1e5aa3a810b29fd6039e4f8d2d356ee0e7f6a70e49ca3051e80420340e585e73

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2023, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5a9b54676df51b056a5ee478f2d080c_goldeneye_JC.exe
Size

204KB
MD5

a5a9b54676df51b056a5ee478f2d080c
SHA1

fe96b47b3eb6088530d9326a4834690918addadf
SHA256

1e5aa3a810b29fd6039e4f8d2d356ee0e7f6a70e49ca3051e80420340e585e73
SHA512

101f114008158576fa9512d8622bfa3ed800a12a7d99bbb6809981534d6d0008fd431f543748c3ad48c59bea1f5db3353cf501e2ceb3e1628f43a9ea6e10b06b
SSDEEP

1536:1EGh0oUl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oUl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC609D1-3B78-4ecf-8343-B6C15565D273}\stubpath = "C:\\Windows\\{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe"	{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42ADF725-76BC-4809-A4A1-16165968EE4F}	{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3099140-641C-4c49-BF86-A5FEEDB05131}	{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B6FAAB1-75A5-432e-86EB-1808EC9645AB}\stubpath = "C:\\Windows\\{8B6FAAB1-75A5-432e-86EB-1808EC9645AB}.exe"	{56BADBC0-D703-4d4b-B368-7499B8ABC85C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}\stubpath = "C:\\Windows\\{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe"	a5a9b54676df51b056a5ee478f2d080c_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42ADF725-76BC-4809-A4A1-16165968EE4F}\stubpath = "C:\\Windows\\{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe"	{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}	{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}	{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3099140-641C-4c49-BF86-A5FEEDB05131}\stubpath = "C:\\Windows\\{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe"	{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC609D1-3B78-4ecf-8343-B6C15565D273}	{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22B00D47-C58B-4324-8C9F-EF5700EDDC12}	{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22B00D47-C58B-4324-8C9F-EF5700EDDC12}\stubpath = "C:\\Windows\\{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe"	{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{089F3C28-0178-4f13-A874-A3B3A63DAA56}	{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{089F3C28-0178-4f13-A874-A3B3A63DAA56}\stubpath = "C:\\Windows\\{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe"	{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}\stubpath = "C:\\Windows\\{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe"	{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}\stubpath = "C:\\Windows\\{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe"	{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71D2066-0151-411b-8980-FF21CF5C0B7C}\stubpath = "C:\\Windows\\{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe"	{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}	a5a9b54676df51b056a5ee478f2d080c_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BADBC0-D703-4d4b-B368-7499B8ABC85C}	{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}\stubpath = "C:\\Windows\\{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe"	{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71D2066-0151-411b-8980-FF21CF5C0B7C}	{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BADBC0-D703-4d4b-B368-7499B8ABC85C}\stubpath = "C:\\Windows\\{56BADBC0-D703-4d4b-B368-7499B8ABC85C}.exe"	{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B6FAAB1-75A5-432e-86EB-1808EC9645AB}	{56BADBC0-D703-4d4b-B368-7499B8ABC85C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}	{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe

Executes dropped EXE 12 IoCs

pid	Process
3168	{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe
408	{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe
1432	{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe
1460	{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe
2880	{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe
2656	{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe
3660	{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe
3384	{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe
1352	{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe
4904	{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe
2380	{56BADBC0-D703-4d4b-B368-7499B8ABC85C}.exe
2936	{8B6FAAB1-75A5-432e-86EB-1808EC9645AB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe	{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe
File created	C:\Windows\{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe	{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe
File created	C:\Windows\{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe	{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe
File created	C:\Windows\{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe	{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe
File created	C:\Windows\{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe	{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe
File created	C:\Windows\{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe	{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe
File created	C:\Windows\{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe	{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe
File created	C:\Windows\{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe	{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe
File created	C:\Windows\{56BADBC0-D703-4d4b-B368-7499B8ABC85C}.exe	{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe
File created	C:\Windows\{8B6FAAB1-75A5-432e-86EB-1808EC9645AB}.exe	{56BADBC0-D703-4d4b-B368-7499B8ABC85C}.exe
File created	C:\Windows\{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe	a5a9b54676df51b056a5ee478f2d080c_goldeneye_JC.exe
File created	C:\Windows\{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe	{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2764	a5a9b54676df51b056a5ee478f2d080c_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3168	{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe
Token: SeIncBasePriorityPrivilege	408	{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe
Token: SeIncBasePriorityPrivilege	1432	{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe
Token: SeIncBasePriorityPrivilege	1460	{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe
Token: SeIncBasePriorityPrivilege	2880	{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe
Token: SeIncBasePriorityPrivilege	2656	{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe
Token: SeIncBasePriorityPrivilege	3660	{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe
Token: SeIncBasePriorityPrivilege	3384	{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe
Token: SeIncBasePriorityPrivilege	1352	{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe
Token: SeIncBasePriorityPrivilege	4904	{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe
Token: SeIncBasePriorityPrivilege	2380	{56BADBC0-D703-4d4b-B368-7499B8ABC85C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 3168	2764	a5a9b54676df51b056a5ee478f2d080c_goldeneye_JC.exe	84
PID 2764 wrote to memory of 3168	2764	a5a9b54676df51b056a5ee478f2d080c_goldeneye_JC.exe	84
PID 2764 wrote to memory of 3168	2764	a5a9b54676df51b056a5ee478f2d080c_goldeneye_JC.exe	84
PID 2764 wrote to memory of 3768	2764	a5a9b54676df51b056a5ee478f2d080c_goldeneye_JC.exe	85
PID 2764 wrote to memory of 3768	2764	a5a9b54676df51b056a5ee478f2d080c_goldeneye_JC.exe	85
PID 2764 wrote to memory of 3768	2764	a5a9b54676df51b056a5ee478f2d080c_goldeneye_JC.exe	85
PID 3168 wrote to memory of 408	3168	{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe	86
PID 3168 wrote to memory of 408	3168	{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe	86
PID 3168 wrote to memory of 408	3168	{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe	86
PID 3168 wrote to memory of 632	3168	{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe	87
PID 3168 wrote to memory of 632	3168	{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe	87
PID 3168 wrote to memory of 632	3168	{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe	87
PID 408 wrote to memory of 1432	408	{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe	92
PID 408 wrote to memory of 1432	408	{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe	92
PID 408 wrote to memory of 1432	408	{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe	92
PID 408 wrote to memory of 4204	408	{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe	91
PID 408 wrote to memory of 4204	408	{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe	91
PID 408 wrote to memory of 4204	408	{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe	91
PID 1432 wrote to memory of 1460	1432	{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe	93
PID 1432 wrote to memory of 1460	1432	{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe	93
PID 1432 wrote to memory of 1460	1432	{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe	93
PID 1432 wrote to memory of 2796	1432	{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe	94
PID 1432 wrote to memory of 2796	1432	{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe	94
PID 1432 wrote to memory of 2796	1432	{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe	94
PID 1460 wrote to memory of 2880	1460	{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe	95
PID 1460 wrote to memory of 2880	1460	{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe	95
PID 1460 wrote to memory of 2880	1460	{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe	95
PID 1460 wrote to memory of 924	1460	{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe	96
PID 1460 wrote to memory of 924	1460	{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe	96
PID 1460 wrote to memory of 924	1460	{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe	96
PID 2880 wrote to memory of 2656	2880	{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe	97
PID 2880 wrote to memory of 2656	2880	{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe	97
PID 2880 wrote to memory of 2656	2880	{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe	97
PID 2880 wrote to memory of 1448	2880	{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe	98
PID 2880 wrote to memory of 1448	2880	{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe	98
PID 2880 wrote to memory of 1448	2880	{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe	98
PID 2656 wrote to memory of 3660	2656	{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe	99
PID 2656 wrote to memory of 3660	2656	{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe	99
PID 2656 wrote to memory of 3660	2656	{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe	99
PID 2656 wrote to memory of 3984	2656	{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe	100
PID 2656 wrote to memory of 3984	2656	{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe	100
PID 2656 wrote to memory of 3984	2656	{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe	100
PID 3660 wrote to memory of 3384	3660	{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe	101
PID 3660 wrote to memory of 3384	3660	{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe	101
PID 3660 wrote to memory of 3384	3660	{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe	101
PID 3660 wrote to memory of 3560	3660	{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe	102
PID 3660 wrote to memory of 3560	3660	{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe	102
PID 3660 wrote to memory of 3560	3660	{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe	102
PID 3384 wrote to memory of 1352	3384	{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe	103
PID 3384 wrote to memory of 1352	3384	{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe	103
PID 3384 wrote to memory of 1352	3384	{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe	103
PID 3384 wrote to memory of 4212	3384	{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe	104
PID 3384 wrote to memory of 4212	3384	{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe	104
PID 3384 wrote to memory of 4212	3384	{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe	104
PID 1352 wrote to memory of 4904	1352	{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe	105
PID 1352 wrote to memory of 4904	1352	{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe	105
PID 1352 wrote to memory of 4904	1352	{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe	105
PID 1352 wrote to memory of 116	1352	{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe	106
PID 1352 wrote to memory of 116	1352	{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe	106
PID 1352 wrote to memory of 116	1352	{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe	106
PID 4904 wrote to memory of 2380	4904	{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe	107
PID 4904 wrote to memory of 2380	4904	{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe	107
PID 4904 wrote to memory of 2380	4904	{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe	107
PID 4904 wrote to memory of 2980	4904	{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe	108

C:\Users\Admin\AppData\Local\Temp\a5a9b54676df51b056a5ee478f2d080c_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a5a9b54676df51b056a5ee478f2d080c_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe
  C:\Windows\{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe
    C:\Windows\{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{22B00~1.EXE > nul
      4⤵
      PID:4204
  - - C:\Windows\{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe
      C:\Windows\{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe
        
        C:\Windows\{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Windows\{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe
        
        C:\Windows\{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe
        
        C:\Windows\{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe
        
        C:\Windows\{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe
        
        C:\Windows\{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe
        
        C:\Windows\{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe
        
        C:\Windows\{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\{56BADBC0-D703-4d4b-B368-7499B8ABC85C}.exe
        
        C:\Windows\{56BADBC0-D703-4d4b-B368-7499B8ABC85C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\{8B6FAAB1-75A5-432e-86EB-1808EC9645AB}.exe
        
        C:\Windows\{8B6FAAB1-75A5-432e-86EB-1808EC9645AB}.exe
        13⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56BAD~1.EXE > nul
        13⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3099~1.EXE > nul
        12⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B71D2~1.EXE > nul
        11⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFFF7~1.EXE > nul
        10⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E22D3~1.EXE > nul
        9⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8ECA~1.EXE > nul
        8⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42ADF~1.EXE > nul
        7⤵
        
        PID:1448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{089F3~1.EXE > nul
        6⤵
        
        PID:924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FC60~1.EXE > nul
        5⤵
        
        PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5A29C~1.EXE > nul
    3⤵
    PID:632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A5A9B5~1.EXE > nul
  2⤵
  PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe

Filesize
204KB

MD5
bfcc773ae4fedcc6f34dda0aff909bc9

SHA1
6986fcb6306482fb3c4e45d4bd365e702941ff25

SHA256
efa9e891ff4d7ce76bc94616c5f29544c38a72bc1fb56a4f5a923e80d6586085

SHA512
de93ff01f78b1099d5649f394e1336e265b1a4f4e25a46c8e6fbcf9a64fb71a8bc4a71aa4f6871ae5602da21a25cfebb07b46c20b188a78af03130ddabcdce55

Download Submit
C:\Windows\{089F3C28-0178-4f13-A874-A3B3A63DAA56}.exe

Filesize
204KB

MD5
bfcc773ae4fedcc6f34dda0aff909bc9

SHA1
6986fcb6306482fb3c4e45d4bd365e702941ff25

SHA256
efa9e891ff4d7ce76bc94616c5f29544c38a72bc1fb56a4f5a923e80d6586085

SHA512
de93ff01f78b1099d5649f394e1336e265b1a4f4e25a46c8e6fbcf9a64fb71a8bc4a71aa4f6871ae5602da21a25cfebb07b46c20b188a78af03130ddabcdce55

Download Submit
C:\Windows\{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe

Filesize
204KB

MD5
555b2d453af28cf3c8f02d8fd7f5c1e0

SHA1
d139cd8c87e6398f15a004fba9cc8756e4961606

SHA256
26ae5464945d1501709e1636a032adf85894e72bb60011cf49d397ff80c7ac67

SHA512
c84625955dc19bfbd74040676eecbb0f0c6e74f0f810ec37613ee82dc2d29dd75889e8c4cc193f7ac70dd02c312cec7f57157e6c374560ba02478155b38fac29

Download Submit
C:\Windows\{22B00D47-C58B-4324-8C9F-EF5700EDDC12}.exe

Filesize
204KB

MD5
555b2d453af28cf3c8f02d8fd7f5c1e0

SHA1
d139cd8c87e6398f15a004fba9cc8756e4961606

SHA256
26ae5464945d1501709e1636a032adf85894e72bb60011cf49d397ff80c7ac67

SHA512
c84625955dc19bfbd74040676eecbb0f0c6e74f0f810ec37613ee82dc2d29dd75889e8c4cc193f7ac70dd02c312cec7f57157e6c374560ba02478155b38fac29

Download Submit
C:\Windows\{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe

Filesize
204KB

MD5
d3f3e4a330c6cc68b41a73c3db9c7b22

SHA1
58cfa866fdb7d3bfc56b618fa4cefaee9f1e904c

SHA256
d9bbc271ca8c98a4ead46fd2d589c920fdb7e45e1078da8e540c7561a132723d

SHA512
035c040f075e0e556e71293dcd3be1fbd74e6f2e4798b93aab054059ec5afff951278af4890fa1b14891b014bf69e248eec3f6f6e47bc0d3b8aa9f0945916cf6

Download Submit
C:\Windows\{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe

Filesize
204KB

MD5
d3f3e4a330c6cc68b41a73c3db9c7b22

SHA1
58cfa866fdb7d3bfc56b618fa4cefaee9f1e904c

SHA256
d9bbc271ca8c98a4ead46fd2d589c920fdb7e45e1078da8e540c7561a132723d

SHA512
035c040f075e0e556e71293dcd3be1fbd74e6f2e4798b93aab054059ec5afff951278af4890fa1b14891b014bf69e248eec3f6f6e47bc0d3b8aa9f0945916cf6

Download Submit
C:\Windows\{2FC609D1-3B78-4ecf-8343-B6C15565D273}.exe

Filesize
204KB

MD5
d3f3e4a330c6cc68b41a73c3db9c7b22

SHA1
58cfa866fdb7d3bfc56b618fa4cefaee9f1e904c

SHA256
d9bbc271ca8c98a4ead46fd2d589c920fdb7e45e1078da8e540c7561a132723d

SHA512
035c040f075e0e556e71293dcd3be1fbd74e6f2e4798b93aab054059ec5afff951278af4890fa1b14891b014bf69e248eec3f6f6e47bc0d3b8aa9f0945916cf6

Download Submit
C:\Windows\{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe

Filesize
204KB

MD5
b037366deca4464f268e8c859edd9c95

SHA1
741f437d06d751c1271a73aa05eef0d95e288f82

SHA256
7d0ad3cc2ec1c11b645661c522a49cb0ddd153b2f17d02f39b077685b06b3b1d

SHA512
b4259d06e95b15b6ef20477e9a6eb44fd94b2f0d4dcba8528396615ea4731df62c97fd0e68765d68c3d1655a23ca7dc596079109f0eeb2b33ca95e47271110d6

Download Submit
C:\Windows\{42ADF725-76BC-4809-A4A1-16165968EE4F}.exe

Filesize
204KB

MD5
b037366deca4464f268e8c859edd9c95

SHA1
741f437d06d751c1271a73aa05eef0d95e288f82

SHA256
7d0ad3cc2ec1c11b645661c522a49cb0ddd153b2f17d02f39b077685b06b3b1d

SHA512
b4259d06e95b15b6ef20477e9a6eb44fd94b2f0d4dcba8528396615ea4731df62c97fd0e68765d68c3d1655a23ca7dc596079109f0eeb2b33ca95e47271110d6

Download Submit
C:\Windows\{56BADBC0-D703-4d4b-B368-7499B8ABC85C}.exe

Filesize
204KB

MD5
e3e7db050d695b5f11d8fc6aa53de276

SHA1
4c11010c1e0ed10de2db9eb48e9250150cff19cb

SHA256
dc25c13f47f836aaf7c96dbef20ef07932cab601136563912a9e9581b7a9741e

SHA512
2ab1e2961ff10002920ec1c1d4ed701d16a39fbbdcd54c9986b51f7b0f985e59cce66292632b2801233c4b9019926335e18e6948c42e93c8f78b707b87a8312b

Download Submit
C:\Windows\{56BADBC0-D703-4d4b-B368-7499B8ABC85C}.exe

Filesize
204KB

MD5
e3e7db050d695b5f11d8fc6aa53de276

SHA1
4c11010c1e0ed10de2db9eb48e9250150cff19cb

SHA256
dc25c13f47f836aaf7c96dbef20ef07932cab601136563912a9e9581b7a9741e

SHA512
2ab1e2961ff10002920ec1c1d4ed701d16a39fbbdcd54c9986b51f7b0f985e59cce66292632b2801233c4b9019926335e18e6948c42e93c8f78b707b87a8312b

Download Submit
C:\Windows\{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe

Filesize
204KB

MD5
b9dbc1f3f4d1eb7f0486085ec447a0d0

SHA1
14a583741b206d821963828380c65daf321d4023

SHA256
8cce2ffc710ba5c785d217352a9f98ff258a1b16b615ccef5e7788ed0fcaf825

SHA512
054afbe49fc478b17787ec50620553559c6888a354075a93f679b738c85b5f29f9881c77cf3674ce5835cd716406c2bc1d20a106c98c6439695de85b2c7eb9cd

Download Submit
C:\Windows\{5A29C451-6DB8-416a-AC5E-177D4A35CD1D}.exe

Filesize
204KB

MD5
b9dbc1f3f4d1eb7f0486085ec447a0d0

SHA1
14a583741b206d821963828380c65daf321d4023

SHA256
8cce2ffc710ba5c785d217352a9f98ff258a1b16b615ccef5e7788ed0fcaf825

SHA512
054afbe49fc478b17787ec50620553559c6888a354075a93f679b738c85b5f29f9881c77cf3674ce5835cd716406c2bc1d20a106c98c6439695de85b2c7eb9cd

Download Submit
C:\Windows\{8B6FAAB1-75A5-432e-86EB-1808EC9645AB}.exe

Filesize
204KB

MD5
834b373b976c41df016f7b649d56b46e

SHA1
0a667286cbdc7607ef638c399e552c2f9a860049

SHA256
f211924aa342ffc6319bad7a8b6bada14573f06942df593810b37e09628abd42

SHA512
2ba98bdda90481cce891d8f95148ec011746e241e548890fdb612da360976a3035effdbd064cd4662b8334b0224e8c341ef5e4182d824661a5b7482a84190ce2

Download Submit
C:\Windows\{8B6FAAB1-75A5-432e-86EB-1808EC9645AB}.exe

Filesize
204KB

MD5
834b373b976c41df016f7b649d56b46e

SHA1
0a667286cbdc7607ef638c399e552c2f9a860049

SHA256
f211924aa342ffc6319bad7a8b6bada14573f06942df593810b37e09628abd42

SHA512
2ba98bdda90481cce891d8f95148ec011746e241e548890fdb612da360976a3035effdbd064cd4662b8334b0224e8c341ef5e4182d824661a5b7482a84190ce2

Download Submit
C:\Windows\{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe

Filesize
204KB

MD5
fa645639fbe8b751d226eeb90d6cadab

SHA1
6f7114a6d112bcad92729e96b8109a4c3281198a

SHA256
82fcc1162d79691cccafaa5c447b945ecba9110ede1c1c300e052e28cb9ee755

SHA512
2115f24e6d987bf64ebcd771ea8de0db6d8273c564a0c999b8d243c2244329ab47cc821b0f2bc899e28405c99b15ec7a48721fc23a6ccf32426bbdb6fb96fd7c

Download Submit
C:\Windows\{B71D2066-0151-411b-8980-FF21CF5C0B7C}.exe

Filesize
204KB

MD5
fa645639fbe8b751d226eeb90d6cadab

SHA1
6f7114a6d112bcad92729e96b8109a4c3281198a

SHA256
82fcc1162d79691cccafaa5c447b945ecba9110ede1c1c300e052e28cb9ee755

SHA512
2115f24e6d987bf64ebcd771ea8de0db6d8273c564a0c999b8d243c2244329ab47cc821b0f2bc899e28405c99b15ec7a48721fc23a6ccf32426bbdb6fb96fd7c

Download Submit
C:\Windows\{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe

Filesize
204KB

MD5
b795c517961e6aed1809aedbcade53ab

SHA1
38b647644e43617f934dfa9de6c4e448a82c2c25

SHA256
b2d376cd9d7c044fc150105a23ea56f7c1f1b54895ab9aeae00cc3ba0fb6a7f8

SHA512
20f76e92f49b5520e90ef4d4ff9d443d350ed3768a43fc8ac0b8b6fee0270258c8f67807467108da9ca6e4e656ae20700d0721bbf8b60a08450f7b3deba1add6

Download Submit
C:\Windows\{C8ECAD7E-0C0E-40ac-8EC8-A8FA59BEB8CD}.exe

Filesize
204KB

MD5
b795c517961e6aed1809aedbcade53ab

SHA1
38b647644e43617f934dfa9de6c4e448a82c2c25

SHA256
b2d376cd9d7c044fc150105a23ea56f7c1f1b54895ab9aeae00cc3ba0fb6a7f8

SHA512
20f76e92f49b5520e90ef4d4ff9d443d350ed3768a43fc8ac0b8b6fee0270258c8f67807467108da9ca6e4e656ae20700d0721bbf8b60a08450f7b3deba1add6

Download Submit
C:\Windows\{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe

Filesize
204KB

MD5
6de6c0c080427f613528682f84b4de1a

SHA1
50e8680dce6b4fd8b0872b57f9b919b20c84788e

SHA256
6f876e23f2fcc507c79dd4f2755b68944d6a9c5c2ca9cb870b9909d012557eba

SHA512
923bb9c34b6854cd16c76b980e672e5719cf238f1e37999b8fe98a05ff8901943db94acdaaa18e6a3fefafccf8e24f73db65e33863cc835bb3b0fe552fdeceba

Download Submit
C:\Windows\{DFFF768A-06DF-4fec-A575-6419B3F9BC7A}.exe

Filesize
204KB

MD5
6de6c0c080427f613528682f84b4de1a

SHA1
50e8680dce6b4fd8b0872b57f9b919b20c84788e

SHA256
6f876e23f2fcc507c79dd4f2755b68944d6a9c5c2ca9cb870b9909d012557eba

SHA512
923bb9c34b6854cd16c76b980e672e5719cf238f1e37999b8fe98a05ff8901943db94acdaaa18e6a3fefafccf8e24f73db65e33863cc835bb3b0fe552fdeceba

Download Submit
C:\Windows\{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe

Filesize
204KB

MD5
8aea1662ba82ed9c6030d61dbdb8074a

SHA1
04b799d1dde768d3ff5bbd503f1949ac5999a6ef

SHA256
8de9ebd888b7d9fcd1890aa473bcad402149813ad72fe9547a7ef4b23a641c21

SHA512
9a1dcbb61ece575668d0381e04f6897c735ee98de542702dd90711c9a01e9b82be9d7fa9b8f7f0b1743a0165b920957207b8201a590797ff2000d9ddfdc25461

Download Submit
C:\Windows\{E22D3FC3-D624-4496-918D-DA5DDB1C2F5C}.exe

Filesize
204KB

MD5
8aea1662ba82ed9c6030d61dbdb8074a

SHA1
04b799d1dde768d3ff5bbd503f1949ac5999a6ef

SHA256
8de9ebd888b7d9fcd1890aa473bcad402149813ad72fe9547a7ef4b23a641c21

SHA512
9a1dcbb61ece575668d0381e04f6897c735ee98de542702dd90711c9a01e9b82be9d7fa9b8f7f0b1743a0165b920957207b8201a590797ff2000d9ddfdc25461

Download Submit
C:\Windows\{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe

Filesize
204KB

MD5
b10e3d242bc934a22970486c7d014d00

SHA1
d9a435d7ef130313264ee6ebe6edde6663ad2bd3

SHA256
a8e6ea498974b1f3f465fa275fa9e4805f0e9d046cfd38fff758cdf7e1bc95b0

SHA512
d003688f97fc1bb89bc20ac72fb5ff17b07d6ed1b0cffa78cfcf004fb2c0d0fd3ca0c26676e7e4a5af64195bba8f29bab392e54c79c8b2fef103f79a25def861

Download Submit
C:\Windows\{F3099140-641C-4c49-BF86-A5FEEDB05131}.exe

Filesize
204KB

MD5
b10e3d242bc934a22970486c7d014d00

SHA1
d9a435d7ef130313264ee6ebe6edde6663ad2bd3

SHA256
a8e6ea498974b1f3f465fa275fa9e4805f0e9d046cfd38fff758cdf7e1bc95b0

SHA512
d003688f97fc1bb89bc20ac72fb5ff17b07d6ed1b0cffa78cfcf004fb2c0d0fd3ca0c26676e7e4a5af64195bba8f29bab392e54c79c8b2fef103f79a25def861

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads