2be240d5c4b6fef2ed50321831eec3cbd4efbcda0f4ab8924a205609923ad44b

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/08/2023, 16:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe
Size

408KB
MD5

33d4a6b04ae32fef5bb32ceca235318e
SHA1

75cf4f5e307db803a5f5719c37b59a62b9885d0b
SHA256

2be240d5c4b6fef2ed50321831eec3cbd4efbcda0f4ab8924a205609923ad44b
SHA512

462f6e23ef1a0a486cb5f5e5cb664ff8b665a2dce07dccf9f43557dfab69ae181ace1fbc12df2bb2f009c0f7099d0cb0eda46fbc9a745cedca639633b0c02bb3
SSDEEP

3072:CEGh0opl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C49FE8AE-552E-4c8b-A66A-D9B01AF85F0C}\stubpath = "C:\\Windows\\{C49FE8AE-552E-4c8b-A66A-D9B01AF85F0C}.exe"	{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EE44841-7B8B-476b-A6F0-48C46822260B}	{C49FE8AE-552E-4c8b-A66A-D9B01AF85F0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{139EDB87-A949-44ad-960C-302C2EC9A21E}\stubpath = "C:\\Windows\\{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe"	{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}	{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0453416-5D4C-439e-A511-207B8F9424AC}	{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44801375-6801-4e77-8450-8F9E4E5EFC21}	{4EE44841-7B8B-476b-A6F0-48C46822260B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44801375-6801-4e77-8450-8F9E4E5EFC21}\stubpath = "C:\\Windows\\{44801375-6801-4e77-8450-8F9E4E5EFC21}.exe"	{4EE44841-7B8B-476b-A6F0-48C46822260B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33D4AD59-7612-4173-86E8-EC49DAEAE34E}\stubpath = "C:\\Windows\\{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe"	{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}	{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}\stubpath = "C:\\Windows\\{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe"	{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EE44841-7B8B-476b-A6F0-48C46822260B}\stubpath = "C:\\Windows\\{4EE44841-7B8B-476b-A6F0-48C46822260B}.exe"	{C49FE8AE-552E-4c8b-A66A-D9B01AF85F0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}\stubpath = "C:\\Windows\\{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe"	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{139EDB87-A949-44ad-960C-302C2EC9A21E}	{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33D4AD59-7612-4173-86E8-EC49DAEAE34E}	{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}\stubpath = "C:\\Windows\\{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe"	{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0453416-5D4C-439e-A511-207B8F9424AC}\stubpath = "C:\\Windows\\{D0453416-5D4C-439e-A511-207B8F9424AC}.exe"	{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}	{D0453416-5D4C-439e-A511-207B8F9424AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}\stubpath = "C:\\Windows\\{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe"	{D0453416-5D4C-439e-A511-207B8F9424AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C49FE8AE-552E-4c8b-A66A-D9B01AF85F0C}	{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBFD557F-B0B5-48bd-B2FC-3385BC28A7FA}	{44801375-6801-4e77-8450-8F9E4E5EFC21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBFD557F-B0B5-48bd-B2FC-3385BC28A7FA}\stubpath = "C:\\Windows\\{CBFD557F-B0B5-48bd-B2FC-3385BC28A7FA}.exe"	{44801375-6801-4e77-8450-8F9E4E5EFC21}.exe

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
860	{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe
2520	{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe
1356	{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe
2092	{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe
2780	{D0453416-5D4C-439e-A511-207B8F9424AC}.exe
2740	{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe
2752	{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe
2652	{C49FE8AE-552E-4c8b-A66A-D9B01AF85F0C}.exe
288	{4EE44841-7B8B-476b-A6F0-48C46822260B}.exe
1476	{44801375-6801-4e77-8450-8F9E4E5EFC21}.exe
2868	{CBFD557F-B0B5-48bd-B2FC-3385BC28A7FA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4EE44841-7B8B-476b-A6F0-48C46822260B}.exe	{C49FE8AE-552E-4c8b-A66A-D9B01AF85F0C}.exe
File created	C:\Windows\{44801375-6801-4e77-8450-8F9E4E5EFC21}.exe	{4EE44841-7B8B-476b-A6F0-48C46822260B}.exe
File created	C:\Windows\{CBFD557F-B0B5-48bd-B2FC-3385BC28A7FA}.exe	{44801375-6801-4e77-8450-8F9E4E5EFC21}.exe
File created	C:\Windows\{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe	{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe
File created	C:\Windows\{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe	{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe
File created	C:\Windows\{D0453416-5D4C-439e-A511-207B8F9424AC}.exe	{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe
File created	C:\Windows\{C49FE8AE-552E-4c8b-A66A-D9B01AF85F0C}.exe	{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe
File created	C:\Windows\{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe
File created	C:\Windows\{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe	{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe
File created	C:\Windows\{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe	{D0453416-5D4C-439e-A511-207B8F9424AC}.exe
File created	C:\Windows\{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe	{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1832	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	860	{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe
Token: SeIncBasePriorityPrivilege	2520	{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe
Token: SeIncBasePriorityPrivilege	1356	{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe
Token: SeIncBasePriorityPrivilege	2092	{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe
Token: SeIncBasePriorityPrivilege	2780	{D0453416-5D4C-439e-A511-207B8F9424AC}.exe
Token: SeIncBasePriorityPrivilege	2740	{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe
Token: SeIncBasePriorityPrivilege	2752	{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe
Token: SeIncBasePriorityPrivilege	2652	{C49FE8AE-552E-4c8b-A66A-D9B01AF85F0C}.exe
Token: SeIncBasePriorityPrivilege	288	{4EE44841-7B8B-476b-A6F0-48C46822260B}.exe
Token: SeIncBasePriorityPrivilege	1476	{44801375-6801-4e77-8450-8F9E4E5EFC21}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 860	1832	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	28
PID 1832 wrote to memory of 860	1832	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	28
PID 1832 wrote to memory of 860	1832	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	28
PID 1832 wrote to memory of 860	1832	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	28
PID 1832 wrote to memory of 2612	1832	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	29
PID 1832 wrote to memory of 2612	1832	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	29
PID 1832 wrote to memory of 2612	1832	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	29
PID 1832 wrote to memory of 2612	1832	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	29
PID 860 wrote to memory of 2520	860	{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe	30
PID 860 wrote to memory of 2520	860	{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe	30
PID 860 wrote to memory of 2520	860	{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe	30
PID 860 wrote to memory of 2520	860	{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe	30
PID 860 wrote to memory of 2220	860	{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe	31
PID 860 wrote to memory of 2220	860	{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe	31
PID 860 wrote to memory of 2220	860	{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe	31
PID 860 wrote to memory of 2220	860	{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe	31
PID 2520 wrote to memory of 1356	2520	{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe	35
PID 2520 wrote to memory of 1356	2520	{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe	35
PID 2520 wrote to memory of 1356	2520	{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe	35
PID 2520 wrote to memory of 1356	2520	{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe	35
PID 2520 wrote to memory of 2812	2520	{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe	34
PID 2520 wrote to memory of 2812	2520	{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe	34
PID 2520 wrote to memory of 2812	2520	{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe	34
PID 2520 wrote to memory of 2812	2520	{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe	34
PID 1356 wrote to memory of 2092	1356	{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe	37
PID 1356 wrote to memory of 2092	1356	{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe	37
PID 1356 wrote to memory of 2092	1356	{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe	37
PID 1356 wrote to memory of 2092	1356	{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe	37
PID 1356 wrote to memory of 2712	1356	{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe	36
PID 1356 wrote to memory of 2712	1356	{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe	36
PID 1356 wrote to memory of 2712	1356	{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe	36
PID 1356 wrote to memory of 2712	1356	{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe	36
PID 2092 wrote to memory of 2780	2092	{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe	39
PID 2092 wrote to memory of 2780	2092	{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe	39
PID 2092 wrote to memory of 2780	2092	{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe	39
PID 2092 wrote to memory of 2780	2092	{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe	39
PID 2092 wrote to memory of 2844	2092	{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe	38
PID 2092 wrote to memory of 2844	2092	{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe	38
PID 2092 wrote to memory of 2844	2092	{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe	38
PID 2092 wrote to memory of 2844	2092	{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe	38
PID 2780 wrote to memory of 2740	2780	{D0453416-5D4C-439e-A511-207B8F9424AC}.exe	40
PID 2780 wrote to memory of 2740	2780	{D0453416-5D4C-439e-A511-207B8F9424AC}.exe	40
PID 2780 wrote to memory of 2740	2780	{D0453416-5D4C-439e-A511-207B8F9424AC}.exe	40
PID 2780 wrote to memory of 2740	2780	{D0453416-5D4C-439e-A511-207B8F9424AC}.exe	40
PID 2780 wrote to memory of 2696	2780	{D0453416-5D4C-439e-A511-207B8F9424AC}.exe	41
PID 2780 wrote to memory of 2696	2780	{D0453416-5D4C-439e-A511-207B8F9424AC}.exe	41
PID 2780 wrote to memory of 2696	2780	{D0453416-5D4C-439e-A511-207B8F9424AC}.exe	41
PID 2780 wrote to memory of 2696	2780	{D0453416-5D4C-439e-A511-207B8F9424AC}.exe	41
PID 2740 wrote to memory of 2752	2740	{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe	42
PID 2740 wrote to memory of 2752	2740	{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe	42
PID 2740 wrote to memory of 2752	2740	{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe	42
PID 2740 wrote to memory of 2752	2740	{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe	42
PID 2740 wrote to memory of 2252	2740	{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe	43
PID 2740 wrote to memory of 2252	2740	{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe	43
PID 2740 wrote to memory of 2252	2740	{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe	43
PID 2740 wrote to memory of 2252	2740	{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe	43
PID 2752 wrote to memory of 2652	2752	{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe	45
PID 2752 wrote to memory of 2652	2752	{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe	45
PID 2752 wrote to memory of 2652	2752	{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe	45
PID 2752 wrote to memory of 2652	2752	{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe	45
PID 2752 wrote to memory of 764	2752	{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe	44
PID 2752 wrote to memory of 764	2752	{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe	44
PID 2752 wrote to memory of 764	2752	{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe	44
PID 2752 wrote to memory of 764	2752	{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe	44

C:\Users\Admin\AppData\Local\Temp\33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe
  C:\Windows\{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe
    C:\Windows\{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{139ED~1.EXE > nul
      4⤵
      PID:2812
  - - C:\Windows\{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe
      C:\Windows\{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33D4A~1.EXE > nul
        5⤵
        
        PID:2712
    - - C:\Windows\{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe
        
        C:\Windows\{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C96E~1.EXE > nul
        6⤵
        
        PID:2844
      - C:\Windows\{D0453416-5D4C-439e-A511-207B8F9424AC}.exe
        
        C:\Windows\{D0453416-5D4C-439e-A511-207B8F9424AC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe
        
        C:\Windows\{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe
        
        C:\Windows\{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC62E~1.EXE > nul
        9⤵
        
        PID:764
        
        C:\Windows\{C49FE8AE-552E-4c8b-A66A-D9B01AF85F0C}.exe
        
        C:\Windows\{C49FE8AE-552E-4c8b-A66A-D9B01AF85F0C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C49FE~1.EXE > nul
        10⤵
        
        PID:2476
        
        C:\Windows\{4EE44841-7B8B-476b-A6F0-48C46822260B}.exe
        
        C:\Windows\{4EE44841-7B8B-476b-A6F0-48C46822260B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
        
        C:\Windows\{44801375-6801-4e77-8450-8F9E4E5EFC21}.exe
        
        C:\Windows\{44801375-6801-4e77-8450-8F9E4E5EFC21}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44801~1.EXE > nul
        12⤵
        
        PID:1784
        
        C:\Windows\{CBFD557F-B0B5-48bd-B2FC-3385BC28A7FA}.exe
        
        C:\Windows\{CBFD557F-B0B5-48bd-B2FC-3385BC28A7FA}.exe
        12⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EE44~1.EXE > nul
        11⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5BC8~1.EXE > nul
        8⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0453~1.EXE > nul
        7⤵
        
        PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{73BBE~1.EXE > nul
    3⤵
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\33D4A6~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe

Filesize
408KB

MD5
9dfd427633a45e57c3659a391b836f47

SHA1
094fe5ebb2eee5377bc7d79d2ca7727a6b88f4f6

SHA256
bab8f1577ed89438a5ee8b54b535637690053a0a594c60fd95eee9421f8c89cb

SHA512
c917167d8c9243e0430f7e55beca65a894e70bc93c20a634e366401e6d987573261f369548c045ccef1c652e265c5c093fd47d19054fb0c9e8b39268de19ea74

Download Submit
C:\Windows\{0C96E193-A3D8-40ce-BE0D-40FDBE3A890D}.exe

Filesize
408KB

MD5
9dfd427633a45e57c3659a391b836f47

SHA1
094fe5ebb2eee5377bc7d79d2ca7727a6b88f4f6

SHA256
bab8f1577ed89438a5ee8b54b535637690053a0a594c60fd95eee9421f8c89cb

SHA512
c917167d8c9243e0430f7e55beca65a894e70bc93c20a634e366401e6d987573261f369548c045ccef1c652e265c5c093fd47d19054fb0c9e8b39268de19ea74

Download Submit
C:\Windows\{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe

Filesize
408KB

MD5
c54dae94630932b8f75d03b77c781c1c

SHA1
a340020766441919cb1d1ccc4bf407c6888cfcc6

SHA256
83f43a5b2581bdd43903d8329c181ee07571c9bf6f9c80846bb0c1f014720d90

SHA512
1b675a6e2984ee2587440e645b8d14e2803ec52eace2f79ebbf7623e2d9f83995957cd18b6133933ebacf753fc7d9a7c90a2688735126685fb849de702c8619e

Download Submit
C:\Windows\{139EDB87-A949-44ad-960C-302C2EC9A21E}.exe

Filesize
408KB

MD5
c54dae94630932b8f75d03b77c781c1c

SHA1
a340020766441919cb1d1ccc4bf407c6888cfcc6

SHA256
83f43a5b2581bdd43903d8329c181ee07571c9bf6f9c80846bb0c1f014720d90

SHA512
1b675a6e2984ee2587440e645b8d14e2803ec52eace2f79ebbf7623e2d9f83995957cd18b6133933ebacf753fc7d9a7c90a2688735126685fb849de702c8619e

Download Submit
C:\Windows\{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe

Filesize
408KB

MD5
e4e38b281ee81610abb32e45f2049d9e

SHA1
0e5295560bc2b17c82d2b93b863ad1e3e367913b

SHA256
3c3ec0073647d4956ca5543181fa202d434a3aeb415103cbf49b094197632f99

SHA512
f8663ca08c762a82495ed58f749728287e4252e5822633947e4978d231f58ff652478870cd22e2963a9068513df3338806ad0f4e4b662f2d856a313bb97ea315

Download Submit
C:\Windows\{33D4AD59-7612-4173-86E8-EC49DAEAE34E}.exe

Filesize
408KB

MD5
e4e38b281ee81610abb32e45f2049d9e

SHA1
0e5295560bc2b17c82d2b93b863ad1e3e367913b

SHA256
3c3ec0073647d4956ca5543181fa202d434a3aeb415103cbf49b094197632f99

SHA512
f8663ca08c762a82495ed58f749728287e4252e5822633947e4978d231f58ff652478870cd22e2963a9068513df3338806ad0f4e4b662f2d856a313bb97ea315

Download Submit
C:\Windows\{44801375-6801-4e77-8450-8F9E4E5EFC21}.exe

Filesize
408KB

MD5
a510c1780ef2bfa92fb2541c15c03998

SHA1
56147cbf08faa3d60215d10fccaf51bbf950efac

SHA256
581d9e16b126e83742182042460e934e9afafce0a338158dfc2676f467a03f50

SHA512
597af49a849135cd831d0a95f4c45a3d26380b6167d24e3aa95f3b16d5ec735d1fd95ce88717681d8ecea6f30f7774e643d97b69cf5cb8cf0e9303e2282b2725

Download Submit
C:\Windows\{44801375-6801-4e77-8450-8F9E4E5EFC21}.exe

Filesize
408KB

MD5
a510c1780ef2bfa92fb2541c15c03998

SHA1
56147cbf08faa3d60215d10fccaf51bbf950efac

SHA256
581d9e16b126e83742182042460e934e9afafce0a338158dfc2676f467a03f50

SHA512
597af49a849135cd831d0a95f4c45a3d26380b6167d24e3aa95f3b16d5ec735d1fd95ce88717681d8ecea6f30f7774e643d97b69cf5cb8cf0e9303e2282b2725

Download Submit
C:\Windows\{4EE44841-7B8B-476b-A6F0-48C46822260B}.exe

Filesize
408KB

MD5
c30088c38330d1199afb3d97755ddd95

SHA1
2cb3810232be58c16b125ad18a469184422e0570

SHA256
5fcba927d9a9e5291908e0f5a32b028a8ad2c70c101d60909b91471ba82a1294

SHA512
0e0f8de64f52167c1fdb40bb0c253cbc0deec04ec648b2d8654aee14ffd983eaffb7a35cad89f3dade87a3d1b16583069e20017542a01cb6663849fb8c5d0108

Download Submit
C:\Windows\{4EE44841-7B8B-476b-A6F0-48C46822260B}.exe

Filesize
408KB

MD5
c30088c38330d1199afb3d97755ddd95

SHA1
2cb3810232be58c16b125ad18a469184422e0570

SHA256
5fcba927d9a9e5291908e0f5a32b028a8ad2c70c101d60909b91471ba82a1294

SHA512
0e0f8de64f52167c1fdb40bb0c253cbc0deec04ec648b2d8654aee14ffd983eaffb7a35cad89f3dade87a3d1b16583069e20017542a01cb6663849fb8c5d0108

Download Submit
C:\Windows\{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe

Filesize
408KB

MD5
60c3c2fe063b4105797abf23e6341d25

SHA1
1372f6f8a30fffd163a5c7e517bf91c888da26af

SHA256
2fbfe1fae7feed3aa1dd983cb7169166fa30b531b10c533ed0880bafbc852ad2

SHA512
0face73571a5571f1f4204a2f842c260e2a39deebb2c1735fe7b475d09dfb473b944a4cc6a990e7777660b7d025b14c2d2a4ddcfebc4c142acfbae023a89df99

Download Submit
C:\Windows\{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe

Filesize
408KB

MD5
60c3c2fe063b4105797abf23e6341d25

SHA1
1372f6f8a30fffd163a5c7e517bf91c888da26af

SHA256
2fbfe1fae7feed3aa1dd983cb7169166fa30b531b10c533ed0880bafbc852ad2

SHA512
0face73571a5571f1f4204a2f842c260e2a39deebb2c1735fe7b475d09dfb473b944a4cc6a990e7777660b7d025b14c2d2a4ddcfebc4c142acfbae023a89df99

Download Submit
C:\Windows\{73BBEFA2-95BF-478e-8C59-4FFAEAC1C3EF}.exe

Filesize
408KB

MD5
60c3c2fe063b4105797abf23e6341d25

SHA1
1372f6f8a30fffd163a5c7e517bf91c888da26af

SHA256
2fbfe1fae7feed3aa1dd983cb7169166fa30b531b10c533ed0880bafbc852ad2

SHA512
0face73571a5571f1f4204a2f842c260e2a39deebb2c1735fe7b475d09dfb473b944a4cc6a990e7777660b7d025b14c2d2a4ddcfebc4c142acfbae023a89df99

Download Submit
C:\Windows\{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe

Filesize
408KB

MD5
a8bde42a307ce3a90d73e65e664fef74

SHA1
384687b97abaf8cea8aa693ed24b4401f7b941ef

SHA256
50b98d3c36a0c2063d59285d684132c7b9531f02178a949e3eaf58772cf0cd9e

SHA512
6e5fc482c0306257b7b01795f191ddd93007fc2af933789a0dfc4025236e63b8fe12a52a577e6617c94763b03d506a26a9442429faee05a53890a77a65b92117

Download Submit
C:\Windows\{A5BC85D7-2598-4989-B90A-0EB9C709B1F8}.exe

Filesize
408KB

MD5
a8bde42a307ce3a90d73e65e664fef74

SHA1
384687b97abaf8cea8aa693ed24b4401f7b941ef

SHA256
50b98d3c36a0c2063d59285d684132c7b9531f02178a949e3eaf58772cf0cd9e

SHA512
6e5fc482c0306257b7b01795f191ddd93007fc2af933789a0dfc4025236e63b8fe12a52a577e6617c94763b03d506a26a9442429faee05a53890a77a65b92117

Download Submit
C:\Windows\{C49FE8AE-552E-4c8b-A66A-D9B01AF85F0C}.exe

Filesize
408KB

MD5
c9b2daf2eef49a88cdada272a2cc109f

SHA1
56b3a4190695701849ffc193f3e7dfdc6774ead9

SHA256
8ebaccaa1a098d1d189b5c56f5ee95bc9f5899096f291d2e366a976220963cd9

SHA512
05ea7ee5b9170622c301cfd905ac979381faa7a65ef12cdddbd24ed9febb0d55f5b45be84e07583f8ebc119cfb502ff039c05bdc70d4651694985e65931a0fad

Download Submit
C:\Windows\{C49FE8AE-552E-4c8b-A66A-D9B01AF85F0C}.exe

Filesize
408KB

MD5
c9b2daf2eef49a88cdada272a2cc109f

SHA1
56b3a4190695701849ffc193f3e7dfdc6774ead9

SHA256
8ebaccaa1a098d1d189b5c56f5ee95bc9f5899096f291d2e366a976220963cd9

SHA512
05ea7ee5b9170622c301cfd905ac979381faa7a65ef12cdddbd24ed9febb0d55f5b45be84e07583f8ebc119cfb502ff039c05bdc70d4651694985e65931a0fad

Download Submit
C:\Windows\{CBFD557F-B0B5-48bd-B2FC-3385BC28A7FA}.exe

Filesize
408KB

MD5
3bdaca31c55ffbbd2a78bf6c00e6508e

SHA1
24cc0fd9a18cd170ff7ec8303b95ce8db587c56f

SHA256
27ee958517d7528736670f572251c4b580253614e44a53f7f22dbb9b1eab938e

SHA512
61388ede085ce2c130a1c4fe3ec2d8780322ac91f1b428ffb991d03c958a99a5cbdc435be759aeb35248ee29ebfd64e068c37b51d278a8773bf9c04c9f9ff7da

Download Submit
C:\Windows\{D0453416-5D4C-439e-A511-207B8F9424AC}.exe

Filesize
408KB

MD5
c18839e1cc36a5f9fe71029118e9cf51

SHA1
2763863523ff579840a8ac01f08ea5b96e74a423

SHA256
972a9ffea79c2ad8baa6e4152adb98dccae8534a7d485d8b3a62346d45e2b281

SHA512
25c62bb5c3569e4579d4c8492b9aaf7ca60fae1b4c5c571c37db16616d958bb1fb9bb1a14df53b7aab143954a4699395f7a22b2ec10fb25b9b26f96169becae8

Download Submit
C:\Windows\{D0453416-5D4C-439e-A511-207B8F9424AC}.exe

Filesize
408KB

MD5
c18839e1cc36a5f9fe71029118e9cf51

SHA1
2763863523ff579840a8ac01f08ea5b96e74a423

SHA256
972a9ffea79c2ad8baa6e4152adb98dccae8534a7d485d8b3a62346d45e2b281

SHA512
25c62bb5c3569e4579d4c8492b9aaf7ca60fae1b4c5c571c37db16616d958bb1fb9bb1a14df53b7aab143954a4699395f7a22b2ec10fb25b9b26f96169becae8

Download Submit
C:\Windows\{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe

Filesize
408KB

MD5
63dd3593308df3dde6a5ff5cca5a1d92

SHA1
b4a9982ff09708f84a3a0398b08acf270c5c8378

SHA256
cd35c9bea01e10f983350df2bbd864cfd88b399474679cb175d010973b8aea4a

SHA512
cfdc9a469ae446630eb7e2062e04569ab42c6662a2dc2f78832d97b81d32ed91ef6e0c68f514dc9aeea19da257f12cea333b9acc637192086f4e1c374cfcd12f

Download Submit
C:\Windows\{FC62EF10-E636-43d9-A4CE-B68A80E16C1B}.exe

Filesize
408KB

MD5
63dd3593308df3dde6a5ff5cca5a1d92

SHA1
b4a9982ff09708f84a3a0398b08acf270c5c8378

SHA256
cd35c9bea01e10f983350df2bbd864cfd88b399474679cb175d010973b8aea4a

SHA512
cfdc9a469ae446630eb7e2062e04569ab42c6662a2dc2f78832d97b81d32ed91ef6e0c68f514dc9aeea19da257f12cea333b9acc637192086f4e1c374cfcd12f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads