6a63262fd79bde1378c47addf0f2b914c433fa34faa790b91f472de4d830ebbf

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2023 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe
Size

216KB
MD5

034092f2028e5bc59a7c124adab9dbc3
SHA1

dd5b9f5f7b97a2f3b7923f64e4f52f0f5c367442
SHA256

6a63262fd79bde1378c47addf0f2b914c433fa34faa790b91f472de4d830ebbf
SHA512

0cb2cde859dc12e0786dccdc3ffe8b8579d0a99e4470c636868f669f52560ce0e80be9ceae56438b948da8a0ed535c47ef075db3c6dc625156da352cd510e707
SSDEEP

3072:jEGh0oEl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG2lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEA9EABC-182B-4766-A718-75CED51D67E2}	{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEA9EABC-182B-4766-A718-75CED51D67E2}\stubpath = "C:\\Windows\\{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe"	{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A75F2A8D-7C30-4698-9E15-041903715F0D}	{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D8F21EA-7C12-4751-B558-7BAB49275281}\stubpath = "C:\\Windows\\{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe"	{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}	{8F5583FB-6982-43e5-B214-17C801DE2302}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BB82190-84FA-40b6-B1E4-C05B78223403}\stubpath = "C:\\Windows\\{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe"	{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{335A01BB-42DE-46ec-9417-88D8F8B8EA23}\stubpath = "C:\\Windows\\{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe"	{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{335A01BB-42DE-46ec-9417-88D8F8B8EA23}	{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F5583FB-6982-43e5-B214-17C801DE2302}	{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{847E6254-ED9C-4e22-B125-07D8E8B33FB6}	{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C0805CD-691E-4928-B625-7462DD353312}\stubpath = "C:\\Windows\\{1C0805CD-691E-4928-B625-7462DD353312}.exe"	{847E6254-ED9C-4e22-B125-07D8E8B33FB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88C3CFA9-B58F-466e-8B71-BAFD3256027B}\stubpath = "C:\\Windows\\{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe"	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{554EFC16-F339-4ede-8532-C693A1CCFF53}\stubpath = "C:\\Windows\\{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe"	{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A75F2A8D-7C30-4698-9E15-041903715F0D}\stubpath = "C:\\Windows\\{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe"	{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F5583FB-6982-43e5-B214-17C801DE2302}\stubpath = "C:\\Windows\\{8F5583FB-6982-43e5-B214-17C801DE2302}.exe"	{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25CD5E6F-3774-404e-AA9C-6663596A2B3B}	{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25CD5E6F-3774-404e-AA9C-6663596A2B3B}\stubpath = "C:\\Windows\\{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe"	{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BB82190-84FA-40b6-B1E4-C05B78223403}	{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{847E6254-ED9C-4e22-B125-07D8E8B33FB6}\stubpath = "C:\\Windows\\{847E6254-ED9C-4e22-B125-07D8E8B33FB6}.exe"	{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{554EFC16-F339-4ede-8532-C693A1CCFF53}	{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C0805CD-691E-4928-B625-7462DD353312}	{847E6254-ED9C-4e22-B125-07D8E8B33FB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D8F21EA-7C12-4751-B558-7BAB49275281}	{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}\stubpath = "C:\\Windows\\{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe"	{8F5583FB-6982-43e5-B214-17C801DE2302}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88C3CFA9-B58F-466e-8B71-BAFD3256027B}	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe

Executes dropped EXE 12 IoCs

pid	Process
2960	{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe
3832	{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe
4780	{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe
4468	{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe
1240	{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe
3756	{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe
4708	{8F5583FB-6982-43e5-B214-17C801DE2302}.exe
4416	{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe
4380	{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe
3592	{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe
5116	{847E6254-ED9C-4e22-B125-07D8E8B33FB6}.exe
1644	{1C0805CD-691E-4928-B625-7462DD353312}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe	{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe
File created	C:\Windows\{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe	{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe
File created	C:\Windows\{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe	{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe
File created	C:\Windows\{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe	{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe
File created	C:\Windows\{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe	{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe
File created	C:\Windows\{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe	{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe
File created	C:\Windows\{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe
File created	C:\Windows\{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe	{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe
File created	C:\Windows\{8F5583FB-6982-43e5-B214-17C801DE2302}.exe	{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe
File created	C:\Windows\{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe	{8F5583FB-6982-43e5-B214-17C801DE2302}.exe
File created	C:\Windows\{847E6254-ED9C-4e22-B125-07D8E8B33FB6}.exe	{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe
File created	C:\Windows\{1C0805CD-691E-4928-B625-7462DD353312}.exe	{847E6254-ED9C-4e22-B125-07D8E8B33FB6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2064	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2960	{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe
Token: SeIncBasePriorityPrivilege	3832	{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe
Token: SeIncBasePriorityPrivilege	4780	{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe
Token: SeIncBasePriorityPrivilege	4468	{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe
Token: SeIncBasePriorityPrivilege	1240	{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe
Token: SeIncBasePriorityPrivilege	3756	{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe
Token: SeIncBasePriorityPrivilege	4708	{8F5583FB-6982-43e5-B214-17C801DE2302}.exe
Token: SeIncBasePriorityPrivilege	4416	{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe
Token: SeIncBasePriorityPrivilege	4380	{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe
Token: SeIncBasePriorityPrivilege	3592	{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe
Token: SeIncBasePriorityPrivilege	5116	{847E6254-ED9C-4e22-B125-07D8E8B33FB6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2960	2064	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	88
PID 2064 wrote to memory of 2960	2064	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	88
PID 2064 wrote to memory of 2960	2064	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	88
PID 2064 wrote to memory of 4852	2064	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	89
PID 2064 wrote to memory of 4852	2064	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	89
PID 2064 wrote to memory of 4852	2064	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	89
PID 2960 wrote to memory of 3832	2960	{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe	90
PID 2960 wrote to memory of 3832	2960	{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe	90
PID 2960 wrote to memory of 3832	2960	{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe	90
PID 2960 wrote to memory of 1768	2960	{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe	91
PID 2960 wrote to memory of 1768	2960	{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe	91
PID 2960 wrote to memory of 1768	2960	{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe	91
PID 3832 wrote to memory of 4780	3832	{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe	94
PID 3832 wrote to memory of 4780	3832	{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe	94
PID 3832 wrote to memory of 4780	3832	{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe	94
PID 3832 wrote to memory of 3024	3832	{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe	93
PID 3832 wrote to memory of 3024	3832	{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe	93
PID 3832 wrote to memory of 3024	3832	{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe	93
PID 4780 wrote to memory of 4468	4780	{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe	95
PID 4780 wrote to memory of 4468	4780	{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe	95
PID 4780 wrote to memory of 4468	4780	{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe	95
PID 4780 wrote to memory of 1696	4780	{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe	96
PID 4780 wrote to memory of 1696	4780	{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe	96
PID 4780 wrote to memory of 1696	4780	{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe	96
PID 4468 wrote to memory of 1240	4468	{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe	97
PID 4468 wrote to memory of 1240	4468	{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe	97
PID 4468 wrote to memory of 1240	4468	{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe	97
PID 4468 wrote to memory of 4796	4468	{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe	98
PID 4468 wrote to memory of 4796	4468	{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe	98
PID 4468 wrote to memory of 4796	4468	{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe	98
PID 1240 wrote to memory of 3756	1240	{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe	99
PID 1240 wrote to memory of 3756	1240	{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe	99
PID 1240 wrote to memory of 3756	1240	{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe	99
PID 1240 wrote to memory of 4208	1240	{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe	100
PID 1240 wrote to memory of 4208	1240	{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe	100
PID 1240 wrote to memory of 4208	1240	{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe	100
PID 3756 wrote to memory of 4708	3756	{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe	101
PID 3756 wrote to memory of 4708	3756	{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe	101
PID 3756 wrote to memory of 4708	3756	{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe	101
PID 3756 wrote to memory of 4816	3756	{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe	102
PID 3756 wrote to memory of 4816	3756	{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe	102
PID 3756 wrote to memory of 4816	3756	{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe	102
PID 4708 wrote to memory of 4416	4708	{8F5583FB-6982-43e5-B214-17C801DE2302}.exe	103
PID 4708 wrote to memory of 4416	4708	{8F5583FB-6982-43e5-B214-17C801DE2302}.exe	103
PID 4708 wrote to memory of 4416	4708	{8F5583FB-6982-43e5-B214-17C801DE2302}.exe	103
PID 4708 wrote to memory of 4864	4708	{8F5583FB-6982-43e5-B214-17C801DE2302}.exe	104
PID 4708 wrote to memory of 4864	4708	{8F5583FB-6982-43e5-B214-17C801DE2302}.exe	104
PID 4708 wrote to memory of 4864	4708	{8F5583FB-6982-43e5-B214-17C801DE2302}.exe	104
PID 4416 wrote to memory of 4380	4416	{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe	105
PID 4416 wrote to memory of 4380	4416	{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe	105
PID 4416 wrote to memory of 4380	4416	{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe	105
PID 4416 wrote to memory of 4036	4416	{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe	106
PID 4416 wrote to memory of 4036	4416	{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe	106
PID 4416 wrote to memory of 4036	4416	{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe	106
PID 4380 wrote to memory of 3592	4380	{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe	107
PID 4380 wrote to memory of 3592	4380	{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe	107
PID 4380 wrote to memory of 3592	4380	{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe	107
PID 4380 wrote to memory of 872	4380	{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe	108
PID 4380 wrote to memory of 872	4380	{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe	108
PID 4380 wrote to memory of 872	4380	{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe	108
PID 3592 wrote to memory of 5116	3592	{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe	109
PID 3592 wrote to memory of 5116	3592	{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe	109
PID 3592 wrote to memory of 5116	3592	{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe	109
PID 3592 wrote to memory of 4940	3592	{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe	110

C:\Users\Admin\AppData\Local\Temp\034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe
  C:\Windows\{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe
    C:\Windows\{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{335A0~1.EXE > nul
      4⤵
      PID:3024
  - - C:\Windows\{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe
      C:\Windows\{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe
        
        C:\Windows\{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
      - C:\Windows\{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe
        
        C:\Windows\{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe
        
        C:\Windows\{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\{8F5583FB-6982-43e5-B214-17C801DE2302}.exe
        
        C:\Windows\{8F5583FB-6982-43e5-B214-17C801DE2302}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe
        
        C:\Windows\{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe
        
        C:\Windows\{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe
        
        C:\Windows\{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\{847E6254-ED9C-4e22-B125-07D8E8B33FB6}.exe
        
        C:\Windows\{847E6254-ED9C-4e22-B125-07D8E8B33FB6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\{1C0805CD-691E-4928-B625-7462DD353312}.exe
        
        C:\Windows\{1C0805CD-691E-4928-B625-7462DD353312}.exe
        13⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{847E6~1.EXE > nul
        13⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BB82~1.EXE > nul
        12⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25CD5~1.EXE > nul
        11⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E203B~1.EXE > nul
        10⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F558~1.EXE > nul
        9⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D8F2~1.EXE > nul
        8⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A75F2~1.EXE > nul
        7⤵
        
        PID:4208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEA9E~1.EXE > nul
        6⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{554EF~1.EXE > nul
        5⤵
        
        PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{88C3C~1.EXE > nul
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\034092~1.EXE > nul
  2⤵
  PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C0805CD-691E-4928-B625-7462DD353312}.exe

Filesize
216KB

MD5
2db8d601fa1200f6e72b6d24e2195421

SHA1
81ad3dd4d6f3163cade32dcc210df10b814757dc

SHA256
ba4a9bb331c7c8b33036f8c4b796e50e30ee7457b6d3b985100bc0e738d49a49

SHA512
7056ff852f7afbb160baf39cd05bc3ba984e41a4ef5b4e904c9b7b5553971faa74f9baf481963a73db7ee674ca93efed5829078b014935d0e2ee4ae57028f74a

Download Submit
C:\Windows\{1C0805CD-691E-4928-B625-7462DD353312}.exe

Filesize
216KB

MD5
2db8d601fa1200f6e72b6d24e2195421

SHA1
81ad3dd4d6f3163cade32dcc210df10b814757dc

SHA256
ba4a9bb331c7c8b33036f8c4b796e50e30ee7457b6d3b985100bc0e738d49a49

SHA512
7056ff852f7afbb160baf39cd05bc3ba984e41a4ef5b4e904c9b7b5553971faa74f9baf481963a73db7ee674ca93efed5829078b014935d0e2ee4ae57028f74a

Download Submit
C:\Windows\{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe

Filesize
216KB

MD5
339fe20b655cabaaff39195590804f81

SHA1
e85bc66f8480debcb459bc92bbd74486d8728883

SHA256
3b1ac51a3938c74eb77cfc564d380dfa6dfa6778f36779c649cf7aef0dd1aa72

SHA512
881879c9933423c4f0f56ab73eeaf913d70d47c1abee6fce1eaa3c1bc4d31ba17eb0596f95d8236294e0e859dc39a1a1d0153fdee2564f7f4391e154ca95346f

Download Submit
C:\Windows\{25CD5E6F-3774-404e-AA9C-6663596A2B3B}.exe

Filesize
216KB

MD5
339fe20b655cabaaff39195590804f81

SHA1
e85bc66f8480debcb459bc92bbd74486d8728883

SHA256
3b1ac51a3938c74eb77cfc564d380dfa6dfa6778f36779c649cf7aef0dd1aa72

SHA512
881879c9933423c4f0f56ab73eeaf913d70d47c1abee6fce1eaa3c1bc4d31ba17eb0596f95d8236294e0e859dc39a1a1d0153fdee2564f7f4391e154ca95346f

Download Submit
C:\Windows\{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe

Filesize
216KB

MD5
2ec751ab865cc6bfad379a99ea5163b7

SHA1
50ade2ba035177069e34ebae6d9c8c86fb97990c

SHA256
95be1f4b1e41cc4f36e70383cc43ed7758e5f392b3f719e062215d55891301df

SHA512
1ccfb55ac032e5b3c6fff2a6e9ab04fc68095564e193537569eda15d5456a676819c07c6776a3cdd8d4aa399bb8cc5c6b5f8b3bb78e255dcbfc3f98a2f01c946

Download Submit
C:\Windows\{2D8F21EA-7C12-4751-B558-7BAB49275281}.exe

Filesize
216KB

MD5
2ec751ab865cc6bfad379a99ea5163b7

SHA1
50ade2ba035177069e34ebae6d9c8c86fb97990c

SHA256
95be1f4b1e41cc4f36e70383cc43ed7758e5f392b3f719e062215d55891301df

SHA512
1ccfb55ac032e5b3c6fff2a6e9ab04fc68095564e193537569eda15d5456a676819c07c6776a3cdd8d4aa399bb8cc5c6b5f8b3bb78e255dcbfc3f98a2f01c946

Download Submit
C:\Windows\{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe

Filesize
216KB

MD5
a1cc273d3e9fcc03685d4ea5e196908b

SHA1
254045d98f5da2b5b0268e0bb8646a4ed6edcce9

SHA256
7532058ec9ec8048909c5ea2625542d7a36b0245c41b364956545ce5d0437f2f

SHA512
0c48e7c58d0b788e2d39cd16b1e5daf205b60af0480c80404efc6201bea699d1ec2314da2026ed7c855e8be2bd44ccea6ccd676f3d0fb34e3cf4362933478d6a

Download Submit
C:\Windows\{335A01BB-42DE-46ec-9417-88D8F8B8EA23}.exe

Filesize
216KB

MD5
a1cc273d3e9fcc03685d4ea5e196908b

SHA1
254045d98f5da2b5b0268e0bb8646a4ed6edcce9

SHA256
7532058ec9ec8048909c5ea2625542d7a36b0245c41b364956545ce5d0437f2f

SHA512
0c48e7c58d0b788e2d39cd16b1e5daf205b60af0480c80404efc6201bea699d1ec2314da2026ed7c855e8be2bd44ccea6ccd676f3d0fb34e3cf4362933478d6a

Download Submit
C:\Windows\{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe

Filesize
216KB

MD5
788f046474c767548c19120208c35dd4

SHA1
68a40a56332fb5c25d0ccee12703d0dfac20bd50

SHA256
ca9fe5bc735466fdafadcb54d749d596947a9bfc7af2c52b511fe542b53451c1

SHA512
eef5c947823efcee9de2d9cb9c8cf0ef35ea0f19a045f3c2ae444afd345e094117fde392028315dd5b69fbcd22af578354cd2189b0ffea2939d10a57d26c0bd8

Download Submit
C:\Windows\{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe

Filesize
216KB

MD5
788f046474c767548c19120208c35dd4

SHA1
68a40a56332fb5c25d0ccee12703d0dfac20bd50

SHA256
ca9fe5bc735466fdafadcb54d749d596947a9bfc7af2c52b511fe542b53451c1

SHA512
eef5c947823efcee9de2d9cb9c8cf0ef35ea0f19a045f3c2ae444afd345e094117fde392028315dd5b69fbcd22af578354cd2189b0ffea2939d10a57d26c0bd8

Download Submit
C:\Windows\{554EFC16-F339-4ede-8532-C693A1CCFF53}.exe

Filesize
216KB

MD5
788f046474c767548c19120208c35dd4

SHA1
68a40a56332fb5c25d0ccee12703d0dfac20bd50

SHA256
ca9fe5bc735466fdafadcb54d749d596947a9bfc7af2c52b511fe542b53451c1

SHA512
eef5c947823efcee9de2d9cb9c8cf0ef35ea0f19a045f3c2ae444afd345e094117fde392028315dd5b69fbcd22af578354cd2189b0ffea2939d10a57d26c0bd8

Download Submit
C:\Windows\{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe

Filesize
216KB

MD5
f25672e998d500e399463c25c202f11f

SHA1
a4975ddce113702abb14bdd16dfb8aa4236ee2af

SHA256
8852763d5c4c1e702296cfe5124f393d31d98d0721d5d987d9136ae42c48e834

SHA512
4824fa9ced7db82efc0e88d8a29343c0355aa251814a55427f5d0fa66aa3e9b3fcc5947764c2a71a1dc8eca5a1ac70f5dd00d9442d7a2c510bc14c01f1a55117

Download Submit
C:\Windows\{6BB82190-84FA-40b6-B1E4-C05B78223403}.exe

Filesize
216KB

MD5
f25672e998d500e399463c25c202f11f

SHA1
a4975ddce113702abb14bdd16dfb8aa4236ee2af

SHA256
8852763d5c4c1e702296cfe5124f393d31d98d0721d5d987d9136ae42c48e834

SHA512
4824fa9ced7db82efc0e88d8a29343c0355aa251814a55427f5d0fa66aa3e9b3fcc5947764c2a71a1dc8eca5a1ac70f5dd00d9442d7a2c510bc14c01f1a55117

Download Submit
C:\Windows\{847E6254-ED9C-4e22-B125-07D8E8B33FB6}.exe

Filesize
216KB

MD5
58f7b80b690bc55a072b204555c51695

SHA1
24ffede444d43cceb336588391965e1f98cd0e4c

SHA256
daca0c911663461a817dd7bf6e29b9b284e8a3846e13914b1250da4ab50c03e8

SHA512
fa30d36057131539d093942148b7cafaa27b476a58f5671d5145ed4807567b989ba3c1ccf99b223d0b7e6111cce6859111e10bd5f51b4143b06328bff136505c

Download Submit
C:\Windows\{847E6254-ED9C-4e22-B125-07D8E8B33FB6}.exe

Filesize
216KB

MD5
58f7b80b690bc55a072b204555c51695

SHA1
24ffede444d43cceb336588391965e1f98cd0e4c

SHA256
daca0c911663461a817dd7bf6e29b9b284e8a3846e13914b1250da4ab50c03e8

SHA512
fa30d36057131539d093942148b7cafaa27b476a58f5671d5145ed4807567b989ba3c1ccf99b223d0b7e6111cce6859111e10bd5f51b4143b06328bff136505c

Download Submit
C:\Windows\{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe

Filesize
216KB

MD5
05f8cf2627213258c34aa8707837af0a

SHA1
e674272752b1e7efbcd7118d2903b00ac9fc90ce

SHA256
3e95ef1afd5e4d7d6c2020202d520edd03a03a26d645e529a6a5da6d17de5342

SHA512
e1b84c2a574135240962111687e1068521e9b4475a619a03044300bd7861d30f58d85cd4011793a5941fe45556ea1c80195fcd151ab41ad1c559b6fb9db66e99

Download Submit
C:\Windows\{88C3CFA9-B58F-466e-8B71-BAFD3256027B}.exe

Filesize
216KB

MD5
05f8cf2627213258c34aa8707837af0a

SHA1
e674272752b1e7efbcd7118d2903b00ac9fc90ce

SHA256
3e95ef1afd5e4d7d6c2020202d520edd03a03a26d645e529a6a5da6d17de5342

SHA512
e1b84c2a574135240962111687e1068521e9b4475a619a03044300bd7861d30f58d85cd4011793a5941fe45556ea1c80195fcd151ab41ad1c559b6fb9db66e99

Download Submit
C:\Windows\{8F5583FB-6982-43e5-B214-17C801DE2302}.exe

Filesize
216KB

MD5
ccfefb1da35965c5fd6b32d368b2d462

SHA1
dc8f227d52a4b3c8d04054dc4fadd5a9af0500dc

SHA256
d9876d0cc34bd1c00554ade6f662a5fac95c09c6a4c8cff2126d0b0c6312d57f

SHA512
da5dea88f65bd9281e121a302894e3e33f34cdcb4301f4e82ee0480692a356902760e39acdf8bd109a5a1395a57612b340a8b710066ecfe15f71d0044139513b

Download Submit
C:\Windows\{8F5583FB-6982-43e5-B214-17C801DE2302}.exe

Filesize
216KB

MD5
ccfefb1da35965c5fd6b32d368b2d462

SHA1
dc8f227d52a4b3c8d04054dc4fadd5a9af0500dc

SHA256
d9876d0cc34bd1c00554ade6f662a5fac95c09c6a4c8cff2126d0b0c6312d57f

SHA512
da5dea88f65bd9281e121a302894e3e33f34cdcb4301f4e82ee0480692a356902760e39acdf8bd109a5a1395a57612b340a8b710066ecfe15f71d0044139513b

Download Submit
C:\Windows\{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe

Filesize
216KB

MD5
b742d3b54bea01bba11c111fe23a82a8

SHA1
84db13b035b15a6181dcafc2d4e5cf2902abef41

SHA256
535251ac2fa529ebe221c61c27adfb1b496dd973b2caff317d88006917bdf3ad

SHA512
7cced0666dad51ef7ce8480f73c38b37d763e580935e155eb13edbaeb6bf4a141a982a562b3008398f41f41df82d95a9d6a38a7494f0d60ca57b43335c99886f

Download Submit
C:\Windows\{A75F2A8D-7C30-4698-9E15-041903715F0D}.exe

Filesize
216KB

MD5
b742d3b54bea01bba11c111fe23a82a8

SHA1
84db13b035b15a6181dcafc2d4e5cf2902abef41

SHA256
535251ac2fa529ebe221c61c27adfb1b496dd973b2caff317d88006917bdf3ad

SHA512
7cced0666dad51ef7ce8480f73c38b37d763e580935e155eb13edbaeb6bf4a141a982a562b3008398f41f41df82d95a9d6a38a7494f0d60ca57b43335c99886f

Download Submit
C:\Windows\{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe

Filesize
216KB

MD5
35bc50e9bf5cde0927007aea3d71e742

SHA1
4ca5c446f8da253f1bbb09da5c72920d612051b7

SHA256
6ad55c6ac0c761f477dc378d933d8b2cb8c0b29fdf02bf85ce4e13474aee9c78

SHA512
5b0a2da72f6dd8389602d21e8055e8bbb42cc2d4dcbfa09c5228873c5236d4476ad2ef2fcf648b79ddfff45310dde332b5d3d79059193efa5380844b7c96768f

Download Submit
C:\Windows\{E203B407-CF9F-45c7-B98E-C5884CB9E0B3}.exe

Filesize
216KB

MD5
35bc50e9bf5cde0927007aea3d71e742

SHA1
4ca5c446f8da253f1bbb09da5c72920d612051b7

SHA256
6ad55c6ac0c761f477dc378d933d8b2cb8c0b29fdf02bf85ce4e13474aee9c78

SHA512
5b0a2da72f6dd8389602d21e8055e8bbb42cc2d4dcbfa09c5228873c5236d4476ad2ef2fcf648b79ddfff45310dde332b5d3d79059193efa5380844b7c96768f

Download Submit
C:\Windows\{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe

Filesize
216KB

MD5
9d9bfb946a345f74814632aa54909519

SHA1
a174e9e8dfe0b606a956a136687b25030c68bd82

SHA256
a57f6c845cea30fa5b36531ac2ff9577c58be5e2d8584398c636a346bfe8ae93

SHA512
598ef1cb1a8ef01de9980dddf935a142e6406e39cf5f46fc1208c6da32b0498420ede5cba1a2e4662333bfbe2e480054399f30643533a774588f979348678581

Download Submit
C:\Windows\{FEA9EABC-182B-4766-A718-75CED51D67E2}.exe

Filesize
216KB

MD5
9d9bfb946a345f74814632aa54909519

SHA1
a174e9e8dfe0b606a956a136687b25030c68bd82

SHA256
a57f6c845cea30fa5b36531ac2ff9577c58be5e2d8584398c636a346bfe8ae93

SHA512
598ef1cb1a8ef01de9980dddf935a142e6406e39cf5f46fc1208c6da32b0498420ede5cba1a2e4662333bfbe2e480054399f30643533a774588f979348678581

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads