67a12f5cc6bdac32d24600fdfe477a945c810cb1922a0dac4252f6969cbcb89e

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70d2aea02efb4f53bb703721d5e41f74_goldeneye_JC.exe
Size

380KB
MD5

70d2aea02efb4f53bb703721d5e41f74
SHA1

469acfcdff117ec76009f030abbec4841ed5e8a4
SHA256

67a12f5cc6bdac32d24600fdfe477a945c810cb1922a0dac4252f6969cbcb89e
SHA512

d22a98322a5cace905918345dd24694eced5bbcf259953122b5e46da5c1133f6f19bb1f593d897c8cc23e8c4ab430b80f283919841513ed3812042a999b39f43
SSDEEP

3072:mEGh0o2lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGsl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71980722-A247-4a3b-ABF9-40E31C1FA658}\stubpath = "C:\\Windows\\{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe"	{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}	{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F8926C6-4060-477a-8072-CBCDE0489584}\stubpath = "C:\\Windows\\{5F8926C6-4060-477a-8072-CBCDE0489584}.exe"	{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD6F56FE-6969-4557-B381-3A2574950C60}	70d2aea02efb4f53bb703721d5e41f74_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD6F56FE-6969-4557-B381-3A2574950C60}\stubpath = "C:\\Windows\\{AD6F56FE-6969-4557-B381-3A2574950C60}.exe"	70d2aea02efb4f53bb703721d5e41f74_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{763DBF70-3B72-46d9-BFEE-0C5113C744C1}	{AD6F56FE-6969-4557-B381-3A2574950C60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{763DBF70-3B72-46d9-BFEE-0C5113C744C1}\stubpath = "C:\\Windows\\{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe"	{AD6F56FE-6969-4557-B381-3A2574950C60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}	{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA24BC7E-86E9-49b1-B481-8368D4ED9881}\stubpath = "C:\\Windows\\{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe"	{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEECAC97-E253-4b41-A727-5DC274FE3695}\stubpath = "C:\\Windows\\{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe"	{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}\stubpath = "C:\\Windows\\{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe"	{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}\stubpath = "C:\\Windows\\{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe"	{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FE63AE8-DCA0-4967-BB42-097079CECB02}	{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FE63AE8-DCA0-4967-BB42-097079CECB02}\stubpath = "C:\\Windows\\{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe"	{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}\stubpath = "C:\\Windows\\{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe"	{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA24BC7E-86E9-49b1-B481-8368D4ED9881}	{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F8926C6-4060-477a-8072-CBCDE0489584}	{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}	{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEECAC97-E253-4b41-A727-5DC274FE3695}	{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71980722-A247-4a3b-ABF9-40E31C1FA658}	{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E09FE3C-B79B-4001-AC35-9A9403CE15AF}\stubpath = "C:\\Windows\\{4E09FE3C-B79B-4001-AC35-9A9403CE15AF}.exe"	{5F8926C6-4060-477a-8072-CBCDE0489584}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}	{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}\stubpath = "C:\\Windows\\{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe"	{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E09FE3C-B79B-4001-AC35-9A9403CE15AF}	{5F8926C6-4060-477a-8072-CBCDE0489584}.exe

Executes dropped EXE 12 IoCs

pid	Process
2132	{AD6F56FE-6969-4557-B381-3A2574950C60}.exe
3752	{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe
440	{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe
3932	{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe
3900	{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe
4696	{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe
2760	{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe
5096	{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe
2848	{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe
4572	{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe
5084	{5F8926C6-4060-477a-8072-CBCDE0489584}.exe
1060	{4E09FE3C-B79B-4001-AC35-9A9403CE15AF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe	{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe
File created	C:\Windows\{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe	{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe
File created	C:\Windows\{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe	{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe
File created	C:\Windows\{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe	{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe
File created	C:\Windows\{5F8926C6-4060-477a-8072-CBCDE0489584}.exe	{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe
File created	C:\Windows\{4E09FE3C-B79B-4001-AC35-9A9403CE15AF}.exe	{5F8926C6-4060-477a-8072-CBCDE0489584}.exe
File created	C:\Windows\{AD6F56FE-6969-4557-B381-3A2574950C60}.exe	70d2aea02efb4f53bb703721d5e41f74_goldeneye_JC.exe
File created	C:\Windows\{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe	{AD6F56FE-6969-4557-B381-3A2574950C60}.exe
File created	C:\Windows\{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe	{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe
File created	C:\Windows\{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe	{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe
File created	C:\Windows\{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe	{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe
File created	C:\Windows\{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe	{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4968	70d2aea02efb4f53bb703721d5e41f74_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2132	{AD6F56FE-6969-4557-B381-3A2574950C60}.exe
Token: SeIncBasePriorityPrivilege	3752	{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe
Token: SeIncBasePriorityPrivilege	440	{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe
Token: SeIncBasePriorityPrivilege	3932	{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe
Token: SeIncBasePriorityPrivilege	3900	{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe
Token: SeIncBasePriorityPrivilege	4696	{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe
Token: SeIncBasePriorityPrivilege	2760	{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe
Token: SeIncBasePriorityPrivilege	5096	{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe
Token: SeIncBasePriorityPrivilege	2848	{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe
Token: SeIncBasePriorityPrivilege	4572	{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe
Token: SeIncBasePriorityPrivilege	5084	{5F8926C6-4060-477a-8072-CBCDE0489584}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 2132	4968	70d2aea02efb4f53bb703721d5e41f74_goldeneye_JC.exe	90
PID 4968 wrote to memory of 2132	4968	70d2aea02efb4f53bb703721d5e41f74_goldeneye_JC.exe	90
PID 4968 wrote to memory of 2132	4968	70d2aea02efb4f53bb703721d5e41f74_goldeneye_JC.exe	90
PID 4968 wrote to memory of 4468	4968	70d2aea02efb4f53bb703721d5e41f74_goldeneye_JC.exe	91
PID 4968 wrote to memory of 4468	4968	70d2aea02efb4f53bb703721d5e41f74_goldeneye_JC.exe	91
PID 4968 wrote to memory of 4468	4968	70d2aea02efb4f53bb703721d5e41f74_goldeneye_JC.exe	91
PID 2132 wrote to memory of 3752	2132	{AD6F56FE-6969-4557-B381-3A2574950C60}.exe	92
PID 2132 wrote to memory of 3752	2132	{AD6F56FE-6969-4557-B381-3A2574950C60}.exe	92
PID 2132 wrote to memory of 3752	2132	{AD6F56FE-6969-4557-B381-3A2574950C60}.exe	92
PID 2132 wrote to memory of 4576	2132	{AD6F56FE-6969-4557-B381-3A2574950C60}.exe	93
PID 2132 wrote to memory of 4576	2132	{AD6F56FE-6969-4557-B381-3A2574950C60}.exe	93
PID 2132 wrote to memory of 4576	2132	{AD6F56FE-6969-4557-B381-3A2574950C60}.exe	93
PID 3752 wrote to memory of 440	3752	{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe	95
PID 3752 wrote to memory of 440	3752	{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe	95
PID 3752 wrote to memory of 440	3752	{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe	95
PID 3752 wrote to memory of 4620	3752	{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe	96
PID 3752 wrote to memory of 4620	3752	{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe	96
PID 3752 wrote to memory of 4620	3752	{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe	96
PID 440 wrote to memory of 3932	440	{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe	97
PID 440 wrote to memory of 3932	440	{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe	97
PID 440 wrote to memory of 3932	440	{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe	97
PID 440 wrote to memory of 3884	440	{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe	98
PID 440 wrote to memory of 3884	440	{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe	98
PID 440 wrote to memory of 3884	440	{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe	98
PID 3932 wrote to memory of 3900	3932	{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe	99
PID 3932 wrote to memory of 3900	3932	{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe	99
PID 3932 wrote to memory of 3900	3932	{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe	99
PID 3932 wrote to memory of 568	3932	{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe	100
PID 3932 wrote to memory of 568	3932	{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe	100
PID 3932 wrote to memory of 568	3932	{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe	100
PID 3900 wrote to memory of 4696	3900	{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe	101
PID 3900 wrote to memory of 4696	3900	{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe	101
PID 3900 wrote to memory of 4696	3900	{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe	101
PID 3900 wrote to memory of 4220	3900	{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe	102
PID 3900 wrote to memory of 4220	3900	{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe	102
PID 3900 wrote to memory of 4220	3900	{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe	102
PID 4696 wrote to memory of 2760	4696	{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe	103
PID 4696 wrote to memory of 2760	4696	{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe	103
PID 4696 wrote to memory of 2760	4696	{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe	103
PID 4696 wrote to memory of 1244	4696	{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe	104
PID 4696 wrote to memory of 1244	4696	{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe	104
PID 4696 wrote to memory of 1244	4696	{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe	104
PID 2760 wrote to memory of 5096	2760	{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe	105
PID 2760 wrote to memory of 5096	2760	{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe	105
PID 2760 wrote to memory of 5096	2760	{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe	105
PID 2760 wrote to memory of 4476	2760	{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe	106
PID 2760 wrote to memory of 4476	2760	{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe	106
PID 2760 wrote to memory of 4476	2760	{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe	106
PID 5096 wrote to memory of 2848	5096	{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe	107
PID 5096 wrote to memory of 2848	5096	{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe	107
PID 5096 wrote to memory of 2848	5096	{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe	107
PID 5096 wrote to memory of 4380	5096	{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe	108
PID 5096 wrote to memory of 4380	5096	{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe	108
PID 5096 wrote to memory of 4380	5096	{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe	108
PID 2848 wrote to memory of 4572	2848	{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe	109
PID 2848 wrote to memory of 4572	2848	{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe	109
PID 2848 wrote to memory of 4572	2848	{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe	109
PID 2848 wrote to memory of 5068	2848	{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe	110
PID 2848 wrote to memory of 5068	2848	{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe	110
PID 2848 wrote to memory of 5068	2848	{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe	110
PID 4572 wrote to memory of 5084	4572	{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe	112
PID 4572 wrote to memory of 5084	4572	{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe	112
PID 4572 wrote to memory of 5084	4572	{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe	112
PID 4572 wrote to memory of 4652	4572	{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe	111

C:\Users\Admin\AppData\Local\Temp\70d2aea02efb4f53bb703721d5e41f74_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\70d2aea02efb4f53bb703721d5e41f74_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\{AD6F56FE-6969-4557-B381-3A2574950C60}.exe
  C:\Windows\{AD6F56FE-6969-4557-B381-3A2574950C60}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe
    C:\Windows\{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe
      C:\Windows\{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:440
    - - C:\Windows\{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe
        
        C:\Windows\{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3932
      - C:\Windows\{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe
        
        C:\Windows\{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe
        
        C:\Windows\{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe
        
        C:\Windows\{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe
        
        C:\Windows\{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe
        
        C:\Windows\{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe
        
        C:\Windows\{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0EBC~1.EXE > nul
        12⤵
        
        PID:4652
        
        C:\Windows\{5F8926C6-4060-477a-8072-CBCDE0489584}.exe
        
        C:\Windows\{5F8926C6-4060-477a-8072-CBCDE0489584}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Windows\{4E09FE3C-B79B-4001-AC35-9A9403CE15AF}.exe
        
        C:\Windows\{4E09FE3C-B79B-4001-AC35-9A9403CE15AF}.exe
        13⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F892~1.EXE > nul
        13⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71980~1.EXE > nul
        11⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEECA~1.EXE > nul
        10⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA24B~1.EXE > nul
        9⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4885~1.EXE > nul
        8⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA0F5~1.EXE > nul
        7⤵
        
        PID:4220
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FE63~1.EXE > nul
        6⤵
        
        PID:568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DBC9~1.EXE > nul
        5⤵
        
        PID:3884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{763DB~1.EXE > nul
      4⤵
      PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AD6F5~1.EXE > nul
    3⤵
    PID:4576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\70D2AE~1.EXE > nul
  2⤵
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe

Filesize
380KB

MD5
bbc10207a520dadc2e08e0e71fcdd747

SHA1
efe329aeb814210f3ebb8d0a6591c06ccda1d0ac

SHA256
0008ecc8a73fee775931d12b221005c31be215895cec4a212ec431f4854b8714

SHA512
1611eba73a714bcaeb1ddb5e7f05e51d2c2144a276fab3d95c383fee8f49f715b9a2efe9fbea10d23672fb4996a1a5f54b8d99a5ed52e4ff96a689ca4e2c6364

Download Submit
C:\Windows\{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe

Filesize
380KB

MD5
bbc10207a520dadc2e08e0e71fcdd747

SHA1
efe329aeb814210f3ebb8d0a6591c06ccda1d0ac

SHA256
0008ecc8a73fee775931d12b221005c31be215895cec4a212ec431f4854b8714

SHA512
1611eba73a714bcaeb1ddb5e7f05e51d2c2144a276fab3d95c383fee8f49f715b9a2efe9fbea10d23672fb4996a1a5f54b8d99a5ed52e4ff96a689ca4e2c6364

Download Submit
C:\Windows\{0DBC9C6C-3028-4312-804C-E02CCA5E2C37}.exe

Filesize
380KB

MD5
bbc10207a520dadc2e08e0e71fcdd747

SHA1
efe329aeb814210f3ebb8d0a6591c06ccda1d0ac

SHA256
0008ecc8a73fee775931d12b221005c31be215895cec4a212ec431f4854b8714

SHA512
1611eba73a714bcaeb1ddb5e7f05e51d2c2144a276fab3d95c383fee8f49f715b9a2efe9fbea10d23672fb4996a1a5f54b8d99a5ed52e4ff96a689ca4e2c6364

Download Submit
C:\Windows\{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe

Filesize
380KB

MD5
ffc23170cff95a2002e9f0b372a08645

SHA1
731210f485c336047f00512c256d228897b7669c

SHA256
4af9ac2477996ba2ff3cf422d65c06fcae14f5b8a17b805533c15cd89f780f7a

SHA512
3064633280341b62eb0a71547282d301678cde77bce8f82c2c1e554a9f133539209edc9e89d33a40fabcc60802728ab9ffa0f109c6a56ab7162b8c6d4baddb01

Download Submit
C:\Windows\{0FE63AE8-DCA0-4967-BB42-097079CECB02}.exe

Filesize
380KB

MD5
ffc23170cff95a2002e9f0b372a08645

SHA1
731210f485c336047f00512c256d228897b7669c

SHA256
4af9ac2477996ba2ff3cf422d65c06fcae14f5b8a17b805533c15cd89f780f7a

SHA512
3064633280341b62eb0a71547282d301678cde77bce8f82c2c1e554a9f133539209edc9e89d33a40fabcc60802728ab9ffa0f109c6a56ab7162b8c6d4baddb01

Download Submit
C:\Windows\{4E09FE3C-B79B-4001-AC35-9A9403CE15AF}.exe

Filesize
380KB

MD5
bf2630dadf9ba9a150595de8f08b5ce7

SHA1
543678ccb6326a578e1d97627fc0b38ca689a858

SHA256
ad0acfe5514a6bcf28c2da2e2e13bf7aa973a9a2fe5e8257bbb22c2735da65bb

SHA512
cd75dd7a7d07088b64399257884c44dade38ef99a70df8c90a45d51f37f2b29f10c0823f87686573276fbaccf313ae1ae1efd148fe051078a88513af15580c03

Download Submit
C:\Windows\{4E09FE3C-B79B-4001-AC35-9A9403CE15AF}.exe

Filesize
380KB

MD5
bf2630dadf9ba9a150595de8f08b5ce7

SHA1
543678ccb6326a578e1d97627fc0b38ca689a858

SHA256
ad0acfe5514a6bcf28c2da2e2e13bf7aa973a9a2fe5e8257bbb22c2735da65bb

SHA512
cd75dd7a7d07088b64399257884c44dade38ef99a70df8c90a45d51f37f2b29f10c0823f87686573276fbaccf313ae1ae1efd148fe051078a88513af15580c03

Download Submit
C:\Windows\{5F8926C6-4060-477a-8072-CBCDE0489584}.exe

Filesize
380KB

MD5
9f492e5cdfe12aa7688c237588b7500f

SHA1
866bfe1e007e0ece5b64f0f389bab6c73d676161

SHA256
2ffca27bbc16d22243b07a0624ffd40216c018024bfb00fa30f2b8db1695db02

SHA512
3978bb816ccf26abfd3bcb7add9d3ea78d3aa9fc3c8b5310a512931bb677ff99f74bcaf627f1e925c4c0579f6d1455600027e89511136990b75639172da4cd13

Download Submit
C:\Windows\{5F8926C6-4060-477a-8072-CBCDE0489584}.exe

Filesize
380KB

MD5
9f492e5cdfe12aa7688c237588b7500f

SHA1
866bfe1e007e0ece5b64f0f389bab6c73d676161

SHA256
2ffca27bbc16d22243b07a0624ffd40216c018024bfb00fa30f2b8db1695db02

SHA512
3978bb816ccf26abfd3bcb7add9d3ea78d3aa9fc3c8b5310a512931bb677ff99f74bcaf627f1e925c4c0579f6d1455600027e89511136990b75639172da4cd13

Download Submit
C:\Windows\{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe

Filesize
380KB

MD5
4c48532094f784147a449b16f4fc7894

SHA1
74a536c63b85d1c0c09474d3734da95fb23515cf

SHA256
af628dc6799fd6018998b808d042c1687cb6fe5539290ba0c470700f93f30a86

SHA512
475ac5f9a197248aa92ce90b5e921a0213cef556b0d1250d5e040f69e87227041429e448bd6a2eb6e0a6c983b837e568cebceb1d47f36f01ed3c57924a7d62cf

Download Submit
C:\Windows\{71980722-A247-4a3b-ABF9-40E31C1FA658}.exe

Filesize
380KB

MD5
4c48532094f784147a449b16f4fc7894

SHA1
74a536c63b85d1c0c09474d3734da95fb23515cf

SHA256
af628dc6799fd6018998b808d042c1687cb6fe5539290ba0c470700f93f30a86

SHA512
475ac5f9a197248aa92ce90b5e921a0213cef556b0d1250d5e040f69e87227041429e448bd6a2eb6e0a6c983b837e568cebceb1d47f36f01ed3c57924a7d62cf

Download Submit
C:\Windows\{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe

Filesize
380KB

MD5
4c1cc8b88e9dd84518f0ce02ee47099d

SHA1
1dd635de16136a76dfb216ce7764b7373b5036eb

SHA256
e599b714f06e130d09d358b2d14519aacb8962dd7531774ab89e16ba8d44601a

SHA512
ab834c78e44a4860a029961ab47c009191ba0f2f858918f1566fcf543d2f737dc5d270a570df690659d87e4c9ba71c48e8150b52c62b44ef1458730ccd6bddda

Download Submit
C:\Windows\{763DBF70-3B72-46d9-BFEE-0C5113C744C1}.exe

Filesize
380KB

MD5
4c1cc8b88e9dd84518f0ce02ee47099d

SHA1
1dd635de16136a76dfb216ce7764b7373b5036eb

SHA256
e599b714f06e130d09d358b2d14519aacb8962dd7531774ab89e16ba8d44601a

SHA512
ab834c78e44a4860a029961ab47c009191ba0f2f858918f1566fcf543d2f737dc5d270a570df690659d87e4c9ba71c48e8150b52c62b44ef1458730ccd6bddda

Download Submit
C:\Windows\{AD6F56FE-6969-4557-B381-3A2574950C60}.exe

Filesize
380KB

MD5
7951af99f658d5ed013ecaaf9f1d491d

SHA1
ac1b411eed48bbd20a2352910ff3861f1325c210

SHA256
8bb48e9a35bd7fd8fd54450f4010ee67e77ded4e8427fe7e3658bd3ecbed5f79

SHA512
af1c55c8b710d6674e3b499cca7179c1f85c5c73bb0dfd09528cc91257d1bd4ca72cfb5517ae71c00f56712c66d4d214bf4871aaead1864fd9ce588f2e6c5837

Download Submit
C:\Windows\{AD6F56FE-6969-4557-B381-3A2574950C60}.exe

Filesize
380KB

MD5
7951af99f658d5ed013ecaaf9f1d491d

SHA1
ac1b411eed48bbd20a2352910ff3861f1325c210

SHA256
8bb48e9a35bd7fd8fd54450f4010ee67e77ded4e8427fe7e3658bd3ecbed5f79

SHA512
af1c55c8b710d6674e3b499cca7179c1f85c5c73bb0dfd09528cc91257d1bd4ca72cfb5517ae71c00f56712c66d4d214bf4871aaead1864fd9ce588f2e6c5837

Download Submit
C:\Windows\{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe

Filesize
380KB

MD5
e9d1a35cae6a9a81d2d22fc84b491792

SHA1
1da8c59a08b2daa1a3be672ecad20091f7e4c7f5

SHA256
2dc1ac5f6580f982f81ad90087dc133a2cf5816f6639fa8ddfe2b6da34dff34d

SHA512
0dc0c79e277ef77f3f194b79d710806298040aae8cb679fa9169831efc079f67eaf543627eb34092aee27d4b8b84ad86b287955b80fc9f830ba0f341e5f4056d

Download Submit
C:\Windows\{B0EBCF13-9EFF-40f3-94C3-AEE2D5D53B02}.exe

Filesize
380KB

MD5
e9d1a35cae6a9a81d2d22fc84b491792

SHA1
1da8c59a08b2daa1a3be672ecad20091f7e4c7f5

SHA256
2dc1ac5f6580f982f81ad90087dc133a2cf5816f6639fa8ddfe2b6da34dff34d

SHA512
0dc0c79e277ef77f3f194b79d710806298040aae8cb679fa9169831efc079f67eaf543627eb34092aee27d4b8b84ad86b287955b80fc9f830ba0f341e5f4056d

Download Submit
C:\Windows\{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe

Filesize
380KB

MD5
ad0ed43ac3146cf9af031f772ade9987

SHA1
04c3510c5c05c3e363788e89d2e5e0e7d7ca07b6

SHA256
d2d032a862953ee06bda8948dd0bcd05b8687139bcb922a0c8f1e55dab7e9286

SHA512
f0f376463485ad701a16747b622f714ba1422226f41bcaa90fadb417ac7dcf8468138cae5d93d697ae24b2ef1443dc872dadf53f2dd52d8e863e31bbe6886eda

Download Submit
C:\Windows\{BA24BC7E-86E9-49b1-B481-8368D4ED9881}.exe

Filesize
380KB

MD5
ad0ed43ac3146cf9af031f772ade9987

SHA1
04c3510c5c05c3e363788e89d2e5e0e7d7ca07b6

SHA256
d2d032a862953ee06bda8948dd0bcd05b8687139bcb922a0c8f1e55dab7e9286

SHA512
f0f376463485ad701a16747b622f714ba1422226f41bcaa90fadb417ac7dcf8468138cae5d93d697ae24b2ef1443dc872dadf53f2dd52d8e863e31bbe6886eda

Download Submit
C:\Windows\{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe

Filesize
380KB

MD5
48f8e19a34c3f6a53ce9aef1dccbac79

SHA1
fcd99129cd76f8b1ae9ab5491b8ac33016ec6f27

SHA256
e11db640c82cca7f599214f4e17e4770ab768ff57b34d771ead584dfaff5807a

SHA512
e4398f228fd353a310af8f477a0c3da66087d4e1375aa554ce02eeef136052ba18fe66c53b02d04571f514bc726f64fee40c234dcdcc53c2ea4995eb71ea2a55

Download Submit
C:\Windows\{DEECAC97-E253-4b41-A727-5DC274FE3695}.exe

Filesize
380KB

MD5
48f8e19a34c3f6a53ce9aef1dccbac79

SHA1
fcd99129cd76f8b1ae9ab5491b8ac33016ec6f27

SHA256
e11db640c82cca7f599214f4e17e4770ab768ff57b34d771ead584dfaff5807a

SHA512
e4398f228fd353a310af8f477a0c3da66087d4e1375aa554ce02eeef136052ba18fe66c53b02d04571f514bc726f64fee40c234dcdcc53c2ea4995eb71ea2a55

Download Submit
C:\Windows\{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe

Filesize
380KB

MD5
744fcb824af1c505b86dd105dd0acd38

SHA1
4df312ab539039d6adaa4d99023dea220da8d89d

SHA256
c2c35cbb6242a0786e9d3986269c08840eb324e74bae2a58c926fa0f12a7f80f

SHA512
7f5b4d0162761c98699e94a1159b7eb43c37e1552772eda55fa2068e7b633a17040ce42b44067352b1192bcbf20da7cbb0eb012519ab9b452fb91526db23c6c0

Download Submit
C:\Windows\{E4885AB0-E964-47ff-9FB1-BA78F26C11C8}.exe

Filesize
380KB

MD5
744fcb824af1c505b86dd105dd0acd38

SHA1
4df312ab539039d6adaa4d99023dea220da8d89d

SHA256
c2c35cbb6242a0786e9d3986269c08840eb324e74bae2a58c926fa0f12a7f80f

SHA512
7f5b4d0162761c98699e94a1159b7eb43c37e1552772eda55fa2068e7b633a17040ce42b44067352b1192bcbf20da7cbb0eb012519ab9b452fb91526db23c6c0

Download Submit
C:\Windows\{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe

Filesize
380KB

MD5
0e09c25be238ec98840ac8009d61ef57

SHA1
5c71e121abcdf654319262fc61b8ade3cf69a108

SHA256
c960104cf804a7000a0a095e5142db2715f176a9fb7f8712359e7ede504724d8

SHA512
c9c6ed961710d465b903134255bae128717483f1efd9f58fb3729dc9cb28e2030e9c44c8e2fc793e07016f556de94b9ef3e7797925741b8d58d04c68c26b3dc3

Download Submit
C:\Windows\{EA0F5D60-7376-4f4f-9E81-0F4CBA8F0E33}.exe

Filesize
380KB

MD5
0e09c25be238ec98840ac8009d61ef57

SHA1
5c71e121abcdf654319262fc61b8ade3cf69a108

SHA256
c960104cf804a7000a0a095e5142db2715f176a9fb7f8712359e7ede504724d8

SHA512
c9c6ed961710d465b903134255bae128717483f1efd9f58fb3729dc9cb28e2030e9c44c8e2fc793e07016f556de94b9ef3e7797925741b8d58d04c68c26b3dc3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads