ccf83cc0902faf459f2ea1d50ef6790f408014dab489f38603346458322a53cb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe
Size

192KB
MD5

edb8b3a91d60a8be436b90cc7a2ae624
SHA1

60eda678b72bb66778c9908b80a239fecd338699
SHA256

ccf83cc0902faf459f2ea1d50ef6790f408014dab489f38603346458322a53cb
SHA512

eda1f2d30f690fc536d3d96732e5e28e3886b6df632aedc9e8f14016e12fec52e9f3de00d2177597dffd8dc09cf1475c2b9cec5ed7411f8dc487b8d545227b9a
SSDEEP

1536:1EGh0oll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oll1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A265957D-412A-44a3-8DCE-D8F2E27997F8}	{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A265957D-412A-44a3-8DCE-D8F2E27997F8}\stubpath = "C:\\Windows\\{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe"	{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}\stubpath = "C:\\Windows\\{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe"	{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}\stubpath = "C:\\Windows\\{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe"	{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}\stubpath = "C:\\Windows\\{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe"	{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}\stubpath = "C:\\Windows\\{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe"	{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{225B51F3-CD1F-499a-B882-2A06E8580A64}\stubpath = "C:\\Windows\\{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe"	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}	{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}	{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}	{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B28E9B9E-EAC3-4989-890C-52568CD1DFEA}	{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1779EAFD-F96D-4832-917B-41482D5F4D8E}\stubpath = "C:\\Windows\\{1779EAFD-F96D-4832-917B-41482D5F4D8E}.exe"	{B28E9B9E-EAC3-4989-890C-52568CD1DFEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{225B51F3-CD1F-499a-B882-2A06E8580A64}	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73A05309-EB1D-4bdb-8889-304CD5728A86}\stubpath = "C:\\Windows\\{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe"	{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{874912D2-716E-43c8-9CF3-4325D3E141E3}	{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{874912D2-716E-43c8-9CF3-4325D3E141E3}\stubpath = "C:\\Windows\\{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe"	{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73A05309-EB1D-4bdb-8889-304CD5728A86}	{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB00BFC-83F6-4b95-9BF6-920C356773F4}\stubpath = "C:\\Windows\\{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe"	{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}	{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}	{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}\stubpath = "C:\\Windows\\{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe"	{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B28E9B9E-EAC3-4989-890C-52568CD1DFEA}\stubpath = "C:\\Windows\\{B28E9B9E-EAC3-4989-890C-52568CD1DFEA}.exe"	{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1779EAFD-F96D-4832-917B-41482D5F4D8E}	{B28E9B9E-EAC3-4989-890C-52568CD1DFEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB00BFC-83F6-4b95-9BF6-920C356773F4}	{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe

Executes dropped EXE 12 IoCs

pid	Process
2092	{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe
2820	{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe
1108	{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe
4008	{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe
4324	{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe
4028	{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe
3844	{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe
2044	{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe
1260	{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe
628	{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe
5112	{B28E9B9E-EAC3-4989-890C-52568CD1DFEA}.exe
2052	{1779EAFD-F96D-4832-917B-41482D5F4D8E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe	{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe
File created	C:\Windows\{B28E9B9E-EAC3-4989-890C-52568CD1DFEA}.exe	{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe
File created	C:\Windows\{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe
File created	C:\Windows\{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe	{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe
File created	C:\Windows\{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe	{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe
File created	C:\Windows\{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe	{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe
File created	C:\Windows\{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe	{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe
File created	C:\Windows\{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe	{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe
File created	C:\Windows\{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe	{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe
File created	C:\Windows\{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe	{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe
File created	C:\Windows\{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe	{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe
File created	C:\Windows\{1779EAFD-F96D-4832-917B-41482D5F4D8E}.exe	{B28E9B9E-EAC3-4989-890C-52568CD1DFEA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4604	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2092	{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe
Token: SeIncBasePriorityPrivilege	2820	{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe
Token: SeIncBasePriorityPrivilege	1108	{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe
Token: SeIncBasePriorityPrivilege	4008	{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe
Token: SeIncBasePriorityPrivilege	4324	{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe
Token: SeIncBasePriorityPrivilege	4028	{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe
Token: SeIncBasePriorityPrivilege	3844	{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe
Token: SeIncBasePriorityPrivilege	2044	{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe
Token: SeIncBasePriorityPrivilege	1260	{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe
Token: SeIncBasePriorityPrivilege	628	{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe
Token: SeIncBasePriorityPrivilege	5112	{B28E9B9E-EAC3-4989-890C-52568CD1DFEA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 2092	4604	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	88
PID 4604 wrote to memory of 2092	4604	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	88
PID 4604 wrote to memory of 2092	4604	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	88
PID 4604 wrote to memory of 4428	4604	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	89
PID 4604 wrote to memory of 4428	4604	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	89
PID 4604 wrote to memory of 4428	4604	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	89
PID 2092 wrote to memory of 2820	2092	{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe	90
PID 2092 wrote to memory of 2820	2092	{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe	90
PID 2092 wrote to memory of 2820	2092	{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe	90
PID 2092 wrote to memory of 408	2092	{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe	91
PID 2092 wrote to memory of 408	2092	{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe	91
PID 2092 wrote to memory of 408	2092	{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe	91
PID 2820 wrote to memory of 1108	2820	{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe	93
PID 2820 wrote to memory of 1108	2820	{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe	93
PID 2820 wrote to memory of 1108	2820	{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe	93
PID 2820 wrote to memory of 1348	2820	{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe	94
PID 2820 wrote to memory of 1348	2820	{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe	94
PID 2820 wrote to memory of 1348	2820	{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe	94
PID 1108 wrote to memory of 4008	1108	{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe	95
PID 1108 wrote to memory of 4008	1108	{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe	95
PID 1108 wrote to memory of 4008	1108	{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe	95
PID 1108 wrote to memory of 2312	1108	{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe	96
PID 1108 wrote to memory of 2312	1108	{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe	96
PID 1108 wrote to memory of 2312	1108	{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe	96
PID 4008 wrote to memory of 4324	4008	{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe	97
PID 4008 wrote to memory of 4324	4008	{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe	97
PID 4008 wrote to memory of 4324	4008	{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe	97
PID 4008 wrote to memory of 4232	4008	{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe	98
PID 4008 wrote to memory of 4232	4008	{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe	98
PID 4008 wrote to memory of 4232	4008	{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe	98
PID 4324 wrote to memory of 4028	4324	{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe	99
PID 4324 wrote to memory of 4028	4324	{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe	99
PID 4324 wrote to memory of 4028	4324	{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe	99
PID 4324 wrote to memory of 4780	4324	{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe	100
PID 4324 wrote to memory of 4780	4324	{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe	100
PID 4324 wrote to memory of 4780	4324	{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe	100
PID 4028 wrote to memory of 3844	4028	{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe	101
PID 4028 wrote to memory of 3844	4028	{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe	101
PID 4028 wrote to memory of 3844	4028	{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe	101
PID 4028 wrote to memory of 2968	4028	{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe	102
PID 4028 wrote to memory of 2968	4028	{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe	102
PID 4028 wrote to memory of 2968	4028	{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe	102
PID 3844 wrote to memory of 2044	3844	{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe	103
PID 3844 wrote to memory of 2044	3844	{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe	103
PID 3844 wrote to memory of 2044	3844	{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe	103
PID 3844 wrote to memory of 644	3844	{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe	104
PID 3844 wrote to memory of 644	3844	{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe	104
PID 3844 wrote to memory of 644	3844	{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe	104
PID 2044 wrote to memory of 1260	2044	{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe	105
PID 2044 wrote to memory of 1260	2044	{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe	105
PID 2044 wrote to memory of 1260	2044	{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe	105
PID 2044 wrote to memory of 4292	2044	{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe	106
PID 2044 wrote to memory of 4292	2044	{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe	106
PID 2044 wrote to memory of 4292	2044	{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe	106
PID 1260 wrote to memory of 628	1260	{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe	107
PID 1260 wrote to memory of 628	1260	{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe	107
PID 1260 wrote to memory of 628	1260	{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe	107
PID 1260 wrote to memory of 5104	1260	{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe	108
PID 1260 wrote to memory of 5104	1260	{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe	108
PID 1260 wrote to memory of 5104	1260	{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe	108
PID 628 wrote to memory of 5112	628	{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe	109
PID 628 wrote to memory of 5112	628	{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe	109
PID 628 wrote to memory of 5112	628	{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe	109
PID 628 wrote to memory of 4756	628	{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe	110

C:\Users\Admin\AppData\Local\Temp\edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe
  C:\Windows\{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe
    C:\Windows\{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe
      C:\Windows\{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe
        
        C:\Windows\{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4008
      - C:\Windows\{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe
        
        C:\Windows\{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe
        
        C:\Windows\{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe
        
        C:\Windows\{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe
        
        C:\Windows\{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe
        
        C:\Windows\{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe
        
        C:\Windows\{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\{B28E9B9E-EAC3-4989-890C-52568CD1DFEA}.exe
        
        C:\Windows\{B28E9B9E-EAC3-4989-890C-52568CD1DFEA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\{1779EAFD-F96D-4832-917B-41482D5F4D8E}.exe
        
        C:\Windows\{1779EAFD-F96D-4832-917B-41482D5F4D8E}.exe
        13⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B28E9~1.EXE > nul
        13⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C1E2~1.EXE > nul
        12⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87491~1.EXE > nul
        11⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFDE7~1.EXE > nul
        10⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1312D~1.EXE > nul
        9⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73A05~1.EXE > nul
        8⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EB00~1.EXE > nul
        7⤵
        
        PID:4780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E0A2~1.EXE > nul
        6⤵
        
        PID:4232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79FC1~1.EXE > nul
        5⤵
        
        PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A2659~1.EXE > nul
      4⤵
      PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{225B5~1.EXE > nul
    3⤵
    PID:408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EDB8B3~1.EXE > nul
  2⤵
  PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe

Filesize
192KB

MD5
eabf80edb089dd376fdaf414b23118a7

SHA1
b3c67360b1825a99d99ff0c896cda9f3b5a54815

SHA256
666e488c33a844c861bedfcc7bca5e9ce93b00eeecbc5c8e548c8becdc502bd9

SHA512
7ed886e632c73457c77f35cf1ec4c66015b411443274a29e7b76e23d3f501670d5a7165cb3efb6e7947fd4d6fdc39e5aa46c8cd3c912d9fc769d1977d0eea5b5

Download Submit
C:\Windows\{1312D4BF-E590-46fe-8CC1-5F2A2905C0BB}.exe

Filesize
192KB

MD5
eabf80edb089dd376fdaf414b23118a7

SHA1
b3c67360b1825a99d99ff0c896cda9f3b5a54815

SHA256
666e488c33a844c861bedfcc7bca5e9ce93b00eeecbc5c8e548c8becdc502bd9

SHA512
7ed886e632c73457c77f35cf1ec4c66015b411443274a29e7b76e23d3f501670d5a7165cb3efb6e7947fd4d6fdc39e5aa46c8cd3c912d9fc769d1977d0eea5b5

Download Submit
C:\Windows\{1779EAFD-F96D-4832-917B-41482D5F4D8E}.exe

Filesize
192KB

MD5
c55d797dfbfc0a85ee36060360d733c5

SHA1
7f2f0521c7bd579a3017c9182d8bdd66b4d21636

SHA256
599ad9aa060b33509d7aaee819832d0ed3bb0269cc986577c3725343a165d116

SHA512
9e698107803d6d10ea7c39dccaf275fea6570cecacadc95eb84cdbad922b5f7460b82f2057a7f144e982722c53fb9c647a24a74f7b57b75115c097ff3e6403cb

Download Submit
C:\Windows\{1779EAFD-F96D-4832-917B-41482D5F4D8E}.exe

Filesize
192KB

MD5
c55d797dfbfc0a85ee36060360d733c5

SHA1
7f2f0521c7bd579a3017c9182d8bdd66b4d21636

SHA256
599ad9aa060b33509d7aaee819832d0ed3bb0269cc986577c3725343a165d116

SHA512
9e698107803d6d10ea7c39dccaf275fea6570cecacadc95eb84cdbad922b5f7460b82f2057a7f144e982722c53fb9c647a24a74f7b57b75115c097ff3e6403cb

Download Submit
C:\Windows\{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe

Filesize
192KB

MD5
9f712967a7b5fad22c4b15171671db0e

SHA1
9b4854677c5c8ba5806f8b52ffef6c3c8c08b1b2

SHA256
79483e747d2602d0ea603a3446e8a15d044d4fe221dda3db06fafb885b41323c

SHA512
bb0513af0305cdbba32933b982f663560f2dd6859df0cebb106512ecb02a577ec269ba0953dcb2e865e7f29ffdd07a10971a6765eadae1b0ad4e441f634e9c3e

Download Submit
C:\Windows\{225B51F3-CD1F-499a-B882-2A06E8580A64}.exe

Filesize
192KB

MD5
9f712967a7b5fad22c4b15171671db0e

SHA1
9b4854677c5c8ba5806f8b52ffef6c3c8c08b1b2

SHA256
79483e747d2602d0ea603a3446e8a15d044d4fe221dda3db06fafb885b41323c

SHA512
bb0513af0305cdbba32933b982f663560f2dd6859df0cebb106512ecb02a577ec269ba0953dcb2e865e7f29ffdd07a10971a6765eadae1b0ad4e441f634e9c3e

Download Submit
C:\Windows\{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe

Filesize
192KB

MD5
05e420b40c020f0528483068eefd721c

SHA1
5ec2a7018bd4e272c869d190354b58fceb1fe660

SHA256
1ed837aac92bac94d884a28a0bad4b90b0c96228a450485648582d7090ff1b0e

SHA512
acbcb97413d8d511a2300989ab86d3805f47cb99375b2647cbea1e5c328978eb3896767e77bc8677b84b98c950947cc6a1bdd1263c9a7457374ab80e1a0d3db5

Download Submit
C:\Windows\{6EB00BFC-83F6-4b95-9BF6-920C356773F4}.exe

Filesize
192KB

MD5
05e420b40c020f0528483068eefd721c

SHA1
5ec2a7018bd4e272c869d190354b58fceb1fe660

SHA256
1ed837aac92bac94d884a28a0bad4b90b0c96228a450485648582d7090ff1b0e

SHA512
acbcb97413d8d511a2300989ab86d3805f47cb99375b2647cbea1e5c328978eb3896767e77bc8677b84b98c950947cc6a1bdd1263c9a7457374ab80e1a0d3db5

Download Submit
C:\Windows\{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe

Filesize
192KB

MD5
3e5e16ed2aac04757086460ebb1713a0

SHA1
4b168c474b8a6d12fe368bc3b96c12c52cc6d1d2

SHA256
19a850da99e0cc0c05d9c5235b713faf3e5c42994e179ec766983820608fc88b

SHA512
88009477995e10d3c9a91a77170916a5b6cde26cd1aeff51ec76762efe5d1c4c49cf1a0a1e450ae73a44f89f0801ab3a80f1c72cc0a87680af160c0fabd14cc9

Download Submit
C:\Windows\{73A05309-EB1D-4bdb-8889-304CD5728A86}.exe

Filesize
192KB

MD5
3e5e16ed2aac04757086460ebb1713a0

SHA1
4b168c474b8a6d12fe368bc3b96c12c52cc6d1d2

SHA256
19a850da99e0cc0c05d9c5235b713faf3e5c42994e179ec766983820608fc88b

SHA512
88009477995e10d3c9a91a77170916a5b6cde26cd1aeff51ec76762efe5d1c4c49cf1a0a1e450ae73a44f89f0801ab3a80f1c72cc0a87680af160c0fabd14cc9

Download Submit
C:\Windows\{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe

Filesize
192KB

MD5
39eadea1a27c20829db1ba735b8b847a

SHA1
cf4e8db2ea2af4ae68818236975cc2cc73021f8b

SHA256
c04ab345a7912bf7d298f0d7b2dd2f8c26c45feb1da773ce6b6251cabae436e5

SHA512
d056a94e881a3cc3056693d1ea8da50b0ae61f2bddc0bda6d1fdc711eea92cf5fe95b22a4584817d4e9c6fa3581d60e17b998da5ef74da218ffbc8a51cb4ff9d

Download Submit
C:\Windows\{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe

Filesize
192KB

MD5
39eadea1a27c20829db1ba735b8b847a

SHA1
cf4e8db2ea2af4ae68818236975cc2cc73021f8b

SHA256
c04ab345a7912bf7d298f0d7b2dd2f8c26c45feb1da773ce6b6251cabae436e5

SHA512
d056a94e881a3cc3056693d1ea8da50b0ae61f2bddc0bda6d1fdc711eea92cf5fe95b22a4584817d4e9c6fa3581d60e17b998da5ef74da218ffbc8a51cb4ff9d

Download Submit
C:\Windows\{79FC1DD1-0FC4-40f8-857C-5DDA758749ED}.exe

Filesize
192KB

MD5
39eadea1a27c20829db1ba735b8b847a

SHA1
cf4e8db2ea2af4ae68818236975cc2cc73021f8b

SHA256
c04ab345a7912bf7d298f0d7b2dd2f8c26c45feb1da773ce6b6251cabae436e5

SHA512
d056a94e881a3cc3056693d1ea8da50b0ae61f2bddc0bda6d1fdc711eea92cf5fe95b22a4584817d4e9c6fa3581d60e17b998da5ef74da218ffbc8a51cb4ff9d

Download Submit
C:\Windows\{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe

Filesize
192KB

MD5
323d3d725ad5af9feefacb5f7ff81b32

SHA1
a071cffc16e505ace5c1215b696b2c3453ce5908

SHA256
4ad90a778c063d47ad1931835a17ee0f517c740b33d45a108416fa10d4542e76

SHA512
a09a14801d2a94a539d27a809f34db99df8c63f964058bab042ea592139c74fd263926805a9a592b9daebdd4ad13401c2f8d1580bd50ae9e234b6f0115827dc6

Download Submit
C:\Windows\{7C1E22CC-E33C-463b-87B2-F25E4DE79B10}.exe

Filesize
192KB

MD5
323d3d725ad5af9feefacb5f7ff81b32

SHA1
a071cffc16e505ace5c1215b696b2c3453ce5908

SHA256
4ad90a778c063d47ad1931835a17ee0f517c740b33d45a108416fa10d4542e76

SHA512
a09a14801d2a94a539d27a809f34db99df8c63f964058bab042ea592139c74fd263926805a9a592b9daebdd4ad13401c2f8d1580bd50ae9e234b6f0115827dc6

Download Submit
C:\Windows\{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe

Filesize
192KB

MD5
d010a9003c3f073823922793a9267eae

SHA1
a1be655f95d1ca13435a10637b5b1f3fd7ee11ac

SHA256
2f169cc2c1ba29791709c08a566726a29da3b1dc3da045211c3f411d85100e54

SHA512
0db63638daea05460f3e37b2a950b93d750e977302b48577103b18078084c6b759c72e58032d57a447824b4c10a507252d97a771922c1ecfea968ba47e4324f6

Download Submit
C:\Windows\{874912D2-716E-43c8-9CF3-4325D3E141E3}.exe

Filesize
192KB

MD5
d010a9003c3f073823922793a9267eae

SHA1
a1be655f95d1ca13435a10637b5b1f3fd7ee11ac

SHA256
2f169cc2c1ba29791709c08a566726a29da3b1dc3da045211c3f411d85100e54

SHA512
0db63638daea05460f3e37b2a950b93d750e977302b48577103b18078084c6b759c72e58032d57a447824b4c10a507252d97a771922c1ecfea968ba47e4324f6

Download Submit
C:\Windows\{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe

Filesize
192KB

MD5
c39daa89a4475ec8fcd505876cfbf674

SHA1
3c342aec90aec3eb4ace8ed2467d62376f63024d

SHA256
2638ea08883b4c3f59b3e0779d393b7300e2cd9cff3fead44b78a4ff821a5844

SHA512
59509c215fdc1da985167820e0abcdfeea05e46e0dbaed0a5ff38b641c102b543b694d530171abc877893cafce8e1bdb834b6d162b2f6803a8545841ef8d78d3

Download Submit
C:\Windows\{8E0A2EA1-9876-46a4-A53C-CC15006B7C54}.exe

Filesize
192KB

MD5
c39daa89a4475ec8fcd505876cfbf674

SHA1
3c342aec90aec3eb4ace8ed2467d62376f63024d

SHA256
2638ea08883b4c3f59b3e0779d393b7300e2cd9cff3fead44b78a4ff821a5844

SHA512
59509c215fdc1da985167820e0abcdfeea05e46e0dbaed0a5ff38b641c102b543b694d530171abc877893cafce8e1bdb834b6d162b2f6803a8545841ef8d78d3

Download Submit
C:\Windows\{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe

Filesize
192KB

MD5
eb14acafd87df39b826a5d92a2637892

SHA1
74c37959d1bf1f25af24f466ec1b12fc295ac0df

SHA256
39b5b02075fe587a7fc842bf2a1126ae248175bb4f32d56436c2cd0b049be455

SHA512
c2382a7be39cb9152decd9a4562e4f85184d198b0846bb896612592bc3f30b54adc98e85793358f28bd71f8a033a1f2a8772ad39c895ef69c81fea572bb8c1fd

Download Submit
C:\Windows\{A265957D-412A-44a3-8DCE-D8F2E27997F8}.exe

Filesize
192KB

MD5
eb14acafd87df39b826a5d92a2637892

SHA1
74c37959d1bf1f25af24f466ec1b12fc295ac0df

SHA256
39b5b02075fe587a7fc842bf2a1126ae248175bb4f32d56436c2cd0b049be455

SHA512
c2382a7be39cb9152decd9a4562e4f85184d198b0846bb896612592bc3f30b54adc98e85793358f28bd71f8a033a1f2a8772ad39c895ef69c81fea572bb8c1fd

Download Submit
C:\Windows\{B28E9B9E-EAC3-4989-890C-52568CD1DFEA}.exe

Filesize
192KB

MD5
34adb2ad5ba2fdb0358062dcfd166969

SHA1
7e99e876a78735ef83b7452dc80292c965eb44eb

SHA256
cbb19fdd460a93b7220845ed832be6ef0f998d39c8aec366e07047351f86e997

SHA512
3d23fd7841427ca1a60fa979225c1bf59e60029d6b5694d1eccbf6882990fc5dc625a6457a1991e73de378971e12a8181d2c5b632ded8f7fc11717ca51a72c40

Download Submit
C:\Windows\{B28E9B9E-EAC3-4989-890C-52568CD1DFEA}.exe

Filesize
192KB

MD5
34adb2ad5ba2fdb0358062dcfd166969

SHA1
7e99e876a78735ef83b7452dc80292c965eb44eb

SHA256
cbb19fdd460a93b7220845ed832be6ef0f998d39c8aec366e07047351f86e997

SHA512
3d23fd7841427ca1a60fa979225c1bf59e60029d6b5694d1eccbf6882990fc5dc625a6457a1991e73de378971e12a8181d2c5b632ded8f7fc11717ca51a72c40

Download Submit
C:\Windows\{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe

Filesize
192KB

MD5
58fb5ac0791ea87f8b47d934f1ede166

SHA1
1476383967fb4123837f0a0bfc496a986a5c0ae0

SHA256
7fb91e6779f0a5829c1d090f01e92b4f12cf9a2d1c6783dd71e752e2b4922944

SHA512
8e74f679e5dda4ae53bd7558de631e790167d71e1fefd8a064e9e252d4eb0a5edba995509f32f3e3d2b50021d1aa2c52a752b87d6c819e5295fbcc87e05250f7

Download Submit
C:\Windows\{CFDE758C-BD8A-4b5f-BD9F-B8CEEF58A535}.exe

Filesize
192KB

MD5
58fb5ac0791ea87f8b47d934f1ede166

SHA1
1476383967fb4123837f0a0bfc496a986a5c0ae0

SHA256
7fb91e6779f0a5829c1d090f01e92b4f12cf9a2d1c6783dd71e752e2b4922944

SHA512
8e74f679e5dda4ae53bd7558de631e790167d71e1fefd8a064e9e252d4eb0a5edba995509f32f3e3d2b50021d1aa2c52a752b87d6c819e5295fbcc87e05250f7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads