289f83800bb1e2f52206d578c2ca4a91c31d33fcf16f11cbd1e0c310cbf8244c

Analysis

max time kernel
137s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 05:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_80514956bab8f389c6a0d3c334cb2940_goldeneye.exe
Size

344KB
MD5

80514956bab8f389c6a0d3c334cb2940
SHA1

8dc50f22f2fe41a14fba83e61cb748595863298a
SHA256

289f83800bb1e2f52206d578c2ca4a91c31d33fcf16f11cbd1e0c310cbf8244c
SHA512

57f78a8c10a9721b99d4f8e9c0e8f8cd043636cc6ef3ca5d21901a43445f606e6e84fbe1f9b442960b3caee1567085b262a43563a4158c6f27939bc6d3aa80d0
SSDEEP

3072:mEGh0o4lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGylqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9B18E82-2039-4a08-9E21-BECFC3674EDA}\stubpath = "C:\\Windows\\{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe"	{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}\stubpath = "C:\\Windows\\{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe"	{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}\stubpath = "C:\\Windows\\{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe"	{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99242BAA-0A00-4590-8B61-F66AD8DAB121}	2024-01-09_80514956bab8f389c6a0d3c334cb2940_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DAE66A2-E61F-47fb-ADDF-5188B1209462}\stubpath = "C:\\Windows\\{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe"	{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62015AAC-DAFE-4cc0-B16B-9F810A22A862}	{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98B46BDD-CD88-4c61-A3F0-D7F44B39C0BF}	{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98B46BDD-CD88-4c61-A3F0-D7F44B39C0BF}\stubpath = "C:\\Windows\\{98B46BDD-CD88-4c61-A3F0-D7F44B39C0BF}.exe"	{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}	{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}	{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}	{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62015AAC-DAFE-4cc0-B16B-9F810A22A862}\stubpath = "C:\\Windows\\{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe"	{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D73D8D53-0942-49f7-A83F-AB1348DF12FB}	{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D73D8D53-0942-49f7-A83F-AB1348DF12FB}\stubpath = "C:\\Windows\\{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe"	{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94CD8E7F-C083-4bca-B80E-BCA5631323C7}	{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94CD8E7F-C083-4bca-B80E-BCA5631323C7}\stubpath = "C:\\Windows\\{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe"	{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99242BAA-0A00-4590-8B61-F66AD8DAB121}\stubpath = "C:\\Windows\\{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe"	2024-01-09_80514956bab8f389c6a0d3c334cb2940_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}\stubpath = "C:\\Windows\\{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe"	{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DAE66A2-E61F-47fb-ADDF-5188B1209462}	{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9B18E82-2039-4a08-9E21-BECFC3674EDA}	{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}	{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}\stubpath = "C:\\Windows\\{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe"	{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe

Executes dropped EXE 11 IoCs

pid	Process
392	{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe
4464	{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe
1260	{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe
4624	{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe
3768	{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe
3100	{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe
1280	{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe
1016	{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe
4172	{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe
4472	{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe
1076	{98B46BDD-CD88-4c61-A3F0-D7F44B39C0BF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{98B46BDD-CD88-4c61-A3F0-D7F44B39C0BF}.exe	{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe
File created	C:\Windows\{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe	{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe
File created	C:\Windows\{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe	{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe
File created	C:\Windows\{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe	{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe
File created	C:\Windows\{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe	{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe
File created	C:\Windows\{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe	{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe
File created	C:\Windows\{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe	{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe
File created	C:\Windows\{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe	{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe
File created	C:\Windows\{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe	2024-01-09_80514956bab8f389c6a0d3c334cb2940_goldeneye.exe
File created	C:\Windows\{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe	{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe
File created	C:\Windows\{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe	{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1692	2024-01-09_80514956bab8f389c6a0d3c334cb2940_goldeneye.exe
Token: SeIncBasePriorityPrivilege	392	{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe
Token: SeIncBasePriorityPrivilege	4464	{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe
Token: SeIncBasePriorityPrivilege	1260	{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe
Token: SeIncBasePriorityPrivilege	4624	{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe
Token: SeIncBasePriorityPrivilege	3768	{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe
Token: SeIncBasePriorityPrivilege	3100	{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe
Token: SeIncBasePriorityPrivilege	1280	{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe
Token: SeIncBasePriorityPrivilege	1016	{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe
Token: SeIncBasePriorityPrivilege	4172	{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe
Token: SeIncBasePriorityPrivilege	4472	{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 392	1692	2024-01-09_80514956bab8f389c6a0d3c334cb2940_goldeneye.exe	100
PID 1692 wrote to memory of 392	1692	2024-01-09_80514956bab8f389c6a0d3c334cb2940_goldeneye.exe	100
PID 1692 wrote to memory of 392	1692	2024-01-09_80514956bab8f389c6a0d3c334cb2940_goldeneye.exe	100
PID 1692 wrote to memory of 1132	1692	2024-01-09_80514956bab8f389c6a0d3c334cb2940_goldeneye.exe	99
PID 1692 wrote to memory of 1132	1692	2024-01-09_80514956bab8f389c6a0d3c334cb2940_goldeneye.exe	99
PID 1692 wrote to memory of 1132	1692	2024-01-09_80514956bab8f389c6a0d3c334cb2940_goldeneye.exe	99
PID 392 wrote to memory of 4464	392	{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe	101
PID 392 wrote to memory of 4464	392	{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe	101
PID 392 wrote to memory of 4464	392	{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe	101
PID 392 wrote to memory of 4984	392	{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe	102
PID 392 wrote to memory of 4984	392	{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe	102
PID 392 wrote to memory of 4984	392	{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe	102
PID 4464 wrote to memory of 1260	4464	{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe	106
PID 4464 wrote to memory of 1260	4464	{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe	106
PID 4464 wrote to memory of 1260	4464	{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe	106
PID 4464 wrote to memory of 4844	4464	{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe	105
PID 4464 wrote to memory of 4844	4464	{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe	105
PID 4464 wrote to memory of 4844	4464	{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe	105
PID 1260 wrote to memory of 4624	1260	{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe	108
PID 1260 wrote to memory of 4624	1260	{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe	108
PID 1260 wrote to memory of 4624	1260	{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe	108
PID 1260 wrote to memory of 2188	1260	{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe	107
PID 1260 wrote to memory of 2188	1260	{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe	107
PID 1260 wrote to memory of 2188	1260	{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe	107
PID 4624 wrote to memory of 3768	4624	{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe	110
PID 4624 wrote to memory of 3768	4624	{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe	110
PID 4624 wrote to memory of 3768	4624	{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe	110
PID 4624 wrote to memory of 1756	4624	{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe	109
PID 4624 wrote to memory of 1756	4624	{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe	109
PID 4624 wrote to memory of 1756	4624	{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe	109
PID 3768 wrote to memory of 3100	3768	{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe	112
PID 3768 wrote to memory of 3100	3768	{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe	112
PID 3768 wrote to memory of 3100	3768	{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe	112
PID 3768 wrote to memory of 4172	3768	{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe	113
PID 3768 wrote to memory of 4172	3768	{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe	113
PID 3768 wrote to memory of 4172	3768	{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe	113
PID 3100 wrote to memory of 1280	3100	{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe	116
PID 3100 wrote to memory of 1280	3100	{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe	116
PID 3100 wrote to memory of 1280	3100	{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe	116
PID 3100 wrote to memory of 4144	3100	{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe	115
PID 3100 wrote to memory of 4144	3100	{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe	115
PID 3100 wrote to memory of 4144	3100	{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe	115
PID 1280 wrote to memory of 1016	1280	{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe	118
PID 1280 wrote to memory of 1016	1280	{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe	118
PID 1280 wrote to memory of 1016	1280	{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe	118
PID 1280 wrote to memory of 4456	1280	{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe	117
PID 1280 wrote to memory of 4456	1280	{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe	117
PID 1280 wrote to memory of 4456	1280	{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe	117
PID 1016 wrote to memory of 4172	1016	{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe	122
PID 1016 wrote to memory of 4172	1016	{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe	122
PID 1016 wrote to memory of 4172	1016	{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe	122
PID 1016 wrote to memory of 1320	1016	{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe	121
PID 1016 wrote to memory of 1320	1016	{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe	121
PID 1016 wrote to memory of 1320	1016	{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe	121
PID 4172 wrote to memory of 4472	4172	{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe	123
PID 4172 wrote to memory of 4472	4172	{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe	123
PID 4172 wrote to memory of 4472	4172	{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe	123
PID 4172 wrote to memory of 4140	4172	{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe	124
PID 4172 wrote to memory of 4140	4172	{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe	124
PID 4172 wrote to memory of 4140	4172	{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe	124
PID 4472 wrote to memory of 1076	4472	{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe	128
PID 4472 wrote to memory of 1076	4472	{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe	128
PID 4472 wrote to memory of 1076	4472	{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe	128
PID 4472 wrote to memory of 4020	4472	{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-01-09_80514956bab8f389c6a0d3c334cb2940_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_80514956bab8f389c6a0d3c334cb2940_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1132
- C:\Windows\{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe
  C:\Windows\{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe
    C:\Windows\{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B0751~1.EXE > nul
      4⤵
      PID:4844
  - - C:\Windows\{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe
      C:\Windows\{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DAE6~1.EXE > nul
        5⤵
        
        PID:2188
    - - C:\Windows\{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe
        
        C:\Windows\{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9B18~1.EXE > nul
        6⤵
        
        PID:1756
      - C:\Windows\{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe
        
        C:\Windows\{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe
        
        C:\Windows\{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F31D2~1.EXE > nul
        8⤵
        
        PID:4144
        
        C:\Windows\{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe
        
        C:\Windows\{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94CD8~1.EXE > nul
        9⤵
        
        PID:4456
        
        C:\Windows\{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe
        
        C:\Windows\{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCA69~1.EXE > nul
        10⤵
        
        PID:1320
        
        C:\Windows\{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe
        
        C:\Windows\{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe
        
        C:\Windows\{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62015~1.EXE > nul
        12⤵
        
        PID:4020
        
        C:\Windows\{98B46BDD-CD88-4c61-A3F0-D7F44B39C0BF}.exe
        
        C:\Windows\{98B46BDD-CD88-4c61-A3F0-D7F44B39C0BF}.exe
        12⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58FAF~1.EXE > nul
        11⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D73D8~1.EXE > nul
        7⤵
        
        PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{99242~1.EXE > nul
    3⤵
    PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe

Filesize
72KB

MD5
ce55f1bfd660012bd67003956ab53d3e

SHA1
f1f242bc9e2f18d2ac1a00c8ff3fd7529582726a

SHA256
0f49a0417549ea307cc4dfc36ae01121a012ff0ef8bd72aae0a30c3163dac3d2

SHA512
131cf6405367f7897b24f7abc716d072cd5fd109bbe8a9e9b2a67d485e33cad68ea24efebdbbd14eeeb08edb67638a095ff51a8c7ab58a002702738d58fc5329

Download Submit
C:\Windows\{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe

Filesize
11KB

MD5
53fb731b42bc1b8b25d69d8124ae1175

SHA1
83d95c46b511d66d4b267710a0b8aac55d2fc231

SHA256
1c4fefcb1fedce261f324984f8ce077c3fc7bc438ad5658cdb9472c0517232b5

SHA512
628562f726860273eec3bf187c5994254b0eb1e4028417b64b3b69a573b7a671dabc434e046e0ee3432bf0407700227779bc8f04e8480f885bba8507b1fe0e62

Download Submit
C:\Windows\{2DAE66A2-E61F-47fb-ADDF-5188B1209462}.exe

Filesize
89KB

MD5
49da658b73b27049af0ac81bceae6696

SHA1
2a0ba1f24372e9ed39b8bc8a580df324161c6877

SHA256
f60d5ccca8548779934a3ec832f412fa8edf74914befcee0abac3e3dd82f59a6

SHA512
2ce0d736ad8151beaa6cc4a2679cd99ec542d545f043fa385df75aedc2a082d5a1053376d2576a988ec2962ba7d22a7ded711ced4d831d2e14b906380a47528f

Download Submit
C:\Windows\{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe

Filesize
344KB

MD5
f8953878aa889e26a2f473b740353e15

SHA1
b124bb26041334232ebdaa0e8a162da3de1a58df

SHA256
fd3cf2b7717baf872e4bf90d3b4aa0ea3bfcf2e32b1d8d5ec6b7e7298c8671bc

SHA512
281d6d1c91f27113438511e514828d585286683c5c93e07e54d77eac4e2d7a9595d5ec677ec52442c3738061d824cc4c0d3ae60b663ea0e8379261f1bf368394

Download Submit
C:\Windows\{58FAF70B-4CFC-46a0-9D23-8F3107EC1766}.exe

Filesize
162KB

MD5
d52048bb2a4789b8ccc731608c240ee6

SHA1
e866ad66d70495b19a1a21201084a0eb69d2e610

SHA256
737f14d4389865c78f618fa83d6565f268df12e908cc2975f4c631f5d122cba5

SHA512
476df36ca7ca74f5d55f3dcba7393b7afa68ea3a590dad996c4d034a4b8be333d3f5564e00af8a40d741c2ab0d92dce5a4aa19999cb4ab876563fe189eb5b362

Download Submit
C:\Windows\{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe

Filesize
198KB

MD5
5ecfe4973d508e63cb3ff834d667640b

SHA1
d8b80c66681179b5c4f1068b33630f115eab294b

SHA256
e41d81428cfe45fee7df4c07386a8271456058af045b8a6bdcac0fc0d0ebbccc

SHA512
3922bc5080867671c8a21902acce54b064f3bdbcdd12307a41d3b9bbabed1211655fa01a4fa558d9288c469e1db6fa11cf30e4e69d7c7c71fc02b8d87b48deb9

Download Submit
C:\Windows\{62015AAC-DAFE-4cc0-B16B-9F810A22A862}.exe

Filesize
322KB

MD5
7a7efe342a7ce3bf1c15024d951a193e

SHA1
729b03bd7d1b7547c68591fb5694b5451ca4a4cf

SHA256
1c1f9160a28eae9280128d5073993adbbf183aab06ec8f3e8c2828623e4d7046

SHA512
c4834c04880b4939d0d16dc589992736860e0a9399abdd1bbc2643589a3188f966624b5641a0d9ba8140b267320a1c41be4f6bc63db32c76361869085b9937d1

Download Submit
C:\Windows\{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe

Filesize
164KB

MD5
c1e2f9d511899b77ef47e04880b831ee

SHA1
ca71bd10937c86f7bd4445c0fd97ed6a25f41902

SHA256
81fc6525904faeb4d1713da707409c726ddd4259703a7bcc444618cc3d42d55d

SHA512
28b392ce8b9938eb7de40d28fd224d750ee880d96424e22ad4a350d23842e69952fad7b52d9c3ac76022fe5ac2c0573a1d605dbe0f92470e5cb8d3fc483b819e

Download Submit
C:\Windows\{94CD8E7F-C083-4bca-B80E-BCA5631323C7}.exe

Filesize
267KB

MD5
13172f3634cb9ab86d5e07a896c9cd36

SHA1
35961af6cba5d5943f6c00bcc6f27202451fb26f

SHA256
745acf96a6cfb69b646c3b1f534c28039de22de90f3675c37b6228ac835e3ad6

SHA512
2895075e611e781eb857531657303b5b4ec758fb0bb5976ba3790d9265960a0104b21f0dccf981349d4d6f5839b6e6749410684e684b3ee5f58c6d5a54a17aad

Download Submit
C:\Windows\{98B46BDD-CD88-4c61-A3F0-D7F44B39C0BF}.exe

Filesize
344KB

MD5
d5b9640d8c8624b6b574c5a7580a8be4

SHA1
9939a4679ec47bf5edb69eaa0383c992136c9574

SHA256
9fd67614ab604c25410a38678eba07e494869bf51e59d1c9d04cb8341d054c92

SHA512
d623a12a3340f6d0a68518e33b266c75208b225fd05fad0bc6fccb23af9576a9da20077c4b3fbed83d0f3ad836c8b5aa8c548bf3eee5b8c8c8ddc1e25eabbcd5

Download Submit
C:\Windows\{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe

Filesize
5KB

MD5
7abf111b64b03bbfcd210fa5a37aa99a

SHA1
bf3a72dbf39a1047e2c342f9f081d2b9827f23c1

SHA256
ef781da348674bd66efe2eff3f1bbd7a4b0f577379029699a25eef65efe23bff

SHA512
90ec00e937a223c35adce1928f2893cfd7c6a8d9e7f8f5d4596ecdc3a65eefb42d964051b45f958fcc17186d53df4bfdbe50739d50d871b5b8705923360c6142

Download Submit
C:\Windows\{99242BAA-0A00-4590-8B61-F66AD8DAB121}.exe

Filesize
344KB

MD5
28dd01518c5a6f8aa9132086226c9657

SHA1
f78c2f63ae97ecb80b1d628615726f30b1053147

SHA256
b53f608dd99392ffe3e91722b225690f22125ad3cbf36b71d8d6d742f93e0452

SHA512
23850b9fa2642f1c38685a8b41a8125149e7a5253e0c75792c3b2f4d7f8c9b7d19b4bae1110e6e0ba72ea768d71f0e7631d20535a9b0b72f3e4e31ac0eb98f93

Download Submit
C:\Windows\{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe

Filesize
45KB

MD5
94a609ba2fc717cbe78cdde0820e23f0

SHA1
6d555ae782b9dcaec9c59af7658379af206c06f0

SHA256
57f0ffe1b6c8f298d345fef999292cbe8b4a2ca8d3fd51e6bc1d06f9d87ecb72

SHA512
b2c664714373eb33875bdd342959eff1fa76852067a8f921da4dd21c583858ae0df5c6275203ad5815d0d6e6b2dac7197a0a3949b4296e9b80b2daafeebafc0b

Download Submit
C:\Windows\{B0751C0E-5E49-43ef-974D-AFD408B3F6BF}.exe

Filesize
35KB

MD5
6c6137e32c3d4ca4ea5991c5cca0212a

SHA1
bd8ea654893fc8dde4e990cf10b2c27e6cb8b909

SHA256
d330a57c9ec5ec1bb79ede316d4af60bb8d461f898c6d553f27d4f514a77fad4

SHA512
06e0ba4670cbfad3428d1dd87c55ea6afcea43f78692651569084b4849f0874dd88e5ccf88cb16449e72d8b36ea58758799838b44e02f563ac454e83b4182ec2

Download Submit
C:\Windows\{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe

Filesize
319KB

MD5
43eb5de3ad6ed04fa15f81b7967a6b41

SHA1
ff063c755bfbb2fe812971eb0c3563adcfbbe587

SHA256
1897df0065cee01372f7d983cf12aeafcadc741872cef0979d618b4104c40915

SHA512
c46ddd3f9a1dd674dc015a21db6e882ec6e1c4b9a73b32b6da35e131ea8dcafa1b7d8d4b3e1cc989ca1f7037745d880f32948b9944d68fd8110e0989f6b59a60

Download Submit
C:\Windows\{BCA699A8-9481-4a62-86BD-2E26FCEA92B8}.exe

Filesize
257KB

MD5
12300a42a8be44a348757bd37b7ed601

SHA1
b1f6d865578528cf52895d812790c27ebc7e2e45

SHA256
52c343334374b73d437479534445ea3ba27e9e75c5341e83d32cf6a325acaeb2

SHA512
7d82a9bdfff3e4399f70e97f8eea273140f09820b99413827e9c23ed6af42ab8b4c4052580d3acc0652045d0dcc046c2c43714027a53efcd7615f88c965621e5

Download Submit
C:\Windows\{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe

Filesize
338KB

MD5
aad3d13ffc7265a87b76d9709647c785

SHA1
3656bab3edbe3504b2f6d10ec0a9e4a3b21e32dc

SHA256
70462ebd59852204de24734678f948ca057a9d85de8ef4544a6dd0ac40122e09

SHA512
b6f7a34cfb22b44381d53bc9d26faeeff601e1563f3b0e7e3ec47db49b23decb97184141cea08cd13da00cc1fc5d65b6db1b241262ec77591fed501e411a06d9

Download Submit
C:\Windows\{C9B18E82-2039-4a08-9E21-BECFC3674EDA}.exe

Filesize
344KB

MD5
f78c1351991fe4f3347c51993ea1fd3d

SHA1
e3379d6926cd9626819426bd3712bcb42ff457a4

SHA256
793fa32cde813a24fe92e5a6027fe3dfe8c9157a3aff3bd143b6c4fac997e827

SHA512
62d74518ac5dcf5d0645b70d3bdc44c509d6b5785885c3ea30a386e9e858e031293fcc61c5826582ddf8a02366f2d6aa6f3dd6367a1858bd1ff83e7a8488c5fc

Download Submit
C:\Windows\{D73D8D53-0942-49f7-A83F-AB1348DF12FB}.exe

Filesize
344KB

MD5
6adac3dffd750909f3ad3a2beaa0b18e

SHA1
4a7f438f75d55f674bd2625e25ba53a1eb2207b6

SHA256
cd6cf1769ad98e2cbc5efc9db93a42d4232b1a88d9b177c6ec04e17da6ba7b36

SHA512
418c85bf42329cc213338f2b7a3fa37b69be3bbb66350c3de643278e6ca8d48b087ce70dd3bc9afd1b945ae292546a2ba1e6552e8529e3bc0a57083b27e2a500

Download Submit
C:\Windows\{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe

Filesize
191KB

MD5
e7e5ab8b6945982551f8bd8e2010591f

SHA1
29f631b0ed813b520cf06528b4827ebd976d7a69

SHA256
d3d6a1dad6c343d54cad289739d9c17933ee17b47edf64daf580f4bc8ed91e27

SHA512
4e0bb424c62ffe81ed31ab229934f2c875e457e1321bbbba2d08e9f7b12de63dcfe081e011314b9484739493ce494c5a5ec8bdfbcbca6de55414c73eabf5ad24

Download Submit
C:\Windows\{F31D2913-57DC-4669-A9FA-A4E2D11D69E9}.exe

Filesize
160KB

MD5
a19ed8907424697cddfb15f439eaadca

SHA1
c3ce59df1448a882d9390143b5da156acfa4ba18

SHA256
b6cd9b475d35ebbc462b4570a7a8676f656b31faf6b0e5da6a7847d266bbbd59

SHA512
1e83715b972c2d78e1fc01755cfb4d1e14f6afbb97e05162c36f2520b62320d21cef9d32fc92b84c867cb4d58f6205c0cd6fabe8624a613fd2e21f84dc28db20

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads