8bc6e030911ca337b47212cc52e152bf17c434ee1f8af967986735d045114fa1

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2023, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f7ad766ec4ddcce3921e20260cd4737_goldeneye_JC.exe
Size

168KB
MD5

4f7ad766ec4ddcce3921e20260cd4737
SHA1

2648a895ca071ba55181ca3e95008b3f041acbfc
SHA256

8bc6e030911ca337b47212cc52e152bf17c434ee1f8af967986735d045114fa1
SHA512

7816dcd70b62ca55d97d4a024ba7fd77fad1cda3010f71107646795c9dc3b941a19ae0fb5eba016ae249670de180738e4d906c2857a3bbb3df79042691c66225
SSDEEP

1536:1EGh0oBlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oBlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}	{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F04003D4-5E80-4bc4-B44A-A4299EE3C425}	{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54DC932-2650-42f8-AE24-2908C9CA3284}	{AC324C87-AB0A-4a2c-93B0-6C9E930CD672}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60EB3652-B0ED-42ef-B604-76DB836820C3}	{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}	{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}\stubpath = "C:\\Windows\\{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe"	{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}	{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96609D4F-D956-448c-BB47-A41C82D549E2}	{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC324C87-AB0A-4a2c-93B0-6C9E930CD672}	{96609D4F-D956-448c-BB47-A41C82D549E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60EB3652-B0ED-42ef-B604-76DB836820C3}\stubpath = "C:\\Windows\\{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe"	{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A87C6A5-050E-4be5-B58C-CCD569B934D1}	{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38CD2606-8F5D-4e42-8377-0F40CF2364B0}\stubpath = "C:\\Windows\\{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe"	{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}\stubpath = "C:\\Windows\\{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe"	{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49F4FBCB-4591-4a4f-9536-A81905A56687}\stubpath = "C:\\Windows\\{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe"	{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A87C6A5-050E-4be5-B58C-CCD569B934D1}\stubpath = "C:\\Windows\\{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe"	{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38CD2606-8F5D-4e42-8377-0F40CF2364B0}	{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC324C87-AB0A-4a2c-93B0-6C9E930CD672}\stubpath = "C:\\Windows\\{AC324C87-AB0A-4a2c-93B0-6C9E930CD672}.exe"	{96609D4F-D956-448c-BB47-A41C82D549E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F04003D4-5E80-4bc4-B44A-A4299EE3C425}\stubpath = "C:\\Windows\\{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe"	{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96609D4F-D956-448c-BB47-A41C82D549E2}\stubpath = "C:\\Windows\\{96609D4F-D956-448c-BB47-A41C82D549E2}.exe"	{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54DC932-2650-42f8-AE24-2908C9CA3284}\stubpath = "C:\\Windows\\{E54DC932-2650-42f8-AE24-2908C9CA3284}.exe"	{AC324C87-AB0A-4a2c-93B0-6C9E930CD672}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E2AEC88-2801-4b57-B812-73C0EFD8F436}	4f7ad766ec4ddcce3921e20260cd4737_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E2AEC88-2801-4b57-B812-73C0EFD8F436}\stubpath = "C:\\Windows\\{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe"	4f7ad766ec4ddcce3921e20260cd4737_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49F4FBCB-4591-4a4f-9536-A81905A56687}	{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}\stubpath = "C:\\Windows\\{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe"	{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe

Executes dropped EXE 12 IoCs

pid	Process
2740	{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe
2396	{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe
4924	{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe
3728	{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe
5092	{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe
1608	{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe
344	{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe
2484	{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe
1156	{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe
2372	{96609D4F-D956-448c-BB47-A41C82D549E2}.exe
4088	{AC324C87-AB0A-4a2c-93B0-6C9E930CD672}.exe
4656	{E54DC932-2650-42f8-AE24-2908C9CA3284}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe	{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe
File created	C:\Windows\{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe	{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe
File created	C:\Windows\{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe	{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe
File created	C:\Windows\{96609D4F-D956-448c-BB47-A41C82D549E2}.exe	{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe
File created	C:\Windows\{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe	4f7ad766ec4ddcce3921e20260cd4737_goldeneye_JC.exe
File created	C:\Windows\{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe	{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe
File created	C:\Windows\{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe	{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe
File created	C:\Windows\{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe	{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe
File created	C:\Windows\{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe	{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe
File created	C:\Windows\{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe	{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe
File created	C:\Windows\{AC324C87-AB0A-4a2c-93B0-6C9E930CD672}.exe	{96609D4F-D956-448c-BB47-A41C82D549E2}.exe
File created	C:\Windows\{E54DC932-2650-42f8-AE24-2908C9CA3284}.exe	{AC324C87-AB0A-4a2c-93B0-6C9E930CD672}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3024	4f7ad766ec4ddcce3921e20260cd4737_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2740	{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe
Token: SeIncBasePriorityPrivilege	2396	{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe
Token: SeIncBasePriorityPrivilege	4924	{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe
Token: SeIncBasePriorityPrivilege	3728	{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe
Token: SeIncBasePriorityPrivilege	5092	{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe
Token: SeIncBasePriorityPrivilege	1608	{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe
Token: SeIncBasePriorityPrivilege	344	{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe
Token: SeIncBasePriorityPrivilege	2484	{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe
Token: SeIncBasePriorityPrivilege	1156	{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe
Token: SeIncBasePriorityPrivilege	2372	{96609D4F-D956-448c-BB47-A41C82D549E2}.exe
Token: SeIncBasePriorityPrivilege	4088	{AC324C87-AB0A-4a2c-93B0-6C9E930CD672}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2740	3024	4f7ad766ec4ddcce3921e20260cd4737_goldeneye_JC.exe	87
PID 3024 wrote to memory of 2740	3024	4f7ad766ec4ddcce3921e20260cd4737_goldeneye_JC.exe	87
PID 3024 wrote to memory of 2740	3024	4f7ad766ec4ddcce3921e20260cd4737_goldeneye_JC.exe	87
PID 3024 wrote to memory of 1112	3024	4f7ad766ec4ddcce3921e20260cd4737_goldeneye_JC.exe	88
PID 3024 wrote to memory of 1112	3024	4f7ad766ec4ddcce3921e20260cd4737_goldeneye_JC.exe	88
PID 3024 wrote to memory of 1112	3024	4f7ad766ec4ddcce3921e20260cd4737_goldeneye_JC.exe	88
PID 2740 wrote to memory of 2396	2740	{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe	91
PID 2740 wrote to memory of 2396	2740	{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe	91
PID 2740 wrote to memory of 2396	2740	{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe	91
PID 2740 wrote to memory of 396	2740	{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe	92
PID 2740 wrote to memory of 396	2740	{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe	92
PID 2740 wrote to memory of 396	2740	{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe	92
PID 2396 wrote to memory of 4924	2396	{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe	94
PID 2396 wrote to memory of 4924	2396	{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe	94
PID 2396 wrote to memory of 4924	2396	{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe	94
PID 2396 wrote to memory of 408	2396	{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe	95
PID 2396 wrote to memory of 408	2396	{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe	95
PID 2396 wrote to memory of 408	2396	{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe	95
PID 4924 wrote to memory of 3728	4924	{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe	96
PID 4924 wrote to memory of 3728	4924	{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe	96
PID 4924 wrote to memory of 3728	4924	{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe	96
PID 4924 wrote to memory of 832	4924	{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe	97
PID 4924 wrote to memory of 832	4924	{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe	97
PID 4924 wrote to memory of 832	4924	{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe	97
PID 3728 wrote to memory of 5092	3728	{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe	98
PID 3728 wrote to memory of 5092	3728	{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe	98
PID 3728 wrote to memory of 5092	3728	{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe	98
PID 3728 wrote to memory of 2436	3728	{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe	99
PID 3728 wrote to memory of 2436	3728	{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe	99
PID 3728 wrote to memory of 2436	3728	{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe	99
PID 5092 wrote to memory of 1608	5092	{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe	100
PID 5092 wrote to memory of 1608	5092	{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe	100
PID 5092 wrote to memory of 1608	5092	{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe	100
PID 5092 wrote to memory of 2924	5092	{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe	101
PID 5092 wrote to memory of 2924	5092	{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe	101
PID 5092 wrote to memory of 2924	5092	{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe	101
PID 1608 wrote to memory of 344	1608	{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe	103
PID 1608 wrote to memory of 344	1608	{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe	103
PID 1608 wrote to memory of 344	1608	{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe	103
PID 1608 wrote to memory of 4484	1608	{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe	102
PID 1608 wrote to memory of 4484	1608	{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe	102
PID 1608 wrote to memory of 4484	1608	{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe	102
PID 344 wrote to memory of 2484	344	{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe	104
PID 344 wrote to memory of 2484	344	{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe	104
PID 344 wrote to memory of 2484	344	{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe	104
PID 344 wrote to memory of 1792	344	{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe	105
PID 344 wrote to memory of 1792	344	{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe	105
PID 344 wrote to memory of 1792	344	{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe	105
PID 2484 wrote to memory of 1156	2484	{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe	106
PID 2484 wrote to memory of 1156	2484	{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe	106
PID 2484 wrote to memory of 1156	2484	{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe	106
PID 2484 wrote to memory of 2588	2484	{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe	107
PID 2484 wrote to memory of 2588	2484	{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe	107
PID 2484 wrote to memory of 2588	2484	{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe	107
PID 1156 wrote to memory of 2372	1156	{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe	108
PID 1156 wrote to memory of 2372	1156	{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe	108
PID 1156 wrote to memory of 2372	1156	{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe	108
PID 1156 wrote to memory of 4628	1156	{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe	109
PID 1156 wrote to memory of 4628	1156	{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe	109
PID 1156 wrote to memory of 4628	1156	{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe	109
PID 2372 wrote to memory of 4088	2372	{96609D4F-D956-448c-BB47-A41C82D549E2}.exe	110
PID 2372 wrote to memory of 4088	2372	{96609D4F-D956-448c-BB47-A41C82D549E2}.exe	110
PID 2372 wrote to memory of 4088	2372	{96609D4F-D956-448c-BB47-A41C82D549E2}.exe	110
PID 2372 wrote to memory of 2156	2372	{96609D4F-D956-448c-BB47-A41C82D549E2}.exe	111

C:\Users\Admin\AppData\Local\Temp\4f7ad766ec4ddcce3921e20260cd4737_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4f7ad766ec4ddcce3921e20260cd4737_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe
  C:\Windows\{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe
    C:\Windows\{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe
      C:\Windows\{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\Windows\{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe
        
        C:\Windows\{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Windows\{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe
        
        C:\Windows\{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe
        
        C:\Windows\{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BFE3~1.EXE > nul
        8⤵
        
        PID:4484
        
        C:\Windows\{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe
        
        C:\Windows\{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe
        
        C:\Windows\{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe
        
        C:\Windows\{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\{96609D4F-D956-448c-BB47-A41C82D549E2}.exe
        
        C:\Windows\{96609D4F-D956-448c-BB47-A41C82D549E2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\{AC324C87-AB0A-4a2c-93B0-6C9E930CD672}.exe
        
        C:\Windows\{AC324C87-AB0A-4a2c-93B0-6C9E930CD672}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
        
        C:\Windows\{E54DC932-2650-42f8-AE24-2908C9CA3284}.exe
        
        C:\Windows\{E54DC932-2650-42f8-AE24-2908C9CA3284}.exe
        13⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC324~1.EXE > nul
        13⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96609~1.EXE > nul
        12⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0400~1.EXE > nul
        11⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA84E~1.EXE > nul
        10⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38CD2~1.EXE > nul
        9⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A87C~1.EXE > nul
        7⤵
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49F4F~1.EXE > nul
        6⤵
        
        PID:2436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{202D9~1.EXE > nul
        5⤵
        
        PID:832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{60EB3~1.EXE > nul
      4⤵
      PID:408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2E2AE~1.EXE > nul
    3⤵
    PID:396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4F7AD7~1.EXE > nul
  2⤵
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe

Filesize
168KB

MD5
c494750f49724cb0c9b8e7d216d0192e

SHA1
d672cca04f87520f16b14a672de8342fe8a8dc2d

SHA256
376101be56f1572ba2788bc35c3ae757a0e52390eb177d298d110f2c1d71b99e

SHA512
a2ff32dd2f02b0144747b93536987a03e862eeae6c066f9fad11d5c04c9c8a49350f7cc556d05d223d00c2b4574d281994111d6cdef0c2c670ecabc2e0dca37a

Download Submit
C:\Windows\{0BFE3794-793E-43d7-91ED-1CBA8F732B1D}.exe

Filesize
168KB

MD5
c494750f49724cb0c9b8e7d216d0192e

SHA1
d672cca04f87520f16b14a672de8342fe8a8dc2d

SHA256
376101be56f1572ba2788bc35c3ae757a0e52390eb177d298d110f2c1d71b99e

SHA512
a2ff32dd2f02b0144747b93536987a03e862eeae6c066f9fad11d5c04c9c8a49350f7cc556d05d223d00c2b4574d281994111d6cdef0c2c670ecabc2e0dca37a

Download Submit
C:\Windows\{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe

Filesize
168KB

MD5
25325f0eccc7bdd4908468198e883eb0

SHA1
3a9ec281f0b1b9f46e757a78c435373ef330a294

SHA256
42064da5a1fc65d920724dffd396bfd9d7e8910b7d682047f3fe07eccac43982

SHA512
2f282b15f78ce1241a463c604182c17b1c80cc598ad85cb389a9abb24564ed7b0fa7dd48591210beaa6c0c313ac76a5f4e8ab9db8e621009d524dd34ce9eee96

Download Submit
C:\Windows\{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe

Filesize
168KB

MD5
25325f0eccc7bdd4908468198e883eb0

SHA1
3a9ec281f0b1b9f46e757a78c435373ef330a294

SHA256
42064da5a1fc65d920724dffd396bfd9d7e8910b7d682047f3fe07eccac43982

SHA512
2f282b15f78ce1241a463c604182c17b1c80cc598ad85cb389a9abb24564ed7b0fa7dd48591210beaa6c0c313ac76a5f4e8ab9db8e621009d524dd34ce9eee96

Download Submit
C:\Windows\{202D9DD6-5EA1-461f-A816-3DA70E18B3DD}.exe

Filesize
168KB

MD5
25325f0eccc7bdd4908468198e883eb0

SHA1
3a9ec281f0b1b9f46e757a78c435373ef330a294

SHA256
42064da5a1fc65d920724dffd396bfd9d7e8910b7d682047f3fe07eccac43982

SHA512
2f282b15f78ce1241a463c604182c17b1c80cc598ad85cb389a9abb24564ed7b0fa7dd48591210beaa6c0c313ac76a5f4e8ab9db8e621009d524dd34ce9eee96

Download Submit
C:\Windows\{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe

Filesize
168KB

MD5
0c8d8b901f6ba840d5a55f4de7b6bcd6

SHA1
237048e68b80d280128f985376a0ff5585ecbc91

SHA256
8088f301c034c952c3cf6dc41be2c38e8d0140a318c73d7a293d88b54d999836

SHA512
6b0fc51a0690801015837e0f3e37eb94884baf9b898e8ab4d33dc0db787f6afca6158d5de7e8f1dc5ff08af595d001ef323e26e9a7abd179dda329955358e8ce

Download Submit
C:\Windows\{2E2AEC88-2801-4b57-B812-73C0EFD8F436}.exe

Filesize
168KB

MD5
0c8d8b901f6ba840d5a55f4de7b6bcd6

SHA1
237048e68b80d280128f985376a0ff5585ecbc91

SHA256
8088f301c034c952c3cf6dc41be2c38e8d0140a318c73d7a293d88b54d999836

SHA512
6b0fc51a0690801015837e0f3e37eb94884baf9b898e8ab4d33dc0db787f6afca6158d5de7e8f1dc5ff08af595d001ef323e26e9a7abd179dda329955358e8ce

Download Submit
C:\Windows\{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe

Filesize
168KB

MD5
81a37d67e240ecf295831e05e2bd70ec

SHA1
de358365b6dd4b879b3996d2dbc12768e2ae0286

SHA256
b01df8d7c153aa852e51fc73feff4827e5598d329db9dcf7c36fba0cd5564f57

SHA512
0afbd13702a07e63fa70707ef48cae8068ab01b6e7ea341e86eb76ef7d404937d55d43ed3a092ed7796b114be5971038c300a018094d9270c0cddb14e23eee12

Download Submit
C:\Windows\{38CD2606-8F5D-4e42-8377-0F40CF2364B0}.exe

Filesize
168KB

MD5
81a37d67e240ecf295831e05e2bd70ec

SHA1
de358365b6dd4b879b3996d2dbc12768e2ae0286

SHA256
b01df8d7c153aa852e51fc73feff4827e5598d329db9dcf7c36fba0cd5564f57

SHA512
0afbd13702a07e63fa70707ef48cae8068ab01b6e7ea341e86eb76ef7d404937d55d43ed3a092ed7796b114be5971038c300a018094d9270c0cddb14e23eee12

Download Submit
C:\Windows\{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe

Filesize
168KB

MD5
c0c81f30cdd1275a66dc60c93a47a687

SHA1
50d3845401dda93ee5a0275893a196c6021d23f1

SHA256
263b3d2060b5ff7769cd53ade4a5a7737fa50f89937656009cc19a63a7b6d482

SHA512
d23ffbd44418df9eb4b56b0fb0a24d025b60e30d9ea517b9ea72c5496e18d60fe651fcc80ec7eb5c96ac9fedb1c8e470d57e485302a7ffe01c6b95a3d99d580a

Download Submit
C:\Windows\{3A87C6A5-050E-4be5-B58C-CCD569B934D1}.exe

Filesize
168KB

MD5
c0c81f30cdd1275a66dc60c93a47a687

SHA1
50d3845401dda93ee5a0275893a196c6021d23f1

SHA256
263b3d2060b5ff7769cd53ade4a5a7737fa50f89937656009cc19a63a7b6d482

SHA512
d23ffbd44418df9eb4b56b0fb0a24d025b60e30d9ea517b9ea72c5496e18d60fe651fcc80ec7eb5c96ac9fedb1c8e470d57e485302a7ffe01c6b95a3d99d580a

Download Submit
C:\Windows\{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe

Filesize
168KB

MD5
7c797693d75a35bc31ad0780ba4547dc

SHA1
9bd94c88e17b8f7f30773b1cd92385f250e7e6a8

SHA256
7bab8953ada79a0387ed67a1904b66acd2ba37b28922e623d06fc739061d3d91

SHA512
b082e80536cf066b9adfdb3129898945700760821145647d01eb62ec71a17834b4ae7926105e976c12eca5cc8cb28237851657d31dd349cf4e9cf076ba8447b1

Download Submit
C:\Windows\{49F4FBCB-4591-4a4f-9536-A81905A56687}.exe

Filesize
168KB

MD5
7c797693d75a35bc31ad0780ba4547dc

SHA1
9bd94c88e17b8f7f30773b1cd92385f250e7e6a8

SHA256
7bab8953ada79a0387ed67a1904b66acd2ba37b28922e623d06fc739061d3d91

SHA512
b082e80536cf066b9adfdb3129898945700760821145647d01eb62ec71a17834b4ae7926105e976c12eca5cc8cb28237851657d31dd349cf4e9cf076ba8447b1

Download Submit
C:\Windows\{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe

Filesize
168KB

MD5
75fc605ce2bccc18a39b8c37461d2a81

SHA1
c411fd3c3ab0a4ad42ca95b5e557a9b7888101d9

SHA256
83d60378a2b505decc7d2357e598a7ad6e07e1af86c7c8b5cf1dc71a4eb12975

SHA512
699104dab5e3703cbc6cf47844f25935d808657d242304f6eef94fe75be4e5a55fd9b21cb7caf8f27b48ae547c049b835b09c0caca85ea607121e81a36a5062b

Download Submit
C:\Windows\{60EB3652-B0ED-42ef-B604-76DB836820C3}.exe

Filesize
168KB

MD5
75fc605ce2bccc18a39b8c37461d2a81

SHA1
c411fd3c3ab0a4ad42ca95b5e557a9b7888101d9

SHA256
83d60378a2b505decc7d2357e598a7ad6e07e1af86c7c8b5cf1dc71a4eb12975

SHA512
699104dab5e3703cbc6cf47844f25935d808657d242304f6eef94fe75be4e5a55fd9b21cb7caf8f27b48ae547c049b835b09c0caca85ea607121e81a36a5062b

Download Submit
C:\Windows\{96609D4F-D956-448c-BB47-A41C82D549E2}.exe

Filesize
168KB

MD5
5210d880e64d9f9599d9c51e405deb74

SHA1
1914d9ef44bd83d9d3ff8345b70d8ffcc589b6c3

SHA256
44b1e543705b7349e15f889c5b04ff94453b3fc98d8a7701084c6634b468c89b

SHA512
7eb34540db78a1e62227ba93ca4fd4d101fc8b85a733896173ec90c97459a15a0563e55eb05852aa97007ab33bafe81d50b3fbb97130aa0daed20642a1ce7999

Download Submit
C:\Windows\{96609D4F-D956-448c-BB47-A41C82D549E2}.exe

Filesize
168KB

MD5
5210d880e64d9f9599d9c51e405deb74

SHA1
1914d9ef44bd83d9d3ff8345b70d8ffcc589b6c3

SHA256
44b1e543705b7349e15f889c5b04ff94453b3fc98d8a7701084c6634b468c89b

SHA512
7eb34540db78a1e62227ba93ca4fd4d101fc8b85a733896173ec90c97459a15a0563e55eb05852aa97007ab33bafe81d50b3fbb97130aa0daed20642a1ce7999

Download Submit
C:\Windows\{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe

Filesize
168KB

MD5
b95a9afe0ad72b317745818b34e04db5

SHA1
4b37081d08d5e18c5cbfef524325c8709b44c00f

SHA256
b6d5a6c9c471984490fb9fa9b9ed1dd58dcef57b57e75df89c5846e9cfe63cc6

SHA512
acb784406432b0f11857a9deaa7a2ca2e0f597ce75578dd49f941f932e4f0427d49f0b2ac1758de556fcaec38cedb87bbe9d6e66dade72ccc76fc9cb3b84ca0d

Download Submit
C:\Windows\{AA84EE8A-B77D-4bd1-97DE-D0F3BE1DC7BB}.exe

Filesize
168KB

MD5
b95a9afe0ad72b317745818b34e04db5

SHA1
4b37081d08d5e18c5cbfef524325c8709b44c00f

SHA256
b6d5a6c9c471984490fb9fa9b9ed1dd58dcef57b57e75df89c5846e9cfe63cc6

SHA512
acb784406432b0f11857a9deaa7a2ca2e0f597ce75578dd49f941f932e4f0427d49f0b2ac1758de556fcaec38cedb87bbe9d6e66dade72ccc76fc9cb3b84ca0d

Download Submit
C:\Windows\{AC324C87-AB0A-4a2c-93B0-6C9E930CD672}.exe

Filesize
168KB

MD5
d6824f3f1e625d7b4b68950c0cdba99c

SHA1
c16a6d18ad3b89466782afbd8ab17609f7ab3a2e

SHA256
6bd4f21a17964f6a3ba3fa688cc8e2c55de33a81114526dcd8d4e9acf91b91f7

SHA512
dd2efa6b68de7fe00572ec09d1b513a6d348b25477b88114b89f2a924999f85e71a76b7ede04e456195637895b21016a18c50349e8dceed30683e765b4970375

Download Submit
C:\Windows\{AC324C87-AB0A-4a2c-93B0-6C9E930CD672}.exe

Filesize
168KB

MD5
d6824f3f1e625d7b4b68950c0cdba99c

SHA1
c16a6d18ad3b89466782afbd8ab17609f7ab3a2e

SHA256
6bd4f21a17964f6a3ba3fa688cc8e2c55de33a81114526dcd8d4e9acf91b91f7

SHA512
dd2efa6b68de7fe00572ec09d1b513a6d348b25477b88114b89f2a924999f85e71a76b7ede04e456195637895b21016a18c50349e8dceed30683e765b4970375

Download Submit
C:\Windows\{E54DC932-2650-42f8-AE24-2908C9CA3284}.exe

Filesize
168KB

MD5
1f4cde713f99eb03502eee219e9f7337

SHA1
e62da969c6fc9389d53e7a6d31505cccd8de0ecf

SHA256
7ebec080037b161265449a4caae47017f223ca3a059883e4224c65c6ca7ff0d5

SHA512
1d18690a6a04ce70f4c0deb5edfac1e200b0cd45f78cbbe8badb65b94749774cb8ca90ab0d6d83744245f282713a5e4d1100ed051576874ada753e948c840bad

Download Submit
C:\Windows\{E54DC932-2650-42f8-AE24-2908C9CA3284}.exe

Filesize
168KB

MD5
1f4cde713f99eb03502eee219e9f7337

SHA1
e62da969c6fc9389d53e7a6d31505cccd8de0ecf

SHA256
7ebec080037b161265449a4caae47017f223ca3a059883e4224c65c6ca7ff0d5

SHA512
1d18690a6a04ce70f4c0deb5edfac1e200b0cd45f78cbbe8badb65b94749774cb8ca90ab0d6d83744245f282713a5e4d1100ed051576874ada753e948c840bad

Download Submit
C:\Windows\{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe

Filesize
168KB

MD5
0a4d3258c2ea118a671894f615233a6a

SHA1
e513f4cb13d512774aef57015863f99016e87fb9

SHA256
fe0ec7164309b73f23defedaeae102b77acb8aff89b7829afc56f87300a3733d

SHA512
d2b0d737cc8b8b6801b558fc313d395e058c76e3493eaa9e970e914937d128d64a01889cca9b52df58441740324fbf48cd0b62cda043d40837bef505f9e86319

Download Submit
C:\Windows\{F04003D4-5E80-4bc4-B44A-A4299EE3C425}.exe

Filesize
168KB

MD5
0a4d3258c2ea118a671894f615233a6a

SHA1
e513f4cb13d512774aef57015863f99016e87fb9

SHA256
fe0ec7164309b73f23defedaeae102b77acb8aff89b7829afc56f87300a3733d

SHA512
d2b0d737cc8b8b6801b558fc313d395e058c76e3493eaa9e970e914937d128d64a01889cca9b52df58441740324fbf48cd0b62cda043d40837bef505f9e86319

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads