bab86ddf4744da23c74ee5a69475760654c71c7a82e9c9bdba0e3a410a2a28f7

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2023 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe
Size

372KB
MD5

83bf96dc0aa16013a1d4fafd4173a357
SHA1

3f44c164b1ae25729f24e1aaebe16e48868ecbe8
SHA256

bab86ddf4744da23c74ee5a69475760654c71c7a82e9c9bdba0e3a410a2a28f7
SHA512

db8fa6862cd8d14b31d459d52015bfc6edc14073101d1ea0e53bc7dc5ce3c4aeb3cd00202c39336507999d979773d8be757a6b69f881b652d117a68d1697ea58
SSDEEP

3072:CEGh0oSmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG9l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}	{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65C6733C-4AE2-4934-AB78-3CB911B67472}	{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D94923A0-2C8D-4548-9FAE-1823621EB48A}\stubpath = "C:\\Windows\\{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe"	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53944D17-F0FF-4a21-8B08-2488D300675B}	{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F6C8CDE-5B69-43dc-849E-E2E93B465276}	{53944D17-F0FF-4a21-8B08-2488D300675B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F6C8CDE-5B69-43dc-849E-E2E93B465276}\stubpath = "C:\\Windows\\{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe"	{53944D17-F0FF-4a21-8B08-2488D300675B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}\stubpath = "C:\\Windows\\{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe"	{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}	{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65C6733C-4AE2-4934-AB78-3CB911B67472}\stubpath = "C:\\Windows\\{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe"	{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A76D115-53C8-4cbb-B7B2-3601F8B60AC4}\stubpath = "C:\\Windows\\{7A76D115-53C8-4cbb-B7B2-3601F8B60AC4}.exe"	{5FC194BC-54CB-497b-912A-AD147B02A8D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17504B82-095B-4307-847F-5CF1472ED460}\stubpath = "C:\\Windows\\{17504B82-095B-4307-847F-5CF1472ED460}.exe"	{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}	{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}\stubpath = "C:\\Windows\\{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe"	{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}	{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FC194BC-54CB-497b-912A-AD147B02A8D5}	{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FC194BC-54CB-497b-912A-AD147B02A8D5}\stubpath = "C:\\Windows\\{5FC194BC-54CB-497b-912A-AD147B02A8D5}.exe"	{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17504B82-095B-4307-847F-5CF1472ED460}	{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B082DCE-EE18-48c5-B16E-36785D8D487D}\stubpath = "C:\\Windows\\{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe"	{17504B82-095B-4307-847F-5CF1472ED460}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}\stubpath = "C:\\Windows\\{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe"	{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D94923A0-2C8D-4548-9FAE-1823621EB48A}	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B082DCE-EE18-48c5-B16E-36785D8D487D}	{17504B82-095B-4307-847F-5CF1472ED460}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53944D17-F0FF-4a21-8B08-2488D300675B}\stubpath = "C:\\Windows\\{53944D17-F0FF-4a21-8B08-2488D300675B}.exe"	{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}\stubpath = "C:\\Windows\\{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe"	{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A76D115-53C8-4cbb-B7B2-3601F8B60AC4}	{5FC194BC-54CB-497b-912A-AD147B02A8D5}.exe

Executes dropped EXE 12 IoCs

pid	Process
3288	{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe
3784	{17504B82-095B-4307-847F-5CF1472ED460}.exe
2640	{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe
4528	{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe
2564	{53944D17-F0FF-4a21-8B08-2488D300675B}.exe
3428	{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe
2848	{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe
4156	{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe
4540	{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe
4924	{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe
4940	{5FC194BC-54CB-497b-912A-AD147B02A8D5}.exe
2476	{7A76D115-53C8-4cbb-B7B2-3601F8B60AC4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{53944D17-F0FF-4a21-8B08-2488D300675B}.exe	{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe
File created	C:\Windows\{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe	{53944D17-F0FF-4a21-8B08-2488D300675B}.exe
File created	C:\Windows\{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe	{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe
File created	C:\Windows\{7A76D115-53C8-4cbb-B7B2-3601F8B60AC4}.exe	{5FC194BC-54CB-497b-912A-AD147B02A8D5}.exe
File created	C:\Windows\{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe	{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe
File created	C:\Windows\{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe	{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe
File created	C:\Windows\{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe	{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe
File created	C:\Windows\{5FC194BC-54CB-497b-912A-AD147B02A8D5}.exe	{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe
File created	C:\Windows\{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe
File created	C:\Windows\{17504B82-095B-4307-847F-5CF1472ED460}.exe	{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe
File created	C:\Windows\{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe	{17504B82-095B-4307-847F-5CF1472ED460}.exe
File created	C:\Windows\{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe	{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	348	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3288	{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe
Token: SeIncBasePriorityPrivilege	3784	{17504B82-095B-4307-847F-5CF1472ED460}.exe
Token: SeIncBasePriorityPrivilege	2640	{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe
Token: SeIncBasePriorityPrivilege	4528	{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe
Token: SeIncBasePriorityPrivilege	2564	{53944D17-F0FF-4a21-8B08-2488D300675B}.exe
Token: SeIncBasePriorityPrivilege	3428	{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe
Token: SeIncBasePriorityPrivilege	2848	{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe
Token: SeIncBasePriorityPrivilege	4156	{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe
Token: SeIncBasePriorityPrivilege	4540	{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe
Token: SeIncBasePriorityPrivilege	4924	{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe
Token: SeIncBasePriorityPrivilege	4940	{5FC194BC-54CB-497b-912A-AD147B02A8D5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 3288	348	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	89
PID 348 wrote to memory of 3288	348	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	89
PID 348 wrote to memory of 3288	348	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	89
PID 348 wrote to memory of 548	348	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	90
PID 348 wrote to memory of 548	348	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	90
PID 348 wrote to memory of 548	348	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	90
PID 3288 wrote to memory of 3784	3288	{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe	91
PID 3288 wrote to memory of 3784	3288	{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe	91
PID 3288 wrote to memory of 3784	3288	{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe	91
PID 3288 wrote to memory of 3660	3288	{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe	92
PID 3288 wrote to memory of 3660	3288	{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe	92
PID 3288 wrote to memory of 3660	3288	{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe	92
PID 3784 wrote to memory of 2640	3784	{17504B82-095B-4307-847F-5CF1472ED460}.exe	94
PID 3784 wrote to memory of 2640	3784	{17504B82-095B-4307-847F-5CF1472ED460}.exe	94
PID 3784 wrote to memory of 2640	3784	{17504B82-095B-4307-847F-5CF1472ED460}.exe	94
PID 3784 wrote to memory of 4772	3784	{17504B82-095B-4307-847F-5CF1472ED460}.exe	95
PID 3784 wrote to memory of 4772	3784	{17504B82-095B-4307-847F-5CF1472ED460}.exe	95
PID 3784 wrote to memory of 4772	3784	{17504B82-095B-4307-847F-5CF1472ED460}.exe	95
PID 2640 wrote to memory of 4528	2640	{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe	96
PID 2640 wrote to memory of 4528	2640	{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe	96
PID 2640 wrote to memory of 4528	2640	{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe	96
PID 2640 wrote to memory of 4952	2640	{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe	97
PID 2640 wrote to memory of 4952	2640	{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe	97
PID 2640 wrote to memory of 4952	2640	{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe	97
PID 4528 wrote to memory of 2564	4528	{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe	99
PID 4528 wrote to memory of 2564	4528	{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe	99
PID 4528 wrote to memory of 2564	4528	{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe	99
PID 4528 wrote to memory of 2876	4528	{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe	98
PID 4528 wrote to memory of 2876	4528	{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe	98
PID 4528 wrote to memory of 2876	4528	{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe	98
PID 2564 wrote to memory of 3428	2564	{53944D17-F0FF-4a21-8B08-2488D300675B}.exe	100
PID 2564 wrote to memory of 3428	2564	{53944D17-F0FF-4a21-8B08-2488D300675B}.exe	100
PID 2564 wrote to memory of 3428	2564	{53944D17-F0FF-4a21-8B08-2488D300675B}.exe	100
PID 2564 wrote to memory of 2092	2564	{53944D17-F0FF-4a21-8B08-2488D300675B}.exe	101
PID 2564 wrote to memory of 2092	2564	{53944D17-F0FF-4a21-8B08-2488D300675B}.exe	101
PID 2564 wrote to memory of 2092	2564	{53944D17-F0FF-4a21-8B08-2488D300675B}.exe	101
PID 3428 wrote to memory of 2848	3428	{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe	103
PID 3428 wrote to memory of 2848	3428	{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe	103
PID 3428 wrote to memory of 2848	3428	{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe	103
PID 3428 wrote to memory of 3976	3428	{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe	102
PID 3428 wrote to memory of 3976	3428	{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe	102
PID 3428 wrote to memory of 3976	3428	{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe	102
PID 2848 wrote to memory of 4156	2848	{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe	104
PID 2848 wrote to memory of 4156	2848	{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe	104
PID 2848 wrote to memory of 4156	2848	{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe	104
PID 2848 wrote to memory of 2472	2848	{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe	105
PID 2848 wrote to memory of 2472	2848	{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe	105
PID 2848 wrote to memory of 2472	2848	{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe	105
PID 4156 wrote to memory of 4540	4156	{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe	106
PID 4156 wrote to memory of 4540	4156	{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe	106
PID 4156 wrote to memory of 4540	4156	{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe	106
PID 4156 wrote to memory of 1664	4156	{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe	107
PID 4156 wrote to memory of 1664	4156	{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe	107
PID 4156 wrote to memory of 1664	4156	{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe	107
PID 4540 wrote to memory of 4924	4540	{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe	108
PID 4540 wrote to memory of 4924	4540	{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe	108
PID 4540 wrote to memory of 4924	4540	{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe	108
PID 4540 wrote to memory of 4916	4540	{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe	109
PID 4540 wrote to memory of 4916	4540	{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe	109
PID 4540 wrote to memory of 4916	4540	{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe	109
PID 4924 wrote to memory of 4940	4924	{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe	110
PID 4924 wrote to memory of 4940	4924	{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe	110
PID 4924 wrote to memory of 4940	4924	{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe	110
PID 4924 wrote to memory of 404	4924	{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe	111

C:\Users\Admin\AppData\Local\Temp\83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe
  C:\Windows\{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\{17504B82-095B-4307-847F-5CF1472ED460}.exe
    C:\Windows\{17504B82-095B-4307-847F-5CF1472ED460}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Windows\{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe
      C:\Windows\{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe
        
        C:\Windows\{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BEA7~1.EXE > nul
        6⤵
        
        PID:2876
      - C:\Windows\{53944D17-F0FF-4a21-8B08-2488D300675B}.exe
        
        C:\Windows\{53944D17-F0FF-4a21-8B08-2488D300675B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe
        
        C:\Windows\{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F6C8~1.EXE > nul
        8⤵
        
        PID:3976
        
        C:\Windows\{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe
        
        C:\Windows\{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe
        
        C:\Windows\{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe
        
        C:\Windows\{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe
        
        C:\Windows\{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\{5FC194BC-54CB-497b-912A-AD147B02A8D5}.exe
        
        C:\Windows\{5FC194BC-54CB-497b-912A-AD147B02A8D5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
        
        C:\Windows\{7A76D115-53C8-4cbb-B7B2-3601F8B60AC4}.exe
        
        C:\Windows\{7A76D115-53C8-4cbb-B7B2-3601F8B60AC4}.exe
        13⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FC19~1.EXE > nul
        13⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65C67~1.EXE > nul
        12⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40919~1.EXE > nul
        11⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE46D~1.EXE > nul
        10⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A9FD~1.EXE > nul
        9⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53944~1.EXE > nul
        7⤵
        
        PID:2092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B082~1.EXE > nul
        5⤵
        
        PID:4952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{17504~1.EXE > nul
      4⤵
      PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D9492~1.EXE > nul
    3⤵
    PID:3660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\83BF96~1.EXE > nul
  2⤵
  PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe

Filesize
372KB

MD5
dd1b21019ea5fbb397f8dad476c4406a

SHA1
b45df80cfb535b7e30be112dbf4b73939c3bdddd

SHA256
e598742b0c33fa9a36fd2f81c8ac591ac4209aa4b204f202a4e25c940e7dcb0e

SHA512
8aea7d1130db9e5ab5ec8416094206b7dd7c396acbc3d6b72e5e37067d5ca87c20bc670ea65e8cbb2e4b651f8085de460f088b7d24797604e39dceb6753da678

Download Submit
C:\Windows\{0BEA7FA1-F73D-403b-BEDB-600644AA44A3}.exe

Filesize
372KB

MD5
dd1b21019ea5fbb397f8dad476c4406a

SHA1
b45df80cfb535b7e30be112dbf4b73939c3bdddd

SHA256
e598742b0c33fa9a36fd2f81c8ac591ac4209aa4b204f202a4e25c940e7dcb0e

SHA512
8aea7d1130db9e5ab5ec8416094206b7dd7c396acbc3d6b72e5e37067d5ca87c20bc670ea65e8cbb2e4b651f8085de460f088b7d24797604e39dceb6753da678

Download Submit
C:\Windows\{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe

Filesize
372KB

MD5
3dc2ad0f84e69d16adc3285f12187b34

SHA1
81e77543056b804e78a4237c0c10b1ed3e8021dd

SHA256
f69f160c3b52f793f7be6b66167c0604906af6abc5fa959431027732864e4a4b

SHA512
1ae637c287890bbb54813b6be194e93e205e99af20a83f1a4a8d137be52a4bdf037f84227d517d9f03b90efe3cea854e4cdef876b0dde42ed38dc3ee58904d5e

Download Submit
C:\Windows\{0F6C8CDE-5B69-43dc-849E-E2E93B465276}.exe

Filesize
372KB

MD5
3dc2ad0f84e69d16adc3285f12187b34

SHA1
81e77543056b804e78a4237c0c10b1ed3e8021dd

SHA256
f69f160c3b52f793f7be6b66167c0604906af6abc5fa959431027732864e4a4b

SHA512
1ae637c287890bbb54813b6be194e93e205e99af20a83f1a4a8d137be52a4bdf037f84227d517d9f03b90efe3cea854e4cdef876b0dde42ed38dc3ee58904d5e

Download Submit
C:\Windows\{17504B82-095B-4307-847F-5CF1472ED460}.exe

Filesize
372KB

MD5
2c51c8a6641fd44c889c71ad32b58bdd

SHA1
1cfd234ea4a6233e89aeec8b5ae6ac2c6f59569b

SHA256
e8696d2b7da607c24cf8a7f9270dbb817367aab8c9b9c4e4bfa561c4fdd87dad

SHA512
73152fa41f5d27b8ef1631d3ef7c1a50cc3cdd3ed78a21426dd884bd6a3e5853946f63cc99b86aa22b4e45e3c5788a26ba37ad90132b8a993bf2cd06f16e5871

Download Submit
C:\Windows\{17504B82-095B-4307-847F-5CF1472ED460}.exe

Filesize
372KB

MD5
2c51c8a6641fd44c889c71ad32b58bdd

SHA1
1cfd234ea4a6233e89aeec8b5ae6ac2c6f59569b

SHA256
e8696d2b7da607c24cf8a7f9270dbb817367aab8c9b9c4e4bfa561c4fdd87dad

SHA512
73152fa41f5d27b8ef1631d3ef7c1a50cc3cdd3ed78a21426dd884bd6a3e5853946f63cc99b86aa22b4e45e3c5788a26ba37ad90132b8a993bf2cd06f16e5871

Download Submit
C:\Windows\{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe

Filesize
372KB

MD5
0f5d3918a957298b148082d2bcc94ae3

SHA1
20351633a5faf448777a5c191522fb5521c9033e

SHA256
21bc7caa2c2dd583371f1dc271074985b9ad37f30e57c7b33795eeac1cddfa9a

SHA512
f47eaeefebc69242eafb61c3567f9991f45a7e5133e59974a80df551de93f1125fa73e0013df9e5d81e301a644a41bc94779e1cb2f15f9cc5f08bde87f157590

Download Submit
C:\Windows\{2A9FD2B0-E6F0-4ce4-A0C0-EED8F911560C}.exe

Filesize
372KB

MD5
0f5d3918a957298b148082d2bcc94ae3

SHA1
20351633a5faf448777a5c191522fb5521c9033e

SHA256
21bc7caa2c2dd583371f1dc271074985b9ad37f30e57c7b33795eeac1cddfa9a

SHA512
f47eaeefebc69242eafb61c3567f9991f45a7e5133e59974a80df551de93f1125fa73e0013df9e5d81e301a644a41bc94779e1cb2f15f9cc5f08bde87f157590

Download Submit
C:\Windows\{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe

Filesize
372KB

MD5
77635fae439b9d05c465221d0fb43750

SHA1
8a07e6389b74489e8a3d809bad4ba37d8701b3ee

SHA256
bd82d9f695a2d44ad8c2d1b0cc3215d3ca970c162b6a0894de31f3bba8d59f61

SHA512
dd5e8b5271c1e03d318d239e29b28eaf8ce1cd7ecee145ddb5b3f0a108a1380b3db41749c1432380e568bed0c96d41dee1f93904bccee1b1f540dea0d3f18d28

Download Submit
C:\Windows\{40919A21-3E0F-4cc8-A0A5-A5C7941E7F19}.exe

Filesize
372KB

MD5
77635fae439b9d05c465221d0fb43750

SHA1
8a07e6389b74489e8a3d809bad4ba37d8701b3ee

SHA256
bd82d9f695a2d44ad8c2d1b0cc3215d3ca970c162b6a0894de31f3bba8d59f61

SHA512
dd5e8b5271c1e03d318d239e29b28eaf8ce1cd7ecee145ddb5b3f0a108a1380b3db41749c1432380e568bed0c96d41dee1f93904bccee1b1f540dea0d3f18d28

Download Submit
C:\Windows\{53944D17-F0FF-4a21-8B08-2488D300675B}.exe

Filesize
372KB

MD5
3f1a4579a39d01bd97944ff894f8098b

SHA1
191d1889caa81f886fe1d5e1d5b748e2009cc1d9

SHA256
1803d7dd289f380bd0035e5ff6c584e739d465eb1146b4dbc8596c338231e339

SHA512
76e79fa3cbf23594247567170578c761f96042d763e0fb46882fccef222bedc3b5842a0a7134ed02ead6e4652aea4b276adfbb981fa50938fc3b696b5d059fac

Download Submit
C:\Windows\{53944D17-F0FF-4a21-8B08-2488D300675B}.exe

Filesize
372KB

MD5
3f1a4579a39d01bd97944ff894f8098b

SHA1
191d1889caa81f886fe1d5e1d5b748e2009cc1d9

SHA256
1803d7dd289f380bd0035e5ff6c584e739d465eb1146b4dbc8596c338231e339

SHA512
76e79fa3cbf23594247567170578c761f96042d763e0fb46882fccef222bedc3b5842a0a7134ed02ead6e4652aea4b276adfbb981fa50938fc3b696b5d059fac

Download Submit
C:\Windows\{5FC194BC-54CB-497b-912A-AD147B02A8D5}.exe

Filesize
372KB

MD5
0fce29d4aa19ef6aadc6efdef6796c77

SHA1
0f66ff8f0e995475ae6f06174f92f16653c595b6

SHA256
71dc7879397ec498a4ee44dbaed1b45a38a51de2fab92670fb464f5c158ea006

SHA512
7452500a67f83e731a54e67d6f5b9f6177bbefaa22bc76eec0e6029a88b82345dfab129f572e25ed1ebba5ee35f8c79c73ecb669f1358e1566ef7ea688ca3346

Download Submit
C:\Windows\{5FC194BC-54CB-497b-912A-AD147B02A8D5}.exe

Filesize
372KB

MD5
0fce29d4aa19ef6aadc6efdef6796c77

SHA1
0f66ff8f0e995475ae6f06174f92f16653c595b6

SHA256
71dc7879397ec498a4ee44dbaed1b45a38a51de2fab92670fb464f5c158ea006

SHA512
7452500a67f83e731a54e67d6f5b9f6177bbefaa22bc76eec0e6029a88b82345dfab129f572e25ed1ebba5ee35f8c79c73ecb669f1358e1566ef7ea688ca3346

Download Submit
C:\Windows\{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe

Filesize
372KB

MD5
c1906dc051b1e4cee423052b17bce3cd

SHA1
5c3c43ba9ddb954be4244a7eb42353af23c2739b

SHA256
30d4b00268ed5daef0cb7f09ab81c970a39bdb21eb01785cc471317531c1a31b

SHA512
22ca741264ef39a2f43c0316b988f383e0ca5fad02dafde707a8ad203eb7dbf6d50cb177521cde2c1163ad857c17cdbba77e393994b9de35fc4cdad68a87b998

Download Submit
C:\Windows\{65C6733C-4AE2-4934-AB78-3CB911B67472}.exe

Filesize
372KB

MD5
c1906dc051b1e4cee423052b17bce3cd

SHA1
5c3c43ba9ddb954be4244a7eb42353af23c2739b

SHA256
30d4b00268ed5daef0cb7f09ab81c970a39bdb21eb01785cc471317531c1a31b

SHA512
22ca741264ef39a2f43c0316b988f383e0ca5fad02dafde707a8ad203eb7dbf6d50cb177521cde2c1163ad857c17cdbba77e393994b9de35fc4cdad68a87b998

Download Submit
C:\Windows\{7A76D115-53C8-4cbb-B7B2-3601F8B60AC4}.exe

Filesize
372KB

MD5
b7b718b159315837d91e6e478c90d77c

SHA1
b33c38025373a1472d4e12f93a2817866124ca78

SHA256
f1ebe5ac1248df8972bf9628051f35921bd0e2ad3eadaa7acdb2265fdb2fb344

SHA512
1d104c571661b720a320d4e8c8d72d1b03b0b16160478e720d5c3374bf4df8841da6edcfeadd98295bda638d2581519bcad44d144e5b7d51b64904a8045d70ff

Download Submit
C:\Windows\{7A76D115-53C8-4cbb-B7B2-3601F8B60AC4}.exe

Filesize
372KB

MD5
b7b718b159315837d91e6e478c90d77c

SHA1
b33c38025373a1472d4e12f93a2817866124ca78

SHA256
f1ebe5ac1248df8972bf9628051f35921bd0e2ad3eadaa7acdb2265fdb2fb344

SHA512
1d104c571661b720a320d4e8c8d72d1b03b0b16160478e720d5c3374bf4df8841da6edcfeadd98295bda638d2581519bcad44d144e5b7d51b64904a8045d70ff

Download Submit
C:\Windows\{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe

Filesize
372KB

MD5
db30191ed1dabeb5776f79e453f70826

SHA1
fc8a0dfcfc521b7727653025f731565f7a581448

SHA256
9c8d5ae2dfc038130be4cff9030d8218df3a9b1c8cea9ccf8edb0946759e3098

SHA512
36270fe51f144eb0013b7e7f3f835a922b56d56b39aa9daaefe2679e80bd3a38644a3132cd131fc1bdc30511d8e2b258f595e85c2d02f0dfa29b43ca6bebcb90

Download Submit
C:\Windows\{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe

Filesize
372KB

MD5
db30191ed1dabeb5776f79e453f70826

SHA1
fc8a0dfcfc521b7727653025f731565f7a581448

SHA256
9c8d5ae2dfc038130be4cff9030d8218df3a9b1c8cea9ccf8edb0946759e3098

SHA512
36270fe51f144eb0013b7e7f3f835a922b56d56b39aa9daaefe2679e80bd3a38644a3132cd131fc1bdc30511d8e2b258f595e85c2d02f0dfa29b43ca6bebcb90

Download Submit
C:\Windows\{9B082DCE-EE18-48c5-B16E-36785D8D487D}.exe

Filesize
372KB

MD5
db30191ed1dabeb5776f79e453f70826

SHA1
fc8a0dfcfc521b7727653025f731565f7a581448

SHA256
9c8d5ae2dfc038130be4cff9030d8218df3a9b1c8cea9ccf8edb0946759e3098

SHA512
36270fe51f144eb0013b7e7f3f835a922b56d56b39aa9daaefe2679e80bd3a38644a3132cd131fc1bdc30511d8e2b258f595e85c2d02f0dfa29b43ca6bebcb90

Download Submit
C:\Windows\{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe

Filesize
372KB

MD5
372694031162ee5ef1bb9fe9914db1ef

SHA1
9e13e5d83591c1952cae8b9877b85c4769aa6e08

SHA256
7571c43b542d706ecc8b53425979ab147c3c68ad2d73ea756adb6f240dcd9a0a

SHA512
0b3ef0d453ff5c1f94205920b7299e032bfb16efb683d368cdc47231926a331f8de89ce10c7430fa9a2afa009561f273a6c9dec9647babcca545e1b2682c98ea

Download Submit
C:\Windows\{D94923A0-2C8D-4548-9FAE-1823621EB48A}.exe

Filesize
372KB

MD5
372694031162ee5ef1bb9fe9914db1ef

SHA1
9e13e5d83591c1952cae8b9877b85c4769aa6e08

SHA256
7571c43b542d706ecc8b53425979ab147c3c68ad2d73ea756adb6f240dcd9a0a

SHA512
0b3ef0d453ff5c1f94205920b7299e032bfb16efb683d368cdc47231926a331f8de89ce10c7430fa9a2afa009561f273a6c9dec9647babcca545e1b2682c98ea

Download Submit
C:\Windows\{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe

Filesize
372KB

MD5
34044f9e42c102ff7b9f8b5daa638e2b

SHA1
e3802f03c14cdcc4ac6087ec5ebe6c2987843f87

SHA256
831189fcdfd796ac4761295682ce4226561651ec9489ccca60004f3d9c1534ea

SHA512
bacfcc345614e6695b54a5043ea9a984ee9d491be09688368318427dfece1b7c360e1a510118cd3643b6082be24609b44282ce4c78b1731155fa00ae91e1f021

Download Submit
C:\Windows\{DE46DB12-E093-4513-9FAE-2FC4B1C6227E}.exe

Filesize
372KB

MD5
34044f9e42c102ff7b9f8b5daa638e2b

SHA1
e3802f03c14cdcc4ac6087ec5ebe6c2987843f87

SHA256
831189fcdfd796ac4761295682ce4226561651ec9489ccca60004f3d9c1534ea

SHA512
bacfcc345614e6695b54a5043ea9a984ee9d491be09688368318427dfece1b7c360e1a510118cd3643b6082be24609b44282ce4c78b1731155fa00ae91e1f021

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads