014080ec0aa8b9776f7e8b0f5e4caa9e984aa02b4c730e38954686458bbdde6b

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe
Size

216KB
MD5

205d912b9f32d457b53dd36243cd1f40
SHA1

fbfff73d4a6de5a0b942f811e7b133ea7f2cd765
SHA256

014080ec0aa8b9776f7e8b0f5e4caa9e984aa02b4c730e38954686458bbdde6b
SHA512

6e28870cdc37e584bb7ef57242c90ed0cebb1df3f05ad18e50101436fcf658fab9786a47b7c22c3e05a538d2d99461ea63dc152560bcc22f0349084a3ee69abd
SSDEEP

3072:jEGh0ohl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGblEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98082E92-3E13-42f6-B5D3-348B27A5877A}\stubpath = "C:\\Windows\\{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe"	{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68D0E617-F44F-4c70-9D93-C68FE7960C68}\stubpath = "C:\\Windows\\{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe"	{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33BF43C6-3250-4a4e-B716-4E3D3D047491}	{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33BF43C6-3250-4a4e-B716-4E3D3D047491}\stubpath = "C:\\Windows\\{33BF43C6-3250-4a4e-B716-4E3D3D047491}.exe"	{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19221329-C368-4e81-877F-2E10FBB074AA}\stubpath = "C:\\Windows\\{19221329-C368-4e81-877F-2E10FBB074AA}.exe"	{33BF43C6-3250-4a4e-B716-4E3D3D047491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB5303AB-FDFF-4609-A398-14BE551794DE}	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E10299A6-D786-485d-A508-4057AAF3C32E}	{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF071199-391F-4e0c-A6A0-89DF25928F9D}\stubpath = "C:\\Windows\\{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe"	{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19221329-C368-4e81-877F-2E10FBB074AA}	{33BF43C6-3250-4a4e-B716-4E3D3D047491}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB5303AB-FDFF-4609-A398-14BE551794DE}\stubpath = "C:\\Windows\\{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe"	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98082E92-3E13-42f6-B5D3-348B27A5877A}	{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}\stubpath = "C:\\Windows\\{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe"	{E10299A6-D786-485d-A508-4057AAF3C32E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF071199-391F-4e0c-A6A0-89DF25928F9D}	{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8366123C-EC2C-406a-A0C0-0C11CC9B9201}	{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68D0E617-F44F-4c70-9D93-C68FE7960C68}	{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0812DA0-7F53-4d11-BD20-23E143587D39}\stubpath = "C:\\Windows\\{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe"	{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}	{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06BF73D3-170F-4260-B11E-A3A6F5672CF5}\stubpath = "C:\\Windows\\{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe"	{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}	{E10299A6-D786-485d-A508-4057AAF3C32E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8366123C-EC2C-406a-A0C0-0C11CC9B9201}\stubpath = "C:\\Windows\\{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe"	{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0812DA0-7F53-4d11-BD20-23E143587D39}	{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}\stubpath = "C:\\Windows\\{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe"	{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06BF73D3-170F-4260-B11E-A3A6F5672CF5}	{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E10299A6-D786-485d-A508-4057AAF3C32E}\stubpath = "C:\\Windows\\{E10299A6-D786-485d-A508-4057AAF3C32E}.exe"	{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe

Executes dropped EXE 12 IoCs

pid	Process
4052	{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe
820	{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe
4048	{E10299A6-D786-485d-A508-4057AAF3C32E}.exe
1784	{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe
1400	{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe
976	{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe
3436	{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe
2000	{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe
1432	{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe
1416	{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe
3340	{33BF43C6-3250-4a4e-B716-4E3D3D047491}.exe
4336	{19221329-C368-4e81-877F-2E10FBB074AA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe	{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe
File created	C:\Windows\{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe	{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe
File created	C:\Windows\{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe
File created	C:\Windows\{E10299A6-D786-485d-A508-4057AAF3C32E}.exe	{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe
File created	C:\Windows\{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe	{E10299A6-D786-485d-A508-4057AAF3C32E}.exe
File created	C:\Windows\{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe	{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe
File created	C:\Windows\{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe	{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe
File created	C:\Windows\{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe	{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe
File created	C:\Windows\{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe	{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe
File created	C:\Windows\{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe	{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe
File created	C:\Windows\{33BF43C6-3250-4a4e-B716-4E3D3D047491}.exe	{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe
File created	C:\Windows\{19221329-C368-4e81-877F-2E10FBB074AA}.exe	{33BF43C6-3250-4a4e-B716-4E3D3D047491}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3596	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4052	{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe
Token: SeIncBasePriorityPrivilege	820	{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe
Token: SeIncBasePriorityPrivilege	4048	{E10299A6-D786-485d-A508-4057AAF3C32E}.exe
Token: SeIncBasePriorityPrivilege	1784	{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe
Token: SeIncBasePriorityPrivilege	1400	{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe
Token: SeIncBasePriorityPrivilege	976	{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe
Token: SeIncBasePriorityPrivilege	3436	{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe
Token: SeIncBasePriorityPrivilege	2000	{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe
Token: SeIncBasePriorityPrivilege	1432	{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe
Token: SeIncBasePriorityPrivilege	1416	{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe
Token: SeIncBasePriorityPrivilege	3340	{33BF43C6-3250-4a4e-B716-4E3D3D047491}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 4052	3596	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	88
PID 3596 wrote to memory of 4052	3596	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	88
PID 3596 wrote to memory of 4052	3596	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	88
PID 3596 wrote to memory of 1956	3596	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	89
PID 3596 wrote to memory of 1956	3596	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	89
PID 3596 wrote to memory of 1956	3596	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	89
PID 4052 wrote to memory of 820	4052	{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe	90
PID 4052 wrote to memory of 820	4052	{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe	90
PID 4052 wrote to memory of 820	4052	{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe	90
PID 4052 wrote to memory of 632	4052	{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe	91
PID 4052 wrote to memory of 632	4052	{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe	91
PID 4052 wrote to memory of 632	4052	{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe	91
PID 820 wrote to memory of 4048	820	{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe	93
PID 820 wrote to memory of 4048	820	{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe	93
PID 820 wrote to memory of 4048	820	{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe	93
PID 820 wrote to memory of 4608	820	{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe	94
PID 820 wrote to memory of 4608	820	{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe	94
PID 820 wrote to memory of 4608	820	{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe	94
PID 4048 wrote to memory of 1784	4048	{E10299A6-D786-485d-A508-4057AAF3C32E}.exe	95
PID 4048 wrote to memory of 1784	4048	{E10299A6-D786-485d-A508-4057AAF3C32E}.exe	95
PID 4048 wrote to memory of 1784	4048	{E10299A6-D786-485d-A508-4057AAF3C32E}.exe	95
PID 4048 wrote to memory of 2584	4048	{E10299A6-D786-485d-A508-4057AAF3C32E}.exe	96
PID 4048 wrote to memory of 2584	4048	{E10299A6-D786-485d-A508-4057AAF3C32E}.exe	96
PID 4048 wrote to memory of 2584	4048	{E10299A6-D786-485d-A508-4057AAF3C32E}.exe	96
PID 1784 wrote to memory of 1400	1784	{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe	97
PID 1784 wrote to memory of 1400	1784	{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe	97
PID 1784 wrote to memory of 1400	1784	{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe	97
PID 1784 wrote to memory of 5036	1784	{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe	98
PID 1784 wrote to memory of 5036	1784	{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe	98
PID 1784 wrote to memory of 5036	1784	{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe	98
PID 1400 wrote to memory of 976	1400	{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe	99
PID 1400 wrote to memory of 976	1400	{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe	99
PID 1400 wrote to memory of 976	1400	{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe	99
PID 1400 wrote to memory of 1544	1400	{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe	100
PID 1400 wrote to memory of 1544	1400	{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe	100
PID 1400 wrote to memory of 1544	1400	{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe	100
PID 976 wrote to memory of 3436	976	{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe	101
PID 976 wrote to memory of 3436	976	{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe	101
PID 976 wrote to memory of 3436	976	{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe	101
PID 976 wrote to memory of 1136	976	{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe	102
PID 976 wrote to memory of 1136	976	{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe	102
PID 976 wrote to memory of 1136	976	{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe	102
PID 3436 wrote to memory of 2000	3436	{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe	103
PID 3436 wrote to memory of 2000	3436	{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe	103
PID 3436 wrote to memory of 2000	3436	{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe	103
PID 3436 wrote to memory of 1780	3436	{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe	104
PID 3436 wrote to memory of 1780	3436	{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe	104
PID 3436 wrote to memory of 1780	3436	{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe	104
PID 2000 wrote to memory of 1432	2000	{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe	105
PID 2000 wrote to memory of 1432	2000	{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe	105
PID 2000 wrote to memory of 1432	2000	{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe	105
PID 2000 wrote to memory of 3404	2000	{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe	106
PID 2000 wrote to memory of 3404	2000	{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe	106
PID 2000 wrote to memory of 3404	2000	{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe	106
PID 1432 wrote to memory of 1416	1432	{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe	107
PID 1432 wrote to memory of 1416	1432	{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe	107
PID 1432 wrote to memory of 1416	1432	{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe	107
PID 1432 wrote to memory of 2276	1432	{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe	108
PID 1432 wrote to memory of 2276	1432	{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe	108
PID 1432 wrote to memory of 2276	1432	{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe	108
PID 1416 wrote to memory of 3340	1416	{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe	109
PID 1416 wrote to memory of 3340	1416	{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe	109
PID 1416 wrote to memory of 3340	1416	{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe	109
PID 1416 wrote to memory of 2684	1416	{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe	110

C:\Users\Admin\AppData\Local\Temp\205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe
  C:\Windows\{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe
    C:\Windows\{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Windows\{E10299A6-D786-485d-A508-4057AAF3C32E}.exe
      C:\Windows\{E10299A6-D786-485d-A508-4057AAF3C32E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Windows\{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe
        
        C:\Windows\{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Windows\{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe
        
        C:\Windows\{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe
        
        C:\Windows\{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe
        
        C:\Windows\{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe
        
        C:\Windows\{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe
        
        C:\Windows\{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe
        
        C:\Windows\{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\{33BF43C6-3250-4a4e-B716-4E3D3D047491}.exe
        
        C:\Windows\{33BF43C6-3250-4a4e-B716-4E3D3D047491}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3340
        
        C:\Windows\{19221329-C368-4e81-877F-2E10FBB074AA}.exe
        
        C:\Windows\{19221329-C368-4e81-877F-2E10FBB074AA}.exe
        13⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33BF4~1.EXE > nul
        13⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ED40~1.EXE > nul
        12⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0812~1.EXE > nul
        11⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68D0E~1.EXE > nul
        10⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83661~1.EXE > nul
        9⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF071~1.EXE > nul
        8⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98082~1.EXE > nul
        7⤵
        
        PID:1544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B003~1.EXE > nul
        6⤵
        
        PID:5036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1029~1.EXE > nul
        5⤵
        
        PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{06BF7~1.EXE > nul
      4⤵
      PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BB530~1.EXE > nul
    3⤵
    PID:632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\205D91~1.EXE > nul
  2⤵
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe

Filesize
216KB

MD5
7b9cf1c976c1c3f94936d53a350e720c

SHA1
cbed6aab9bba30a221e5f77350e26a1a626b18eb

SHA256
f24a81b4af6c6a0d2cc0ad8ef332ba85de8432192fde45201efc2bfea886bb03

SHA512
1a4477ff0ab6c80ae9c0333bddb8d82016b07847e06e94c643dd7d2b67d2a03a4d984b5fb31b0c9c25748a18a5da1df88a6acf58580c50629e44c2048d989af9

Download Submit
C:\Windows\{06BF73D3-170F-4260-B11E-A3A6F5672CF5}.exe

Filesize
216KB

MD5
7b9cf1c976c1c3f94936d53a350e720c

SHA1
cbed6aab9bba30a221e5f77350e26a1a626b18eb

SHA256
f24a81b4af6c6a0d2cc0ad8ef332ba85de8432192fde45201efc2bfea886bb03

SHA512
1a4477ff0ab6c80ae9c0333bddb8d82016b07847e06e94c643dd7d2b67d2a03a4d984b5fb31b0c9c25748a18a5da1df88a6acf58580c50629e44c2048d989af9

Download Submit
C:\Windows\{19221329-C368-4e81-877F-2E10FBB074AA}.exe

Filesize
216KB

MD5
93372b541c186dd749e5f15849ad0c6b

SHA1
b2aa2717d2d7d29fb463bf7194d5a6838003bb6a

SHA256
47df2d249a8be61b7688f9c65252ed6c02b8b89d000e0940fe407eea1daf0b6d

SHA512
48bb35ac3da76af8904f59b9b9ba7dab934cf02149011883aad62f36ede1b6c436c9e23c9e6c7f82274003915d60937c17767d0e0360747cbdabbd261f1570e4

Download Submit
C:\Windows\{19221329-C368-4e81-877F-2E10FBB074AA}.exe

Filesize
216KB

MD5
93372b541c186dd749e5f15849ad0c6b

SHA1
b2aa2717d2d7d29fb463bf7194d5a6838003bb6a

SHA256
47df2d249a8be61b7688f9c65252ed6c02b8b89d000e0940fe407eea1daf0b6d

SHA512
48bb35ac3da76af8904f59b9b9ba7dab934cf02149011883aad62f36ede1b6c436c9e23c9e6c7f82274003915d60937c17767d0e0360747cbdabbd261f1570e4

Download Submit
C:\Windows\{33BF43C6-3250-4a4e-B716-4E3D3D047491}.exe

Filesize
216KB

MD5
e7890743a659134ce9f161a85117ebf7

SHA1
9a20f99c8923edc2ab00050b9a81ed999ab6c1fe

SHA256
12d9057e5a317c5ff3fc603738ebf85687125fabdf45ab722bf0bc100e40570e

SHA512
ebbcc8fddb6c7a75b75680e1b85df7541882615cd497a5ed7f94df7b16d483ea8d429df17adf6fe24636d24eea5c4afaecd0dc6f6cdd5db3f1eda9d196a25b88

Download Submit
C:\Windows\{33BF43C6-3250-4a4e-B716-4E3D3D047491}.exe

Filesize
216KB

MD5
e7890743a659134ce9f161a85117ebf7

SHA1
9a20f99c8923edc2ab00050b9a81ed999ab6c1fe

SHA256
12d9057e5a317c5ff3fc603738ebf85687125fabdf45ab722bf0bc100e40570e

SHA512
ebbcc8fddb6c7a75b75680e1b85df7541882615cd497a5ed7f94df7b16d483ea8d429df17adf6fe24636d24eea5c4afaecd0dc6f6cdd5db3f1eda9d196a25b88

Download Submit
C:\Windows\{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe

Filesize
216KB

MD5
6a3f19a944aff08bb01abcea51b72d30

SHA1
f476a5793d5c95446eda30907736e5cda754c010

SHA256
2f76fb5a4e0a7d5fe9a40349be4794d3a8aba3b55dea134e3dc10219084d903b

SHA512
c8c3fe4131182e79abb86233499b5a37c95b1d2493b50e8c3cb738aa4b652eeaa33abd89355c67e17ad0a920326b09dd96dc7145714c5cef30a30be827334723

Download Submit
C:\Windows\{3ED40107-4EC2-42d5-A01E-F82049BF3BF3}.exe

Filesize
216KB

MD5
6a3f19a944aff08bb01abcea51b72d30

SHA1
f476a5793d5c95446eda30907736e5cda754c010

SHA256
2f76fb5a4e0a7d5fe9a40349be4794d3a8aba3b55dea134e3dc10219084d903b

SHA512
c8c3fe4131182e79abb86233499b5a37c95b1d2493b50e8c3cb738aa4b652eeaa33abd89355c67e17ad0a920326b09dd96dc7145714c5cef30a30be827334723

Download Submit
C:\Windows\{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe

Filesize
216KB

MD5
ee6bcd6d6e1d534f7a4fff456b180fe6

SHA1
bdd189d45b12793aa74fcc8eddb0a270da2740f4

SHA256
8567182d3b96037e5259631906d8508a20304ba094fcd1673629990e98a4d60c

SHA512
24dc053f8ffda0c5c275545f0319756a456384f2a261e673b86bb86c56907f47aeab8745bf6bb54490738861d699feaa3a186a486322fcc01e81d3933a0a0b7e

Download Submit
C:\Windows\{68D0E617-F44F-4c70-9D93-C68FE7960C68}.exe

Filesize
216KB

MD5
ee6bcd6d6e1d534f7a4fff456b180fe6

SHA1
bdd189d45b12793aa74fcc8eddb0a270da2740f4

SHA256
8567182d3b96037e5259631906d8508a20304ba094fcd1673629990e98a4d60c

SHA512
24dc053f8ffda0c5c275545f0319756a456384f2a261e673b86bb86c56907f47aeab8745bf6bb54490738861d699feaa3a186a486322fcc01e81d3933a0a0b7e

Download Submit
C:\Windows\{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe

Filesize
216KB

MD5
430248793d029b6e00f0cccbf697473b

SHA1
48a0bc794065fe0efeb0dafb03fa4d0e50e939ee

SHA256
ca2ea105027fe9aaf49f9752cab353319988a004a1487a5ac2df405cc4ed0cc5

SHA512
e2b9946124039ae340059c3ae9caadcc7d91abeb0d5102294847b24e8593f556f380603d4545d121a07a95f965aff67338213d63037ed46f63e4490c1210a89a

Download Submit
C:\Windows\{7B003B5C-ADA3-4da5-ACDC-AC2CAFE55378}.exe

Filesize
216KB

MD5
430248793d029b6e00f0cccbf697473b

SHA1
48a0bc794065fe0efeb0dafb03fa4d0e50e939ee

SHA256
ca2ea105027fe9aaf49f9752cab353319988a004a1487a5ac2df405cc4ed0cc5

SHA512
e2b9946124039ae340059c3ae9caadcc7d91abeb0d5102294847b24e8593f556f380603d4545d121a07a95f965aff67338213d63037ed46f63e4490c1210a89a

Download Submit
C:\Windows\{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe

Filesize
216KB

MD5
6b0a09f73bf637bacfca098dfd252d2a

SHA1
56cceafc83998be56938c53811590ef374a71760

SHA256
1f46b849c45e495b3c24cf26ab31e6984bb2570526cf9576d4da4cc2571ef5a8

SHA512
89467115e3ef04e224f5a62050581385c80a647926889971db3cca644db44b048dee21918f916cfb4364cbbe0471350333921e110e373af54b4144d7b1eb8124

Download Submit
C:\Windows\{8366123C-EC2C-406a-A0C0-0C11CC9B9201}.exe

Filesize
216KB

MD5
6b0a09f73bf637bacfca098dfd252d2a

SHA1
56cceafc83998be56938c53811590ef374a71760

SHA256
1f46b849c45e495b3c24cf26ab31e6984bb2570526cf9576d4da4cc2571ef5a8

SHA512
89467115e3ef04e224f5a62050581385c80a647926889971db3cca644db44b048dee21918f916cfb4364cbbe0471350333921e110e373af54b4144d7b1eb8124

Download Submit
C:\Windows\{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe

Filesize
216KB

MD5
3e86e5037ca867df4fbbff57dd1d836c

SHA1
ff9842ecbceae1772ece524953b51275af8b9dc7

SHA256
6199376da253b4f4849a1be19d617062ae4ac985318517017a8536d557afa07a

SHA512
c212c6fc5f274f4f7d5d1d64167acef761a77dcfaf89221bdfc02c3f930ae2c4601d4b7c9fe4dc7722ed3d714bb5cce4ed4eb887e692487cd33cafb53cbc2786

Download Submit
C:\Windows\{98082E92-3E13-42f6-B5D3-348B27A5877A}.exe

Filesize
216KB

MD5
3e86e5037ca867df4fbbff57dd1d836c

SHA1
ff9842ecbceae1772ece524953b51275af8b9dc7

SHA256
6199376da253b4f4849a1be19d617062ae4ac985318517017a8536d557afa07a

SHA512
c212c6fc5f274f4f7d5d1d64167acef761a77dcfaf89221bdfc02c3f930ae2c4601d4b7c9fe4dc7722ed3d714bb5cce4ed4eb887e692487cd33cafb53cbc2786

Download Submit
C:\Windows\{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe

Filesize
216KB

MD5
f3ad7a96e328f5efa2e61d7ce877df09

SHA1
c116b2c97d4b385a3601b6b5fc803158fb6f446d

SHA256
16b1f58292de7ba6b599d1be20cfa27e8ba678afbe0f7d1e0402eb6f0f89b122

SHA512
3890972de3f1904669b2129c81523d56c068cb7fdb31492d0d0b2ac642a730e3deb223aea10cd2acfac973ee40f7364d13fd2a7c21c5f7954ec5f5dc5ecc02d4

Download Submit
C:\Windows\{AF071199-391F-4e0c-A6A0-89DF25928F9D}.exe

Filesize
216KB

MD5
f3ad7a96e328f5efa2e61d7ce877df09

SHA1
c116b2c97d4b385a3601b6b5fc803158fb6f446d

SHA256
16b1f58292de7ba6b599d1be20cfa27e8ba678afbe0f7d1e0402eb6f0f89b122

SHA512
3890972de3f1904669b2129c81523d56c068cb7fdb31492d0d0b2ac642a730e3deb223aea10cd2acfac973ee40f7364d13fd2a7c21c5f7954ec5f5dc5ecc02d4

Download Submit
C:\Windows\{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe

Filesize
216KB

MD5
e4729ea8ece428567dde058436387d7e

SHA1
d16d38cf2d73233a4d0838b704bcdddc201e2efb

SHA256
04957fc7186b045aac707b3a8f08ebb49119302a1345c089b78c6592251189aa

SHA512
32f44af013a497e1713206136e98ea0c6d3ca3a709e986c27d53832c2c57116e37ff9af5f13e1623cc5c6e5dc4a9baf6a854caf27b7dd6e8644202334ac83805

Download Submit
C:\Windows\{BB5303AB-FDFF-4609-A398-14BE551794DE}.exe

Filesize
216KB

MD5
e4729ea8ece428567dde058436387d7e

SHA1
d16d38cf2d73233a4d0838b704bcdddc201e2efb

SHA256
04957fc7186b045aac707b3a8f08ebb49119302a1345c089b78c6592251189aa

SHA512
32f44af013a497e1713206136e98ea0c6d3ca3a709e986c27d53832c2c57116e37ff9af5f13e1623cc5c6e5dc4a9baf6a854caf27b7dd6e8644202334ac83805

Download Submit
C:\Windows\{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe

Filesize
216KB

MD5
3a1046ed8bb3c1a3e025874194565a19

SHA1
362dce7f7c611fff31c5a7e7cdb837503eaa5bb9

SHA256
2aefdceca51ad7e2e95801ed1056e38739af070b46a5cc26329692e829d73f27

SHA512
8a0a3b9d38aff2caf09785628aa9c3d104d60cc635fb080e2ca61cd33e6b891d197cba91eb44b4ebec7681d74fda1361bbdeec40dd2a8af42407c3433258022a

Download Submit
C:\Windows\{E0812DA0-7F53-4d11-BD20-23E143587D39}.exe

Filesize
216KB

MD5
3a1046ed8bb3c1a3e025874194565a19

SHA1
362dce7f7c611fff31c5a7e7cdb837503eaa5bb9

SHA256
2aefdceca51ad7e2e95801ed1056e38739af070b46a5cc26329692e829d73f27

SHA512
8a0a3b9d38aff2caf09785628aa9c3d104d60cc635fb080e2ca61cd33e6b891d197cba91eb44b4ebec7681d74fda1361bbdeec40dd2a8af42407c3433258022a

Download Submit
C:\Windows\{E10299A6-D786-485d-A508-4057AAF3C32E}.exe

Filesize
216KB

MD5
b4ceb868d750773a4703afd12ed760d2

SHA1
590a1d0fa5adb1e563433939ee8938646e61afcb

SHA256
32799d5a25986e0f297e2c5cb4988e4d46621a3d536d23e9a34d1ee1dc7f4b02

SHA512
9e7b449c60b4b061385c7deec54bdbae3ec411b3a21c58679ab2cbf10e5931becd674bd7c13323b7d2725ab687680a416da65e7740b0f506e0682807c722d80b

Download Submit
C:\Windows\{E10299A6-D786-485d-A508-4057AAF3C32E}.exe

Filesize
216KB

MD5
b4ceb868d750773a4703afd12ed760d2

SHA1
590a1d0fa5adb1e563433939ee8938646e61afcb

SHA256
32799d5a25986e0f297e2c5cb4988e4d46621a3d536d23e9a34d1ee1dc7f4b02

SHA512
9e7b449c60b4b061385c7deec54bdbae3ec411b3a21c58679ab2cbf10e5931becd674bd7c13323b7d2725ab687680a416da65e7740b0f506e0682807c722d80b

Download Submit
C:\Windows\{E10299A6-D786-485d-A508-4057AAF3C32E}.exe

Filesize
216KB

MD5
b4ceb868d750773a4703afd12ed760d2

SHA1
590a1d0fa5adb1e563433939ee8938646e61afcb

SHA256
32799d5a25986e0f297e2c5cb4988e4d46621a3d536d23e9a34d1ee1dc7f4b02

SHA512
9e7b449c60b4b061385c7deec54bdbae3ec411b3a21c58679ab2cbf10e5931becd674bd7c13323b7d2725ab687680a416da65e7740b0f506e0682807c722d80b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads