a0d240bf417ed593194d4ad73f7d439c008d262d2b7a8a860ed995843ca9f7a3

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 17:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe
Size

168KB
MD5

6d0e146fd664fa1604f17a1ee9da6f05
SHA1

fc7ed052b786f5ef9f17d492d57e86f912b9fd00
SHA256

a0d240bf417ed593194d4ad73f7d439c008d262d2b7a8a860ed995843ca9f7a3
SHA512

32f484915194b80e4bb6710341f670ff8f163eeb36823092de8bb1c74a6b9e40e6975cab7f2607ff0df202a1f560be6fa88ef04a65cc0abe404ec3a55733884a
SSDEEP

1536:1EGh0o9lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o9lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A409A80-395B-4b6e-B196-2FF6AFDB9812}	{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{503B90BD-2B57-4675-89CC-0FEA5A28B525}	{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{503B90BD-2B57-4675-89CC-0FEA5A28B525}\stubpath = "C:\\Windows\\{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe"	{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A8C546A-905C-46a9-A633-D49DA77F1FE1}	{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A505E806-4F37-45e5-BA1E-A57DDFF82846}\stubpath = "C:\\Windows\\{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe"	{52C69E72-620E-45af-836B-C689BE9CD29D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{198D34E2-4394-41ee-8483-EBCEF27CFC27}	{D5295334-0537-4f81-8738-496B715AB4BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{700F5EEA-E9C1-4246-8D2C-B59DD11F285F}\stubpath = "C:\\Windows\\{700F5EEA-E9C1-4246-8D2C-B59DD11F285F}.exe"	{198D34E2-4394-41ee-8483-EBCEF27CFC27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A409A80-395B-4b6e-B196-2FF6AFDB9812}\stubpath = "C:\\Windows\\{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe"	{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A8C546A-905C-46a9-A633-D49DA77F1FE1}\stubpath = "C:\\Windows\\{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe"	{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{700F5EEA-E9C1-4246-8D2C-B59DD11F285F}	{198D34E2-4394-41ee-8483-EBCEF27CFC27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F445123-8022-4d88-BAD1-9BD53AF26820}\stubpath = "C:\\Windows\\{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe"	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}	{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A505E806-4F37-45e5-BA1E-A57DDFF82846}	{52C69E72-620E-45af-836B-C689BE9CD29D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5295334-0537-4f81-8738-496B715AB4BA}	{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5295334-0537-4f81-8738-496B715AB4BA}\stubpath = "C:\\Windows\\{D5295334-0537-4f81-8738-496B715AB4BA}.exe"	{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{198D34E2-4394-41ee-8483-EBCEF27CFC27}\stubpath = "C:\\Windows\\{198D34E2-4394-41ee-8483-EBCEF27CFC27}.exe"	{D5295334-0537-4f81-8738-496B715AB4BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F445123-8022-4d88-BAD1-9BD53AF26820}	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}	{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}\stubpath = "C:\\Windows\\{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe"	{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D6481C5-10EF-4e16-8FBC-2783603A1200}	{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D6481C5-10EF-4e16-8FBC-2783603A1200}\stubpath = "C:\\Windows\\{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe"	{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}\stubpath = "C:\\Windows\\{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe"	{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52C69E72-620E-45af-836B-C689BE9CD29D}	{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52C69E72-620E-45af-836B-C689BE9CD29D}\stubpath = "C:\\Windows\\{52C69E72-620E-45af-836B-C689BE9CD29D}.exe"	{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe

Executes dropped EXE 12 IoCs

pid	Process
2024	{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe
532	{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe
1076	{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe
2828	{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe
1964	{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe
3200	{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe
1836	{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe
2320	{52C69E72-620E-45af-836B-C689BE9CD29D}.exe
5040	{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe
2384	{D5295334-0537-4f81-8738-496B715AB4BA}.exe
2376	{198D34E2-4394-41ee-8483-EBCEF27CFC27}.exe
4188	{700F5EEA-E9C1-4246-8D2C-B59DD11F285F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{700F5EEA-E9C1-4246-8D2C-B59DD11F285F}.exe	{198D34E2-4394-41ee-8483-EBCEF27CFC27}.exe
File created	C:\Windows\{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe
File created	C:\Windows\{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe	{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe
File created	C:\Windows\{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe	{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe
File created	C:\Windows\{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe	{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe
File created	C:\Windows\{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe	{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe
File created	C:\Windows\{52C69E72-620E-45af-836B-C689BE9CD29D}.exe	{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe
File created	C:\Windows\{198D34E2-4394-41ee-8483-EBCEF27CFC27}.exe	{D5295334-0537-4f81-8738-496B715AB4BA}.exe
File created	C:\Windows\{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe	{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe
File created	C:\Windows\{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe	{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe
File created	C:\Windows\{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe	{52C69E72-620E-45af-836B-C689BE9CD29D}.exe
File created	C:\Windows\{D5295334-0537-4f81-8738-496B715AB4BA}.exe	{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2616	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2024	{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe
Token: SeIncBasePriorityPrivilege	532	{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe
Token: SeIncBasePriorityPrivilege	1076	{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe
Token: SeIncBasePriorityPrivilege	2828	{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe
Token: SeIncBasePriorityPrivilege	1964	{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe
Token: SeIncBasePriorityPrivilege	3200	{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe
Token: SeIncBasePriorityPrivilege	1836	{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe
Token: SeIncBasePriorityPrivilege	2320	{52C69E72-620E-45af-836B-C689BE9CD29D}.exe
Token: SeIncBasePriorityPrivilege	5040	{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe
Token: SeIncBasePriorityPrivilege	2384	{D5295334-0537-4f81-8738-496B715AB4BA}.exe
Token: SeIncBasePriorityPrivilege	2376	{198D34E2-4394-41ee-8483-EBCEF27CFC27}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2024	2616	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	88
PID 2616 wrote to memory of 2024	2616	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	88
PID 2616 wrote to memory of 2024	2616	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	88
PID 2616 wrote to memory of 460	2616	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	89
PID 2616 wrote to memory of 460	2616	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	89
PID 2616 wrote to memory of 460	2616	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	89
PID 2024 wrote to memory of 532	2024	{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe	90
PID 2024 wrote to memory of 532	2024	{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe	90
PID 2024 wrote to memory of 532	2024	{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe	90
PID 2024 wrote to memory of 1512	2024	{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe	91
PID 2024 wrote to memory of 1512	2024	{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe	91
PID 2024 wrote to memory of 1512	2024	{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe	91
PID 532 wrote to memory of 1076	532	{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe	93
PID 532 wrote to memory of 1076	532	{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe	93
PID 532 wrote to memory of 1076	532	{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe	93
PID 532 wrote to memory of 2548	532	{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe	94
PID 532 wrote to memory of 2548	532	{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe	94
PID 532 wrote to memory of 2548	532	{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe	94
PID 1076 wrote to memory of 2828	1076	{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe	95
PID 1076 wrote to memory of 2828	1076	{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe	95
PID 1076 wrote to memory of 2828	1076	{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe	95
PID 1076 wrote to memory of 3876	1076	{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe	96
PID 1076 wrote to memory of 3876	1076	{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe	96
PID 1076 wrote to memory of 3876	1076	{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe	96
PID 2828 wrote to memory of 1964	2828	{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe	97
PID 2828 wrote to memory of 1964	2828	{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe	97
PID 2828 wrote to memory of 1964	2828	{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe	97
PID 2828 wrote to memory of 4620	2828	{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe	98
PID 2828 wrote to memory of 4620	2828	{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe	98
PID 2828 wrote to memory of 4620	2828	{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe	98
PID 1964 wrote to memory of 3200	1964	{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe	99
PID 1964 wrote to memory of 3200	1964	{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe	99
PID 1964 wrote to memory of 3200	1964	{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe	99
PID 1964 wrote to memory of 4436	1964	{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe	100
PID 1964 wrote to memory of 4436	1964	{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe	100
PID 1964 wrote to memory of 4436	1964	{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe	100
PID 3200 wrote to memory of 1836	3200	{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe	101
PID 3200 wrote to memory of 1836	3200	{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe	101
PID 3200 wrote to memory of 1836	3200	{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe	101
PID 3200 wrote to memory of 4336	3200	{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe	102
PID 3200 wrote to memory of 4336	3200	{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe	102
PID 3200 wrote to memory of 4336	3200	{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe	102
PID 1836 wrote to memory of 2320	1836	{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe	103
PID 1836 wrote to memory of 2320	1836	{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe	103
PID 1836 wrote to memory of 2320	1836	{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe	103
PID 1836 wrote to memory of 3304	1836	{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe	104
PID 1836 wrote to memory of 3304	1836	{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe	104
PID 1836 wrote to memory of 3304	1836	{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe	104
PID 2320 wrote to memory of 5040	2320	{52C69E72-620E-45af-836B-C689BE9CD29D}.exe	105
PID 2320 wrote to memory of 5040	2320	{52C69E72-620E-45af-836B-C689BE9CD29D}.exe	105
PID 2320 wrote to memory of 5040	2320	{52C69E72-620E-45af-836B-C689BE9CD29D}.exe	105
PID 2320 wrote to memory of 4268	2320	{52C69E72-620E-45af-836B-C689BE9CD29D}.exe	106
PID 2320 wrote to memory of 4268	2320	{52C69E72-620E-45af-836B-C689BE9CD29D}.exe	106
PID 2320 wrote to memory of 4268	2320	{52C69E72-620E-45af-836B-C689BE9CD29D}.exe	106
PID 5040 wrote to memory of 2384	5040	{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe	107
PID 5040 wrote to memory of 2384	5040	{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe	107
PID 5040 wrote to memory of 2384	5040	{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe	107
PID 5040 wrote to memory of 1948	5040	{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe	108
PID 5040 wrote to memory of 1948	5040	{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe	108
PID 5040 wrote to memory of 1948	5040	{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe	108
PID 2384 wrote to memory of 2376	2384	{D5295334-0537-4f81-8738-496B715AB4BA}.exe	109
PID 2384 wrote to memory of 2376	2384	{D5295334-0537-4f81-8738-496B715AB4BA}.exe	109
PID 2384 wrote to memory of 2376	2384	{D5295334-0537-4f81-8738-496B715AB4BA}.exe	109
PID 2384 wrote to memory of 3056	2384	{D5295334-0537-4f81-8738-496B715AB4BA}.exe	110

C:\Users\Admin\AppData\Local\Temp\6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe
  C:\Windows\{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe
    C:\Windows\{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe
      C:\Windows\{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe
        
        C:\Windows\{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe
        
        C:\Windows\{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe
        
        C:\Windows\{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe
        
        C:\Windows\{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\{52C69E72-620E-45af-836B-C689BE9CD29D}.exe
        
        C:\Windows\{52C69E72-620E-45af-836B-C689BE9CD29D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe
        
        C:\Windows\{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{D5295334-0537-4f81-8738-496B715AB4BA}.exe
        
        C:\Windows\{D5295334-0537-4f81-8738-496B715AB4BA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\{198D34E2-4394-41ee-8483-EBCEF27CFC27}.exe
        
        C:\Windows\{198D34E2-4394-41ee-8483-EBCEF27CFC27}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\{700F5EEA-E9C1-4246-8D2C-B59DD11F285F}.exe
        
        C:\Windows\{700F5EEA-E9C1-4246-8D2C-B59DD11F285F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{198D3~1.EXE > nul
        13⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5295~1.EXE > nul
        12⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A505E~1.EXE > nul
        11⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52C69~1.EXE > nul
        10⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A8C5~1.EXE > nul
        9⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECD6E~1.EXE > nul
        8⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D648~1.EXE > nul
        7⤵
        
        PID:4436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DBD7~1.EXE > nul
        6⤵
        
        PID:4620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{503B9~1.EXE > nul
        5⤵
        
        PID:3876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2A409~1.EXE > nul
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2F445~1.EXE > nul
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6D0E14~1.EXE > nul
  2⤵
  PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe

Filesize
168KB

MD5
cc4e0b9d3a4d23fa80ebffe7372c4813

SHA1
3f8c1d56cb5562591dced3173962d789422ee90c

SHA256
e8b281173f399f08eb86d0ca4e498ec3d4f95c905cfd05219b7d0123a81b6552

SHA512
84985e7e805235beaac41a4255669f25b5ebd463c74369d37686f6a3c5f06b334f5e16f40fd63096a452ef4e31ccefdc3c8a64f6419f1c4f85907b548d34573d

Download Submit
C:\Windows\{0A8C546A-905C-46a9-A633-D49DA77F1FE1}.exe

Filesize
168KB

MD5
cc4e0b9d3a4d23fa80ebffe7372c4813

SHA1
3f8c1d56cb5562591dced3173962d789422ee90c

SHA256
e8b281173f399f08eb86d0ca4e498ec3d4f95c905cfd05219b7d0123a81b6552

SHA512
84985e7e805235beaac41a4255669f25b5ebd463c74369d37686f6a3c5f06b334f5e16f40fd63096a452ef4e31ccefdc3c8a64f6419f1c4f85907b548d34573d

Download Submit
C:\Windows\{198D34E2-4394-41ee-8483-EBCEF27CFC27}.exe

Filesize
168KB

MD5
e81d74a197d88bfa2e58752ea5d3e60e

SHA1
08043616be075e48b683e623066a7936794c0bc6

SHA256
076dcf33cfdcbc9d61a61f1611f9042e38ac3d28eb9ed433985a80376c9d7a0a

SHA512
7fa6b7d641a53c25aa5d4a79a582640ff74f0712665d67faf448d69caed1edb1fd5055785d926deda0ade993bcb1dd98a2f4cfb5f10e5a91cba52f25ad39ab08

Download Submit
C:\Windows\{198D34E2-4394-41ee-8483-EBCEF27CFC27}.exe

Filesize
168KB

MD5
e81d74a197d88bfa2e58752ea5d3e60e

SHA1
08043616be075e48b683e623066a7936794c0bc6

SHA256
076dcf33cfdcbc9d61a61f1611f9042e38ac3d28eb9ed433985a80376c9d7a0a

SHA512
7fa6b7d641a53c25aa5d4a79a582640ff74f0712665d67faf448d69caed1edb1fd5055785d926deda0ade993bcb1dd98a2f4cfb5f10e5a91cba52f25ad39ab08

Download Submit
C:\Windows\{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe

Filesize
168KB

MD5
9e2543e101d6ba84c4ee44814c1a9d54

SHA1
d6d82c288943d77bc8baf49cf716d7c67c84372b

SHA256
b24983df05c3310f112931d531ed61dbd4d3e91723c4039fd35ef4483a76cf6f

SHA512
f4b3d2e06f1880766ba83f60daf71a0f9542f5af382b578b8f038b4a3e290df5eddf2d865a08c76108894c6aebdb87ec6c5b530c16f83d8b842681c158c624d7

Download Submit
C:\Windows\{2A409A80-395B-4b6e-B196-2FF6AFDB9812}.exe

Filesize
168KB

MD5
9e2543e101d6ba84c4ee44814c1a9d54

SHA1
d6d82c288943d77bc8baf49cf716d7c67c84372b

SHA256
b24983df05c3310f112931d531ed61dbd4d3e91723c4039fd35ef4483a76cf6f

SHA512
f4b3d2e06f1880766ba83f60daf71a0f9542f5af382b578b8f038b4a3e290df5eddf2d865a08c76108894c6aebdb87ec6c5b530c16f83d8b842681c158c624d7

Download Submit
C:\Windows\{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe

Filesize
168KB

MD5
870e2eeed88b35cb01c40e5cda432a6e

SHA1
d66f0fb17b69cc2ee9400922379c44e7070c0c02

SHA256
444ca412b3e9cd17a0d9ad36a30eb2c0ca59151a34cb06bdaf6f4ad758b9b221

SHA512
4649e8661bc782ffbc5f5e173b79a7c2fbf5af334917ac7f3fac7f3f427e32e9a0a60f0a9721980f361ec804eabba928bda5fa64808c75d3fd07d59ac600fcfc

Download Submit
C:\Windows\{2F445123-8022-4d88-BAD1-9BD53AF26820}.exe

Filesize
168KB

MD5
870e2eeed88b35cb01c40e5cda432a6e

SHA1
d66f0fb17b69cc2ee9400922379c44e7070c0c02

SHA256
444ca412b3e9cd17a0d9ad36a30eb2c0ca59151a34cb06bdaf6f4ad758b9b221

SHA512
4649e8661bc782ffbc5f5e173b79a7c2fbf5af334917ac7f3fac7f3f427e32e9a0a60f0a9721980f361ec804eabba928bda5fa64808c75d3fd07d59ac600fcfc

Download Submit
C:\Windows\{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe

Filesize
168KB

MD5
026c46bc883aacbc6114382aedd06857

SHA1
ed8fe0f0fc0f6e206fbc38cc6f311c76f297230a

SHA256
862bf7b6b8dbfb9eed3c9f93473794c8d7563b19e898961af513e95a5b127f24

SHA512
c77d0ff55f36101779fcee34645e8a0d02f0e9d2ba9d39ed88813163dc69a7d4da64937d558c28ef4930f7d07efd067586da5d7b5acceaab751cfda617ab8d12

Download Submit
C:\Windows\{3D6481C5-10EF-4e16-8FBC-2783603A1200}.exe

Filesize
168KB

MD5
026c46bc883aacbc6114382aedd06857

SHA1
ed8fe0f0fc0f6e206fbc38cc6f311c76f297230a

SHA256
862bf7b6b8dbfb9eed3c9f93473794c8d7563b19e898961af513e95a5b127f24

SHA512
c77d0ff55f36101779fcee34645e8a0d02f0e9d2ba9d39ed88813163dc69a7d4da64937d558c28ef4930f7d07efd067586da5d7b5acceaab751cfda617ab8d12

Download Submit
C:\Windows\{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe

Filesize
168KB

MD5
7e7fad9c004615497db6e8f6eef4d2e4

SHA1
acd065980b47d66d483c8f844b1168b4f5f83c6e

SHA256
4af8a4fb9cde4d3e20a3cc7c9f6f30bdd59059179ecbc3ede919f870e60a659c

SHA512
d1e95aabbb5a5d13e71095cfa6bba5bfcf31dd1b3b87ca0ec684406f5c835bd7d7776e8481164e79b38fff02539e67b1cfe2780b990e46f52d15379dfa847f96

Download Submit
C:\Windows\{3DBD7B20-B5E7-4894-ABEA-FCA96420EDE7}.exe

Filesize
168KB

MD5
7e7fad9c004615497db6e8f6eef4d2e4

SHA1
acd065980b47d66d483c8f844b1168b4f5f83c6e

SHA256
4af8a4fb9cde4d3e20a3cc7c9f6f30bdd59059179ecbc3ede919f870e60a659c

SHA512
d1e95aabbb5a5d13e71095cfa6bba5bfcf31dd1b3b87ca0ec684406f5c835bd7d7776e8481164e79b38fff02539e67b1cfe2780b990e46f52d15379dfa847f96

Download Submit
C:\Windows\{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe

Filesize
168KB

MD5
01c3db546cb59315c7fe50c4909781fe

SHA1
fb91bba346de1002491d0b4cb8f66d8090a505a0

SHA256
0812f9d38258301c4af3e58821a052a09fb998147731df5807a8f4d1d8cedd07

SHA512
78f4dcfb19835d8ed88c0270841e3ad0f022ae505ab0a8cd2c9684f62c244cb5fb88260cd82a52e786c186be3ec0f06ce4ca1fcc78ce02afab2af5b5010172ad

Download Submit
C:\Windows\{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe

Filesize
168KB

MD5
01c3db546cb59315c7fe50c4909781fe

SHA1
fb91bba346de1002491d0b4cb8f66d8090a505a0

SHA256
0812f9d38258301c4af3e58821a052a09fb998147731df5807a8f4d1d8cedd07

SHA512
78f4dcfb19835d8ed88c0270841e3ad0f022ae505ab0a8cd2c9684f62c244cb5fb88260cd82a52e786c186be3ec0f06ce4ca1fcc78ce02afab2af5b5010172ad

Download Submit
C:\Windows\{503B90BD-2B57-4675-89CC-0FEA5A28B525}.exe

Filesize
168KB

MD5
01c3db546cb59315c7fe50c4909781fe

SHA1
fb91bba346de1002491d0b4cb8f66d8090a505a0

SHA256
0812f9d38258301c4af3e58821a052a09fb998147731df5807a8f4d1d8cedd07

SHA512
78f4dcfb19835d8ed88c0270841e3ad0f022ae505ab0a8cd2c9684f62c244cb5fb88260cd82a52e786c186be3ec0f06ce4ca1fcc78ce02afab2af5b5010172ad

Download Submit
C:\Windows\{52C69E72-620E-45af-836B-C689BE9CD29D}.exe

Filesize
168KB

MD5
516bb54a5f527f440bebe1c9de9354f3

SHA1
33f6c0648e4cfe88fb12327453dd0984fac6e2dc

SHA256
15492bbac88a427bb06b9c1f27df06b5e8acfc54c524e5c5e867304fe60669fb

SHA512
48a8bfc3a3bf4c393d940915f98025e8d1ab4fdb9bef3a201a3fd23870f847caf4ed47959fb525ab23ca62bd973686385014f1f7bebb47b788435f2961ed72d6

Download Submit
C:\Windows\{52C69E72-620E-45af-836B-C689BE9CD29D}.exe

Filesize
168KB

MD5
516bb54a5f527f440bebe1c9de9354f3

SHA1
33f6c0648e4cfe88fb12327453dd0984fac6e2dc

SHA256
15492bbac88a427bb06b9c1f27df06b5e8acfc54c524e5c5e867304fe60669fb

SHA512
48a8bfc3a3bf4c393d940915f98025e8d1ab4fdb9bef3a201a3fd23870f847caf4ed47959fb525ab23ca62bd973686385014f1f7bebb47b788435f2961ed72d6

Download Submit
C:\Windows\{700F5EEA-E9C1-4246-8D2C-B59DD11F285F}.exe

Filesize
168KB

MD5
02cc134caa3cc011872f9d51f9c68299

SHA1
0803550581cee8d90209c4ca5097cc0eaacc53f7

SHA256
09155ca5d292605d5e34ae34b8eef2994fddaa704ee2b374933545fb80be7945

SHA512
6689f9054c2892795b4593d839a8aa6bca8b90a7e1b9120ffd6386b8937d0d20e2d5aee54887f2c13290ceb6a3d8cb9da45675a28788d54a3070ffcb5856f259

Download Submit
C:\Windows\{700F5EEA-E9C1-4246-8D2C-B59DD11F285F}.exe

Filesize
168KB

MD5
02cc134caa3cc011872f9d51f9c68299

SHA1
0803550581cee8d90209c4ca5097cc0eaacc53f7

SHA256
09155ca5d292605d5e34ae34b8eef2994fddaa704ee2b374933545fb80be7945

SHA512
6689f9054c2892795b4593d839a8aa6bca8b90a7e1b9120ffd6386b8937d0d20e2d5aee54887f2c13290ceb6a3d8cb9da45675a28788d54a3070ffcb5856f259

Download Submit
C:\Windows\{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe

Filesize
168KB

MD5
f7a4929c1580133441e3b2b358c4069e

SHA1
f90f5d6bcc4fc328e1d9ff77db3508cd4f5ec68c

SHA256
95dcb71f53aef113fd3a7afffe0ecfffbeae6de9bb2314e5cfd6fe33ff30c6e6

SHA512
27c9e03021e7314f4fc9ff792bbd0270fea50303710d0f6c8626173d85774b3b2771e55cbfc3a1515d5d7d61c747539d6e487d2fdbc52d09cd4b7fd34158256f

Download Submit
C:\Windows\{A505E806-4F37-45e5-BA1E-A57DDFF82846}.exe

Filesize
168KB

MD5
f7a4929c1580133441e3b2b358c4069e

SHA1
f90f5d6bcc4fc328e1d9ff77db3508cd4f5ec68c

SHA256
95dcb71f53aef113fd3a7afffe0ecfffbeae6de9bb2314e5cfd6fe33ff30c6e6

SHA512
27c9e03021e7314f4fc9ff792bbd0270fea50303710d0f6c8626173d85774b3b2771e55cbfc3a1515d5d7d61c747539d6e487d2fdbc52d09cd4b7fd34158256f

Download Submit
C:\Windows\{D5295334-0537-4f81-8738-496B715AB4BA}.exe

Filesize
168KB

MD5
3bbcd5167c96ca5fdbe3e6f2b4ddde56

SHA1
bd3604e3dd16fa6b8511e313d43f58603cc62829

SHA256
c079a5299dfbfa4a24a36d075ef709ee6e28a162d5c10d8ba96816470cdd80ea

SHA512
5b130ba15c76db40e74ee80055dbd10fd122efb82efdd6238948d2358cc5583e048bdf23e20d844142319f2d238880d90f968e1d094bdc646637f8ba9a2fdce3

Download Submit
C:\Windows\{D5295334-0537-4f81-8738-496B715AB4BA}.exe

Filesize
168KB

MD5
3bbcd5167c96ca5fdbe3e6f2b4ddde56

SHA1
bd3604e3dd16fa6b8511e313d43f58603cc62829

SHA256
c079a5299dfbfa4a24a36d075ef709ee6e28a162d5c10d8ba96816470cdd80ea

SHA512
5b130ba15c76db40e74ee80055dbd10fd122efb82efdd6238948d2358cc5583e048bdf23e20d844142319f2d238880d90f968e1d094bdc646637f8ba9a2fdce3

Download Submit
C:\Windows\{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe

Filesize
168KB

MD5
26006c8fd956f9e46bcfc3489e0b738b

SHA1
68fb9e38311a6a3a7060eaac85a535cb75cc49fb

SHA256
4be209dc5b195b427bc169597ee023225149a2029f78b8ffad018342eaf404f8

SHA512
7c49e2efb039a5d23647d06856549f24f1414d61da56579ce2bc6d0033c3703845cdfb1b2b89b032aef40d41c7ca1afac16ce822b37d8704b57ed4486db721ed

Download Submit
C:\Windows\{ECD6E2CE-BE7B-4bf8-B2D2-9B1AD6B13699}.exe

Filesize
168KB

MD5
26006c8fd956f9e46bcfc3489e0b738b

SHA1
68fb9e38311a6a3a7060eaac85a535cb75cc49fb

SHA256
4be209dc5b195b427bc169597ee023225149a2029f78b8ffad018342eaf404f8

SHA512
7c49e2efb039a5d23647d06856549f24f1414d61da56579ce2bc6d0033c3703845cdfb1b2b89b032aef40d41c7ca1afac16ce822b37d8704b57ed4486db721ed

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads