2f1621bc9621a80034f1de0a0dfdb3da86b7e62e7d757490a9d042cf1685f80d

Analysis

max time kernel
163s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2023 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe
Size

216KB
MD5

bffb5ff7202677c2cb4c71859f09f901
SHA1

5b9aea3732a0309b1141b563ddc7e7775181c1c1
SHA256

2f1621bc9621a80034f1de0a0dfdb3da86b7e62e7d757490a9d042cf1685f80d
SHA512

9a1e0896ad0caa9bde75f5c6e7aabeefcd77e15d1ec60fbfb728f556c337023fc09e22393b2a08ec2ecd6074457ef824deaf362edba511d141d6d0243c668070
SSDEEP

3072:jEGh0owl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}\stubpath = "C:\\Windows\\{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe"	{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9009E818-BA16-4848-B922-FFED0A7CD91A}	{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9009E818-BA16-4848-B922-FFED0A7CD91A}\stubpath = "C:\\Windows\\{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe"	{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B42FC1BA-2B07-4c72-9336-AFE74E1AB6E3}\stubpath = "C:\\Windows\\{B42FC1BA-2B07-4c72-9336-AFE74E1AB6E3}.exe"	{8B60FCB5-6ED2-4213-85BE-169C73C59F60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBE07B4B-2474-4f03-A6C4-79F345A8810D}\stubpath = "C:\\Windows\\{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe"	{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A03445A0-B38E-4245-8F25-409CF2FFBF4F}\stubpath = "C:\\Windows\\{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe"	{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D573981D-3A77-49ba-9BB7-90F8BE455394}	{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D573981D-3A77-49ba-9BB7-90F8BE455394}\stubpath = "C:\\Windows\\{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe"	{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}\stubpath = "C:\\Windows\\{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe"	{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B42FC1BA-2B07-4c72-9336-AFE74E1AB6E3}	{8B60FCB5-6ED2-4213-85BE-169C73C59F60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A03445A0-B38E-4245-8F25-409CF2FFBF4F}	{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02E55431-729D-425c-B6FE-8A2CD5D86FEE}\stubpath = "C:\\Windows\\{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe"	{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}\stubpath = "C:\\Windows\\{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe"	{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}	{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02E55431-729D-425c-B6FE-8A2CD5D86FEE}	{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}	{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FD4DE59-0852-4436-9FA5-B041C200F1FB}\stubpath = "C:\\Windows\\{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe"	{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}	{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B60FCB5-6ED2-4213-85BE-169C73C59F60}	{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B60FCB5-6ED2-4213-85BE-169C73C59F60}\stubpath = "C:\\Windows\\{8B60FCB5-6ED2-4213-85BE-169C73C59F60}.exe"	{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}\stubpath = "C:\\Windows\\{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe"	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBE07B4B-2474-4f03-A6C4-79F345A8810D}	{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FD4DE59-0852-4436-9FA5-B041C200F1FB}	{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe

Executes dropped EXE 12 IoCs

pid	Process
2656	{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe
4128	{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe
2320	{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe
4740	{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe
2760	{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe
1164	{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe
2088	{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe
3616	{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe
4000	{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe
3016	{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe
2268	{8B60FCB5-6ED2-4213-85BE-169C73C59F60}.exe
3376	{B42FC1BA-2B07-4c72-9336-AFE74E1AB6E3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B42FC1BA-2B07-4c72-9336-AFE74E1AB6E3}.exe	{8B60FCB5-6ED2-4213-85BE-169C73C59F60}.exe
File created	C:\Windows\{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe
File created	C:\Windows\{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe	{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe
File created	C:\Windows\{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe	{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe
File created	C:\Windows\{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe	{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe
File created	C:\Windows\{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe	{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe
File created	C:\Windows\{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe	{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe
File created	C:\Windows\{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe	{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe
File created	C:\Windows\{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe	{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe
File created	C:\Windows\{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe	{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe
File created	C:\Windows\{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe	{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe
File created	C:\Windows\{8B60FCB5-6ED2-4213-85BE-169C73C59F60}.exe	{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3660	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2656	{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe
Token: SeIncBasePriorityPrivilege	4128	{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe
Token: SeIncBasePriorityPrivilege	2320	{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe
Token: SeIncBasePriorityPrivilege	4740	{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe
Token: SeIncBasePriorityPrivilege	2760	{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe
Token: SeIncBasePriorityPrivilege	1164	{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe
Token: SeIncBasePriorityPrivilege	2088	{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe
Token: SeIncBasePriorityPrivilege	3616	{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe
Token: SeIncBasePriorityPrivilege	4000	{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe
Token: SeIncBasePriorityPrivilege	3016	{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe
Token: SeIncBasePriorityPrivilege	2268	{8B60FCB5-6ED2-4213-85BE-169C73C59F60}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 2656	3660	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	88
PID 3660 wrote to memory of 2656	3660	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	88
PID 3660 wrote to memory of 2656	3660	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	88
PID 3660 wrote to memory of 3096	3660	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	89
PID 3660 wrote to memory of 3096	3660	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	89
PID 3660 wrote to memory of 3096	3660	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	89
PID 2656 wrote to memory of 4128	2656	{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe	91
PID 2656 wrote to memory of 4128	2656	{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe	91
PID 2656 wrote to memory of 4128	2656	{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe	91
PID 2656 wrote to memory of 4252	2656	{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe	92
PID 2656 wrote to memory of 4252	2656	{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe	92
PID 2656 wrote to memory of 4252	2656	{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe	92
PID 4128 wrote to memory of 2320	4128	{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe	93
PID 4128 wrote to memory of 2320	4128	{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe	93
PID 4128 wrote to memory of 2320	4128	{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe	93
PID 4128 wrote to memory of 1144	4128	{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe	94
PID 4128 wrote to memory of 1144	4128	{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe	94
PID 4128 wrote to memory of 1144	4128	{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe	94
PID 2320 wrote to memory of 4740	2320	{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe	95
PID 2320 wrote to memory of 4740	2320	{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe	95
PID 2320 wrote to memory of 4740	2320	{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe	95
PID 2320 wrote to memory of 2660	2320	{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe	96
PID 2320 wrote to memory of 2660	2320	{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe	96
PID 2320 wrote to memory of 2660	2320	{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe	96
PID 4740 wrote to memory of 2760	4740	{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe	97
PID 4740 wrote to memory of 2760	4740	{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe	97
PID 4740 wrote to memory of 2760	4740	{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe	97
PID 4740 wrote to memory of 2512	4740	{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe	98
PID 4740 wrote to memory of 2512	4740	{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe	98
PID 4740 wrote to memory of 2512	4740	{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe	98
PID 2760 wrote to memory of 1164	2760	{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe	99
PID 2760 wrote to memory of 1164	2760	{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe	99
PID 2760 wrote to memory of 1164	2760	{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe	99
PID 2760 wrote to memory of 3668	2760	{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe	100
PID 2760 wrote to memory of 3668	2760	{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe	100
PID 2760 wrote to memory of 3668	2760	{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe	100
PID 1164 wrote to memory of 2088	1164	{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe	101
PID 1164 wrote to memory of 2088	1164	{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe	101
PID 1164 wrote to memory of 2088	1164	{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe	101
PID 1164 wrote to memory of 1360	1164	{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe	102
PID 1164 wrote to memory of 1360	1164	{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe	102
PID 1164 wrote to memory of 1360	1164	{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe	102
PID 2088 wrote to memory of 3616	2088	{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe	103
PID 2088 wrote to memory of 3616	2088	{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe	103
PID 2088 wrote to memory of 3616	2088	{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe	103
PID 2088 wrote to memory of 740	2088	{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe	104
PID 2088 wrote to memory of 740	2088	{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe	104
PID 2088 wrote to memory of 740	2088	{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe	104
PID 3616 wrote to memory of 4000	3616	{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe	105
PID 3616 wrote to memory of 4000	3616	{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe	105
PID 3616 wrote to memory of 4000	3616	{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe	105
PID 3616 wrote to memory of 3092	3616	{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe	106
PID 3616 wrote to memory of 3092	3616	{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe	106
PID 3616 wrote to memory of 3092	3616	{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe	106
PID 4000 wrote to memory of 3016	4000	{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe	107
PID 4000 wrote to memory of 3016	4000	{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe	107
PID 4000 wrote to memory of 3016	4000	{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe	107
PID 4000 wrote to memory of 1404	4000	{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe	108
PID 4000 wrote to memory of 1404	4000	{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe	108
PID 4000 wrote to memory of 1404	4000	{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe	108
PID 3016 wrote to memory of 2268	3016	{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe	109
PID 3016 wrote to memory of 2268	3016	{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe	109
PID 3016 wrote to memory of 2268	3016	{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe	109
PID 3016 wrote to memory of 3736	3016	{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe	110

C:\Users\Admin\AppData\Local\Temp\bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe
  C:\Windows\{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe
    C:\Windows\{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Windows\{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe
      C:\Windows\{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Windows\{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe
        
        C:\Windows\{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
      - C:\Windows\{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe
        
        C:\Windows\{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe
        
        C:\Windows\{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe
        
        C:\Windows\{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe
        
        C:\Windows\{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe
        
        C:\Windows\{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe
        
        C:\Windows\{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\{8B60FCB5-6ED2-4213-85BE-169C73C59F60}.exe
        
        C:\Windows\{8B60FCB5-6ED2-4213-85BE-169C73C59F60}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\{B42FC1BA-2B07-4c72-9336-AFE74E1AB6E3}.exe
        
        C:\Windows\{B42FC1BA-2B07-4c72-9336-AFE74E1AB6E3}.exe
        13⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B60F~1.EXE > nul
        13⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9009E~1.EXE > nul
        12⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EABAF~1.EXE > nul
        11⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5739~1.EXE > nul
        10⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E12F~1.EXE > nul
        9⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02E55~1.EXE > nul
        8⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FD4D~1.EXE > nul
        7⤵
        
        PID:3668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BDF0~1.EXE > nul
        6⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0344~1.EXE > nul
        5⤵
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DBE07~1.EXE > nul
      4⤵
      PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FDE6D~1.EXE > nul
    3⤵
    PID:4252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BFFB5F~1.EXE > nul
  2⤵
  PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe

Filesize
216KB

MD5
b3139ec79a5775c849f1e3fd9999039b

SHA1
6aeb198b697f8310169ce176fe77633602fec18b

SHA256
2d024816b8522b2e3e20eefebfc9645b8d174c891fcfff1dfc87caac79e5d5a2

SHA512
62ea5d41705803f93252ce78e85af89c2480ee1d671109b7c2daf6515761f775475db084e395eac164ecf021a46cb5ed8e2c19d4fb972548a6390bb1c0cdcb91

Download Submit
C:\Windows\{02E55431-729D-425c-B6FE-8A2CD5D86FEE}.exe

Filesize
216KB

MD5
b3139ec79a5775c849f1e3fd9999039b

SHA1
6aeb198b697f8310169ce176fe77633602fec18b

SHA256
2d024816b8522b2e3e20eefebfc9645b8d174c891fcfff1dfc87caac79e5d5a2

SHA512
62ea5d41705803f93252ce78e85af89c2480ee1d671109b7c2daf6515761f775475db084e395eac164ecf021a46cb5ed8e2c19d4fb972548a6390bb1c0cdcb91

Download Submit
C:\Windows\{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe

Filesize
216KB

MD5
38c9fbed755e478847379a551fb23d1b

SHA1
c739267320f590c8874d07278a328690ec505f7f

SHA256
23195c8b6030b10ea95a138cdfe5d7179a2eb287bc2d170d2fa5451a2babbfef

SHA512
58ae907417ed549cfe2cba3f5641486f4e6131e484b3bfdefc38dc963c7fe0dedf9ea23eb30cd487094fe68cae565229c7fc516cdf422e4277e2e6c1f2490fc6

Download Submit
C:\Windows\{0BDF0574-B36A-4f6c-AAF1-BFDD19C587F9}.exe

Filesize
216KB

MD5
38c9fbed755e478847379a551fb23d1b

SHA1
c739267320f590c8874d07278a328690ec505f7f

SHA256
23195c8b6030b10ea95a138cdfe5d7179a2eb287bc2d170d2fa5451a2babbfef

SHA512
58ae907417ed549cfe2cba3f5641486f4e6131e484b3bfdefc38dc963c7fe0dedf9ea23eb30cd487094fe68cae565229c7fc516cdf422e4277e2e6c1f2490fc6

Download Submit
C:\Windows\{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe

Filesize
216KB

MD5
af37ef28dbbe2d36423753b8da34d11d

SHA1
21fa0ea84fab1d9a551062dcb0342989c2cdbdc1

SHA256
49316040fdf0152a698b24737a9ee72679592d1375308b8ee38da10df5edfa40

SHA512
2ca264b576b32e5248abd4461650b4f2ec1110dcd3552072fcdb1af6523df6b1a89241214f1aa76b96caa26f0cff698bcc65c73a32777ef4315fac7b106562a0

Download Submit
C:\Windows\{3E12F9EC-537E-4312-8FB0-C7BA236E4BE6}.exe

Filesize
216KB

MD5
af37ef28dbbe2d36423753b8da34d11d

SHA1
21fa0ea84fab1d9a551062dcb0342989c2cdbdc1

SHA256
49316040fdf0152a698b24737a9ee72679592d1375308b8ee38da10df5edfa40

SHA512
2ca264b576b32e5248abd4461650b4f2ec1110dcd3552072fcdb1af6523df6b1a89241214f1aa76b96caa26f0cff698bcc65c73a32777ef4315fac7b106562a0

Download Submit
C:\Windows\{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe

Filesize
216KB

MD5
507dfae26ab6a0d1c1f66eecf23b952a

SHA1
20756db6e8331a066037cd7b4d969fd6444b939a

SHA256
b0de9f84d469f02bd1b0e87c0f39e30f6f53acdb5813caa32d47cacf52ddca43

SHA512
ee1275a99a85f649a27258d94be7c3809c672444861a80e3f64b87e9c98570f656564a82cd0946f0bbe29b9835f554ed18f3e88a860d06c31d3f6adc64c91dd9

Download Submit
C:\Windows\{6FD4DE59-0852-4436-9FA5-B041C200F1FB}.exe

Filesize
216KB

MD5
507dfae26ab6a0d1c1f66eecf23b952a

SHA1
20756db6e8331a066037cd7b4d969fd6444b939a

SHA256
b0de9f84d469f02bd1b0e87c0f39e30f6f53acdb5813caa32d47cacf52ddca43

SHA512
ee1275a99a85f649a27258d94be7c3809c672444861a80e3f64b87e9c98570f656564a82cd0946f0bbe29b9835f554ed18f3e88a860d06c31d3f6adc64c91dd9

Download Submit
C:\Windows\{8B60FCB5-6ED2-4213-85BE-169C73C59F60}.exe

Filesize
216KB

MD5
5e66ef9f19f5229bfe14cac926ee97a8

SHA1
7c526b147f2c5d697b2bd6fc11537ec369a52061

SHA256
d8fc3c0bec82ffb12221cb3266b8254d571c63952c00d44b9811291d78662f50

SHA512
e319bbb748d618770cb4e93d89c0dbeadb502806bc9e4fee7726867cca93676430d3cc40dd6c458be9d69f07877fbc88ebac731717dbd27bdd018263718a94b5

Download Submit
C:\Windows\{8B60FCB5-6ED2-4213-85BE-169C73C59F60}.exe

Filesize
216KB

MD5
5e66ef9f19f5229bfe14cac926ee97a8

SHA1
7c526b147f2c5d697b2bd6fc11537ec369a52061

SHA256
d8fc3c0bec82ffb12221cb3266b8254d571c63952c00d44b9811291d78662f50

SHA512
e319bbb748d618770cb4e93d89c0dbeadb502806bc9e4fee7726867cca93676430d3cc40dd6c458be9d69f07877fbc88ebac731717dbd27bdd018263718a94b5

Download Submit
C:\Windows\{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe

Filesize
216KB

MD5
90cd8bbe2bf08b6fdfb59340ba37eee1

SHA1
2d0f6c149c668172d9b4f74618d3a8c53f678b3e

SHA256
de79368150553142c1a94d369ca304ef1f4a53f2ba7f6aabc609efb5471e5634

SHA512
6f4aaa78f3b7faaee1afe546cb156bec140b16b41b70b042a2988f50ee1b2159a8c5c9b7de0b375bc546397accc4b3a6fb0b972c7055b0094d606e58d0bf078f

Download Submit
C:\Windows\{9009E818-BA16-4848-B922-FFED0A7CD91A}.exe

Filesize
216KB

MD5
90cd8bbe2bf08b6fdfb59340ba37eee1

SHA1
2d0f6c149c668172d9b4f74618d3a8c53f678b3e

SHA256
de79368150553142c1a94d369ca304ef1f4a53f2ba7f6aabc609efb5471e5634

SHA512
6f4aaa78f3b7faaee1afe546cb156bec140b16b41b70b042a2988f50ee1b2159a8c5c9b7de0b375bc546397accc4b3a6fb0b972c7055b0094d606e58d0bf078f

Download Submit
C:\Windows\{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe

Filesize
216KB

MD5
d2b014525cab67af8759e6436d2e8f15

SHA1
2035f231938e65dc3f9aa689a0de00f0761b485f

SHA256
c5449945cecbcb7797e7a03ce78990ccd1521764c9dc76485b750baf0e4fc62b

SHA512
7c969c717d4c01ef6eebd08139885dfb8bbbe99220caa45730d5479aa60802ee820dcb8dfd32ca3fce84abe3bb336b019f6849ecb8aa373923f9d9fd77708bf2

Download Submit
C:\Windows\{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe

Filesize
216KB

MD5
d2b014525cab67af8759e6436d2e8f15

SHA1
2035f231938e65dc3f9aa689a0de00f0761b485f

SHA256
c5449945cecbcb7797e7a03ce78990ccd1521764c9dc76485b750baf0e4fc62b

SHA512
7c969c717d4c01ef6eebd08139885dfb8bbbe99220caa45730d5479aa60802ee820dcb8dfd32ca3fce84abe3bb336b019f6849ecb8aa373923f9d9fd77708bf2

Download Submit
C:\Windows\{A03445A0-B38E-4245-8F25-409CF2FFBF4F}.exe

Filesize
216KB

MD5
d2b014525cab67af8759e6436d2e8f15

SHA1
2035f231938e65dc3f9aa689a0de00f0761b485f

SHA256
c5449945cecbcb7797e7a03ce78990ccd1521764c9dc76485b750baf0e4fc62b

SHA512
7c969c717d4c01ef6eebd08139885dfb8bbbe99220caa45730d5479aa60802ee820dcb8dfd32ca3fce84abe3bb336b019f6849ecb8aa373923f9d9fd77708bf2

Download Submit
C:\Windows\{B42FC1BA-2B07-4c72-9336-AFE74E1AB6E3}.exe

Filesize
216KB

MD5
5175c3d6cc382746e4eb188ac34e9101

SHA1
5946f6a0782f3f34619c14afd12af7840fb03ffc

SHA256
c4b9ea7f66f9498be3b556cac677434d3422d7cf93ea7f09c702edcf34b29c00

SHA512
c865a463036406b526603e64978cc033987487a3a1cc38e6f07e2880a7a0fcb94467ba6e4259a8c62e15cdcb036be83f5d4a038ab9dadd4e66bd6de2b62d9b45

Download Submit
C:\Windows\{B42FC1BA-2B07-4c72-9336-AFE74E1AB6E3}.exe

Filesize
210KB

MD5
966224a7a9589f262fdb7d1cf8cbf851

SHA1
10623318821fb741fa60e79fea20dc6f59acdb0d

SHA256
b005aa900063d5b8306e80d126790c6da6ae4a17fc6a50888122f7d79375e0ba

SHA512
8664add3e66023e5c5560ae25a816578faa26d455e20ecc27c84ee2a90a9b20c9e920999bb0edeb7af9bd8568bd416e5f9c8f42d5ed77a9c2625da9db460389e

Download Submit
C:\Windows\{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe

Filesize
216KB

MD5
19a37204b4824655df0d49c11c734b9b

SHA1
2f4ffb377510b65eec11d20e3d403965f98b0b62

SHA256
72caf5659b505e52936d53309c6f6be318be5090ae3ca8b63ea6994644de9568

SHA512
d66c520e70aa76146920d34f1925acd568d3ee81593e5ebc9af74b655343b3741cb3d58213a05d55f6b63e9b67bc526ac8d2132fcdf246e419c5985e4f51d4b9

Download Submit
C:\Windows\{D573981D-3A77-49ba-9BB7-90F8BE455394}.exe

Filesize
216KB

MD5
19a37204b4824655df0d49c11c734b9b

SHA1
2f4ffb377510b65eec11d20e3d403965f98b0b62

SHA256
72caf5659b505e52936d53309c6f6be318be5090ae3ca8b63ea6994644de9568

SHA512
d66c520e70aa76146920d34f1925acd568d3ee81593e5ebc9af74b655343b3741cb3d58213a05d55f6b63e9b67bc526ac8d2132fcdf246e419c5985e4f51d4b9

Download Submit
C:\Windows\{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe

Filesize
216KB

MD5
562c932d2728b34b4f76000a11755116

SHA1
9636f81a148bc9bb0d5f9d92a03f20bcc97f680a

SHA256
853ec9e4cf802091b74ff06c0b47b7bca11cdf8ea884af4717cecc0940051b9d

SHA512
c51be90470b2835ba5db8c7a94ca26040607ab61917b486735447e091e79bc89e8d91cb816ad9bf05f3ba592f50a0878a10f66b93e77fd7f6777b59d4b296d55

Download Submit
C:\Windows\{DBE07B4B-2474-4f03-A6C4-79F345A8810D}.exe

Filesize
216KB

MD5
562c932d2728b34b4f76000a11755116

SHA1
9636f81a148bc9bb0d5f9d92a03f20bcc97f680a

SHA256
853ec9e4cf802091b74ff06c0b47b7bca11cdf8ea884af4717cecc0940051b9d

SHA512
c51be90470b2835ba5db8c7a94ca26040607ab61917b486735447e091e79bc89e8d91cb816ad9bf05f3ba592f50a0878a10f66b93e77fd7f6777b59d4b296d55

Download Submit
C:\Windows\{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe

Filesize
216KB

MD5
7dbba56a257d95386eefef35f2480b8a

SHA1
4e37188ead49180747bcaa3e231c337f20044f50

SHA256
7e8ca2363832d2aeb9f4ac6eefe3d1fe99f7a4ef8c323e8a089235f98ae5d1db

SHA512
b22f183ac76a325c20df0262fdd4692c76e352f3b8bf28d369d98df8629735827b36db0be159385112078667f35d6d1d21cc688e471905af48e6bcf642b86f9a

Download Submit
C:\Windows\{EABAF2D5-BD43-49e8-AF99-AEE94115D2FF}.exe

Filesize
216KB

MD5
7dbba56a257d95386eefef35f2480b8a

SHA1
4e37188ead49180747bcaa3e231c337f20044f50

SHA256
7e8ca2363832d2aeb9f4ac6eefe3d1fe99f7a4ef8c323e8a089235f98ae5d1db

SHA512
b22f183ac76a325c20df0262fdd4692c76e352f3b8bf28d369d98df8629735827b36db0be159385112078667f35d6d1d21cc688e471905af48e6bcf642b86f9a

Download Submit
C:\Windows\{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe

Filesize
216KB

MD5
263f9a299a5707dce26dec0be9d65208

SHA1
4af007951317914a2512e6f1c3c4e372739e4b71

SHA256
ace220df36f91d4e6061b63958de05aded6e64c5654bfc66bc3f9e0fb55427dc

SHA512
191328cfab4d5d1c5be9ac2f482ead59c127970069e171ed0067e119f74642d4d983fab55db75dc0b2789ea413d1f59b0a596a677cb22bc5bbb9e83e71c4d3b0

Download Submit
C:\Windows\{FDE6D772-3F87-4809-9CD1-D859BBAF5E2D}.exe

Filesize
216KB

MD5
263f9a299a5707dce26dec0be9d65208

SHA1
4af007951317914a2512e6f1c3c4e372739e4b71

SHA256
ace220df36f91d4e6061b63958de05aded6e64c5654bfc66bc3f9e0fb55427dc

SHA512
191328cfab4d5d1c5be9ac2f482ead59c127970069e171ed0067e119f74642d4d983fab55db75dc0b2789ea413d1f59b0a596a677cb22bc5bbb9e83e71c4d3b0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads