a6ddb720e2096e9441fa1e6657ace7c1a3dd4496362d7aba51a85adb98d00262

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2023 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

434701085cb18e57687009b54751fc5a_goldeneye_JC.exe
Size

216KB
MD5

434701085cb18e57687009b54751fc5a
SHA1

6468c71ba3604bc7cf255cd9857e9c2b1edaf5cd
SHA256

a6ddb720e2096e9441fa1e6657ace7c1a3dd4496362d7aba51a85adb98d00262
SHA512

55940f64f91ebb2d9d2dab08ec84b7f2e3e13d85ded55c77b08ee5bab8f28ae1dc00067fe0e30701136866773613e5ecedb05314559eda57cbe2f1b06cf7ae7f
SSDEEP

3072:jEGh0odl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG/lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1165974-3A1D-457f-8C7E-F355FDFF38D7}	{347542B6-ED54-444b-BAED-8861176CC7BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}\stubpath = "C:\\Windows\\{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe"	{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADE2A35D-B57F-4e93-9F36-5544300348BD}\stubpath = "C:\\Windows\\{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe"	{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B1BDD8F-AC63-4540-A509-4161A2527E0C}\stubpath = "C:\\Windows\\{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe"	{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{347542B6-ED54-444b-BAED-8861176CC7BB}	{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1165974-3A1D-457f-8C7E-F355FDFF38D7}\stubpath = "C:\\Windows\\{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe"	{347542B6-ED54-444b-BAED-8861176CC7BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}	{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4557F1AE-287E-47f4-A963-AD2DEF354BFB}	{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}\stubpath = "C:\\Windows\\{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe"	{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}	{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B1BDD8F-AC63-4540-A509-4161A2527E0C}	{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F21C5F5B-F505-49aa-92BF-EBFB07624A92}	{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45AD1296-EA83-46cc-BE5F-F70696721867}	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45AD1296-EA83-46cc-BE5F-F70696721867}\stubpath = "C:\\Windows\\{45AD1296-EA83-46cc-BE5F-F70696721867}.exe"	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{347542B6-ED54-444b-BAED-8861176CC7BB}\stubpath = "C:\\Windows\\{347542B6-ED54-444b-BAED-8861176CC7BB}.exe"	{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4557F1AE-287E-47f4-A963-AD2DEF354BFB}\stubpath = "C:\\Windows\\{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe"	{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E58C30E-6492-47a5-AD11-72F5C3873357}	{45AD1296-EA83-46cc-BE5F-F70696721867}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E58C30E-6492-47a5-AD11-72F5C3873357}\stubpath = "C:\\Windows\\{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe"	{45AD1296-EA83-46cc-BE5F-F70696721867}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}\stubpath = "C:\\Windows\\{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe"	{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}	{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADE2A35D-B57F-4e93-9F36-5544300348BD}	{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F21C5F5B-F505-49aa-92BF-EBFB07624A92}\stubpath = "C:\\Windows\\{F21C5F5B-F505-49aa-92BF-EBFB07624A92}.exe"	{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe

Executes dropped EXE 11 IoCs

pid	Process
3640	{45AD1296-EA83-46cc-BE5F-F70696721867}.exe
4328	{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe
3688	{347542B6-ED54-444b-BAED-8861176CC7BB}.exe
436	{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe
3176	{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe
4992	{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe
3008	{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe
2808	{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe
3100	{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe
3788	{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe
2488	{F21C5F5B-F505-49aa-92BF-EBFB07624A92}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe	{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe
File created	C:\Windows\{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe	{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe
File created	C:\Windows\{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe	{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe
File created	C:\Windows\{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe	{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe
File created	C:\Windows\{347542B6-ED54-444b-BAED-8861176CC7BB}.exe	{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe
File created	C:\Windows\{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe	{347542B6-ED54-444b-BAED-8861176CC7BB}.exe
File created	C:\Windows\{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe	{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe
File created	C:\Windows\{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe	{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe
File created	C:\Windows\{F21C5F5B-F505-49aa-92BF-EBFB07624A92}.exe	{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe
File created	C:\Windows\{45AD1296-EA83-46cc-BE5F-F70696721867}.exe	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe
File created	C:\Windows\{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe	{45AD1296-EA83-46cc-BE5F-F70696721867}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4524	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3640	{45AD1296-EA83-46cc-BE5F-F70696721867}.exe
Token: SeIncBasePriorityPrivilege	4328	{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe
Token: SeIncBasePriorityPrivilege	3688	{347542B6-ED54-444b-BAED-8861176CC7BB}.exe
Token: SeIncBasePriorityPrivilege	436	{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe
Token: SeIncBasePriorityPrivilege	3176	{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe
Token: SeIncBasePriorityPrivilege	4992	{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe
Token: SeIncBasePriorityPrivilege	3008	{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe
Token: SeIncBasePriorityPrivilege	2808	{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe
Token: SeIncBasePriorityPrivilege	3100	{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe
Token: SeIncBasePriorityPrivilege	3788	{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 3640	4524	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	86
PID 4524 wrote to memory of 3640	4524	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	86
PID 4524 wrote to memory of 3640	4524	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	86
PID 4524 wrote to memory of 3652	4524	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	87
PID 4524 wrote to memory of 3652	4524	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	87
PID 4524 wrote to memory of 3652	4524	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	87
PID 3640 wrote to memory of 4328	3640	{45AD1296-EA83-46cc-BE5F-F70696721867}.exe	92
PID 3640 wrote to memory of 4328	3640	{45AD1296-EA83-46cc-BE5F-F70696721867}.exe	92
PID 3640 wrote to memory of 4328	3640	{45AD1296-EA83-46cc-BE5F-F70696721867}.exe	92
PID 3640 wrote to memory of 2112	3640	{45AD1296-EA83-46cc-BE5F-F70696721867}.exe	93
PID 3640 wrote to memory of 2112	3640	{45AD1296-EA83-46cc-BE5F-F70696721867}.exe	93
PID 3640 wrote to memory of 2112	3640	{45AD1296-EA83-46cc-BE5F-F70696721867}.exe	93
PID 4328 wrote to memory of 3688	4328	{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe	95
PID 4328 wrote to memory of 3688	4328	{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe	95
PID 4328 wrote to memory of 3688	4328	{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe	95
PID 4328 wrote to memory of 3952	4328	{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe	94
PID 4328 wrote to memory of 3952	4328	{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe	94
PID 4328 wrote to memory of 3952	4328	{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe	94
PID 3688 wrote to memory of 436	3688	{347542B6-ED54-444b-BAED-8861176CC7BB}.exe	96
PID 3688 wrote to memory of 436	3688	{347542B6-ED54-444b-BAED-8861176CC7BB}.exe	96
PID 3688 wrote to memory of 436	3688	{347542B6-ED54-444b-BAED-8861176CC7BB}.exe	96
PID 3688 wrote to memory of 1148	3688	{347542B6-ED54-444b-BAED-8861176CC7BB}.exe	97
PID 3688 wrote to memory of 1148	3688	{347542B6-ED54-444b-BAED-8861176CC7BB}.exe	97
PID 3688 wrote to memory of 1148	3688	{347542B6-ED54-444b-BAED-8861176CC7BB}.exe	97
PID 436 wrote to memory of 3176	436	{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe	98
PID 436 wrote to memory of 3176	436	{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe	98
PID 436 wrote to memory of 3176	436	{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe	98
PID 436 wrote to memory of 4768	436	{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe	99
PID 436 wrote to memory of 4768	436	{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe	99
PID 436 wrote to memory of 4768	436	{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe	99
PID 3176 wrote to memory of 4992	3176	{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe	100
PID 3176 wrote to memory of 4992	3176	{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe	100
PID 3176 wrote to memory of 4992	3176	{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe	100
PID 3176 wrote to memory of 832	3176	{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe	101
PID 3176 wrote to memory of 832	3176	{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe	101
PID 3176 wrote to memory of 832	3176	{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe	101
PID 4992 wrote to memory of 3008	4992	{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe	102
PID 4992 wrote to memory of 3008	4992	{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe	102
PID 4992 wrote to memory of 3008	4992	{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe	102
PID 4992 wrote to memory of 2596	4992	{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe	103
PID 4992 wrote to memory of 2596	4992	{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe	103
PID 4992 wrote to memory of 2596	4992	{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe	103
PID 3008 wrote to memory of 2808	3008	{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe	104
PID 3008 wrote to memory of 2808	3008	{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe	104
PID 3008 wrote to memory of 2808	3008	{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe	104
PID 3008 wrote to memory of 932	3008	{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe	105
PID 3008 wrote to memory of 932	3008	{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe	105
PID 3008 wrote to memory of 932	3008	{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe	105
PID 2808 wrote to memory of 3100	2808	{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe	107
PID 2808 wrote to memory of 3100	2808	{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe	107
PID 2808 wrote to memory of 3100	2808	{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe	107
PID 2808 wrote to memory of 2024	2808	{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe	106
PID 2808 wrote to memory of 2024	2808	{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe	106
PID 2808 wrote to memory of 2024	2808	{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe	106
PID 3100 wrote to memory of 3788	3100	{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe	108
PID 3100 wrote to memory of 3788	3100	{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe	108
PID 3100 wrote to memory of 3788	3100	{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe	108
PID 3100 wrote to memory of 4208	3100	{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe	109
PID 3100 wrote to memory of 4208	3100	{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe	109
PID 3100 wrote to memory of 4208	3100	{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe	109
PID 3788 wrote to memory of 2488	3788	{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe	110
PID 3788 wrote to memory of 2488	3788	{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe	110
PID 3788 wrote to memory of 2488	3788	{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe	110
PID 3788 wrote to memory of 1828	3788	{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe	111

C:\Users\Admin\AppData\Local\Temp\434701085cb18e57687009b54751fc5a_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\434701085cb18e57687009b54751fc5a_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\{45AD1296-EA83-46cc-BE5F-F70696721867}.exe
  C:\Windows\{45AD1296-EA83-46cc-BE5F-F70696721867}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe
    C:\Windows\{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4E58C~1.EXE > nul
      4⤵
      PID:3952
  - - C:\Windows\{347542B6-ED54-444b-BAED-8861176CC7BB}.exe
      C:\Windows\{347542B6-ED54-444b-BAED-8861176CC7BB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3688
    - - C:\Windows\{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe
        
        C:\Windows\{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
      - C:\Windows\{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe
        
        C:\Windows\{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe
        
        C:\Windows\{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe
        
        C:\Windows\{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe
        
        C:\Windows\{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A29A1~1.EXE > nul
        10⤵
        
        PID:2024
        
        C:\Windows\{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe
        
        C:\Windows\{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe
        
        C:\Windows\{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\{F21C5F5B-F505-49aa-92BF-EBFB07624A92}.exe
        
        C:\Windows\{F21C5F5B-F505-49aa-92BF-EBFB07624A92}.exe
        12⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B1BD~1.EXE > nul
        12⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE2A~1.EXE > nul
        11⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19A90~1.EXE > nul
        9⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4557F~1.EXE > nul
        8⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2C67~1.EXE > nul
        7⤵
        
        PID:832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1165~1.EXE > nul
        6⤵
        
        PID:4768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34754~1.EXE > nul
        5⤵
        
        PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{45AD1~1.EXE > nul
    3⤵
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\434701~1.EXE > nul
  2⤵
  PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe

Filesize
216KB

MD5
b2334b51bc5912e43d13c2364d6ba35a

SHA1
bfeb753d4d8133bc679af849e635cb4001932998

SHA256
f9cabf3c0faf752ef59041a85ae0af4ef49a4ff8768c3f50d4f74db925ba822f

SHA512
daecd00fde6eaf717d9df2709aac1e9382ee74bf89bf1ac3ca584c7166d4d574320c8b68d5bebad13e35364c666eaf95336b0c78f0ad8e31cd0400a206b4c733

Download Submit
C:\Windows\{19A90703-41DC-4edf-8BB2-F31AEAA1B9D9}.exe

Filesize
216KB

MD5
b2334b51bc5912e43d13c2364d6ba35a

SHA1
bfeb753d4d8133bc679af849e635cb4001932998

SHA256
f9cabf3c0faf752ef59041a85ae0af4ef49a4ff8768c3f50d4f74db925ba822f

SHA512
daecd00fde6eaf717d9df2709aac1e9382ee74bf89bf1ac3ca584c7166d4d574320c8b68d5bebad13e35364c666eaf95336b0c78f0ad8e31cd0400a206b4c733

Download Submit
C:\Windows\{347542B6-ED54-444b-BAED-8861176CC7BB}.exe

Filesize
216KB

MD5
e167f17ffb3d771c0874e91ab4f6dcd1

SHA1
9c3f334ff2c60e390d8eecbd2a1742638afa8738

SHA256
edb21fb90b6ca77a1cb48fc25afc17e892be786aad780029755e46895a6252e0

SHA512
4ead1db4fedbb88ca579926c2b89edd4f34cdb0ef8b3062b929351e882d8225af4c13b509af541f46451902f6378078f4bb21e6af9d631e448bed92c9474d086

Download Submit
C:\Windows\{347542B6-ED54-444b-BAED-8861176CC7BB}.exe

Filesize
216KB

MD5
e167f17ffb3d771c0874e91ab4f6dcd1

SHA1
9c3f334ff2c60e390d8eecbd2a1742638afa8738

SHA256
edb21fb90b6ca77a1cb48fc25afc17e892be786aad780029755e46895a6252e0

SHA512
4ead1db4fedbb88ca579926c2b89edd4f34cdb0ef8b3062b929351e882d8225af4c13b509af541f46451902f6378078f4bb21e6af9d631e448bed92c9474d086

Download Submit
C:\Windows\{347542B6-ED54-444b-BAED-8861176CC7BB}.exe

Filesize
216KB

MD5
e167f17ffb3d771c0874e91ab4f6dcd1

SHA1
9c3f334ff2c60e390d8eecbd2a1742638afa8738

SHA256
edb21fb90b6ca77a1cb48fc25afc17e892be786aad780029755e46895a6252e0

SHA512
4ead1db4fedbb88ca579926c2b89edd4f34cdb0ef8b3062b929351e882d8225af4c13b509af541f46451902f6378078f4bb21e6af9d631e448bed92c9474d086

Download Submit
C:\Windows\{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe

Filesize
216KB

MD5
abf0f78e78763a0ce7c40e1833f7a5ee

SHA1
c203f0a7613b6e2430e9cdbb2abbbdbfc2b08fae

SHA256
e8639ffa65dcb25fd344a384b34ace0fe976a6d18d501cdcaa22b53dcc2b4dfc

SHA512
5fefaa59ce8d76a761c124bc1ebbfa93d0c417eff445c9372103540d52dc12a872de3fd0841103d5865412409cf8d308cd17df286a97e46c453b31d94b3a4df1

Download Submit
C:\Windows\{4557F1AE-287E-47f4-A963-AD2DEF354BFB}.exe

Filesize
216KB

MD5
abf0f78e78763a0ce7c40e1833f7a5ee

SHA1
c203f0a7613b6e2430e9cdbb2abbbdbfc2b08fae

SHA256
e8639ffa65dcb25fd344a384b34ace0fe976a6d18d501cdcaa22b53dcc2b4dfc

SHA512
5fefaa59ce8d76a761c124bc1ebbfa93d0c417eff445c9372103540d52dc12a872de3fd0841103d5865412409cf8d308cd17df286a97e46c453b31d94b3a4df1

Download Submit
C:\Windows\{45AD1296-EA83-46cc-BE5F-F70696721867}.exe

Filesize
216KB

MD5
401bb490881b96e2194611cf85ee7b7f

SHA1
e22f48be7c1a45f2643648a3c0e5c2f8c7007fb3

SHA256
acf55af16ab5008a51baf9c440c811375bcedf8150bb5f509ffe1e3ef9f0d3f7

SHA512
90078e6972dc369d9b9e35231a95eb443fd9a610429ea9c31595df5750d343b4916d26bed2a870bba92863c6884e3972a88ec9327430631645392c0810ca86c0

Download Submit
C:\Windows\{45AD1296-EA83-46cc-BE5F-F70696721867}.exe

Filesize
216KB

MD5
401bb490881b96e2194611cf85ee7b7f

SHA1
e22f48be7c1a45f2643648a3c0e5c2f8c7007fb3

SHA256
acf55af16ab5008a51baf9c440c811375bcedf8150bb5f509ffe1e3ef9f0d3f7

SHA512
90078e6972dc369d9b9e35231a95eb443fd9a610429ea9c31595df5750d343b4916d26bed2a870bba92863c6884e3972a88ec9327430631645392c0810ca86c0

Download Submit
C:\Windows\{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe

Filesize
216KB

MD5
88ab7387d7ffbf5d9db8192d7d242ddf

SHA1
299644a660ace4d44efbfd52240da96913ac6e7e

SHA256
99e85c8116cf6f8ca38074aba1f91bfe363ad9fed05cd52d042af51f2ed089d6

SHA512
5cd67a7b39ff26b5d9dd915fd9a4cac1e7828948b4a84d548a7760248c26c6da40d634363f66ab86ef42e4e38c2cd267f3660a2c289f69e2997323168b13dc08

Download Submit
C:\Windows\{4E58C30E-6492-47a5-AD11-72F5C3873357}.exe

Filesize
216KB

MD5
88ab7387d7ffbf5d9db8192d7d242ddf

SHA1
299644a660ace4d44efbfd52240da96913ac6e7e

SHA256
99e85c8116cf6f8ca38074aba1f91bfe363ad9fed05cd52d042af51f2ed089d6

SHA512
5cd67a7b39ff26b5d9dd915fd9a4cac1e7828948b4a84d548a7760248c26c6da40d634363f66ab86ef42e4e38c2cd267f3660a2c289f69e2997323168b13dc08

Download Submit
C:\Windows\{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe

Filesize
216KB

MD5
afb22e1186a8521da1a80fd41dd6c3b0

SHA1
5e3c02d877137fdb0adccfddbd1877dd1aa84917

SHA256
b95da9c59bc7e559de0672da656ff1704b4350fa155e7c34e8d569324cff9af5

SHA512
b0272219b6a7d700fa77f08c9f4a7677599341b0715f026adbb5042c08191f2c7eac900d92ef64c8b9ae69d90bdfd3cdf20890e397fda286d016e06bb692205e

Download Submit
C:\Windows\{6B1BDD8F-AC63-4540-A509-4161A2527E0C}.exe

Filesize
216KB

MD5
afb22e1186a8521da1a80fd41dd6c3b0

SHA1
5e3c02d877137fdb0adccfddbd1877dd1aa84917

SHA256
b95da9c59bc7e559de0672da656ff1704b4350fa155e7c34e8d569324cff9af5

SHA512
b0272219b6a7d700fa77f08c9f4a7677599341b0715f026adbb5042c08191f2c7eac900d92ef64c8b9ae69d90bdfd3cdf20890e397fda286d016e06bb692205e

Download Submit
C:\Windows\{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe

Filesize
216KB

MD5
4861e6a0114b1f98dcb23299af34be30

SHA1
607b6c08d2bbae9fa0a893cdd4f13a4be3968df8

SHA256
83a890a579e2675f3e1847dd1a765e14cf7c7ef76e5a57dd621584f8cd061460

SHA512
aaf4f9f213442eef517ef7a5839b313cf85f49350288e02c3cb839f91ad48b5038f7a6180f708f0abbfaeff9949b3ea42a3013bfbeea60e2d35f9007d70019d5

Download Submit
C:\Windows\{A29A1A6C-D353-4cd5-B5EF-5CD4761ADF64}.exe

Filesize
216KB

MD5
4861e6a0114b1f98dcb23299af34be30

SHA1
607b6c08d2bbae9fa0a893cdd4f13a4be3968df8

SHA256
83a890a579e2675f3e1847dd1a765e14cf7c7ef76e5a57dd621584f8cd061460

SHA512
aaf4f9f213442eef517ef7a5839b313cf85f49350288e02c3cb839f91ad48b5038f7a6180f708f0abbfaeff9949b3ea42a3013bfbeea60e2d35f9007d70019d5

Download Submit
C:\Windows\{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe

Filesize
216KB

MD5
4a1539a805e2f5bcd769cfd741499d79

SHA1
a2d911466d379b85f7c9032a23926ad7b86eda73

SHA256
700f21a6a066f66b9fd394d4e85a4f6857149745e635cbb5203a3a4e29764d2f

SHA512
e4137216ca42d6dcf94ea7751b6ce481c762f6f9913ed76a2cf213cf2c2207a71bea55b151fd500fa6def5fa5147ffddb9f1d78a54767ed493a50bb9cf11ea4d

Download Submit
C:\Windows\{A2C67CAA-A724-48f4-B7FF-5E2D7019A4E8}.exe

Filesize
216KB

MD5
4a1539a805e2f5bcd769cfd741499d79

SHA1
a2d911466d379b85f7c9032a23926ad7b86eda73

SHA256
700f21a6a066f66b9fd394d4e85a4f6857149745e635cbb5203a3a4e29764d2f

SHA512
e4137216ca42d6dcf94ea7751b6ce481c762f6f9913ed76a2cf213cf2c2207a71bea55b151fd500fa6def5fa5147ffddb9f1d78a54767ed493a50bb9cf11ea4d

Download Submit
C:\Windows\{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe

Filesize
216KB

MD5
ed90e1d1615939e0f2dfe0ab4812dd31

SHA1
108a873e7ceacde67cdfa880bae9e73644cdbdb8

SHA256
cfab714e75e4c166f6ff76d87cd49908b0a63eaee331017fc79620c3a150b303

SHA512
1809f5c42826295b0cc61bd7e17282acf584330fdebe8c1cb56094805c73b80831b4eb5a0454aa0a9220f36e0fa67acdac62ad7348ff6d5dd6868d75c5fc1cf3

Download Submit
C:\Windows\{ADE2A35D-B57F-4e93-9F36-5544300348BD}.exe

Filesize
216KB

MD5
ed90e1d1615939e0f2dfe0ab4812dd31

SHA1
108a873e7ceacde67cdfa880bae9e73644cdbdb8

SHA256
cfab714e75e4c166f6ff76d87cd49908b0a63eaee331017fc79620c3a150b303

SHA512
1809f5c42826295b0cc61bd7e17282acf584330fdebe8c1cb56094805c73b80831b4eb5a0454aa0a9220f36e0fa67acdac62ad7348ff6d5dd6868d75c5fc1cf3

Download Submit
C:\Windows\{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe

Filesize
216KB

MD5
4ee84696f8808d3cbe5f7a52d80a7e75

SHA1
aef2c4a4824e83045217f0898270d39152664d96

SHA256
6b4656e071cc7eefe1c54223f2dc7dfeb0b79949adad156ca1859745c3fa25c9

SHA512
a4293b906a428ff0f50c8aab9670f923c664113ee1bfaaeebff9758297cbc88125b0e10e131409ff93c760a2c40c5f61c52f780c5f94ab24cdb68a5d77ffb7ae

Download Submit
C:\Windows\{B1165974-3A1D-457f-8C7E-F355FDFF38D7}.exe

Filesize
216KB

MD5
4ee84696f8808d3cbe5f7a52d80a7e75

SHA1
aef2c4a4824e83045217f0898270d39152664d96

SHA256
6b4656e071cc7eefe1c54223f2dc7dfeb0b79949adad156ca1859745c3fa25c9

SHA512
a4293b906a428ff0f50c8aab9670f923c664113ee1bfaaeebff9758297cbc88125b0e10e131409ff93c760a2c40c5f61c52f780c5f94ab24cdb68a5d77ffb7ae

Download Submit
C:\Windows\{F21C5F5B-F505-49aa-92BF-EBFB07624A92}.exe

Filesize
216KB

MD5
96d75e855df903ecff1daf95a8c1be3c

SHA1
7160798a2e39faf9e64f029b42d5652452e36226

SHA256
3ac6afb05093f4e06900ace16259042fc2763a8250daa3a0ca16316b0921d37e

SHA512
4e82990f210b1d12e6a1e63539b436d5683a97582cf28db3f12481eb429c7c3ab998b68121887812cf3758fdb36504a17c45b812b1601503add3ad0a35f6a3b5

Download Submit
C:\Windows\{F21C5F5B-F505-49aa-92BF-EBFB07624A92}.exe

Filesize
216KB

MD5
96d75e855df903ecff1daf95a8c1be3c

SHA1
7160798a2e39faf9e64f029b42d5652452e36226

SHA256
3ac6afb05093f4e06900ace16259042fc2763a8250daa3a0ca16316b0921d37e

SHA512
4e82990f210b1d12e6a1e63539b436d5683a97582cf28db3f12481eb429c7c3ab998b68121887812cf3758fdb36504a17c45b812b1601503add3ad0a35f6a3b5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads