570d31518061af2b92a8bb384cb61337f372afea40f52d5d4b430f123c8f7df4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe
Size

372KB
MD5

670bb9aab03cc7e461497b32357433a5
SHA1

103b04de84891b422f6e207d2416d3c0bbf0fe39
SHA256

570d31518061af2b92a8bb384cb61337f372afea40f52d5d4b430f123c8f7df4
SHA512

80181423ad215e228199a0c6150cbc0f46687f538534b5f5585127635c136a9706ce80ce3a10660dc5d3c79f1a35b4577d3e11b7f22ba914dd18a4a7218be98b
SSDEEP

3072:CEGh0oalMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG8lkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B7C0CC3-ECA8-4820-9655-E0A8EB51A1C8}	{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2213A34B-3784-42e4-9ED6-2ECC26EBED44}\stubpath = "C:\\Windows\\{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe"	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A691773-3814-4a26-9AC7-BE0F7812F370}	{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}\stubpath = "C:\\Windows\\{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe"	{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37C35F02-6EFB-4107-A10E-2FBDA675EC56}\stubpath = "C:\\Windows\\{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe"	{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57AE02C9-465D-4710-8F75-292A3DD3D5AC}\stubpath = "C:\\Windows\\{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe"	{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8025E752-0144-465c-84C7-B8D5A4FBDB5E}\stubpath = "C:\\Windows\\{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe"	{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3180EA58-CAC1-41b6-84A7-B31380719A38}\stubpath = "C:\\Windows\\{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe"	{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2244BC2E-4467-46a8-BA16-6257D90FB0EB}\stubpath = "C:\\Windows\\{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe"	{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B7C0CC3-ECA8-4820-9655-E0A8EB51A1C8}\stubpath = "C:\\Windows\\{7B7C0CC3-ECA8-4820-9655-E0A8EB51A1C8}.exe"	{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A691773-3814-4a26-9AC7-BE0F7812F370}\stubpath = "C:\\Windows\\{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe"	{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}	{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37C35F02-6EFB-4107-A10E-2FBDA675EC56}	{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3180EA58-CAC1-41b6-84A7-B31380719A38}	{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57AE02C9-465D-4710-8F75-292A3DD3D5AC}	{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8025E752-0144-465c-84C7-B8D5A4FBDB5E}	{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2213A34B-3784-42e4-9ED6-2ECC26EBED44}	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E25D32A-8175-4771-BF5E-B3058359DA5D}	{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E25D32A-8175-4771-BF5E-B3058359DA5D}\stubpath = "C:\\Windows\\{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe"	{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2244BC2E-4467-46a8-BA16-6257D90FB0EB}	{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}	{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}\stubpath = "C:\\Windows\\{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe"	{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe

Executes dropped EXE 11 IoCs

pid	Process
4132	{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe
4776	{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe
4880	{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe
4132	{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe
3476	{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe
4480	{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe
4292	{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe
2812	{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe
4468	{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe
3928	{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe
1084	{7B7C0CC3-ECA8-4820-9655-E0A8EB51A1C8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7B7C0CC3-ECA8-4820-9655-E0A8EB51A1C8}.exe	{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe
File created	C:\Windows\{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe	{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe
File created	C:\Windows\{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe	{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe
File created	C:\Windows\{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe	{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe
File created	C:\Windows\{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe	{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe
File created	C:\Windows\{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe	{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe
File created	C:\Windows\{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe	{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe
File created	C:\Windows\{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe	{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe
File created	C:\Windows\{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe
File created	C:\Windows\{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe	{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe
File created	C:\Windows\{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe	{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4024	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4132	{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe
Token: SeIncBasePriorityPrivilege	4776	{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe
Token: SeIncBasePriorityPrivilege	4880	{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe
Token: SeIncBasePriorityPrivilege	4132	{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe
Token: SeIncBasePriorityPrivilege	3476	{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe
Token: SeIncBasePriorityPrivilege	4480	{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe
Token: SeIncBasePriorityPrivilege	4292	{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe
Token: SeIncBasePriorityPrivilege	2812	{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe
Token: SeIncBasePriorityPrivilege	4468	{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe
Token: SeIncBasePriorityPrivilege	3928	{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 4132	4024	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	99
PID 4024 wrote to memory of 4132	4024	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	99
PID 4024 wrote to memory of 4132	4024	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	99
PID 4024 wrote to memory of 2136	4024	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	98
PID 4024 wrote to memory of 2136	4024	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	98
PID 4024 wrote to memory of 2136	4024	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	98
PID 4132 wrote to memory of 4776	4132	{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe	103
PID 4132 wrote to memory of 4776	4132	{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe	103
PID 4132 wrote to memory of 4776	4132	{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe	103
PID 4132 wrote to memory of 4916	4132	{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe	102
PID 4132 wrote to memory of 4916	4132	{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe	102
PID 4132 wrote to memory of 4916	4132	{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe	102
PID 4776 wrote to memory of 4880	4776	{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe	108
PID 4776 wrote to memory of 4880	4776	{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe	108
PID 4776 wrote to memory of 4880	4776	{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe	108
PID 4776 wrote to memory of 3180	4776	{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe	107
PID 4776 wrote to memory of 3180	4776	{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe	107
PID 4776 wrote to memory of 3180	4776	{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe	107
PID 4880 wrote to memory of 4132	4880	{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe	110
PID 4880 wrote to memory of 4132	4880	{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe	110
PID 4880 wrote to memory of 4132	4880	{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe	110
PID 4880 wrote to memory of 4356	4880	{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe	109
PID 4880 wrote to memory of 4356	4880	{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe	109
PID 4880 wrote to memory of 4356	4880	{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe	109
PID 4132 wrote to memory of 3476	4132	{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe	112
PID 4132 wrote to memory of 3476	4132	{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe	112
PID 4132 wrote to memory of 3476	4132	{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe	112
PID 4132 wrote to memory of 1936	4132	{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe	111
PID 4132 wrote to memory of 1936	4132	{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe	111
PID 4132 wrote to memory of 1936	4132	{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe	111
PID 3476 wrote to memory of 4480	3476	{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe	114
PID 3476 wrote to memory of 4480	3476	{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe	114
PID 3476 wrote to memory of 4480	3476	{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe	114
PID 3476 wrote to memory of 1012	3476	{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe	115
PID 3476 wrote to memory of 1012	3476	{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe	115
PID 3476 wrote to memory of 1012	3476	{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe	115
PID 4480 wrote to memory of 4292	4480	{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe	116
PID 4480 wrote to memory of 4292	4480	{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe	116
PID 4480 wrote to memory of 4292	4480	{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe	116
PID 4480 wrote to memory of 1684	4480	{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe	117
PID 4480 wrote to memory of 1684	4480	{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe	117
PID 4480 wrote to memory of 1684	4480	{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe	117
PID 4292 wrote to memory of 2812	4292	{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe	118
PID 4292 wrote to memory of 2812	4292	{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe	118
PID 4292 wrote to memory of 2812	4292	{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe	118
PID 4292 wrote to memory of 1940	4292	{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe	119
PID 4292 wrote to memory of 1940	4292	{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe	119
PID 4292 wrote to memory of 1940	4292	{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe	119
PID 2812 wrote to memory of 4468	2812	{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe	125
PID 2812 wrote to memory of 4468	2812	{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe	125
PID 2812 wrote to memory of 4468	2812	{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe	125
PID 2812 wrote to memory of 4496	2812	{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe	124
PID 2812 wrote to memory of 4496	2812	{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe	124
PID 2812 wrote to memory of 4496	2812	{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe	124
PID 4468 wrote to memory of 3928	4468	{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe	127
PID 4468 wrote to memory of 3928	4468	{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe	127
PID 4468 wrote to memory of 3928	4468	{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe	127
PID 4468 wrote to memory of 4340	4468	{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe	126
PID 4468 wrote to memory of 4340	4468	{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe	126
PID 4468 wrote to memory of 4340	4468	{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe	126
PID 3928 wrote to memory of 1084	3928	{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe	128
PID 3928 wrote to memory of 1084	3928	{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe	128
PID 3928 wrote to memory of 1084	3928	{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe	128
PID 3928 wrote to memory of 4488	3928	{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2136
- C:\Windows\{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe
  C:\Windows\{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2213A~1.EXE > nul
    3⤵
    PID:4916
- - C:\Windows\{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe
    C:\Windows\{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3A691~1.EXE > nul
      4⤵
      PID:3180
  - - C:\Windows\{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe
      C:\Windows\{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3BF3~1.EXE > nul
        5⤵
        
        PID:4356
    - - C:\Windows\{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe
        
        C:\Windows\{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4132
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E25D~1.EXE > nul
        6⤵
        
        PID:1936
      - C:\Windows\{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe
        
        C:\Windows\{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe
        
        C:\Windows\{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe
        
        C:\Windows\{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe
        
        C:\Windows\{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2244B~1.EXE > nul
        10⤵
        
        PID:4496
        
        C:\Windows\{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe
        
        C:\Windows\{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A3E1~1.EXE > nul
        11⤵
        
        PID:4340
        
        C:\Windows\{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe
        
        C:\Windows\{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\{7B7C0CC3-ECA8-4820-9655-E0A8EB51A1C8}.exe
        
        C:\Windows\{7B7C0CC3-ECA8-4820-9655-E0A8EB51A1C8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8025E~1.EXE > nul
        12⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57AE0~1.EXE > nul
        9⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3180E~1.EXE > nul
        8⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37C35~1.EXE > nul
        7⤵
        
        PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E25D32A-8175-4771-BF5E-B3058359DA5D}.exe

Filesize
372KB

MD5
c2dac0ed77f151b7df9a370d69f09d3c

SHA1
1b00e677275502e599c614174f0552e444c0ad6d

SHA256
597d6766c6a6e2200084547ef4c6807ae3349c521010aef51475e46123822fc7

SHA512
e82fadba9a073e3020b9c78e882e96063e49fb70fcbb6ab19ea065c4a2e805920535ddd9a3a279e178c9fad8ebf0da17ea07349ccf1ff40cd9ea9c1d982c53c2

Download Submit
C:\Windows\{2213A34B-3784-42e4-9ED6-2ECC26EBED44}.exe

Filesize
372KB

MD5
a284ab63f64fb07358a6e903719cf6ef

SHA1
61fb5440e73ea7049e0045e6a977622d0278b91d

SHA256
fa234a3aafc5e455acd9297d7e70390772e51d63af568d666c87eb0513e8fb80

SHA512
f35623fb426edc1ab7b4441d31b9ee6eb937870835934c9fcbe38c8f77ff8a533da3db84f41b6b7f2c2e370b4f35eb0c2ec1e9341f731328f3587fff851ea6d6

Download Submit
C:\Windows\{2244BC2E-4467-46a8-BA16-6257D90FB0EB}.exe

Filesize
372KB

MD5
3fe26a2a225e8b0f46d3894858c7fadd

SHA1
3447c8c50a6a613e35680dc30105a24bf97099c5

SHA256
0e2e947e6287d691e87660fbd2a6054e84010e8c165373c7c1984b74c00cdb48

SHA512
88c22ac86ae6cbadfc41198afe100a21bfb695141747c2ddd733ca7b839374d47ee72b08dfead2aa6c8a441e3ad818184aa48b54bc4e5f9d32ff8f5b8eeaa977

Download Submit
C:\Windows\{3180EA58-CAC1-41b6-84A7-B31380719A38}.exe

Filesize
372KB

MD5
bcd0baf7d3a630c001b5d4e626c84ee2

SHA1
89dd7b7f56a1a75e177aae119b88777ddc0a8adb

SHA256
38f13d290baee2c0ef54cfc3ad4e42d19fbef47c58a8503c492cadd1c9f10bd7

SHA512
d7eb10dd1bc6518b23f3b697a8ca1ed602fea520d674644fada40eeb07c720935075cec5b7966ecaa73f4e9c9e0d93a58e5b6704fac1a667e7195eea1c0d0fc4

Download Submit
C:\Windows\{37C35F02-6EFB-4107-A10E-2FBDA675EC56}.exe

Filesize
372KB

MD5
fc0a05369a506fddec4ed6c578016660

SHA1
d2ed96deff6be932103d26f7247bc87eeee27277

SHA256
f56ec36d12d5ab2bfbde534cfc52af8f6ce50b4e895bc5381447dd90bdffc1b4

SHA512
dab4c0c7365dfd9427645a26e6306a2849e420788482e2a828dc5b10007f8be70470291b8cd337aad6352d6ac905f8c8d5f3e795be2b9e31d9001037d267f54b

Download Submit
C:\Windows\{3A691773-3814-4a26-9AC7-BE0F7812F370}.exe

Filesize
372KB

MD5
ac9de2506c80ce0e4dce3c9bbe08c744

SHA1
ea4158f6dcd8d5b04349317e7a9dff2e74faefc2

SHA256
c5e30101bc10b6ff9c628f4710e05ce7ade22fbdfefc873ca59638c3e6d495aa

SHA512
55e01d4419320d9ef4520539ad6026346a3e179306a858b260fe844dc7c7e5a670e58a15fff39d55a34a3cf879ec94376926efcf03935b304b413477074411c5

Download Submit
C:\Windows\{57AE02C9-465D-4710-8F75-292A3DD3D5AC}.exe

Filesize
372KB

MD5
9b8227d5ab411f01b6ebc756124c4673

SHA1
c50a8b816b7587849f2074236470cb75a6e97d6c

SHA256
f327419412034705cd6e5d884612504d427fba5a96d8832ca61bc71034e29320

SHA512
675c5a86e291209e72eeb00ad7f76b3843dff9ddeeb141476512508f0fad0ea9e07395c478996b0a3768e331074a16f7c1c4e7f2447123b0b822e60e2a1320b8

Download Submit
C:\Windows\{5A3E1718-EF49-4df5-B8EF-08F41F6FC702}.exe

Filesize
372KB

MD5
068a009a75ca83a1ad41e4b4b195815e

SHA1
ad2423f8b7add5e36865069d3637ffa96ff18c16

SHA256
f65e46688f58cf87797903d6e920bf9d0c52d4fe483608e504df0a1c5e7f1504

SHA512
28b62bc2cb65dc7bb7b1c3186aa3a20f43cd25a9930f968fd55dee0e74e97732ae6cd582e6ff02c9b41f96937f5b26a50268b2e0b301584ee6ef3765421e496a

Download Submit
C:\Windows\{7B7C0CC3-ECA8-4820-9655-E0A8EB51A1C8}.exe

Filesize
372KB

MD5
9d92820f97180328f9cbf250f4ab060b

SHA1
d7f6f8004da4369dfcc09a900864db22aa39fbf3

SHA256
82a971adb8d346b64cc750a0dc99d011fde1426eac42ca0ca581fd129cb779ff

SHA512
3ac191c84f8ab4a483a238bd5b2931b6124c984bde281381588c050200bfddac7b3566065d43ca0cde4e0a0b2cdac9bfb2c75896435a1950f944a7f936df9611

Download Submit
C:\Windows\{8025E752-0144-465c-84C7-B8D5A4FBDB5E}.exe

Filesize
372KB

MD5
46e69da75efaae36e4b26ff2361fda35

SHA1
2d47bf76728084a2d81cc1b57e508a172a409958

SHA256
a8d7e11d176895e50125866605565c3d466c80c05808a7004ed25217e8ed694e

SHA512
43d045489c2d40909de806a0bbc2f3185e888d1d2f6512ce62ef3e5e841056f4c87e4609190e81d3af31cfa6f29e88539b8d9d6be3f7b95f4d451c983e771113

Download Submit
C:\Windows\{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe

Filesize
333KB

MD5
2d1c70b9976a75a1a9c2f432ce57271a

SHA1
287e787ca461a626d2de756dda8fde357345c745

SHA256
95dd815e118ea029b9ab1b41d77cf364a0ae042e9709429ec0a90a4aa59ba022

SHA512
aeeb5d0a6d63fb804bc8ddb1ade0f81d9b98e6845892d86b55d12963f81bba0e1dfba0c71e1091eacde4fb428cba618cef14c544e9170c6ae0ab04d2fc725d0c

Download Submit
C:\Windows\{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe

Filesize
256KB

MD5
1689e54e80c5de5e85a50f1ccb7b5379

SHA1
8bda7e639ffd5e9067d9c0dbfa528a2e2eb77ade

SHA256
b2d4df7baba163e2a22d29759946b3f7b1614946d27d655d3e9b31e410bd1a02

SHA512
df9593c98dea2609248fd903dcdfef8531c85a16c8355ea39ccdc4636c756784de5ff31c0438d26325b607b116f28dc7c6632a76e3e8d86929434942ade1db93

Download Submit
C:\Windows\{C3BF3EDA-4D2C-4fe0-9263-59974D30C75E}.exe

Filesize
372KB

MD5
79ededff9c5098980bac3316538b35a1

SHA1
dea69bbea92a8167e423edb5a06e55486b4dc1fa

SHA256
b07778ffcc72d553141726e62964a46c6902938fb343c3426e86171ea26afab5

SHA512
ab22cd20896c6016158cf469b45d8ba0555f31d375120cbe6aee44b2aeef8462cd43d7c33d43658bfaede82d16246cf66de3dba63a04288dc108df248417eff5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads