f90ed7ee37fd19bbed7de0aa2bf80074e3fe1601b6fd9c31a839a6579866c6c3

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe
Size

180KB
MD5

5023229841ba263b955304597eaf84a5
SHA1

7e697e347b97da10a329fbab4044c59aa90399f0
SHA256

f90ed7ee37fd19bbed7de0aa2bf80074e3fe1601b6fd9c31a839a6579866c6c3
SHA512

487e469f4bfc1695b1ecf1b6923b0caac07043f893956815492fec1e51987a7d3bec903f4fc62b4acfdf38a8eab2ac6ccbb230ba2c8b4d939c6c8c568e615479
SSDEEP

3072:jEGh0oylfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGMl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29BEFCD9-8BBF-42be-A08D-05206BF50D07}\stubpath = "C:\\Windows\\{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe"	{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0021997-4A8D-44e7-8BE6-254806906791}	{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}\stubpath = "C:\\Windows\\{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe"	{F0021997-4A8D-44e7-8BE6-254806906791}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}\stubpath = "C:\\Windows\\{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe"	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8FB0715-9306-4f65-91D3-9B40483D604B}	{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8FB0715-9306-4f65-91D3-9B40483D604B}\stubpath = "C:\\Windows\\{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe"	{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C6E7240-024E-4e2d-B265-16BD474F1EC4}	{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55252F35-DABA-4071-A3C9-9BB57F72D61A}\stubpath = "C:\\Windows\\{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe"	{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA6FEB51-66D3-4917-B0E9-42738E21C154}\stubpath = "C:\\Windows\\{FA6FEB51-66D3-4917-B0E9-42738E21C154}.exe"	{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0021997-4A8D-44e7-8BE6-254806906791}\stubpath = "C:\\Windows\\{F0021997-4A8D-44e7-8BE6-254806906791}.exe"	{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3033A34E-9546-41c2-A693-C124EADB9566}	{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3033A34E-9546-41c2-A693-C124EADB9566}\stubpath = "C:\\Windows\\{3033A34E-9546-41c2-A693-C124EADB9566}.exe"	{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}\stubpath = "C:\\Windows\\{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe"	{3033A34E-9546-41c2-A693-C124EADB9566}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29BEFCD9-8BBF-42be-A08D-05206BF50D07}	{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C6E7240-024E-4e2d-B265-16BD474F1EC4}\stubpath = "C:\\Windows\\{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe"	{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}	{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}\stubpath = "C:\\Windows\\{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe"	{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA6FEB51-66D3-4917-B0E9-42738E21C154}	{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}	{3033A34E-9546-41c2-A693-C124EADB9566}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}	{F0021997-4A8D-44e7-8BE6-254806906791}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55252F35-DABA-4071-A3C9-9BB57F72D61A}	{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe

Executes dropped EXE 11 IoCs

pid	Process
3764	{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe
3272	{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe
1128	{3033A34E-9546-41c2-A693-C124EADB9566}.exe
1680	{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe
4452	{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe
2924	{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe
4252	{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe
3076	{F0021997-4A8D-44e7-8BE6-254806906791}.exe
4712	{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe
3260	{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe
2392	{FA6FEB51-66D3-4917-B0E9-42738E21C154}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe	{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe
File created	C:\Windows\{3033A34E-9546-41c2-A693-C124EADB9566}.exe	{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe
File created	C:\Windows\{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe	{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe
File created	C:\Windows\{F0021997-4A8D-44e7-8BE6-254806906791}.exe	{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe
File created	C:\Windows\{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe	{F0021997-4A8D-44e7-8BE6-254806906791}.exe
File created	C:\Windows\{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe	{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe
File created	C:\Windows\{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe
File created	C:\Windows\{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe	{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe
File created	C:\Windows\{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe	{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe
File created	C:\Windows\{FA6FEB51-66D3-4917-B0E9-42738E21C154}.exe	{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe
File created	C:\Windows\{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe	{3033A34E-9546-41c2-A693-C124EADB9566}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1640	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3764	{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe
Token: SeIncBasePriorityPrivilege	3272	{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe
Token: SeIncBasePriorityPrivilege	1128	{3033A34E-9546-41c2-A693-C124EADB9566}.exe
Token: SeIncBasePriorityPrivilege	1680	{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe
Token: SeIncBasePriorityPrivilege	4452	{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe
Token: SeIncBasePriorityPrivilege	2924	{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe
Token: SeIncBasePriorityPrivilege	4252	{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe
Token: SeIncBasePriorityPrivilege	3076	{F0021997-4A8D-44e7-8BE6-254806906791}.exe
Token: SeIncBasePriorityPrivilege	4712	{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe
Token: SeIncBasePriorityPrivilege	3260	{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3764	1640	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	100
PID 1640 wrote to memory of 3764	1640	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	100
PID 1640 wrote to memory of 3764	1640	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	100
PID 1640 wrote to memory of 2108	1640	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	99
PID 1640 wrote to memory of 2108	1640	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	99
PID 1640 wrote to memory of 2108	1640	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	99
PID 3764 wrote to memory of 3272	3764	{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe	102
PID 3764 wrote to memory of 3272	3764	{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe	102
PID 3764 wrote to memory of 3272	3764	{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe	102
PID 3764 wrote to memory of 2732	3764	{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe	101
PID 3764 wrote to memory of 2732	3764	{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe	101
PID 3764 wrote to memory of 2732	3764	{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe	101
PID 3272 wrote to memory of 1128	3272	{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe	105
PID 3272 wrote to memory of 1128	3272	{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe	105
PID 3272 wrote to memory of 1128	3272	{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe	105
PID 3272 wrote to memory of 2972	3272	{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe	104
PID 3272 wrote to memory of 2972	3272	{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe	104
PID 3272 wrote to memory of 2972	3272	{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe	104
PID 1128 wrote to memory of 1680	1128	{3033A34E-9546-41c2-A693-C124EADB9566}.exe	108
PID 1128 wrote to memory of 1680	1128	{3033A34E-9546-41c2-A693-C124EADB9566}.exe	108
PID 1128 wrote to memory of 1680	1128	{3033A34E-9546-41c2-A693-C124EADB9566}.exe	108
PID 1128 wrote to memory of 3092	1128	{3033A34E-9546-41c2-A693-C124EADB9566}.exe	109
PID 1128 wrote to memory of 3092	1128	{3033A34E-9546-41c2-A693-C124EADB9566}.exe	109
PID 1128 wrote to memory of 3092	1128	{3033A34E-9546-41c2-A693-C124EADB9566}.exe	109
PID 1680 wrote to memory of 4452	1680	{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe	110
PID 1680 wrote to memory of 4452	1680	{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe	110
PID 1680 wrote to memory of 4452	1680	{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe	110
PID 1680 wrote to memory of 4688	1680	{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe	111
PID 1680 wrote to memory of 4688	1680	{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe	111
PID 1680 wrote to memory of 4688	1680	{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe	111
PID 4452 wrote to memory of 2924	4452	{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe	113
PID 4452 wrote to memory of 2924	4452	{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe	113
PID 4452 wrote to memory of 2924	4452	{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe	113
PID 4452 wrote to memory of 3952	4452	{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe	114
PID 4452 wrote to memory of 3952	4452	{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe	114
PID 4452 wrote to memory of 3952	4452	{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe	114
PID 2924 wrote to memory of 4252	2924	{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe	115
PID 2924 wrote to memory of 4252	2924	{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe	115
PID 2924 wrote to memory of 4252	2924	{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe	115
PID 2924 wrote to memory of 2132	2924	{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe	116
PID 2924 wrote to memory of 2132	2924	{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe	116
PID 2924 wrote to memory of 2132	2924	{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe	116
PID 4252 wrote to memory of 3076	4252	{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe	118
PID 4252 wrote to memory of 3076	4252	{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe	118
PID 4252 wrote to memory of 3076	4252	{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe	118
PID 4252 wrote to memory of 5036	4252	{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe	117
PID 4252 wrote to memory of 5036	4252	{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe	117
PID 4252 wrote to memory of 5036	4252	{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe	117
PID 3076 wrote to memory of 4712	3076	{F0021997-4A8D-44e7-8BE6-254806906791}.exe	124
PID 3076 wrote to memory of 4712	3076	{F0021997-4A8D-44e7-8BE6-254806906791}.exe	124
PID 3076 wrote to memory of 4712	3076	{F0021997-4A8D-44e7-8BE6-254806906791}.exe	124
PID 3076 wrote to memory of 4776	3076	{F0021997-4A8D-44e7-8BE6-254806906791}.exe	123
PID 3076 wrote to memory of 4776	3076	{F0021997-4A8D-44e7-8BE6-254806906791}.exe	123
PID 3076 wrote to memory of 4776	3076	{F0021997-4A8D-44e7-8BE6-254806906791}.exe	123
PID 4712 wrote to memory of 3260	4712	{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe	125
PID 4712 wrote to memory of 3260	4712	{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe	125
PID 4712 wrote to memory of 3260	4712	{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe	125
PID 4712 wrote to memory of 1264	4712	{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe	126
PID 4712 wrote to memory of 1264	4712	{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe	126
PID 4712 wrote to memory of 1264	4712	{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe	126
PID 3260 wrote to memory of 2392	3260	{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe	128
PID 3260 wrote to memory of 2392	3260	{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe	128
PID 3260 wrote to memory of 2392	3260	{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe	128
PID 3260 wrote to memory of 2160	3260	{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2108
- C:\Windows\{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe
  C:\Windows\{AE4ABF91-AB42-47dd-A17E-52C315C2FAB8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AE4AB~1.EXE > nul
    3⤵
    PID:2732
- - C:\Windows\{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe
    C:\Windows\{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B8FB0~1.EXE > nul
      4⤵
      PID:2972
  - - C:\Windows\{3033A34E-9546-41c2-A693-C124EADB9566}.exe
      C:\Windows\{3033A34E-9546-41c2-A693-C124EADB9566}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe
        
        C:\Windows\{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe
        
        C:\Windows\{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe
        
        C:\Windows\{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe
        
        C:\Windows\{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6960E~1.EXE > nul
        9⤵
        
        PID:5036
        
        C:\Windows\{F0021997-4A8D-44e7-8BE6-254806906791}.exe
        
        C:\Windows\{F0021997-4A8D-44e7-8BE6-254806906791}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0021~1.EXE > nul
        10⤵
        
        PID:4776
        
        C:\Windows\{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe
        
        C:\Windows\{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe
        
        C:\Windows\{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55252~1.EXE > nul
        12⤵
        
        PID:2160
        
        C:\Windows\{FA6FEB51-66D3-4917-B0E9-42738E21C154}.exe
        
        C:\Windows\{FA6FEB51-66D3-4917-B0E9-42738E21C154}.exe
        12⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{553DD~1.EXE > nul
        11⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C6E7~1.EXE > nul
        8⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29BEF~1.EXE > nul
        7⤵
        
        PID:3952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBEDD~1.EXE > nul
        6⤵
        
        PID:4688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3033A~1.EXE > nul
        5⤵
        
        PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C6E7240-024E-4e2d-B265-16BD474F1EC4}.exe

Filesize
180KB

MD5
61074b4702e44b6d0a46662980e081c3

SHA1
cd1db856283e5e858c6e8b33669e1a086e20134b

SHA256
01f66072785ae11e607a22c50d7807bbcf43221a9e3c3b1b2d886391872c2837

SHA512
87fcec9ced85c8b6ea11e2e9c8a2db880ed3c1b444c0b2a474b317d0dfbffec59fe735eb9af6688818a73c4c1521cf46375b789a13e9b3537539bcc2f55a82bd

Download Submit
C:\Windows\{29BEFCD9-8BBF-42be-A08D-05206BF50D07}.exe

Filesize
180KB

MD5
f32b306543764e877ce757288ffc8996

SHA1
599baf9cef591ad964a0c4937a10226c4b17c76a

SHA256
48ddeab86ad48b7c453440d16790466ffd24a135b41d3678e22395d559d35504

SHA512
953a5033b4f24a1a417faa8b605b695ed809286cd7d029d36d39447ff6445a4371758578240c8f72036ba9d597c22027ea9db6e39931e88475b1eb3b31faf407

Download Submit
C:\Windows\{3033A34E-9546-41c2-A693-C124EADB9566}.exe

Filesize
180KB

MD5
15d6e25e90e98daedfb7e20fa475e8df

SHA1
18b3ac34c0818e78309ed275e614f03d9dc65bd6

SHA256
bd952b7706be7174907bd8baa46056fc53ce6cfdff16e1b4c0ea8cfc1b989234

SHA512
c768b5662fb96e989e088fcc9d612d1ff2090386ade4e22c62128bd951eb6fb8dfefd99da1a7bb92b0b6ba539ee79f0e97e2e465682c369f1faf955c904ecc89

Download Submit
C:\Windows\{55252F35-DABA-4071-A3C9-9BB57F72D61A}.exe

Filesize
180KB

MD5
ac158d91c0b9dda48bc6c51dba18f12c

SHA1
7f99e462ae924ea3d5ce14cf0e01f49455a6d01e

SHA256
b8cb96fce3d15c5a98a7ca400085716e93634a4a57cffe1b21c4f46eea8032d0

SHA512
e4e2da741d3508fdef24250b7af5596baeb29301225ff3c8ae868bb56ec93b82438b19d18ea2819092308b8a9a3e20b70bdc399125dc7bd224e5523929f8f60f

Download Submit
C:\Windows\{553DD9B8-5996-4a2a-AAE5-9A3A56B0F8A4}.exe

Filesize
180KB

MD5
b1563fe8499c778dd0e709186cb3743f

SHA1
662e166c4588be9cc9b242459d07a136ba48895b

SHA256
ecd479518ff1b31224f37a355ea5d5774b9bfa964e72a9f8ff496d1f67a10457

SHA512
b4de4e81010fb66ffe7d9f19f97fb3e6b1c8cc95c905bfc98b82813e19998817ceefe76c1c89b2df5a2f273b6722294b0ca235c02ba62f46c43a0d6b859b236b

Download Submit
C:\Windows\{6960E2A1-E7A9-45d5-AE72-F83DAB9E07F7}.exe

Filesize
180KB

MD5
860e9721f17382834b456f8b3389523c

SHA1
d3d30b8e44a13ad377e04ac5317e62ce69e3f868

SHA256
f0a200e6d7e0c368d32f8e0ece22402de320709eeb98820f8b97c8a4a7ca344d

SHA512
babb995d63c607a5717a2c6a1790af0dcaff1f3caa541b37d7f0adcf2accb5933cf63aef293436992a333a294fb465facacc4b4c5a99c5e7a40602fc7120d7ea

Download Submit
C:\Windows\{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe

Filesize
40KB

MD5
ae8cd29b32980815d39e072239a24109

SHA1
c467d4d0997551fce088f05a1bc648400219d6dc

SHA256
b3f597222dc5135bb9fdd5967ba61addbfa8ae409ecfb6495ce93d329abfa9bd

SHA512
54cb8252fa41aa4410cfacd778992c59dc90785f62fdfeb51f63288ffe6639aed78bbd7bb845c6f32694934f103a978af582de09d81ae75848ba8dbca47f459d

Download Submit
C:\Windows\{B8FB0715-9306-4f65-91D3-9B40483D604B}.exe

Filesize
8KB

MD5
657274caa89a6a7da9c5326c9ef68080

SHA1
3f1ae946db9039c162a86799506a332919811cfb

SHA256
949dada04ab4191a9402341481cb053b899521772e1932372d18afbb057f53c5

SHA512
3466ca97021523f1abc9e90eeb4c8da8ee63a96e5bd1ab27e4b2debb178905425bf0fd3e9eb62c837cc02a4e2a8c36ac3b4053f856ea3d20cf373e2a02edcfb6

Download Submit
C:\Windows\{EBEDDCE0-3B9D-48ed-9E96-CA9FD0477A19}.exe

Filesize
180KB

MD5
6ece542b68d801cc58156c067da9e7df

SHA1
16eeaa5ab3e0a50f362f197660c2ded0a705e4ba

SHA256
33c47eb7f1debad3829ed64f3da0530c9e89d7157d785eee919af03a577b0fec

SHA512
a3f1bde122ceab2ca27896c0e13704abc742a97c9bac76b4772e02bd8eb9729ef574ea66e3c4b47f73641af95700f83e855460e92142eaac5d583d67aa53322d

Download Submit
C:\Windows\{F0021997-4A8D-44e7-8BE6-254806906791}.exe

Filesize
180KB

MD5
1ea27078c32a1a6ad5d9c3f8c2a47c6b

SHA1
6b6a24d86d0ad4e48a24fc6fd6bb4399e2ae764b

SHA256
ca86e0e242f035567d204eee2756d04973c02ff311221864fe4120cf477095d8

SHA512
6be416a26e1759d1f800e980e3aaf9a4f3062e3154fa8cdd33cebe23300e94f1dd8b623da655579ec9f6df144cb3644ac4de823381419e16db4525d366dc0500

Download Submit
C:\Windows\{FA6FEB51-66D3-4917-B0E9-42738E21C154}.exe

Filesize
180KB

MD5
10f06f50eee7c10444ee92e8804ab3b1

SHA1
a047984aaf58888b111a8a5ce628d8424e64b28e

SHA256
23b3932ac64c1a619df1077d099df503d4222755ee2e9e53b32525180fb3b651

SHA512
b793384f04ad12f8683149aedf2fde8dd28b7687dca432da5032c926a4e1768637e091b57296ab11ae9df5e67b823e18bbd16669693c7fd5842f1806d1cffeb8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads