6fa2afe27207708bd9262e3b271dea0301f79032611cb579018842ee1952a915

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2023 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe
Size

204KB
MD5

9aa10fcfd350b7a05b41de6972ab8827
SHA1

edc141fc5be807828f69f9ca36e3a0b1201f7f9b
SHA256

6fa2afe27207708bd9262e3b271dea0301f79032611cb579018842ee1952a915
SHA512

efe4fede9023b9bbd69d36bc9e322cf79bd7117e302aa1bb833bde0f451c895213875e011ac15ab4a49551fd04b54c1f6a76a133703ab3d739293288a172982e
SSDEEP

1536:1EGh0oYl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oYl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23BC8237-F43B-4009-91CD-38D669DBEBE6}	{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E86CCE1B-0230-4836-9C50-FCBD6028DD10}	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}	{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}\stubpath = "C:\\Windows\\{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe"	{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}	{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B32975E-6795-4485-9830-4EEE7A051331}\stubpath = "C:\\Windows\\{2B32975E-6795-4485-9830-4EEE7A051331}.exe"	{4CE0646D-3EB6-4098-9F00-39D4CFBF9342}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F0DE640-6E77-4334-BAC7-A4CE265293F9}\stubpath = "C:\\Windows\\{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe"	{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}	{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01BA534F-0CC2-4a38-BB80-54D73EC42D93}\stubpath = "C:\\Windows\\{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe"	{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CE0646D-3EB6-4098-9F00-39D4CFBF9342}	{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}\stubpath = "C:\\Windows\\{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe"	{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}	{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}\stubpath = "C:\\Windows\\{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe"	{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E86CCE1B-0230-4836-9C50-FCBD6028DD10}\stubpath = "C:\\Windows\\{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe"	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}	{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}\stubpath = "C:\\Windows\\{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe"	{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23BC8237-F43B-4009-91CD-38D669DBEBE6}\stubpath = "C:\\Windows\\{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe"	{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}	{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CE0646D-3EB6-4098-9F00-39D4CFBF9342}\stubpath = "C:\\Windows\\{4CE0646D-3EB6-4098-9F00-39D4CFBF9342}.exe"	{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B32975E-6795-4485-9830-4EEE7A051331}	{4CE0646D-3EB6-4098-9F00-39D4CFBF9342}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F0DE640-6E77-4334-BAC7-A4CE265293F9}	{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}\stubpath = "C:\\Windows\\{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe"	{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}\stubpath = "C:\\Windows\\{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe"	{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01BA534F-0CC2-4a38-BB80-54D73EC42D93}	{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe

Executes dropped EXE 12 IoCs

pid	Process
1232	{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe
3752	{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe
3472	{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe
1484	{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe
2216	{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe
2064	{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe
324	{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe
1708	{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe
3244	{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe
2144	{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe
4220	{4CE0646D-3EB6-4098-9F00-39D4CFBF9342}.exe
2452	{2B32975E-6795-4485-9830-4EEE7A051331}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe	{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe
File created	C:\Windows\{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe	{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe
File created	C:\Windows\{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe	{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe
File created	C:\Windows\{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe	{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe
File created	C:\Windows\{4CE0646D-3EB6-4098-9F00-39D4CFBF9342}.exe	{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe
File created	C:\Windows\{2B32975E-6795-4485-9830-4EEE7A051331}.exe	{4CE0646D-3EB6-4098-9F00-39D4CFBF9342}.exe
File created	C:\Windows\{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe
File created	C:\Windows\{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe	{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe
File created	C:\Windows\{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe	{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe
File created	C:\Windows\{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe	{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe
File created	C:\Windows\{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe	{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe
File created	C:\Windows\{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe	{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1616	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1232	{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe
Token: SeIncBasePriorityPrivilege	3752	{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe
Token: SeIncBasePriorityPrivilege	3472	{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe
Token: SeIncBasePriorityPrivilege	1484	{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe
Token: SeIncBasePriorityPrivilege	2216	{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe
Token: SeIncBasePriorityPrivilege	2064	{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe
Token: SeIncBasePriorityPrivilege	324	{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe
Token: SeIncBasePriorityPrivilege	1708	{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe
Token: SeIncBasePriorityPrivilege	3244	{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe
Token: SeIncBasePriorityPrivilege	2144	{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe
Token: SeIncBasePriorityPrivilege	4220	{4CE0646D-3EB6-4098-9F00-39D4CFBF9342}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 1232	1616	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	90
PID 1616 wrote to memory of 1232	1616	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	90
PID 1616 wrote to memory of 1232	1616	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	90
PID 1616 wrote to memory of 3136	1616	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	91
PID 1616 wrote to memory of 3136	1616	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	91
PID 1616 wrote to memory of 3136	1616	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	91
PID 1232 wrote to memory of 3752	1232	{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe	92
PID 1232 wrote to memory of 3752	1232	{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe	92
PID 1232 wrote to memory of 3752	1232	{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe	92
PID 1232 wrote to memory of 3256	1232	{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe	93
PID 1232 wrote to memory of 3256	1232	{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe	93
PID 1232 wrote to memory of 3256	1232	{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe	93
PID 3752 wrote to memory of 3472	3752	{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe	95
PID 3752 wrote to memory of 3472	3752	{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe	95
PID 3752 wrote to memory of 3472	3752	{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe	95
PID 3752 wrote to memory of 4148	3752	{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe	96
PID 3752 wrote to memory of 4148	3752	{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe	96
PID 3752 wrote to memory of 4148	3752	{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe	96
PID 3472 wrote to memory of 1484	3472	{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe	97
PID 3472 wrote to memory of 1484	3472	{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe	97
PID 3472 wrote to memory of 1484	3472	{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe	97
PID 3472 wrote to memory of 4852	3472	{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe	98
PID 3472 wrote to memory of 4852	3472	{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe	98
PID 3472 wrote to memory of 4852	3472	{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe	98
PID 1484 wrote to memory of 2216	1484	{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe	99
PID 1484 wrote to memory of 2216	1484	{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe	99
PID 1484 wrote to memory of 2216	1484	{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe	99
PID 1484 wrote to memory of 4860	1484	{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe	100
PID 1484 wrote to memory of 4860	1484	{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe	100
PID 1484 wrote to memory of 4860	1484	{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe	100
PID 2216 wrote to memory of 2064	2216	{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe	101
PID 2216 wrote to memory of 2064	2216	{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe	101
PID 2216 wrote to memory of 2064	2216	{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe	101
PID 2216 wrote to memory of 3980	2216	{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe	102
PID 2216 wrote to memory of 3980	2216	{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe	102
PID 2216 wrote to memory of 3980	2216	{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe	102
PID 2064 wrote to memory of 324	2064	{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe	103
PID 2064 wrote to memory of 324	2064	{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe	103
PID 2064 wrote to memory of 324	2064	{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe	103
PID 2064 wrote to memory of 4408	2064	{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe	104
PID 2064 wrote to memory of 4408	2064	{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe	104
PID 2064 wrote to memory of 4408	2064	{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe	104
PID 324 wrote to memory of 1708	324	{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe	105
PID 324 wrote to memory of 1708	324	{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe	105
PID 324 wrote to memory of 1708	324	{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe	105
PID 324 wrote to memory of 2872	324	{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe	106
PID 324 wrote to memory of 2872	324	{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe	106
PID 324 wrote to memory of 2872	324	{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe	106
PID 1708 wrote to memory of 3244	1708	{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe	107
PID 1708 wrote to memory of 3244	1708	{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe	107
PID 1708 wrote to memory of 3244	1708	{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe	107
PID 1708 wrote to memory of 1208	1708	{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe	108
PID 1708 wrote to memory of 1208	1708	{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe	108
PID 1708 wrote to memory of 1208	1708	{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe	108
PID 3244 wrote to memory of 2144	3244	{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe	109
PID 3244 wrote to memory of 2144	3244	{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe	109
PID 3244 wrote to memory of 2144	3244	{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe	109
PID 3244 wrote to memory of 3048	3244	{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe	110
PID 3244 wrote to memory of 3048	3244	{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe	110
PID 3244 wrote to memory of 3048	3244	{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe	110
PID 2144 wrote to memory of 4220	2144	{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe	111
PID 2144 wrote to memory of 4220	2144	{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe	111
PID 2144 wrote to memory of 4220	2144	{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe	111
PID 2144 wrote to memory of 2656	2144	{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe	112

C:\Users\Admin\AppData\Local\Temp\9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe
  C:\Windows\{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe
    C:\Windows\{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe
      C:\Windows\{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Windows\{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe
        
        C:\Windows\{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe
        
        C:\Windows\{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe
        
        C:\Windows\{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe
        
        C:\Windows\{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe
        
        C:\Windows\{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe
        
        C:\Windows\{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe
        
        C:\Windows\{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\{4CE0646D-3EB6-4098-9F00-39D4CFBF9342}.exe
        
        C:\Windows\{4CE0646D-3EB6-4098-9F00-39D4CFBF9342}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
        
        C:\Windows\{2B32975E-6795-4485-9830-4EEE7A051331}.exe
        
        C:\Windows\{2B32975E-6795-4485-9830-4EEE7A051331}.exe
        13⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CE06~1.EXE > nul
        13⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C23B~1.EXE > nul
        12⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01BA5~1.EXE > nul
        11⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B304~1.EXE > nul
        10⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DAE8~1.EXE > nul
        9⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23BC8~1.EXE > nul
        8⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6BF7~1.EXE > nul
        7⤵
        
        PID:3980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37952~1.EXE > nul
        6⤵
        
        PID:4860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F0DE~1.EXE > nul
        5⤵
        
        PID:4852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D7E68~1.EXE > nul
      4⤵
      PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E86CC~1.EXE > nul
    3⤵
    PID:3256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9AA10F~1.EXE > nul
  2⤵
  PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe

Filesize
204KB

MD5
8e912af263c39d710f3d167e3e743a73

SHA1
90ba172606d1149c7ba06456afff79877817059b

SHA256
be37eff1986407d8a877d1d69eeacf820865c049459ecf0e4944ebf60b3aaa7c

SHA512
9dc69a5d491aae973eb0c25d0df9c736c2b2c24c4379954e21a6fa2189f221afc425a7dc53951c5114deac4541975977d47b81368078a7f5a926ee8f69768373

Download Submit
C:\Windows\{01BA534F-0CC2-4a38-BB80-54D73EC42D93}.exe

Filesize
204KB

MD5
8e912af263c39d710f3d167e3e743a73

SHA1
90ba172606d1149c7ba06456afff79877817059b

SHA256
be37eff1986407d8a877d1d69eeacf820865c049459ecf0e4944ebf60b3aaa7c

SHA512
9dc69a5d491aae973eb0c25d0df9c736c2b2c24c4379954e21a6fa2189f221afc425a7dc53951c5114deac4541975977d47b81368078a7f5a926ee8f69768373

Download Submit
C:\Windows\{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe

Filesize
204KB

MD5
a7e909c9b79f16fca859d0552627cc58

SHA1
ca89f5c30fc0f4a06f06e909786cee64ef25386a

SHA256
2d626d77973e1e70893374038b6fc4495b8bae17504f2700b787552ce312e454

SHA512
99db37d028778fa99f6fadd1d049cba4f96df72c9c9660cf8ea5b43e12922dc1aaa2db20e1fc36bbbfbfd2bb97c634dda46f434017f55cb929c1560ea6bd4f90

Download Submit
C:\Windows\{23BC8237-F43B-4009-91CD-38D669DBEBE6}.exe

Filesize
204KB

MD5
a7e909c9b79f16fca859d0552627cc58

SHA1
ca89f5c30fc0f4a06f06e909786cee64ef25386a

SHA256
2d626d77973e1e70893374038b6fc4495b8bae17504f2700b787552ce312e454

SHA512
99db37d028778fa99f6fadd1d049cba4f96df72c9c9660cf8ea5b43e12922dc1aaa2db20e1fc36bbbfbfd2bb97c634dda46f434017f55cb929c1560ea6bd4f90

Download Submit
C:\Windows\{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe

Filesize
204KB

MD5
f6e4e22c60c19858979e566d56a04dd1

SHA1
61e26863cb572dbd4bfde87fa220989024371eb7

SHA256
787076ca9695ceb3f85e4135c58fa3d97d73d1b77c75bb694d77dfe69c2753b5

SHA512
481ac204826e2bf5affbd02ec7a9156dcb1bafde5b47e71c6ee5d2cbdfba2962403fe996e141998eecadc6571c1e326c8ce450988213c9e519f1789dde6bfea5

Download Submit
C:\Windows\{2B30401D-85D4-4d49-8B1C-53E9D80B92DC}.exe

Filesize
204KB

MD5
f6e4e22c60c19858979e566d56a04dd1

SHA1
61e26863cb572dbd4bfde87fa220989024371eb7

SHA256
787076ca9695ceb3f85e4135c58fa3d97d73d1b77c75bb694d77dfe69c2753b5

SHA512
481ac204826e2bf5affbd02ec7a9156dcb1bafde5b47e71c6ee5d2cbdfba2962403fe996e141998eecadc6571c1e326c8ce450988213c9e519f1789dde6bfea5

Download Submit
C:\Windows\{2B32975E-6795-4485-9830-4EEE7A051331}.exe

Filesize
204KB

MD5
0f418c8a9f32e1b210bd9fee7b63c82a

SHA1
9f80a73c010e2623489ff2e610caed712141eeca

SHA256
3bb7ac9ba3dd2d2befd4db6b6f7209ff23e1453530fb68ac2a4f8a2edc80e5a1

SHA512
3c9b293c12991c09f1fa7261327421bbe27308415765da02a87827ee92c7f15c7cabe6df1b4f1b8470d7e0a694b7eed0780143f488947067190a8f2ae3e02313

Download Submit
C:\Windows\{2B32975E-6795-4485-9830-4EEE7A051331}.exe

Filesize
204KB

MD5
0f418c8a9f32e1b210bd9fee7b63c82a

SHA1
9f80a73c010e2623489ff2e610caed712141eeca

SHA256
3bb7ac9ba3dd2d2befd4db6b6f7209ff23e1453530fb68ac2a4f8a2edc80e5a1

SHA512
3c9b293c12991c09f1fa7261327421bbe27308415765da02a87827ee92c7f15c7cabe6df1b4f1b8470d7e0a694b7eed0780143f488947067190a8f2ae3e02313

Download Submit
C:\Windows\{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe

Filesize
204KB

MD5
b4bbe0717b3dd3c9f2b03fd9a2062823

SHA1
206bfba7b555e484e3da83e905eaed0f798080a8

SHA256
4fd18e02a6a393f6a8e146bd8699d7e1e7af40e53a4cd3157afceeae4537d1f9

SHA512
e8054f0d407f77521c085b88ddf066eac9e8c31f2760ad13f888672bd7597ad8470a8e748c076c802896c4bfb08228032c3e8fbfdecc67cc3787f9578fb52f99

Download Submit
C:\Windows\{37952128-7EDF-4e3e-B0DF-92948D1B9CFF}.exe

Filesize
204KB

MD5
b4bbe0717b3dd3c9f2b03fd9a2062823

SHA1
206bfba7b555e484e3da83e905eaed0f798080a8

SHA256
4fd18e02a6a393f6a8e146bd8699d7e1e7af40e53a4cd3157afceeae4537d1f9

SHA512
e8054f0d407f77521c085b88ddf066eac9e8c31f2760ad13f888672bd7597ad8470a8e748c076c802896c4bfb08228032c3e8fbfdecc67cc3787f9578fb52f99

Download Submit
C:\Windows\{4CE0646D-3EB6-4098-9F00-39D4CFBF9342}.exe

Filesize
204KB

MD5
d9773aeb305c6e39d60263005c766061

SHA1
f34923e9b3e62ab7207b02d0b8f9980c96e4bc78

SHA256
5e1fbd0a4681e95fe420261b4b8bff2aae05db47c33803a95f86f7163b685616

SHA512
93f1eb37be8ecf8aa8cc86c60e8d276f66ff2a44e83e73b7193e4a77cbab62acdf2914acb9a0cf42010c5514e1e1404757d3680572594c34214edb6e80ccad64

Download Submit
C:\Windows\{4CE0646D-3EB6-4098-9F00-39D4CFBF9342}.exe

Filesize
204KB

MD5
d9773aeb305c6e39d60263005c766061

SHA1
f34923e9b3e62ab7207b02d0b8f9980c96e4bc78

SHA256
5e1fbd0a4681e95fe420261b4b8bff2aae05db47c33803a95f86f7163b685616

SHA512
93f1eb37be8ecf8aa8cc86c60e8d276f66ff2a44e83e73b7193e4a77cbab62acdf2914acb9a0cf42010c5514e1e1404757d3680572594c34214edb6e80ccad64

Download Submit
C:\Windows\{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe

Filesize
204KB

MD5
37b2c1f4f281a06b16ce0afc03738277

SHA1
5adcb50d0efb070b1e634706219306b9ef0e1082

SHA256
33840e95742c60cfa6aa7db81b847d73e9811411fdfc89a186e35bf46860b52f

SHA512
52957a7ca0e88fcdf834d403adec3b297bf710baf093a1376b96601419a832439b8e91a7a04da5c3ace5386a74aecebde3ce3327ab2b1e03770bfd9a1504b04d

Download Submit
C:\Windows\{5C23B074-3CDF-43b1-A3CE-F941B6E4DE86}.exe

Filesize
204KB

MD5
37b2c1f4f281a06b16ce0afc03738277

SHA1
5adcb50d0efb070b1e634706219306b9ef0e1082

SHA256
33840e95742c60cfa6aa7db81b847d73e9811411fdfc89a186e35bf46860b52f

SHA512
52957a7ca0e88fcdf834d403adec3b297bf710baf093a1376b96601419a832439b8e91a7a04da5c3ace5386a74aecebde3ce3327ab2b1e03770bfd9a1504b04d

Download Submit
C:\Windows\{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe

Filesize
204KB

MD5
39a2b36d840c10f9a45b3182cae0dd1b

SHA1
963b3134874908832075c0cfe1fb9a422113dfb6

SHA256
08b36d3167f5b79dc47b3ee1807a9183faa48625ecd0203b2c748d9cf3fb37a1

SHA512
d4dfef0c90b957112086891787d3d2b6bc75ad98db319a53c3a1a990c6b9958ee13ad38aed1457c63c42fedd54682bf33b1d24c815b4c7d7734b3547eb779c66

Download Submit
C:\Windows\{9DAE827A-BCC9-45eb-9C16-703F3325CEEF}.exe

Filesize
204KB

MD5
39a2b36d840c10f9a45b3182cae0dd1b

SHA1
963b3134874908832075c0cfe1fb9a422113dfb6

SHA256
08b36d3167f5b79dc47b3ee1807a9183faa48625ecd0203b2c748d9cf3fb37a1

SHA512
d4dfef0c90b957112086891787d3d2b6bc75ad98db319a53c3a1a990c6b9958ee13ad38aed1457c63c42fedd54682bf33b1d24c815b4c7d7734b3547eb779c66

Download Submit
C:\Windows\{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe

Filesize
204KB

MD5
b335cc4dad097878162879bee9dede5c

SHA1
2afb1c6a8106c0aa97dc68bc73ce88f12ffd0d91

SHA256
092caba05ec9bf4f5caca94108fe4000f34f3f5c341204ae3d9c9713589afc3f

SHA512
9b2bda1fa924dc7534316b05a9fde33ffc3a95d01aa16238b3312e35fe031d49c64653eac41af50c2028b16bfca0020474acce48f9ac2060531de66417f15981

Download Submit
C:\Windows\{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe

Filesize
204KB

MD5
b335cc4dad097878162879bee9dede5c

SHA1
2afb1c6a8106c0aa97dc68bc73ce88f12ffd0d91

SHA256
092caba05ec9bf4f5caca94108fe4000f34f3f5c341204ae3d9c9713589afc3f

SHA512
9b2bda1fa924dc7534316b05a9fde33ffc3a95d01aa16238b3312e35fe031d49c64653eac41af50c2028b16bfca0020474acce48f9ac2060531de66417f15981

Download Submit
C:\Windows\{9F0DE640-6E77-4334-BAC7-A4CE265293F9}.exe

Filesize
204KB

MD5
b335cc4dad097878162879bee9dede5c

SHA1
2afb1c6a8106c0aa97dc68bc73ce88f12ffd0d91

SHA256
092caba05ec9bf4f5caca94108fe4000f34f3f5c341204ae3d9c9713589afc3f

SHA512
9b2bda1fa924dc7534316b05a9fde33ffc3a95d01aa16238b3312e35fe031d49c64653eac41af50c2028b16bfca0020474acce48f9ac2060531de66417f15981

Download Submit
C:\Windows\{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe

Filesize
204KB

MD5
23970bd89bfe316f4a814764eee562d7

SHA1
0a9a4b4bd527c53f39483f4c9fff5d6485ea5c57

SHA256
41b372d45cf621a6b1867fa4976316703c3b533556b3db43e13c526933e451c2

SHA512
b4ab33dbedb9dc88ae4b9ff41d9cff82c29582df1739b8013789360adb853c31d02a159c706f9874fd6a5472f3d429062ce0b25ca40f4fd61401c5808d17f4a3

Download Submit
C:\Windows\{D7E683A5-F8A0-4472-AB6B-E478B7B9DF5A}.exe

Filesize
204KB

MD5
23970bd89bfe316f4a814764eee562d7

SHA1
0a9a4b4bd527c53f39483f4c9fff5d6485ea5c57

SHA256
41b372d45cf621a6b1867fa4976316703c3b533556b3db43e13c526933e451c2

SHA512
b4ab33dbedb9dc88ae4b9ff41d9cff82c29582df1739b8013789360adb853c31d02a159c706f9874fd6a5472f3d429062ce0b25ca40f4fd61401c5808d17f4a3

Download Submit
C:\Windows\{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe

Filesize
204KB

MD5
e1814b317a489a3422baa868d0832523

SHA1
78ef121c0eaded733992abb7a41d4fd25beb2d9c

SHA256
b6066791987064fd75d4d8a2f6204bdbb8aea1f1bbd435a537d85a1a406ef6e2

SHA512
367bd1b995e24f52e3ea6383a1115a55a8e54fd71e13c53f0e146e58ebbc2fbe458cbf094b4a464efbea3c12237678d5a282b63c70ae9c8f568da37689e51989

Download Submit
C:\Windows\{E6BF7DDB-D35A-4cb2-BF9B-D8C862130A0E}.exe

Filesize
204KB

MD5
e1814b317a489a3422baa868d0832523

SHA1
78ef121c0eaded733992abb7a41d4fd25beb2d9c

SHA256
b6066791987064fd75d4d8a2f6204bdbb8aea1f1bbd435a537d85a1a406ef6e2

SHA512
367bd1b995e24f52e3ea6383a1115a55a8e54fd71e13c53f0e146e58ebbc2fbe458cbf094b4a464efbea3c12237678d5a282b63c70ae9c8f568da37689e51989

Download Submit
C:\Windows\{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe

Filesize
204KB

MD5
079f81bf2a1f1dfba55bb9b31ceec6df

SHA1
cc24d1c201fbee62feba061f7ea1a667af63bd20

SHA256
7f3dcdd3c725aedbb8d48bb7a4f48fd669f8989ffec8f84b674af8ef5e07c93e

SHA512
e097c2bad70651eeccf8588a075b8d7c702a91d3e881ab751c279c1b196a808903d44368dfb66efbcba8fd54c587c4ab56b2ce3ef16901e76345ba97449c241e

Download Submit
C:\Windows\{E86CCE1B-0230-4836-9C50-FCBD6028DD10}.exe

Filesize
204KB

MD5
079f81bf2a1f1dfba55bb9b31ceec6df

SHA1
cc24d1c201fbee62feba061f7ea1a667af63bd20

SHA256
7f3dcdd3c725aedbb8d48bb7a4f48fd669f8989ffec8f84b674af8ef5e07c93e

SHA512
e097c2bad70651eeccf8588a075b8d7c702a91d3e881ab751c279c1b196a808903d44368dfb66efbcba8fd54c587c4ab56b2ce3ef16901e76345ba97449c241e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads