e0c1bd10baf59fb97c16f72c2879adef8453713dfb838f48e694c25964daf5c6

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe
Size

216KB
MD5

e513ec73a054108973e01df3687c50cb
SHA1

74ef34fafe9fad1b00a51c7ea3f238f114e19952
SHA256

e0c1bd10baf59fb97c16f72c2879adef8453713dfb838f48e694c25964daf5c6
SHA512

ccdf8c95ff3081ffbd430ac061086aeb4cd28f1431c68e37e38d8a6b70186f14b7db99d4c83ea9e77bf6179ba4c42e83ceadcb8e84c33014134aef92f6cb17f2
SSDEEP

3072:jEGh0onl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG1lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21E7B28D-4008-4c78-9C77-F2C566EA71A7}	{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21E7B28D-4008-4c78-9C77-F2C566EA71A7}\stubpath = "C:\\Windows\\{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe"	{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8E99A39-55A8-4863-9631-7FE9284D0C57}\stubpath = "C:\\Windows\\{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe"	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0B9334C-7AFF-49fc-9468-14290FF4E507}\stubpath = "C:\\Windows\\{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe"	{61473BAB-5556-4bf9-B250-30DFB113D865}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE7A638-DD51-4994-8B39-099E399F37A3}	{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}	{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}\stubpath = "C:\\Windows\\{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe"	{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0B0F66D-C544-4a6a-958D-235F8E25BB27}	{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8E99A39-55A8-4863-9631-7FE9284D0C57}	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61473BAB-5556-4bf9-B250-30DFB113D865}\stubpath = "C:\\Windows\\{61473BAB-5556-4bf9-B250-30DFB113D865}.exe"	{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}\stubpath = "C:\\Windows\\{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe"	{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{071B8FB9-330C-4077-A0BB-6E4A60258183}\stubpath = "C:\\Windows\\{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe"	{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65F41A87-C2CA-4a20-AFAC-BC049836C088}	{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65F41A87-C2CA-4a20-AFAC-BC049836C088}\stubpath = "C:\\Windows\\{65F41A87-C2CA-4a20-AFAC-BC049836C088}.exe"	{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61473BAB-5556-4bf9-B250-30DFB113D865}	{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE7A638-DD51-4994-8B39-099E399F37A3}\stubpath = "C:\\Windows\\{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe"	{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0B9334C-7AFF-49fc-9468-14290FF4E507}	{61473BAB-5556-4bf9-B250-30DFB113D865}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}	{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{071B8FB9-330C-4077-A0BB-6E4A60258183}	{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0B0F66D-C544-4a6a-958D-235F8E25BB27}\stubpath = "C:\\Windows\\{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe"	{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D07CA324-604D-486c-A62B-20EE67AC2A74}	{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D07CA324-604D-486c-A62B-20EE67AC2A74}\stubpath = "C:\\Windows\\{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe"	{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe

Executes dropped EXE 11 IoCs

pid	Process
4312	{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe
4584	{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe
2500	{61473BAB-5556-4bf9-B250-30DFB113D865}.exe
4836	{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe
4700	{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe
2896	{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe
2076	{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe
2744	{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe
408	{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe
3852	{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe
2716	{65F41A87-C2CA-4a20-AFAC-BC049836C088}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{65F41A87-C2CA-4a20-AFAC-BC049836C088}.exe	{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe
File created	C:\Windows\{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe
File created	C:\Windows\{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe	{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe
File created	C:\Windows\{61473BAB-5556-4bf9-B250-30DFB113D865}.exe	{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe
File created	C:\Windows\{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe	{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe
File created	C:\Windows\{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe	{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe
File created	C:\Windows\{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe	{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe
File created	C:\Windows\{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe	{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe
File created	C:\Windows\{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe	{61473BAB-5556-4bf9-B250-30DFB113D865}.exe
File created	C:\Windows\{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe	{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe
File created	C:\Windows\{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe	{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1008	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4312	{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe
Token: SeIncBasePriorityPrivilege	4584	{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe
Token: SeIncBasePriorityPrivilege	2500	{61473BAB-5556-4bf9-B250-30DFB113D865}.exe
Token: SeIncBasePriorityPrivilege	4836	{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe
Token: SeIncBasePriorityPrivilege	4700	{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe
Token: SeIncBasePriorityPrivilege	2896	{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe
Token: SeIncBasePriorityPrivilege	2076	{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe
Token: SeIncBasePriorityPrivilege	2744	{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe
Token: SeIncBasePriorityPrivilege	408	{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe
Token: SeIncBasePriorityPrivilege	3852	{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 4312	1008	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	89
PID 1008 wrote to memory of 4312	1008	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	89
PID 1008 wrote to memory of 4312	1008	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	89
PID 1008 wrote to memory of 3908	1008	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	90
PID 1008 wrote to memory of 3908	1008	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	90
PID 1008 wrote to memory of 3908	1008	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	90
PID 4312 wrote to memory of 4584	4312	{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe	91
PID 4312 wrote to memory of 4584	4312	{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe	91
PID 4312 wrote to memory of 4584	4312	{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe	91
PID 4312 wrote to memory of 4140	4312	{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe	92
PID 4312 wrote to memory of 4140	4312	{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe	92
PID 4312 wrote to memory of 4140	4312	{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe	92
PID 4584 wrote to memory of 2500	4584	{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe	95
PID 4584 wrote to memory of 2500	4584	{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe	95
PID 4584 wrote to memory of 2500	4584	{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe	95
PID 4584 wrote to memory of 2184	4584	{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe	94
PID 4584 wrote to memory of 2184	4584	{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe	94
PID 4584 wrote to memory of 2184	4584	{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe	94
PID 2500 wrote to memory of 4836	2500	{61473BAB-5556-4bf9-B250-30DFB113D865}.exe	96
PID 2500 wrote to memory of 4836	2500	{61473BAB-5556-4bf9-B250-30DFB113D865}.exe	96
PID 2500 wrote to memory of 4836	2500	{61473BAB-5556-4bf9-B250-30DFB113D865}.exe	96
PID 2500 wrote to memory of 568	2500	{61473BAB-5556-4bf9-B250-30DFB113D865}.exe	97
PID 2500 wrote to memory of 568	2500	{61473BAB-5556-4bf9-B250-30DFB113D865}.exe	97
PID 2500 wrote to memory of 568	2500	{61473BAB-5556-4bf9-B250-30DFB113D865}.exe	97
PID 4836 wrote to memory of 4700	4836	{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe	98
PID 4836 wrote to memory of 4700	4836	{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe	98
PID 4836 wrote to memory of 4700	4836	{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe	98
PID 4836 wrote to memory of 4056	4836	{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe	99
PID 4836 wrote to memory of 4056	4836	{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe	99
PID 4836 wrote to memory of 4056	4836	{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe	99
PID 4700 wrote to memory of 2896	4700	{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe	100
PID 4700 wrote to memory of 2896	4700	{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe	100
PID 4700 wrote to memory of 2896	4700	{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe	100
PID 4700 wrote to memory of 3872	4700	{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe	101
PID 4700 wrote to memory of 3872	4700	{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe	101
PID 4700 wrote to memory of 3872	4700	{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe	101
PID 2896 wrote to memory of 2076	2896	{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe	102
PID 2896 wrote to memory of 2076	2896	{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe	102
PID 2896 wrote to memory of 2076	2896	{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe	102
PID 2896 wrote to memory of 4852	2896	{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe	103
PID 2896 wrote to memory of 4852	2896	{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe	103
PID 2896 wrote to memory of 4852	2896	{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe	103
PID 2076 wrote to memory of 2744	2076	{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe	104
PID 2076 wrote to memory of 2744	2076	{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe	104
PID 2076 wrote to memory of 2744	2076	{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe	104
PID 2076 wrote to memory of 4644	2076	{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe	105
PID 2076 wrote to memory of 4644	2076	{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe	105
PID 2076 wrote to memory of 4644	2076	{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe	105
PID 2744 wrote to memory of 408	2744	{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe	106
PID 2744 wrote to memory of 408	2744	{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe	106
PID 2744 wrote to memory of 408	2744	{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe	106
PID 2744 wrote to memory of 1516	2744	{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe	107
PID 2744 wrote to memory of 1516	2744	{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe	107
PID 2744 wrote to memory of 1516	2744	{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe	107
PID 408 wrote to memory of 3852	408	{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe	108
PID 408 wrote to memory of 3852	408	{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe	108
PID 408 wrote to memory of 3852	408	{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe	108
PID 408 wrote to memory of 232	408	{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe	109
PID 408 wrote to memory of 232	408	{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe	109
PID 408 wrote to memory of 232	408	{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe	109
PID 3852 wrote to memory of 2716	3852	{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe	110
PID 3852 wrote to memory of 2716	3852	{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe	110
PID 3852 wrote to memory of 2716	3852	{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe	110
PID 3852 wrote to memory of 1604	3852	{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe	111

C:\Users\Admin\AppData\Local\Temp\e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe
  C:\Windows\{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe
    C:\Windows\{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D07CA~1.EXE > nul
      4⤵
      PID:2184
  - - C:\Windows\{61473BAB-5556-4bf9-B250-30DFB113D865}.exe
      C:\Windows\{61473BAB-5556-4bf9-B250-30DFB113D865}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe
        
        C:\Windows\{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\Windows\{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe
        
        C:\Windows\{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe
        
        C:\Windows\{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe
        
        C:\Windows\{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe
        
        C:\Windows\{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe
        
        C:\Windows\{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe
        
        C:\Windows\{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\{65F41A87-C2CA-4a20-AFAC-BC049836C088}.exe
        
        C:\Windows\{65F41A87-C2CA-4a20-AFAC-BC049836C088}.exe
        12⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0B0F~1.EXE > nul
        12⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0A28~1.EXE > nul
        11⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{071B8~1.EXE > nul
        10⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21E7B~1.EXE > nul
        9⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5BB8~1.EXE > nul
        8⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE7A~1.EXE > nul
        7⤵
        
        PID:3872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0B93~1.EXE > nul
        6⤵
        
        PID:4056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61473~1.EXE > nul
        5⤵
        
        PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C8E99~1.EXE > nul
    3⤵
    PID:4140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E513EC~1.EXE > nul
  2⤵
  PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe

Filesize
216KB

MD5
665c233bee5eda3e4ea921fe72f1f3b7

SHA1
ed39f733c94266af15d5c39554a534490ee60531

SHA256
b8898963cf93f3919df1fed0a172a4274040c6e37a90e1ef85f820e05d518569

SHA512
70a71c1dcc2b06845a2d157e5ecb840f2c1d1636587d874b49c8c863b16d7604c06a2055f71812ea5c5d63804d838dee718d15acd5e0442d66b7228a54f12584

Download Submit
C:\Windows\{071B8FB9-330C-4077-A0BB-6E4A60258183}.exe

Filesize
216KB

MD5
665c233bee5eda3e4ea921fe72f1f3b7

SHA1
ed39f733c94266af15d5c39554a534490ee60531

SHA256
b8898963cf93f3919df1fed0a172a4274040c6e37a90e1ef85f820e05d518569

SHA512
70a71c1dcc2b06845a2d157e5ecb840f2c1d1636587d874b49c8c863b16d7604c06a2055f71812ea5c5d63804d838dee718d15acd5e0442d66b7228a54f12584

Download Submit
C:\Windows\{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe

Filesize
216KB

MD5
4a886d2676554f48fae0f0f5f2748542

SHA1
fd2f741421a6429654c68b85eb2bcc7646e88efe

SHA256
28663531f9e5b7ee424b723f9d1e8532bd436fa6d55d581cb49cce66305d0e0a

SHA512
b11a2c7b12ae6959c7b6cff4e5b9607a53055090b4957e48e441f1db2cf1f58c01c7b2a1ac829c43e519409af50b4094269e47783783650480b6ffe904b5c13b

Download Submit
C:\Windows\{21E7B28D-4008-4c78-9C77-F2C566EA71A7}.exe

Filesize
216KB

MD5
4a886d2676554f48fae0f0f5f2748542

SHA1
fd2f741421a6429654c68b85eb2bcc7646e88efe

SHA256
28663531f9e5b7ee424b723f9d1e8532bd436fa6d55d581cb49cce66305d0e0a

SHA512
b11a2c7b12ae6959c7b6cff4e5b9607a53055090b4957e48e441f1db2cf1f58c01c7b2a1ac829c43e519409af50b4094269e47783783650480b6ffe904b5c13b

Download Submit
C:\Windows\{61473BAB-5556-4bf9-B250-30DFB113D865}.exe

Filesize
216KB

MD5
77cfe9b1a0b48881b08a92e5f7e62648

SHA1
e84f9c939af78233d7755d9256516023d2bd5ebe

SHA256
9a6945f04b8091d34f71a3a4a10e852c12f1db461751414728af5d11f37ce9c6

SHA512
fa79010727511258e4b476bf614fe006f71e4fb642ed3e47cb507ec4b89a91f73e7e7c054a6481adad36a4211b7493fbbfe587fa6ba7a7ad166bdab7e1d25c8b

Download Submit
C:\Windows\{61473BAB-5556-4bf9-B250-30DFB113D865}.exe

Filesize
216KB

MD5
77cfe9b1a0b48881b08a92e5f7e62648

SHA1
e84f9c939af78233d7755d9256516023d2bd5ebe

SHA256
9a6945f04b8091d34f71a3a4a10e852c12f1db461751414728af5d11f37ce9c6

SHA512
fa79010727511258e4b476bf614fe006f71e4fb642ed3e47cb507ec4b89a91f73e7e7c054a6481adad36a4211b7493fbbfe587fa6ba7a7ad166bdab7e1d25c8b

Download Submit
C:\Windows\{61473BAB-5556-4bf9-B250-30DFB113D865}.exe

Filesize
216KB

MD5
77cfe9b1a0b48881b08a92e5f7e62648

SHA1
e84f9c939af78233d7755d9256516023d2bd5ebe

SHA256
9a6945f04b8091d34f71a3a4a10e852c12f1db461751414728af5d11f37ce9c6

SHA512
fa79010727511258e4b476bf614fe006f71e4fb642ed3e47cb507ec4b89a91f73e7e7c054a6481adad36a4211b7493fbbfe587fa6ba7a7ad166bdab7e1d25c8b

Download Submit
C:\Windows\{65F41A87-C2CA-4a20-AFAC-BC049836C088}.exe

Filesize
216KB

MD5
0e969151bb919d5d2f3f14f17a14fbac

SHA1
31bdf496fb6e1010e5f325f238f362ff649e8372

SHA256
1416b720ceb71773b5618c3903a90d6fa226911c9c37d6b3014963105ff8d41e

SHA512
e9a2dd6e65a0c13e983816b97d7cdfbb7a5136d2ae1bfb941f6bef64ae7e5b208812a84d56f7e5d3e74da34aed352d54bef7cce560197e293eb25c2467d5bfcc

Download Submit
C:\Windows\{65F41A87-C2CA-4a20-AFAC-BC049836C088}.exe

Filesize
216KB

MD5
0e969151bb919d5d2f3f14f17a14fbac

SHA1
31bdf496fb6e1010e5f325f238f362ff649e8372

SHA256
1416b720ceb71773b5618c3903a90d6fa226911c9c37d6b3014963105ff8d41e

SHA512
e9a2dd6e65a0c13e983816b97d7cdfbb7a5136d2ae1bfb941f6bef64ae7e5b208812a84d56f7e5d3e74da34aed352d54bef7cce560197e293eb25c2467d5bfcc

Download Submit
C:\Windows\{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe

Filesize
216KB

MD5
f220211ee18837f515ed991861225a76

SHA1
fe5bf7969199d2245207c4378021b964a9c973e2

SHA256
a58ebef652c7b8d7af43c20476b1784ae3e693dede024bef6222804615f7e703

SHA512
ecf335029ac9eacbd3981b08fe47ff310d18fd83035735c3a9b9c472c808b48309cc0cae88e07051d7e35a371c4afbce397ea394d806609285dc8c3259af8b06

Download Submit
C:\Windows\{7AE7A638-DD51-4994-8B39-099E399F37A3}.exe

Filesize
216KB

MD5
f220211ee18837f515ed991861225a76

SHA1
fe5bf7969199d2245207c4378021b964a9c973e2

SHA256
a58ebef652c7b8d7af43c20476b1784ae3e693dede024bef6222804615f7e703

SHA512
ecf335029ac9eacbd3981b08fe47ff310d18fd83035735c3a9b9c472c808b48309cc0cae88e07051d7e35a371c4afbce397ea394d806609285dc8c3259af8b06

Download Submit
C:\Windows\{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe

Filesize
216KB

MD5
87de70f8c5781c2c292834e0d83089c3

SHA1
0544870106acc9690ce9b4c93462acb99a187415

SHA256
16ee8d22c59faef7b3d83c776dbdc03d1834a9197527a50807530638d93c0bb4

SHA512
dcc05b05aaa8223e97ed91f16a304e603dd13ca8ba770b766e2c199e26c67a088c482098202df56c087d45d4ed80ab58c2306c7e0e5e5dc621f59256eae124b2

Download Submit
C:\Windows\{B0A28F91-DAAC-49d5-8EA0-CFDDDF5C4DBE}.exe

Filesize
216KB

MD5
87de70f8c5781c2c292834e0d83089c3

SHA1
0544870106acc9690ce9b4c93462acb99a187415

SHA256
16ee8d22c59faef7b3d83c776dbdc03d1834a9197527a50807530638d93c0bb4

SHA512
dcc05b05aaa8223e97ed91f16a304e603dd13ca8ba770b766e2c199e26c67a088c482098202df56c087d45d4ed80ab58c2306c7e0e5e5dc621f59256eae124b2

Download Submit
C:\Windows\{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe

Filesize
216KB

MD5
56ba96b102b92b8865f77a2cb666915b

SHA1
7ab4010aef95ffd1ee3090f5241e1ac4f08db199

SHA256
951772b4eb3941690c63fe6357e5edaf096820530bc7b9986259fbbdbb3222cd

SHA512
d4f26fa4a8c6be494f81eeb99bda2e23f7432f913cdb01619cec554138093261d25f4f5a00622c34b9d192160a22caac4e9a8e38fb07728001ca12c18faa275f

Download Submit
C:\Windows\{B0B0F66D-C544-4a6a-958D-235F8E25BB27}.exe

Filesize
216KB

MD5
56ba96b102b92b8865f77a2cb666915b

SHA1
7ab4010aef95ffd1ee3090f5241e1ac4f08db199

SHA256
951772b4eb3941690c63fe6357e5edaf096820530bc7b9986259fbbdbb3222cd

SHA512
d4f26fa4a8c6be494f81eeb99bda2e23f7432f913cdb01619cec554138093261d25f4f5a00622c34b9d192160a22caac4e9a8e38fb07728001ca12c18faa275f

Download Submit
C:\Windows\{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe

Filesize
216KB

MD5
93db9ca107281936dc8db43dcd274c9c

SHA1
a731b959ecdd2b31db6ad71ff3d68d701d211d8c

SHA256
16a7b1277cc7d0a1238216de80b4d91af23cae20ec7fe76f2dcb78ea8575b866

SHA512
97f9a4800d5359c0232cb4e6194b069af2e78a30ebe6ff2bc135a45550bc30e050a7b4be9d9a9882b26c6e8cfae426cf956d92d09435dca571580be3672f9339

Download Submit
C:\Windows\{B0B9334C-7AFF-49fc-9468-14290FF4E507}.exe

Filesize
216KB

MD5
93db9ca107281936dc8db43dcd274c9c

SHA1
a731b959ecdd2b31db6ad71ff3d68d701d211d8c

SHA256
16a7b1277cc7d0a1238216de80b4d91af23cae20ec7fe76f2dcb78ea8575b866

SHA512
97f9a4800d5359c0232cb4e6194b069af2e78a30ebe6ff2bc135a45550bc30e050a7b4be9d9a9882b26c6e8cfae426cf956d92d09435dca571580be3672f9339

Download Submit
C:\Windows\{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe

Filesize
216KB

MD5
4e30e50fef6cf9794fbb24f28654cb99

SHA1
bc64c5cc995b4284588d31adc341c32edb08ca47

SHA256
326fcfbf1b373d56a16575a8bae30b4996d19890a9006e01ba513e768bfc835f

SHA512
2eee3c8497b2a5c296f71f835a21dd14066397e2fd24fc0573defe61aac4cf18ca1b1501d04c639f9c16ed5765ec2096ce85146b56f2695861323d1ab7fe6489

Download Submit
C:\Windows\{C8E99A39-55A8-4863-9631-7FE9284D0C57}.exe

Filesize
216KB

MD5
4e30e50fef6cf9794fbb24f28654cb99

SHA1
bc64c5cc995b4284588d31adc341c32edb08ca47

SHA256
326fcfbf1b373d56a16575a8bae30b4996d19890a9006e01ba513e768bfc835f

SHA512
2eee3c8497b2a5c296f71f835a21dd14066397e2fd24fc0573defe61aac4cf18ca1b1501d04c639f9c16ed5765ec2096ce85146b56f2695861323d1ab7fe6489

Download Submit
C:\Windows\{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe

Filesize
216KB

MD5
2d82fc8559840a93dff2266556e69d4a

SHA1
ec3512d7ee0244bcf366a38b071a623a91010497

SHA256
1d11a52fd78d2eb87bb471315426296d69572e1dde0e7fdd48dd644a5bbf0cd9

SHA512
cd443088bf224aae6b92fb502cbea0888d559d52fd8c89774cc7f8229743b9f6b84223ec1e7f3316650ce7bce64de28d142264ed81527cb988192746920c9f6b

Download Submit
C:\Windows\{D07CA324-604D-486c-A62B-20EE67AC2A74}.exe

Filesize
216KB

MD5
2d82fc8559840a93dff2266556e69d4a

SHA1
ec3512d7ee0244bcf366a38b071a623a91010497

SHA256
1d11a52fd78d2eb87bb471315426296d69572e1dde0e7fdd48dd644a5bbf0cd9

SHA512
cd443088bf224aae6b92fb502cbea0888d559d52fd8c89774cc7f8229743b9f6b84223ec1e7f3316650ce7bce64de28d142264ed81527cb988192746920c9f6b

Download Submit
C:\Windows\{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe

Filesize
216KB

MD5
0d07df12befef497aaed2bce6ea505b5

SHA1
6676b9df01c144299957698ee58db04aced0f477

SHA256
5690cb7171e5e68d10e59001d3e336ef8974fc3b7e7bcdebfc908046377d83ba

SHA512
385cbc802d96efcefc151ec904f90694956a4d35c50265257a94ecac0cf9c106608e8abcb218839abc29027acf225d5b6dd5cbde5584e1606042e6f8b3c7f300

Download Submit
C:\Windows\{E5BB8C50-AD1B-4712-B2FE-9BFE178BBE6A}.exe

Filesize
216KB

MD5
0d07df12befef497aaed2bce6ea505b5

SHA1
6676b9df01c144299957698ee58db04aced0f477

SHA256
5690cb7171e5e68d10e59001d3e336ef8974fc3b7e7bcdebfc908046377d83ba

SHA512
385cbc802d96efcefc151ec904f90694956a4d35c50265257a94ecac0cf9c106608e8abcb218839abc29027acf225d5b6dd5cbde5584e1606042e6f8b3c7f300

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads