aa8c271ab83b722a364e077825bfdecb8c315bfa40c86cc86c3d782ead6fbcce

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2023, 12:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

56a450acf27eac20015f8b8bcef4bea2_goldeneye_JC.exe
Size

372KB
MD5

56a450acf27eac20015f8b8bcef4bea2
SHA1

87327e9b975e7f2a580ac658859cfa79ef6e9367
SHA256

aa8c271ab83b722a364e077825bfdecb8c315bfa40c86cc86c3d782ead6fbcce
SHA512

8ac1e1d3999763fb3961de4604abb8cc49c85138eb8403697e53464333a40a3ba210297110c1c5b2221e34fbac12adafc2ece7d706f9d8b5138f0ecd629108fb
SSDEEP

3072:CEGh0oCmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGNl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}\stubpath = "C:\\Windows\\{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe"	56a450acf27eac20015f8b8bcef4bea2_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}\stubpath = "C:\\Windows\\{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe"	{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2AB55B5-56AC-42bc-88B9-5D425C29638B}\stubpath = "C:\\Windows\\{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe"	{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}	56a450acf27eac20015f8b8bcef4bea2_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49748594-FD27-4a3f-B94D-C122DEEBFEDF}	{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}	{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}\stubpath = "C:\\Windows\\{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe"	{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34ECF621-10D6-45c8-9B0E-9704FA619C7F}	{12A8A1EB-FAA3-4f49-9834-B85F9EB9337A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34ECF621-10D6-45c8-9B0E-9704FA619C7F}\stubpath = "C:\\Windows\\{34ECF621-10D6-45c8-9B0E-9704FA619C7F}.exe"	{12A8A1EB-FAA3-4f49-9834-B85F9EB9337A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}\stubpath = "C:\\Windows\\{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe"	{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}\stubpath = "C:\\Windows\\{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe"	{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE402B64-A716-40a3-B13D-6A8EFC44A61E}\stubpath = "C:\\Windows\\{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe"	{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}	{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49748594-FD27-4a3f-B94D-C122DEEBFEDF}\stubpath = "C:\\Windows\\{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe"	{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12A8A1EB-FAA3-4f49-9834-B85F9EB9337A}	{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12A8A1EB-FAA3-4f49-9834-B85F9EB9337A}\stubpath = "C:\\Windows\\{12A8A1EB-FAA3-4f49-9834-B85F9EB9337A}.exe"	{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}	{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}	{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}	{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}\stubpath = "C:\\Windows\\{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe"	{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2AB55B5-56AC-42bc-88B9-5D425C29638B}	{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{779B3A65-5594-4c29-A187-37C540FD5A3A}	{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{779B3A65-5594-4c29-A187-37C540FD5A3A}\stubpath = "C:\\Windows\\{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe"	{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE402B64-A716-40a3-B13D-6A8EFC44A61E}	{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe

Executes dropped EXE 12 IoCs

pid	Process
4660	{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe
2192	{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe
1112	{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe
4900	{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe
4192	{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe
4988	{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe
5056	{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe
1432	{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe
2660	{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe
2084	{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe
4672	{12A8A1EB-FAA3-4f49-9834-B85F9EB9337A}.exe
4808	{34ECF621-10D6-45c8-9B0E-9704FA619C7F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{12A8A1EB-FAA3-4f49-9834-B85F9EB9337A}.exe	{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe
File created	C:\Windows\{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe	{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe
File created	C:\Windows\{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe	{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe
File created	C:\Windows\{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe	{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe
File created	C:\Windows\{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe	{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe
File created	C:\Windows\{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe	{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe
File created	C:\Windows\{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe	{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe
File created	C:\Windows\{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe	{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe
File created	C:\Windows\{34ECF621-10D6-45c8-9B0E-9704FA619C7F}.exe	{12A8A1EB-FAA3-4f49-9834-B85F9EB9337A}.exe
File created	C:\Windows\{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe	56a450acf27eac20015f8b8bcef4bea2_goldeneye_JC.exe
File created	C:\Windows\{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe	{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe
File created	C:\Windows\{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe	{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4348	56a450acf27eac20015f8b8bcef4bea2_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4660	{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe
Token: SeIncBasePriorityPrivilege	2192	{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe
Token: SeIncBasePriorityPrivilege	1112	{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe
Token: SeIncBasePriorityPrivilege	4900	{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe
Token: SeIncBasePriorityPrivilege	4192	{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe
Token: SeIncBasePriorityPrivilege	4988	{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe
Token: SeIncBasePriorityPrivilege	5056	{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe
Token: SeIncBasePriorityPrivilege	1432	{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe
Token: SeIncBasePriorityPrivilege	2660	{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe
Token: SeIncBasePriorityPrivilege	2084	{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe
Token: SeIncBasePriorityPrivilege	4672	{12A8A1EB-FAA3-4f49-9834-B85F9EB9337A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 4660	4348	56a450acf27eac20015f8b8bcef4bea2_goldeneye_JC.exe	85
PID 4348 wrote to memory of 4660	4348	56a450acf27eac20015f8b8bcef4bea2_goldeneye_JC.exe	85
PID 4348 wrote to memory of 4660	4348	56a450acf27eac20015f8b8bcef4bea2_goldeneye_JC.exe	85
PID 4348 wrote to memory of 4468	4348	56a450acf27eac20015f8b8bcef4bea2_goldeneye_JC.exe	86
PID 4348 wrote to memory of 4468	4348	56a450acf27eac20015f8b8bcef4bea2_goldeneye_JC.exe	86
PID 4348 wrote to memory of 4468	4348	56a450acf27eac20015f8b8bcef4bea2_goldeneye_JC.exe	86
PID 4660 wrote to memory of 2192	4660	{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe	90
PID 4660 wrote to memory of 2192	4660	{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe	90
PID 4660 wrote to memory of 2192	4660	{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe	90
PID 4660 wrote to memory of 4644	4660	{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe	91
PID 4660 wrote to memory of 4644	4660	{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe	91
PID 4660 wrote to memory of 4644	4660	{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe	91
PID 2192 wrote to memory of 1112	2192	{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe	94
PID 2192 wrote to memory of 1112	2192	{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe	94
PID 2192 wrote to memory of 1112	2192	{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe	94
PID 2192 wrote to memory of 4120	2192	{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe	93
PID 2192 wrote to memory of 4120	2192	{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe	93
PID 2192 wrote to memory of 4120	2192	{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe	93
PID 1112 wrote to memory of 4900	1112	{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe	96
PID 1112 wrote to memory of 4900	1112	{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe	96
PID 1112 wrote to memory of 4900	1112	{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe	96
PID 1112 wrote to memory of 3848	1112	{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe	95
PID 1112 wrote to memory of 3848	1112	{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe	95
PID 1112 wrote to memory of 3848	1112	{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe	95
PID 4900 wrote to memory of 4192	4900	{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe	97
PID 4900 wrote to memory of 4192	4900	{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe	97
PID 4900 wrote to memory of 4192	4900	{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe	97
PID 4900 wrote to memory of 420	4900	{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe	98
PID 4900 wrote to memory of 420	4900	{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe	98
PID 4900 wrote to memory of 420	4900	{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe	98
PID 4192 wrote to memory of 4988	4192	{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe	99
PID 4192 wrote to memory of 4988	4192	{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe	99
PID 4192 wrote to memory of 4988	4192	{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe	99
PID 4192 wrote to memory of 3740	4192	{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe	100
PID 4192 wrote to memory of 3740	4192	{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe	100
PID 4192 wrote to memory of 3740	4192	{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe	100
PID 4988 wrote to memory of 5056	4988	{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe	102
PID 4988 wrote to memory of 5056	4988	{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe	102
PID 4988 wrote to memory of 5056	4988	{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe	102
PID 4988 wrote to memory of 4360	4988	{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe	101
PID 4988 wrote to memory of 4360	4988	{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe	101
PID 4988 wrote to memory of 4360	4988	{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe	101
PID 5056 wrote to memory of 1432	5056	{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe	103
PID 5056 wrote to memory of 1432	5056	{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe	103
PID 5056 wrote to memory of 1432	5056	{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe	103
PID 5056 wrote to memory of 1696	5056	{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe	104
PID 5056 wrote to memory of 1696	5056	{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe	104
PID 5056 wrote to memory of 1696	5056	{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe	104
PID 1432 wrote to memory of 2660	1432	{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe	105
PID 1432 wrote to memory of 2660	1432	{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe	105
PID 1432 wrote to memory of 2660	1432	{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe	105
PID 1432 wrote to memory of 2148	1432	{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe	106
PID 1432 wrote to memory of 2148	1432	{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe	106
PID 1432 wrote to memory of 2148	1432	{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe	106
PID 2660 wrote to memory of 2084	2660	{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe	107
PID 2660 wrote to memory of 2084	2660	{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe	107
PID 2660 wrote to memory of 2084	2660	{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe	107
PID 2660 wrote to memory of 404	2660	{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe	108
PID 2660 wrote to memory of 404	2660	{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe	108
PID 2660 wrote to memory of 404	2660	{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe	108
PID 2084 wrote to memory of 4672	2084	{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe	109
PID 2084 wrote to memory of 4672	2084	{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe	109
PID 2084 wrote to memory of 4672	2084	{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe	109
PID 2084 wrote to memory of 3924	2084	{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe	110

C:\Users\Admin\AppData\Local\Temp\56a450acf27eac20015f8b8bcef4bea2_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\56a450acf27eac20015f8b8bcef4bea2_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe
  C:\Windows\{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe
    C:\Windows\{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D02B3~1.EXE > nul
      4⤵
      PID:4120
  - - C:\Windows\{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe
      C:\Windows\{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE402~1.EXE > nul
        5⤵
        
        PID:3848
    - - C:\Windows\{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe
        
        C:\Windows\{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Windows\{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe
        
        C:\Windows\{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe
        
        C:\Windows\{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97EB2~1.EXE > nul
        8⤵
        
        PID:4360
        
        C:\Windows\{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe
        
        C:\Windows\{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe
        
        C:\Windows\{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe
        
        C:\Windows\{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe
        
        C:\Windows\{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{12A8A1EB-FAA3-4f49-9834-B85F9EB9337A}.exe
        
        C:\Windows\{12A8A1EB-FAA3-4f49-9834-B85F9EB9337A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
        
        C:\Windows\{34ECF621-10D6-45c8-9B0E-9704FA619C7F}.exe
        
        C:\Windows\{34ECF621-10D6-45c8-9B0E-9704FA619C7F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12A8A~1.EXE > nul
        13⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F51E~1.EXE > nul
        12⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{779B3~1.EXE > nul
        11⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49748~1.EXE > nul
        10⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2AB5~1.EXE > nul
        9⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DDAA~1.EXE > nul
        7⤵
        
        PID:3740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9245D~1.EXE > nul
        6⤵
        
        PID:420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EF9C2~1.EXE > nul
    3⤵
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\56A450~1.EXE > nul
  2⤵
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12A8A1EB-FAA3-4f49-9834-B85F9EB9337A}.exe

Filesize
372KB

MD5
ed97b3080835e53ba181279f9832291e

SHA1
57855bfc439b108921cf11facb8efba316fa2dcd

SHA256
0691bf4ec8aacf2254fb402bca9f1d84c7015b9c65ff54dde269ce62e2b53d95

SHA512
0ce53a3827f39cc85f66b71624a64e7ebcfd5cb7556c042f9b64fddd99342e15a8885c23a822af7b0043f5cf45dabf99ed84e847d433d69e5e65a41e7d480f5c

Download Submit
C:\Windows\{12A8A1EB-FAA3-4f49-9834-B85F9EB9337A}.exe

Filesize
372KB

MD5
ed97b3080835e53ba181279f9832291e

SHA1
57855bfc439b108921cf11facb8efba316fa2dcd

SHA256
0691bf4ec8aacf2254fb402bca9f1d84c7015b9c65ff54dde269ce62e2b53d95

SHA512
0ce53a3827f39cc85f66b71624a64e7ebcfd5cb7556c042f9b64fddd99342e15a8885c23a822af7b0043f5cf45dabf99ed84e847d433d69e5e65a41e7d480f5c

Download Submit
C:\Windows\{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe

Filesize
372KB

MD5
0d8eaa0d98c4d4ef351c92b1e85494c2

SHA1
bdf3e3c6c21b88b2863209d8a9f9e2589e7d1de0

SHA256
92ad30b639217a48906ec4500f7556206bbbc96517c5ab69a4ad6f5c5b5ecc11

SHA512
d6603e979175048b00e5d23a83e8c20b04868cf77dd9aa19c5d3a3d15cd2b556b1557e983194d1fa9dde056e54fe3cf148f5c7484b94235fb578a487136a7027

Download Submit
C:\Windows\{1F51EE60-CE3C-4aae-8A6F-5F58E9A921CD}.exe

Filesize
372KB

MD5
0d8eaa0d98c4d4ef351c92b1e85494c2

SHA1
bdf3e3c6c21b88b2863209d8a9f9e2589e7d1de0

SHA256
92ad30b639217a48906ec4500f7556206bbbc96517c5ab69a4ad6f5c5b5ecc11

SHA512
d6603e979175048b00e5d23a83e8c20b04868cf77dd9aa19c5d3a3d15cd2b556b1557e983194d1fa9dde056e54fe3cf148f5c7484b94235fb578a487136a7027

Download Submit
C:\Windows\{34ECF621-10D6-45c8-9B0E-9704FA619C7F}.exe

Filesize
372KB

MD5
48e55a25a310624ae071c69c57bc9fa2

SHA1
5bb09b3391eaf757177d529bfad6a40c74ca8bfa

SHA256
7d95ccaeae393981a83ddab2590095d8ac33098eb9438da4053a8113a5dcd533

SHA512
9351c2221d941425b64d925801025af5d1a90996aca414e8e9e63cc1bc13e10b105d3bc2758c59311c00db9613b20df714814d655611e0fb515d7f2ece3ecb8e

Download Submit
C:\Windows\{34ECF621-10D6-45c8-9B0E-9704FA619C7F}.exe

Filesize
372KB

MD5
48e55a25a310624ae071c69c57bc9fa2

SHA1
5bb09b3391eaf757177d529bfad6a40c74ca8bfa

SHA256
7d95ccaeae393981a83ddab2590095d8ac33098eb9438da4053a8113a5dcd533

SHA512
9351c2221d941425b64d925801025af5d1a90996aca414e8e9e63cc1bc13e10b105d3bc2758c59311c00db9613b20df714814d655611e0fb515d7f2ece3ecb8e

Download Submit
C:\Windows\{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe

Filesize
372KB

MD5
d33baf49cea8130d92792231f28f4fd9

SHA1
101b91786fe02d29d1f9b7bf2011be26105d1c8f

SHA256
05e0ff8c6257696d816e88bf0d896d96c63b3852fe97f50f277fed158c08ed14

SHA512
e3c343acf6890c0f148e8a62c985bff291e912a46443d113a6644461ba0e7bb4dbd63b37202e1298637df9cf0b3aa8371b8b10a621d9610d0c9edf5e2121e911

Download Submit
C:\Windows\{49748594-FD27-4a3f-B94D-C122DEEBFEDF}.exe

Filesize
372KB

MD5
d33baf49cea8130d92792231f28f4fd9

SHA1
101b91786fe02d29d1f9b7bf2011be26105d1c8f

SHA256
05e0ff8c6257696d816e88bf0d896d96c63b3852fe97f50f277fed158c08ed14

SHA512
e3c343acf6890c0f148e8a62c985bff291e912a46443d113a6644461ba0e7bb4dbd63b37202e1298637df9cf0b3aa8371b8b10a621d9610d0c9edf5e2121e911

Download Submit
C:\Windows\{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe

Filesize
372KB

MD5
2377a7c96c0bf8d54d194a662a8842cd

SHA1
7ed7d35b705e04e2bf092f67ea45d86d8fbd5f26

SHA256
13b610cd14cd5989ff023b4fb07d24367d2a5934c90ac7c0ee9d654c005ebc90

SHA512
7e69e93ed0f77e5495f4514ca753d3973f002eb339c89b3e9261d04367b6cc9c9bc178ead1cb3f2029f6dede0662479df60622e6e0e17e62b683b844ad73527d

Download Submit
C:\Windows\{4DDAAF61-63C9-417d-8BCA-A8E4A4B23652}.exe

Filesize
372KB

MD5
2377a7c96c0bf8d54d194a662a8842cd

SHA1
7ed7d35b705e04e2bf092f67ea45d86d8fbd5f26

SHA256
13b610cd14cd5989ff023b4fb07d24367d2a5934c90ac7c0ee9d654c005ebc90

SHA512
7e69e93ed0f77e5495f4514ca753d3973f002eb339c89b3e9261d04367b6cc9c9bc178ead1cb3f2029f6dede0662479df60622e6e0e17e62b683b844ad73527d

Download Submit
C:\Windows\{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe

Filesize
372KB

MD5
f34b7b47499a6c5c3708bc6f923e5396

SHA1
515b3efbb47f514855c9e3a61bc7bb5ccbe6aa7a

SHA256
54bdf252982b8b04cb387281f7f4f8ca660b16cc1725069acbd68f231a9d99c0

SHA512
73cf247df4612618921d6f48454d7a6bc00e40fc6ea44fb68903bd6e89f1c1105f5324c3caa0e62146622e5e63c658237c28e65de475c096e6c2f6f1adfa5e3f

Download Submit
C:\Windows\{779B3A65-5594-4c29-A187-37C540FD5A3A}.exe

Filesize
372KB

MD5
f34b7b47499a6c5c3708bc6f923e5396

SHA1
515b3efbb47f514855c9e3a61bc7bb5ccbe6aa7a

SHA256
54bdf252982b8b04cb387281f7f4f8ca660b16cc1725069acbd68f231a9d99c0

SHA512
73cf247df4612618921d6f48454d7a6bc00e40fc6ea44fb68903bd6e89f1c1105f5324c3caa0e62146622e5e63c658237c28e65de475c096e6c2f6f1adfa5e3f

Download Submit
C:\Windows\{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe

Filesize
372KB

MD5
aa6f0821d163cb02a5585e07e537f231

SHA1
22ce643a683adcecffdb93f6769e200863c923f1

SHA256
10a4510727164072622ea4cfbe1516487e5f087d90e929e29934f518e845f154

SHA512
339646a6c95e4e4d2bf40d7563cc0a609a4f068f697a41bc90477df537cb48bd0c96e26e1fa181ef5837db1e6ae757e0f464448a40e0d07b5fccc3b352c83a09

Download Submit
C:\Windows\{9245DCB7-6A40-46e0-B5ED-08D46E6F4FC2}.exe

Filesize
372KB

MD5
aa6f0821d163cb02a5585e07e537f231

SHA1
22ce643a683adcecffdb93f6769e200863c923f1

SHA256
10a4510727164072622ea4cfbe1516487e5f087d90e929e29934f518e845f154

SHA512
339646a6c95e4e4d2bf40d7563cc0a609a4f068f697a41bc90477df537cb48bd0c96e26e1fa181ef5837db1e6ae757e0f464448a40e0d07b5fccc3b352c83a09

Download Submit
C:\Windows\{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe

Filesize
372KB

MD5
99cfcabd0676f39974577f6b9edadfd5

SHA1
9491c273bf7578da88876f102c379bfe7d02a168

SHA256
acff4e3bce95c229b3201a3bed6a7b4b28602743e8ed09f87be7db0dd76686ba

SHA512
46b3e1e178ddedeaea9ea2061e81b90a55d25a86c8bc1d9b51df90619973e936f7451646e73fc2b365d3926d528d090953b0b47701e8a2bfa8ccb477b82924cb

Download Submit
C:\Windows\{97EB2B2A-2B0D-4457-B929-8ABCF3AA0484}.exe

Filesize
372KB

MD5
99cfcabd0676f39974577f6b9edadfd5

SHA1
9491c273bf7578da88876f102c379bfe7d02a168

SHA256
acff4e3bce95c229b3201a3bed6a7b4b28602743e8ed09f87be7db0dd76686ba

SHA512
46b3e1e178ddedeaea9ea2061e81b90a55d25a86c8bc1d9b51df90619973e936f7451646e73fc2b365d3926d528d090953b0b47701e8a2bfa8ccb477b82924cb

Download Submit
C:\Windows\{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe

Filesize
372KB

MD5
1b668de51a0b3991bdcf0ebda959a185

SHA1
60ec43eba70774f76c8a96596b82726b897ea9d8

SHA256
c74d0664d3f997f14d636a24b09dcf96b580ae20c930d93e28875bf5c1801912

SHA512
56b787bf25b8a8e51819f8fb20529a0b2f979f90ec0ec23581cee9d57ccf3706b36f74358dfdf298d1bd5232a558762a5e50ec21ab35b4be212a9874bbad7c1c

Download Submit
C:\Windows\{D02B3939-3C42-4e42-B7C1-432B66D2AE7F}.exe

Filesize
372KB

MD5
1b668de51a0b3991bdcf0ebda959a185

SHA1
60ec43eba70774f76c8a96596b82726b897ea9d8

SHA256
c74d0664d3f997f14d636a24b09dcf96b580ae20c930d93e28875bf5c1801912

SHA512
56b787bf25b8a8e51819f8fb20529a0b2f979f90ec0ec23581cee9d57ccf3706b36f74358dfdf298d1bd5232a558762a5e50ec21ab35b4be212a9874bbad7c1c

Download Submit
C:\Windows\{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe

Filesize
372KB

MD5
84eab422e18016ddcac7143919ee4db7

SHA1
59ea5e79bfa145a56c5454a2d3570c51a5a5cdc5

SHA256
d807cd3acacd57f88900355140bba2125f275b1ead53229c81572bac2cbb275c

SHA512
9942c99f20fac86ac7b982408cbc3d37dddbc5db9a0c100600b497caf82bb66615189b7b2b5b05c0a4fec03c3ea039a25db3cff0d1ad45e6680d89a70b6d6e01

Download Submit
C:\Windows\{E2AB55B5-56AC-42bc-88B9-5D425C29638B}.exe

Filesize
372KB

MD5
84eab422e18016ddcac7143919ee4db7

SHA1
59ea5e79bfa145a56c5454a2d3570c51a5a5cdc5

SHA256
d807cd3acacd57f88900355140bba2125f275b1ead53229c81572bac2cbb275c

SHA512
9942c99f20fac86ac7b982408cbc3d37dddbc5db9a0c100600b497caf82bb66615189b7b2b5b05c0a4fec03c3ea039a25db3cff0d1ad45e6680d89a70b6d6e01

Download Submit
C:\Windows\{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe

Filesize
372KB

MD5
3cb620d7e9176be96c959bcaddea74be

SHA1
aa3f88533c1932081683d0ea4ab95cc3a03fa1cf

SHA256
ef4d61bc598fd12416b3841b7a7e492d00ea07125d4704e8278687f08c4e6ca9

SHA512
fb6238994d79b4080bf756ad44ba1a67669aefc2f56b96a50c584f2d85966dcac79e15a3053b545af6d624a2ef86867915eb3898ced0433a98f3ba3459c956c5

Download Submit
C:\Windows\{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe

Filesize
372KB

MD5
3cb620d7e9176be96c959bcaddea74be

SHA1
aa3f88533c1932081683d0ea4ab95cc3a03fa1cf

SHA256
ef4d61bc598fd12416b3841b7a7e492d00ea07125d4704e8278687f08c4e6ca9

SHA512
fb6238994d79b4080bf756ad44ba1a67669aefc2f56b96a50c584f2d85966dcac79e15a3053b545af6d624a2ef86867915eb3898ced0433a98f3ba3459c956c5

Download Submit
C:\Windows\{EE402B64-A716-40a3-B13D-6A8EFC44A61E}.exe

Filesize
372KB

MD5
3cb620d7e9176be96c959bcaddea74be

SHA1
aa3f88533c1932081683d0ea4ab95cc3a03fa1cf

SHA256
ef4d61bc598fd12416b3841b7a7e492d00ea07125d4704e8278687f08c4e6ca9

SHA512
fb6238994d79b4080bf756ad44ba1a67669aefc2f56b96a50c584f2d85966dcac79e15a3053b545af6d624a2ef86867915eb3898ced0433a98f3ba3459c956c5

Download Submit
C:\Windows\{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe

Filesize
372KB

MD5
ea6f085c39af8ffe2bceccb26c60419c

SHA1
63aa279a7c4efba90dfae295cfac8bf2a3724fd7

SHA256
2ffbeb7bf0e833f19f1af4868142602cc5e92f5bafae467c95d18d43331f5b81

SHA512
bdff8a3ba895dc9042b308cc0153ebda603026c241b22c36308bda1d84e5ff82aee6c4dcb69f697d13ff417ae69ec4e8b8e34101da70602114a9889585d7faf4

Download Submit
C:\Windows\{EF9C2077-AF94-4a9e-8EAA-03092893E0AE}.exe

Filesize
372KB

MD5
ea6f085c39af8ffe2bceccb26c60419c

SHA1
63aa279a7c4efba90dfae295cfac8bf2a3724fd7

SHA256
2ffbeb7bf0e833f19f1af4868142602cc5e92f5bafae467c95d18d43331f5b81

SHA512
bdff8a3ba895dc9042b308cc0153ebda603026c241b22c36308bda1d84e5ff82aee6c4dcb69f697d13ff417ae69ec4e8b8e34101da70602114a9889585d7faf4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads