e082eecc516af2926a3b37b1966c462fa8f9e4064bbee7d9c3807f0183e5e4a2

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb91e7bbda5f5530e896028f90a1ded8_goldeneye_JC.exe
Size

204KB
MD5

bb91e7bbda5f5530e896028f90a1ded8
SHA1

feea9e88954f2480082a82d1d8922c7811433cbc
SHA256

e082eecc516af2926a3b37b1966c462fa8f9e4064bbee7d9c3807f0183e5e4a2
SHA512

7294b1bff47e833bd52def0d449c06b8d4cad08b6d55ccc777a65146954de545982e1e75b62f41e5a02498cb0ffc6e805b3c086a3710cd5891260bcb9d9a3d13
SSDEEP

1536:1EGh0o6l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o6l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}	{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}	{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E30A5514-444B-41ae-BB66-A066F8D219DF}	bb91e7bbda5f5530e896028f90a1ded8_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E30A5514-444B-41ae-BB66-A066F8D219DF}\stubpath = "C:\\Windows\\{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe"	bb91e7bbda5f5530e896028f90a1ded8_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}\stubpath = "C:\\Windows\\{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe"	{AA404074-13EE-417c-8123-8369E179F3C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B908F862-572D-40d0-9F70-52C1A2DB626F}	{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}	{982D2010-83AD-471a-9DAF-4A563539666B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF24148A-1AF5-408c-A136-D017FB7C2BFA}\stubpath = "C:\\Windows\\{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe"	{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6C29816-D40A-48ee-880E-4339C2481261}	{F3D0C189-4486-461b-A63E-E588240CA878}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA404074-13EE-417c-8123-8369E179F3C5}	{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}	{AA404074-13EE-417c-8123-8369E179F3C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B908F862-572D-40d0-9F70-52C1A2DB626F}\stubpath = "C:\\Windows\\{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe"	{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}	{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{982D2010-83AD-471a-9DAF-4A563539666B}	{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF24148A-1AF5-408c-A136-D017FB7C2BFA}	{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}\stubpath = "C:\\Windows\\{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe"	{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3D0C189-4486-461b-A63E-E588240CA878}	{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6C29816-D40A-48ee-880E-4339C2481261}\stubpath = "C:\\Windows\\{C6C29816-D40A-48ee-880E-4339C2481261}.exe"	{F3D0C189-4486-461b-A63E-E588240CA878}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA404074-13EE-417c-8123-8369E179F3C5}\stubpath = "C:\\Windows\\{AA404074-13EE-417c-8123-8369E179F3C5}.exe"	{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}\stubpath = "C:\\Windows\\{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe"	{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{982D2010-83AD-471a-9DAF-4A563539666B}\stubpath = "C:\\Windows\\{982D2010-83AD-471a-9DAF-4A563539666B}.exe"	{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}\stubpath = "C:\\Windows\\{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe"	{982D2010-83AD-471a-9DAF-4A563539666B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}\stubpath = "C:\\Windows\\{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe"	{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3D0C189-4486-461b-A63E-E588240CA878}\stubpath = "C:\\Windows\\{F3D0C189-4486-461b-A63E-E588240CA878}.exe"	{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe

Executes dropped EXE 12 IoCs

pid	Process
4488	{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe
1892	{AA404074-13EE-417c-8123-8369E179F3C5}.exe
2920	{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe
3692	{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe
5060	{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe
5024	{982D2010-83AD-471a-9DAF-4A563539666B}.exe
4816	{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe
372	{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe
4684	{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe
4020	{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe
4136	{F3D0C189-4486-461b-A63E-E588240CA878}.exe
2688	{C6C29816-D40A-48ee-880E-4339C2481261}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe	{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe
File created	C:\Windows\{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe	{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe
File created	C:\Windows\{F3D0C189-4486-461b-A63E-E588240CA878}.exe	{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe
File created	C:\Windows\{AA404074-13EE-417c-8123-8369E179F3C5}.exe	{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe
File created	C:\Windows\{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe	{AA404074-13EE-417c-8123-8369E179F3C5}.exe
File created	C:\Windows\{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe	{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe
File created	C:\Windows\{982D2010-83AD-471a-9DAF-4A563539666B}.exe	{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe
File created	C:\Windows\{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe	{982D2010-83AD-471a-9DAF-4A563539666B}.exe
File created	C:\Windows\{C6C29816-D40A-48ee-880E-4339C2481261}.exe	{F3D0C189-4486-461b-A63E-E588240CA878}.exe
File created	C:\Windows\{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe	bb91e7bbda5f5530e896028f90a1ded8_goldeneye_JC.exe
File created	C:\Windows\{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe	{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe
File created	C:\Windows\{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe	{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3564	bb91e7bbda5f5530e896028f90a1ded8_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4488	{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe
Token: SeIncBasePriorityPrivilege	1892	{AA404074-13EE-417c-8123-8369E179F3C5}.exe
Token: SeIncBasePriorityPrivilege	2920	{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe
Token: SeIncBasePriorityPrivilege	3692	{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe
Token: SeIncBasePriorityPrivilege	5060	{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe
Token: SeIncBasePriorityPrivilege	5024	{982D2010-83AD-471a-9DAF-4A563539666B}.exe
Token: SeIncBasePriorityPrivilege	4816	{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe
Token: SeIncBasePriorityPrivilege	372	{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe
Token: SeIncBasePriorityPrivilege	4684	{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe
Token: SeIncBasePriorityPrivilege	4020	{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe
Token: SeIncBasePriorityPrivilege	4136	{F3D0C189-4486-461b-A63E-E588240CA878}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 4488	3564	bb91e7bbda5f5530e896028f90a1ded8_goldeneye_JC.exe	90
PID 3564 wrote to memory of 4488	3564	bb91e7bbda5f5530e896028f90a1ded8_goldeneye_JC.exe	90
PID 3564 wrote to memory of 4488	3564	bb91e7bbda5f5530e896028f90a1ded8_goldeneye_JC.exe	90
PID 3564 wrote to memory of 4876	3564	bb91e7bbda5f5530e896028f90a1ded8_goldeneye_JC.exe	91
PID 3564 wrote to memory of 4876	3564	bb91e7bbda5f5530e896028f90a1ded8_goldeneye_JC.exe	91
PID 3564 wrote to memory of 4876	3564	bb91e7bbda5f5530e896028f90a1ded8_goldeneye_JC.exe	91
PID 4488 wrote to memory of 1892	4488	{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe	92
PID 4488 wrote to memory of 1892	4488	{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe	92
PID 4488 wrote to memory of 1892	4488	{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe	92
PID 4488 wrote to memory of 4316	4488	{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe	93
PID 4488 wrote to memory of 4316	4488	{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe	93
PID 4488 wrote to memory of 4316	4488	{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe	93
PID 1892 wrote to memory of 2920	1892	{AA404074-13EE-417c-8123-8369E179F3C5}.exe	96
PID 1892 wrote to memory of 2920	1892	{AA404074-13EE-417c-8123-8369E179F3C5}.exe	96
PID 1892 wrote to memory of 2920	1892	{AA404074-13EE-417c-8123-8369E179F3C5}.exe	96
PID 1892 wrote to memory of 2148	1892	{AA404074-13EE-417c-8123-8369E179F3C5}.exe	95
PID 1892 wrote to memory of 2148	1892	{AA404074-13EE-417c-8123-8369E179F3C5}.exe	95
PID 1892 wrote to memory of 2148	1892	{AA404074-13EE-417c-8123-8369E179F3C5}.exe	95
PID 2920 wrote to memory of 3692	2920	{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe	97
PID 2920 wrote to memory of 3692	2920	{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe	97
PID 2920 wrote to memory of 3692	2920	{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe	97
PID 2920 wrote to memory of 4860	2920	{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe	98
PID 2920 wrote to memory of 4860	2920	{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe	98
PID 2920 wrote to memory of 4860	2920	{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe	98
PID 3692 wrote to memory of 5060	3692	{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe	99
PID 3692 wrote to memory of 5060	3692	{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe	99
PID 3692 wrote to memory of 5060	3692	{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe	99
PID 3692 wrote to memory of 232	3692	{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe	100
PID 3692 wrote to memory of 232	3692	{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe	100
PID 3692 wrote to memory of 232	3692	{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe	100
PID 5060 wrote to memory of 5024	5060	{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe	101
PID 5060 wrote to memory of 5024	5060	{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe	101
PID 5060 wrote to memory of 5024	5060	{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe	101
PID 5060 wrote to memory of 2620	5060	{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe	102
PID 5060 wrote to memory of 2620	5060	{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe	102
PID 5060 wrote to memory of 2620	5060	{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe	102
PID 5024 wrote to memory of 4816	5024	{982D2010-83AD-471a-9DAF-4A563539666B}.exe	103
PID 5024 wrote to memory of 4816	5024	{982D2010-83AD-471a-9DAF-4A563539666B}.exe	103
PID 5024 wrote to memory of 4816	5024	{982D2010-83AD-471a-9DAF-4A563539666B}.exe	103
PID 5024 wrote to memory of 4980	5024	{982D2010-83AD-471a-9DAF-4A563539666B}.exe	104
PID 5024 wrote to memory of 4980	5024	{982D2010-83AD-471a-9DAF-4A563539666B}.exe	104
PID 5024 wrote to memory of 4980	5024	{982D2010-83AD-471a-9DAF-4A563539666B}.exe	104
PID 4816 wrote to memory of 372	4816	{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe	105
PID 4816 wrote to memory of 372	4816	{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe	105
PID 4816 wrote to memory of 372	4816	{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe	105
PID 4816 wrote to memory of 4184	4816	{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe	106
PID 4816 wrote to memory of 4184	4816	{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe	106
PID 4816 wrote to memory of 4184	4816	{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe	106
PID 372 wrote to memory of 4684	372	{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe	108
PID 372 wrote to memory of 4684	372	{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe	108
PID 372 wrote to memory of 4684	372	{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe	108
PID 372 wrote to memory of 2140	372	{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe	107
PID 372 wrote to memory of 2140	372	{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe	107
PID 372 wrote to memory of 2140	372	{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe	107
PID 4684 wrote to memory of 4020	4684	{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe	109
PID 4684 wrote to memory of 4020	4684	{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe	109
PID 4684 wrote to memory of 4020	4684	{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe	109
PID 4684 wrote to memory of 3784	4684	{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe	110
PID 4684 wrote to memory of 3784	4684	{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe	110
PID 4684 wrote to memory of 3784	4684	{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe	110
PID 4020 wrote to memory of 4136	4020	{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe	111
PID 4020 wrote to memory of 4136	4020	{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe	111
PID 4020 wrote to memory of 4136	4020	{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe	111
PID 4020 wrote to memory of 4044	4020	{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe	112

C:\Users\Admin\AppData\Local\Temp\bb91e7bbda5f5530e896028f90a1ded8_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\bb91e7bbda5f5530e896028f90a1ded8_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe
  C:\Windows\{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\{AA404074-13EE-417c-8123-8369E179F3C5}.exe
    C:\Windows\{AA404074-13EE-417c-8123-8369E179F3C5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA404~1.EXE > nul
      4⤵
      PID:2148
  - - C:\Windows\{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe
      C:\Windows\{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe
        
        C:\Windows\{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3692
      - C:\Windows\{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe
        
        C:\Windows\{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\{982D2010-83AD-471a-9DAF-4A563539666B}.exe
        
        C:\Windows\{982D2010-83AD-471a-9DAF-4A563539666B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe
        
        C:\Windows\{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe
        
        C:\Windows\{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF241~1.EXE > nul
        10⤵
        
        PID:2140
        
        C:\Windows\{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe
        
        C:\Windows\{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe
        
        C:\Windows\{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\{F3D0C189-4486-461b-A63E-E588240CA878}.exe
        
        C:\Windows\{F3D0C189-4486-461b-A63E-E588240CA878}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
        
        C:\Windows\{C6C29816-D40A-48ee-880E-4339C2481261}.exe
        
        C:\Windows\{C6C29816-D40A-48ee-880E-4339C2481261}.exe
        13⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3D0C~1.EXE > nul
        13⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78582~1.EXE > nul
        12⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1A6C~1.EXE > nul
        11⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AFBA~1.EXE > nul
        9⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{982D2~1.EXE > nul
        8⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EA62~1.EXE > nul
        7⤵
        
        PID:2620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B908F~1.EXE > nul
        6⤵
        
        PID:232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D2EC~1.EXE > nul
        5⤵
        
        PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E30A5~1.EXE > nul
    3⤵
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BB91E7~1.EXE > nul
  2⤵
  PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe

Filesize
204KB

MD5
10d02420fc5f57351742fad2b1acd121

SHA1
a805a3121267c3f82bf57485b3b412ce7f047d1a

SHA256
374a6dc795be028fe27acf72870d0ad6a40e012aa1465cfa06d4ccdd328e78ee

SHA512
d3708648bc1a577f019ef41e0ed0aa80df410d8c8425b9b426257a6443735625d78e270e2deb4886e58154d6c43d9d8d31134a9f0c14f978370ab8a2ae8fd784

Download Submit
C:\Windows\{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe

Filesize
204KB

MD5
10d02420fc5f57351742fad2b1acd121

SHA1
a805a3121267c3f82bf57485b3b412ce7f047d1a

SHA256
374a6dc795be028fe27acf72870d0ad6a40e012aa1465cfa06d4ccdd328e78ee

SHA512
d3708648bc1a577f019ef41e0ed0aa80df410d8c8425b9b426257a6443735625d78e270e2deb4886e58154d6c43d9d8d31134a9f0c14f978370ab8a2ae8fd784

Download Submit
C:\Windows\{0D2EC7A9-DD6C-45d0-9651-A5F2D413122B}.exe

Filesize
204KB

MD5
10d02420fc5f57351742fad2b1acd121

SHA1
a805a3121267c3f82bf57485b3b412ce7f047d1a

SHA256
374a6dc795be028fe27acf72870d0ad6a40e012aa1465cfa06d4ccdd328e78ee

SHA512
d3708648bc1a577f019ef41e0ed0aa80df410d8c8425b9b426257a6443735625d78e270e2deb4886e58154d6c43d9d8d31134a9f0c14f978370ab8a2ae8fd784

Download Submit
C:\Windows\{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe

Filesize
204KB

MD5
4260b1369be8aed647892301d5b2f84d

SHA1
31aaaabd7fd0d4b550fc5b6b5a7779e36d661ba0

SHA256
f1c272fe8a7b5c1c3589acab3ae7929bbfb28f4e5fc24a5cfafc4988dbf557b7

SHA512
bfe2471502e63dcfacc9be9d9fe79b7c4b103da367ce805e8201cc96ab7e402b15313e910086db05d73b57e73eb354ebe8398f5412108af9a57b4079c674d656

Download Submit
C:\Windows\{6AFBAB01-C968-4cb1-AFEA-BFE1F87B5E47}.exe

Filesize
204KB

MD5
4260b1369be8aed647892301d5b2f84d

SHA1
31aaaabd7fd0d4b550fc5b6b5a7779e36d661ba0

SHA256
f1c272fe8a7b5c1c3589acab3ae7929bbfb28f4e5fc24a5cfafc4988dbf557b7

SHA512
bfe2471502e63dcfacc9be9d9fe79b7c4b103da367ce805e8201cc96ab7e402b15313e910086db05d73b57e73eb354ebe8398f5412108af9a57b4079c674d656

Download Submit
C:\Windows\{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe

Filesize
204KB

MD5
ed98a6da8f15c876aca2af706a35c5a1

SHA1
427bbabc60c867a91f0466ac2dc8a7e33f2c1892

SHA256
0ba2e4dc18e66b9191400660454cce4b661446978ea6cb53e8175f8fd1b77666

SHA512
3332fc5aa6af971785fdb99e8b099a696ad11004557b7759533fab46293ab847e8c9371ea3459a65ee6b9706c71b723743d5d6b48d1760f4b5ef820d9a2abe61

Download Submit
C:\Windows\{785824A0-152A-42b8-BF4D-F4D81EAE9AE4}.exe

Filesize
204KB

MD5
ed98a6da8f15c876aca2af706a35c5a1

SHA1
427bbabc60c867a91f0466ac2dc8a7e33f2c1892

SHA256
0ba2e4dc18e66b9191400660454cce4b661446978ea6cb53e8175f8fd1b77666

SHA512
3332fc5aa6af971785fdb99e8b099a696ad11004557b7759533fab46293ab847e8c9371ea3459a65ee6b9706c71b723743d5d6b48d1760f4b5ef820d9a2abe61

Download Submit
C:\Windows\{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe

Filesize
204KB

MD5
7899b6fd338c79398b5d48c8f096c505

SHA1
1c4b94d293bcabd5de4967c8609ec8dffc830e60

SHA256
fb2bfdf4cf6bfdcab06ccbb86021f683021e350cee2ae3592845709e6296b3b1

SHA512
77ef1cc037abd54f5d89434a14290bc04cf086a265f65880da5584b1f2c6c3cd095776b892bb54a72becd462af98e9de88f5b668cd3bddf443b27e0995a3fb7a

Download Submit
C:\Windows\{8EA62D64-2320-457e-9AE7-3F43E8AF4CF8}.exe

Filesize
204KB

MD5
7899b6fd338c79398b5d48c8f096c505

SHA1
1c4b94d293bcabd5de4967c8609ec8dffc830e60

SHA256
fb2bfdf4cf6bfdcab06ccbb86021f683021e350cee2ae3592845709e6296b3b1

SHA512
77ef1cc037abd54f5d89434a14290bc04cf086a265f65880da5584b1f2c6c3cd095776b892bb54a72becd462af98e9de88f5b668cd3bddf443b27e0995a3fb7a

Download Submit
C:\Windows\{982D2010-83AD-471a-9DAF-4A563539666B}.exe

Filesize
204KB

MD5
51a44185464726b264fa93af87728df9

SHA1
61e0e0ea61918f97e4c369082a9509d84df918c4

SHA256
f7b80751f65a735d5aef6e2b1d29828a7cd406f635c09067ced88ae51efe7ae0

SHA512
4f82d6996f64eb3b79e8884d00c5c09257fda79b0785f55568902e1cd323dca38858c782606c1d57ba5c611ab0736794594603b71c35a3cf5c16dbd051d2badf

Download Submit
C:\Windows\{982D2010-83AD-471a-9DAF-4A563539666B}.exe

Filesize
204KB

MD5
51a44185464726b264fa93af87728df9

SHA1
61e0e0ea61918f97e4c369082a9509d84df918c4

SHA256
f7b80751f65a735d5aef6e2b1d29828a7cd406f635c09067ced88ae51efe7ae0

SHA512
4f82d6996f64eb3b79e8884d00c5c09257fda79b0785f55568902e1cd323dca38858c782606c1d57ba5c611ab0736794594603b71c35a3cf5c16dbd051d2badf

Download Submit
C:\Windows\{AA404074-13EE-417c-8123-8369E179F3C5}.exe

Filesize
204KB

MD5
165ef2d0a1921276c384fa6ebedaf7bf

SHA1
37d8b48a67f16bce12c5ee2a9b1d3d918a8d3c44

SHA256
5511c704f23a9130c582c1c0e766db25bf761a7d5f9eed37a32fd5275c17d6c7

SHA512
62c94e84d64a27add5f711824fd04ebe6e4d23bf3acae1500e547f7e0a6d9ac8145da91aa37c71090de73a51fe4c7edbc5b9d39f4db849154afbbb49afefafc5

Download Submit
C:\Windows\{AA404074-13EE-417c-8123-8369E179F3C5}.exe

Filesize
204KB

MD5
165ef2d0a1921276c384fa6ebedaf7bf

SHA1
37d8b48a67f16bce12c5ee2a9b1d3d918a8d3c44

SHA256
5511c704f23a9130c582c1c0e766db25bf761a7d5f9eed37a32fd5275c17d6c7

SHA512
62c94e84d64a27add5f711824fd04ebe6e4d23bf3acae1500e547f7e0a6d9ac8145da91aa37c71090de73a51fe4c7edbc5b9d39f4db849154afbbb49afefafc5

Download Submit
C:\Windows\{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe

Filesize
204KB

MD5
9d037cf18ba12cfcbc23f44e7d71e54e

SHA1
d35893ff74b11aa858ed342b5b44185d874613ba

SHA256
09c998fa30f10725415389a75d971e77fc7cf05bae22f11e61d6ee13b968d0f8

SHA512
81dab1462b30587878dade0b40872ba3bee3a61e5c0c945ac833b4989b25cd90c7e39d2443f095b8bf3ce88cf2b677fe696cb4514af4e8c46578c318c7f328ad

Download Submit
C:\Windows\{B908F862-572D-40d0-9F70-52C1A2DB626F}.exe

Filesize
204KB

MD5
9d037cf18ba12cfcbc23f44e7d71e54e

SHA1
d35893ff74b11aa858ed342b5b44185d874613ba

SHA256
09c998fa30f10725415389a75d971e77fc7cf05bae22f11e61d6ee13b968d0f8

SHA512
81dab1462b30587878dade0b40872ba3bee3a61e5c0c945ac833b4989b25cd90c7e39d2443f095b8bf3ce88cf2b677fe696cb4514af4e8c46578c318c7f328ad

Download Submit
C:\Windows\{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe

Filesize
204KB

MD5
9c8ea4d2c64c33488488c1e73d46bb6b

SHA1
d94786de3a066de931c5262e413cd117f4bae495

SHA256
6095ac0e4c92296882695f3b3ccb85eaec897cdbd1c5b3df54a6015b9e9e8387

SHA512
2e23b6e5b466a4b37dc238e140930c34951072468184e0dc31e74cf7c687b99d0b11f2c4c94bf973a8e69cbd247f6b8852b22418baaac326a1b800efcdd0c42e

Download Submit
C:\Windows\{BF24148A-1AF5-408c-A136-D017FB7C2BFA}.exe

Filesize
204KB

MD5
9c8ea4d2c64c33488488c1e73d46bb6b

SHA1
d94786de3a066de931c5262e413cd117f4bae495

SHA256
6095ac0e4c92296882695f3b3ccb85eaec897cdbd1c5b3df54a6015b9e9e8387

SHA512
2e23b6e5b466a4b37dc238e140930c34951072468184e0dc31e74cf7c687b99d0b11f2c4c94bf973a8e69cbd247f6b8852b22418baaac326a1b800efcdd0c42e

Download Submit
C:\Windows\{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe

Filesize
204KB

MD5
ddafea38512c94a8dd1179881bce1df3

SHA1
3b686822ba6d27eef00659d7d997959ea38a1eab

SHA256
5205d6db2a35039e98d933801769b47730adfc2c49fcd4ab67fb047d22c27314

SHA512
e06133795a2de5b87498b39c731a8bf01d1336cf32771653e9b6e2414a848d03c209ced369e52d343ae616e60d3c5c78ed2ca069a7a3b20dd5488ed76e87c3db

Download Submit
C:\Windows\{C1A6CC2F-BB75-4956-8B7D-9D18667D7A09}.exe

Filesize
204KB

MD5
ddafea38512c94a8dd1179881bce1df3

SHA1
3b686822ba6d27eef00659d7d997959ea38a1eab

SHA256
5205d6db2a35039e98d933801769b47730adfc2c49fcd4ab67fb047d22c27314

SHA512
e06133795a2de5b87498b39c731a8bf01d1336cf32771653e9b6e2414a848d03c209ced369e52d343ae616e60d3c5c78ed2ca069a7a3b20dd5488ed76e87c3db

Download Submit
C:\Windows\{C6C29816-D40A-48ee-880E-4339C2481261}.exe

Filesize
204KB

MD5
354f625e931e616b545ac990d1e8cc3f

SHA1
712458dabdde775eb0a9f3aee07705b0a27a074f

SHA256
41c9689ed1e6fb76c4b344cbed219609b7184db59f4060ac46702d14b736746b

SHA512
a7a0aa5c7684c19cb0a6f76e8588e49be494cd36824a746b05a91e2eeae9a22a6644eaef791d9632147b3e86b012af6a7ad4ae7f8721ca9ee0882bead550a190

Download Submit
C:\Windows\{C6C29816-D40A-48ee-880E-4339C2481261}.exe

Filesize
41KB

MD5
eaac8ab0873612f3dd807cc42901b809

SHA1
bef2f5418e9fa5fc8ad3b81d5374f669d10cc236

SHA256
70f8866b0c340b15c6e6f32deaa7d4451ef844dba9b9a783842c34837b9812cf

SHA512
2ba4a704d6a5cb377fa2dc3a8c44af70d89a80703d516d1ca5f957ef380568ca2f0107992873b875a9207bb86a060de3b783cf5aaa917192d3a695936396512e

Download Submit
C:\Windows\{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe

Filesize
204KB

MD5
134c61add18494c59cf52b851d47f6eb

SHA1
79b93d72f98edcd24ed7621db478460b0592351a

SHA256
8fbc6cd958167834addb65d868b5b7df99b0fed99811633aceed945babe0a104

SHA512
ef7742a28ac042495497381b218eaa5ea5afeec6843c965c744a1cc0f13e56eff9ad961cf69e24a059d54dd74fdee987bcb3021f474dd4fe4f1a9f5175d68de1

Download Submit
C:\Windows\{E30A5514-444B-41ae-BB66-A066F8D219DF}.exe

Filesize
204KB

MD5
134c61add18494c59cf52b851d47f6eb

SHA1
79b93d72f98edcd24ed7621db478460b0592351a

SHA256
8fbc6cd958167834addb65d868b5b7df99b0fed99811633aceed945babe0a104

SHA512
ef7742a28ac042495497381b218eaa5ea5afeec6843c965c744a1cc0f13e56eff9ad961cf69e24a059d54dd74fdee987bcb3021f474dd4fe4f1a9f5175d68de1

Download Submit
C:\Windows\{F3D0C189-4486-461b-A63E-E588240CA878}.exe

Filesize
204KB

MD5
a2e909bedee6bc4485304ed993a94d99

SHA1
f9ebf5ff671bce8344efd7f4e0023daa39c435c3

SHA256
7f89f5dce479aa8a3af15d519738da2c0b25ac45e321e864ae08f344f0aa2848

SHA512
92ea83610d6325eacf2e0e11004feaa8f3707f139583524c6856b71eca128d9b3d0ca8f21fca7de3bb437a44770199009cccdaa8380543bc0fb50d22b2ac377e

Download Submit
C:\Windows\{F3D0C189-4486-461b-A63E-E588240CA878}.exe

Filesize
204KB

MD5
a2e909bedee6bc4485304ed993a94d99

SHA1
f9ebf5ff671bce8344efd7f4e0023daa39c435c3

SHA256
7f89f5dce479aa8a3af15d519738da2c0b25ac45e321e864ae08f344f0aa2848

SHA512
92ea83610d6325eacf2e0e11004feaa8f3707f139583524c6856b71eca128d9b3d0ca8f21fca7de3bb437a44770199009cccdaa8380543bc0fb50d22b2ac377e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads