wrote to memory of 4512	4692	{3013476D-641A-4959-AB55-C51D7D6B6043}.exe	103
PID 4692 wrote to memory of 4512	4692	{3013476D-641A-4959-AB55-C51D7D6B6043}.exe	103
PID 4692 wrote to memory of 4512	4692	{3013476D-641A-4959-AB55-C51D7D6B6043}.exe	103
PID 4028 wrote to memory of 2792	4028	{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe	104
PID 4028 wrote to memory of 2792	4028	{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe	104
PID 4028 wrote to memory of 2792	4028	{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe	104
PID 4028 wrote to memory of 1460	4028	{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe	105
PID 4028 wrote to memory of 1460	4028	{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe	105
PID 4028 wrote to memory of 1460	4028	{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe	105
PID 2792 wrote to memory of 3424	2792	{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe	106
PID 2792 wrote to memory of 3424	2792	{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe	106
PID 2792 wrote to memory of 3424	2792	{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe	106
PID 2792 wrote to memory of 4400	2792	{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe	107
PID 2792 wrote to memory of 4400	2792	{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe	107
PID 2792 wrote to memory of 4400	2792	{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe	107
PID 3424 wrote to memory of 2888	3424	{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe	108
PID 3424 wrote to memory of 2888	3424	{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe	108
PID 3424 wrote to memory of 2888	3424	{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe	108
PID 3424 wrote to memory of 2192	3424	{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe	109
PID 3424 wrote to memory of 2192	3424	{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe	109
PID 3424 wrote to memory of 2192	3424	{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe	109
PID 2888 wrote to memory of 972	2888	{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe	110
PID 2888 wrote to memory of 972	2888	{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe	110
PID 2888 wrote to memory of 972	2888	{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe	110
PID 2888 wrote to memory of 1572	2888	{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe	111

C:\Users\Admin\AppData\Local\Temp\19c12c7a23add8bcdf387c56825d7461_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\19c12c7a23add8bcdf387c56825d7461_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe
  C:\Windows\{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\{E112EA44-3E0A-432d-8E24-B9134977178C}.exe
    C:\Windows\{E112EA44-3E0A-432d-8E24-B9134977178C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe
      C:\Windows\{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe
        
        C:\Windows\{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe
        
        C:\Windows\{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\{3013476D-641A-4959-AB55-C51D7D6B6043}.exe
        
        C:\Windows\{3013476D-641A-4959-AB55-C51D7D6B6043}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe
        
        C:\Windows\{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe
        
        C:\Windows\{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe
        
        C:\Windows\{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe
        
        C:\Windows\{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{0B289EFF-830C-4800-993A-A383D721A4BB}.exe
        
        C:\Windows\{0B289EFF-830C-4800-993A-A383D721A4BB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\{F1D61925-962D-4f06-8AFC-7D49A1E73025}.exe
        
        C:\Windows\{F1D61925-962D-4f06-8AFC-7D49A1E73025}.exe
        13⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B289~1.EXE > nul
        13⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48A9B~1.EXE > nul
        12⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{451AB~1.EXE > nul
        11⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A782E~1.EXE > nul
        10⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84F3A~1.EXE > nul
        9⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30134~1.EXE > nul
        8⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22D11~1.EXE > nul
        7⤵
        
        PID:3880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFA20~1.EXE > nul
        6⤵
        
        PID:2444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1F21~1.EXE > nul
        5⤵
        
        PID:3900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E112E~1.EXE > nul
      4⤵
      PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{98DC4~1.EXE > nul
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\19C12C~1.EXE > nul
  2⤵
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B289EFF-830C-4800-993A-A383D721A4BB}.exe

Filesize
380KB

MD5
de75b04785170b9e3ae09cc3775d35c6

SHA1
49610f898694776e18f2a317efd945f22355a90c

SHA256
a8204188e208c6a26eb7f6bf5eb1d8e45302dbc9a93c8133ee5e3c558e7eecde

SHA512
3c5e79780cc01c39eabe514d00bc6c2748ae322fc7dfa2452f40fc445f6a3319dee35fd0463d082992792724023b4c1bc2d64d84713738dc5cbc3b952e9c2931

Download Submit
C:\Windows\{0B289EFF-830C-4800-993A-A383D721A4BB}.exe

Filesize
380KB

MD5
de75b04785170b9e3ae09cc3775d35c6

SHA1
49610f898694776e18f2a317efd945f22355a90c

SHA256
a8204188e208c6a26eb7f6bf5eb1d8e45302dbc9a93c8133ee5e3c558e7eecde

SHA512
3c5e79780cc01c39eabe514d00bc6c2748ae322fc7dfa2452f40fc445f6a3319dee35fd0463d082992792724023b4c1bc2d64d84713738dc5cbc3b952e9c2931

Download Submit
C:\Windows\{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe

Filesize
380KB

MD5
5b1ff2956d4a2f8149052c591cf12a6d

SHA1
50fa9409d3874c7bf5d3c3632b60d9c2f157b540

SHA256
d1ed6445fba6b82bf706bf1a6cb506f01b02c72e18d799afde63aae8e0a961e9

SHA512
8ef93bad1a841c3069849440c2bb5e3f9d41f0422f30f7a1d8ea59442e50d238a756671d2c3aef35644a741ab6afe3b481e5b35e4df9a66078c02087b1621e6f

Download Submit
C:\Windows\{22D11BB8-1631-40a8-964D-8D84158B3E61}.exe

Filesize
380KB

MD5
5b1ff2956d4a2f8149052c591cf12a6d

SHA1
50fa9409d3874c7bf5d3c3632b60d9c2f157b540

SHA256
d1ed6445fba6b82bf706bf1a6cb506f01b02c72e18d799afde63aae8e0a961e9

SHA512
8ef93bad1a841c3069849440c2bb5e3f9d41f0422f30f7a1d8ea59442e50d238a756671d2c3aef35644a741ab6afe3b481e5b35e4df9a66078c02087b1621e6f

Download Submit
C:\Windows\{3013476D-641A-4959-AB55-C51D7D6B6043}.exe

Filesize
380KB

MD5
dd174df257404905f57817810e6ebdc8

SHA1
fcd611043e67213ec7b8922e2d9f872d26e5f241

SHA256
6a5c0176d309e49278250269fa2ba21fa7f6668f944308f18b2347d8c3f20f29

SHA512
19ea0a74f9bcba6077baf246e0002ba28466aad986c5c04b03638d459c371e76715012cac46643145bbb163618c95ad0de9c69aab78cb64c27069222adc9af97

Download Submit
C:\Windows\{3013476D-641A-4959-AB55-C51D7D6B6043}.exe

Filesize
380KB

MD5
dd174df257404905f57817810e6ebdc8

SHA1
fcd611043e67213ec7b8922e2d9f872d26e5f241

SHA256
6a5c0176d309e49278250269fa2ba21fa7f6668f944308f18b2347d8c3f20f29

SHA512
19ea0a74f9bcba6077baf246e0002ba28466aad986c5c04b03638d459c371e76715012cac46643145bbb163618c95ad0de9c69aab78cb64c27069222adc9af97

Download Submit
C:\Windows\{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe

Filesize
380KB

MD5
2ac06a61611ea33256dd44880a3e3ffe

SHA1
40bb68187764efe9aa7805077b4049d0205586e6

SHA256
ef2be8f4b8ced80df3a8a0fd534e19d826eef1bc377583b20206b8def9fcb54c

SHA512
6bea4e6ff875d54c2e502ce577141c6a0b478af2eb18a66586f281e9e7b8a52153636a623a453da979c2665503ef009b8f8e0aafe2a16910610adda800687122

Download Submit
C:\Windows\{451ABD52-0EC5-4dfe-A949-04AB6477B6F9}.exe

Filesize
380KB

MD5
2ac06a61611ea33256dd44880a3e3ffe

SHA1
40bb68187764efe9aa7805077b4049d0205586e6

SHA256
ef2be8f4b8ced80df3a8a0fd534e19d826eef1bc377583b20206b8def9fcb54c

SHA512
6bea4e6ff875d54c2e502ce577141c6a0b478af2eb18a66586f281e9e7b8a52153636a623a453da979c2665503ef009b8f8e0aafe2a16910610adda800687122

Download Submit
C:\Windows\{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe

Filesize
380KB

MD5
89cc8a14b95706cf59c4acf95f55b8db

SHA1
d14dcb324d515ff0579956a7ebf82327f69d78c8

SHA256
a933d7992bff2ac3082d93e329d61c6572444d8f29b1379006f682a665d194af

SHA512
00b702889abda4b6e7b1e33a76e945c080c7cf25584acf712747ff883b425716751d8bc3d03ac1bbf1362f5ce115924bed9afaa897f4ef5ba8a29eb5ce2be3e9

Download Submit
C:\Windows\{48A9B18D-961B-4963-BFEC-9DBC2FD60989}.exe

Filesize
380KB

MD5
89cc8a14b95706cf59c4acf95f55b8db

SHA1
d14dcb324d515ff0579956a7ebf82327f69d78c8

SHA256
a933d7992bff2ac3082d93e329d61c6572444d8f29b1379006f682a665d194af

SHA512
00b702889abda4b6e7b1e33a76e945c080c7cf25584acf712747ff883b425716751d8bc3d03ac1bbf1362f5ce115924bed9afaa897f4ef5ba8a29eb5ce2be3e9

Download Submit
C:\Windows\{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe

Filesize
380KB

MD5
6a24d53890ef35545f1bcde2e59709e8

SHA1
e0595cb63ac129fd426682fe6e5b343402fc2e42

SHA256
1363a799db8e9d8cee095e75899e248014b0f527a90e6a1ff8b3e6007104bcbc

SHA512
307f0d7a2704289e11c2e463359e7d3b66f69f3d2cb8cba489e1bccdaf73d234beaccdd48505e7bf5cd0193d6048c315d15c41da9bd8a42b4c50a197d7e64634

Download Submit
C:\Windows\{84F3A5B8-33C8-4c95-8D99-C4CDD9CC59F7}.exe

Filesize
380KB

MD5
6a24d53890ef35545f1bcde2e59709e8

SHA1
e0595cb63ac129fd426682fe6e5b343402fc2e42

SHA256
1363a799db8e9d8cee095e75899e248014b0f527a90e6a1ff8b3e6007104bcbc

SHA512
307f0d7a2704289e11c2e463359e7d3b66f69f3d2cb8cba489e1bccdaf73d234beaccdd48505e7bf5cd0193d6048c315d15c41da9bd8a42b4c50a197d7e64634

Download Submit
C:\Windows\{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe

Filesize
380KB

MD5
37c0c221028431dcf4b7d7baddfd834a

SHA1
1b1c56020088d33886226e069eb89b67b2c46fbb

SHA256
f3cea7e13bd251402ef8f4e62886eb78281dd763a7580f06370fdcd7c825a7fd

SHA512
edcf6077df6faff4cbb46559fbaf1b2a2591091aaf2a22fb3bfd83ed1623e6e460aecaf032003d7c37836aa1da2cda77e65c6e703214128b3d8e3bccc6f4b71b

Download Submit
C:\Windows\{98DC4621-6776-4ac4-8310-47F9324C5DF8}.exe

Filesize
380KB

MD5
37c0c221028431dcf4b7d7baddfd834a

SHA1
1b1c56020088d33886226e069eb89b67b2c46fbb

SHA256
f3cea7e13bd251402ef8f4e62886eb78281dd763a7580f06370fdcd7c825a7fd

SHA512
edcf6077df6faff4cbb46559fbaf1b2a2591091aaf2a22fb3bfd83ed1623e6e460aecaf032003d7c37836aa1da2cda77e65c6e703214128b3d8e3bccc6f4b71b

Download Submit
C:\Windows\{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe

Filesize
380KB

MD5
40ab8343f37cf5e1d7b5f502182bd171

SHA1
fcdad970cba330e10750d621e21ea51c1cd72f30

SHA256
7500ce83838255caa82ac9e8b4633a1e49a7a019f6c3b2980547e40accd8ce4e

SHA512
5997b3e3fdd3d0131fe5eacd9e7f8adc465a45c16c9e1d6b258e57b7b0e59e67d78ae6eba6e43f747297cef578d66e7f31ddeddd92e3b4062829359aeb7071f3

Download Submit
C:\Windows\{A782EFC7-4EDE-42ea-8352-3A27BC063C9E}.exe

Filesize
380KB

MD5
40ab8343f37cf5e1d7b5f502182bd171

SHA1
fcdad970cba330e10750d621e21ea51c1cd72f30

SHA256
7500ce83838255caa82ac9e8b4633a1e49a7a019f6c3b2980547e40accd8ce4e

SHA512
5997b3e3fdd3d0131fe5eacd9e7f8adc465a45c16c9e1d6b258e57b7b0e59e67d78ae6eba6e43f747297cef578d66e7f31ddeddd92e3b4062829359aeb7071f3

Download Submit
C:\Windows\{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe

Filesize
380KB

MD5
4f718407c79b1e8e846b380b17a932c9

SHA1
9ee7114e38fc220b9bd8a4094b07416bcbcf252f

SHA256
57abecdf8417e1d8846006a9f2776da4092c98439fa1a5b0910f2688eed19c22

SHA512
6fe543d15947be273fbc6b3036d5bcac7dcb348a285f4471c32fd446934973d604680baff3ed7852084a9486fbe10f830b0b57da95637b5d43e073bd96626b78

Download Submit
C:\Windows\{AFA20B60-BFB4-4887-9444-A3AEF3FBADFC}.exe

Filesize
380KB

MD5
4f718407c79b1e8e846b380b17a932c9

SHA1
9ee7114e38fc220b9bd8a4094b07416bcbcf252f

SHA256
57abecdf8417e1d8846006a9f2776da4092c98439fa1a5b0910f2688eed19c22

SHA512
6fe543d15947be273fbc6b3036d5bcac7dcb348a285f4471c32fd446934973d604680baff3ed7852084a9486fbe10f830b0b57da95637b5d43e073bd96626b78

Download Submit
C:\Windows\{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe

Filesize
380KB

MD5
13cfab1f5f3bc60ac5b9dd94f7a89c6b

SHA1
e8dbb383cd15d3d81b498561905cf9ce2556f7ac

SHA256
3801b1f46f30e58eb723f997d6b7d3b781fee518a57d84d3598447d9e787f09e

SHA512
52d673e3fa94adfc819e8d3594975db95459277265aa2f4c86476404add2d8838c46196bc107943f1a276d45afa7e22871b3cf6fcb9908d7624da7c0a2bc25bd

Download Submit
C:\Windows\{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe

Filesize
380KB

MD5
13cfab1f5f3bc60ac5b9dd94f7a89c6b

SHA1
e8dbb383cd15d3d81b498561905cf9ce2556f7ac

SHA256
3801b1f46f30e58eb723f997d6b7d3b781fee518a57d84d3598447d9e787f09e

SHA512
52d673e3fa94adfc819e8d3594975db95459277265aa2f4c86476404add2d8838c46196bc107943f1a276d45afa7e22871b3cf6fcb9908d7624da7c0a2bc25bd

Download Submit
C:\Windows\{B1F21DA6-366B-46d0-BCC6-999CAE2E65DC}.exe

Filesize
380KB

MD5
13cfab1f5f3bc60ac5b9dd94f7a89c6b

SHA1
e8dbb383cd15d3d81b498561905cf9ce2556f7ac

SHA256
3801b1f46f30e58eb723f997d6b7d3b781fee518a57d84d3598447d9e787f09e

SHA512
52d673e3fa94adfc819e8d3594975db95459277265aa2f4c86476404add2d8838c46196bc107943f1a276d45afa7e22871b3cf6fcb9908d7624da7c0a2bc25bd

Download Submit
C:\Windows\{E112EA44-3E0A-432d-8E24-B9134977178C}.exe

Filesize
380KB

MD5
b0d37a9cd97118e7497a6239dd8dbd9e

SHA1
d30d49b6df5ef033e956c5035d3fd852d136614c

SHA256
b7f39884928c15f876e5b6ae2e5701d42032f366a15fc618e14dd86ae4e63ba8

SHA512
3f2531347b2c970887f8c35e1f7ea7d0fe013f140d41df4fcd8902c82e11c28ac490077e4dfef3f266fb4796a3bb9aeb763398706de050c6c09307d821e2ea60

Download Submit
C:\Windows\{E112EA44-3E0A-432d-8E24-B9134977178C}.exe

Filesize
380KB

MD5
b0d37a9cd97118e7497a6239dd8dbd9e

SHA1
d30d49b6df5ef033e956c5035d3fd852d136614c

SHA256
b7f39884928c15f876e5b6ae2e5701d42032f366a15fc618e14dd86ae4e63ba8

SHA512
3f2531347b2c970887f8c35e1f7ea7d0fe013f140d41df4fcd8902c82e11c28ac490077e4dfef3f266fb4796a3bb9aeb763398706de050c6c09307d821e2ea60

Download Submit
C:\Windows\{F1D61925-962D-4f06-8AFC-7D49A1E73025}.exe

Filesize
380KB

MD5
5ed84d7a5b22f9ebb352016bf6f40c00

SHA1
4ae0fee9217ca875a3fdb0bca136ad3740d60c0f

SHA256
38e2b35d0fbec5b072ab971c9534dd841da188596a12ce510af79cfad982322e

SHA512
64f21c699441591b298579ba6153c3bb9c3a2e219b7a98c52232c6d89ad28352d9e58e13e26bcc1fe331dd794fe42625f8aeb69764a014c3d8eb00adc8001d02

Download Submit
C:\Windows\{F1D61925-962D-4f06-8AFC-7D49A1E73025}.exe

Filesize
380KB

MD5
5ed84d7a5b22f9ebb352016bf6f40c00

SHA1
4ae0fee9217ca875a3fdb0bca136ad3740d60c0f

SHA256
38e2b35d0fbec5b072ab971c9534dd841da188596a12ce510af79cfad982322e

SHA512
64f21c699441591b298579ba6153c3bb9c3a2e219b7a98c52232c6d89ad28352d9e58e13e26bcc1fe331dd794fe42625f8aeb69764a014c3d8eb00adc8001d02

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads