a34e69d45ebc6d6c911d3abf6f6d90fb9088fc4c4256bcd60d817722decb02ce

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2023 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe
Size

372KB
MD5

4469d6d1558a553420db4e4511c7c968
SHA1

86f8c94dc9733b69aa52ac22508a265ec9c4e71e
SHA256

a34e69d45ebc6d6c911d3abf6f6d90fb9088fc4c4256bcd60d817722decb02ce
SHA512

72f02b5b8228098c7d6d01017f0b93dff6c55ccecd22f7369a6fff7332a9cf984ed18a798380061a5a0eeb38d7c5e112756635c7d0b013433f2d81e38a24413c
SSDEEP

3072:CEGh0odmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGCl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A154F22B-1E36-4910-A742-EE14F5726A52}	{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8D622AE-D442-4013-AFBD-38546D8226A6}	{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}\stubpath = "C:\\Windows\\{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe"	{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}	{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81CAD333-2387-48e2-ADE9-F51640DEAC18}\stubpath = "C:\\Windows\\{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe"	{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E55D024-9F6E-4b14-AEF9-4BF9A6DAEDE6}	{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7588E77E-71BE-4b54-A7CB-1DB491506C7E}\stubpath = "C:\\Windows\\{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe"	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C4F9881-CA02-408c-B355-03BCBEE69F1B}	{C74A8937-4F91-4f2f-8B66-74714387963D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8D622AE-D442-4013-AFBD-38546D8226A6}\stubpath = "C:\\Windows\\{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe"	{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}	{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9224C61-54C5-4b59-BA7D-F803F463B822}\stubpath = "C:\\Windows\\{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe"	{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}\stubpath = "C:\\Windows\\{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe"	{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}\stubpath = "C:\\Windows\\{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe"	{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81CAD333-2387-48e2-ADE9-F51640DEAC18}	{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7588E77E-71BE-4b54-A7CB-1DB491506C7E}	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A154F22B-1E36-4910-A742-EE14F5726A52}\stubpath = "C:\\Windows\\{A154F22B-1E36-4910-A742-EE14F5726A52}.exe"	{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C74A8937-4F91-4f2f-8B66-74714387963D}	{A154F22B-1E36-4910-A742-EE14F5726A52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9224C61-54C5-4b59-BA7D-F803F463B822}	{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E55D024-9F6E-4b14-AEF9-4BF9A6DAEDE6}\stubpath = "C:\\Windows\\{9E55D024-9F6E-4b14-AEF9-4BF9A6DAEDE6}.exe"	{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C74A8937-4F91-4f2f-8B66-74714387963D}\stubpath = "C:\\Windows\\{C74A8937-4F91-4f2f-8B66-74714387963D}.exe"	{A154F22B-1E36-4910-A742-EE14F5726A52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C4F9881-CA02-408c-B355-03BCBEE69F1B}\stubpath = "C:\\Windows\\{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe"	{C74A8937-4F91-4f2f-8B66-74714387963D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}	{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe

Executes dropped EXE 11 IoCs

pid	Process
1640	{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe
4428	{A154F22B-1E36-4910-A742-EE14F5726A52}.exe
1780	{C74A8937-4F91-4f2f-8B66-74714387963D}.exe
2712	{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe
4284	{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe
2696	{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe
4548	{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe
2828	{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe
1596	{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe
2444	{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe
3588	{9E55D024-9F6E-4b14-AEF9-4BF9A6DAEDE6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A154F22B-1E36-4910-A742-EE14F5726A52}.exe	{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe
File created	C:\Windows\{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe	{C74A8937-4F91-4f2f-8B66-74714387963D}.exe
File created	C:\Windows\{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe	{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe
File created	C:\Windows\{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe	{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe
File created	C:\Windows\{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe
File created	C:\Windows\{C74A8937-4F91-4f2f-8B66-74714387963D}.exe	{A154F22B-1E36-4910-A742-EE14F5726A52}.exe
File created	C:\Windows\{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe	{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe
File created	C:\Windows\{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe	{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe
File created	C:\Windows\{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe	{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe
File created	C:\Windows\{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe	{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe
File created	C:\Windows\{9E55D024-9F6E-4b14-AEF9-4BF9A6DAEDE6}.exe	{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4756	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1640	{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe
Token: SeIncBasePriorityPrivilege	4428	{A154F22B-1E36-4910-A742-EE14F5726A52}.exe
Token: SeIncBasePriorityPrivilege	1780	{C74A8937-4F91-4f2f-8B66-74714387963D}.exe
Token: SeIncBasePriorityPrivilege	2712	{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe
Token: SeIncBasePriorityPrivilege	4284	{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe
Token: SeIncBasePriorityPrivilege	2696	{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe
Token: SeIncBasePriorityPrivilege	4548	{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe
Token: SeIncBasePriorityPrivilege	2828	{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe
Token: SeIncBasePriorityPrivilege	1596	{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe
Token: SeIncBasePriorityPrivilege	2444	{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 1640	4756	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	89
PID 4756 wrote to memory of 1640	4756	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	89
PID 4756 wrote to memory of 1640	4756	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	89
PID 4756 wrote to memory of 420	4756	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	90
PID 4756 wrote to memory of 420	4756	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	90
PID 4756 wrote to memory of 420	4756	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	90
PID 1640 wrote to memory of 4428	1640	{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe	91
PID 1640 wrote to memory of 4428	1640	{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe	91
PID 1640 wrote to memory of 4428	1640	{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe	91
PID 1640 wrote to memory of 1140	1640	{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe	92
PID 1640 wrote to memory of 1140	1640	{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe	92
PID 1640 wrote to memory of 1140	1640	{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe	92
PID 4428 wrote to memory of 1780	4428	{A154F22B-1E36-4910-A742-EE14F5726A52}.exe	94
PID 4428 wrote to memory of 1780	4428	{A154F22B-1E36-4910-A742-EE14F5726A52}.exe	94
PID 4428 wrote to memory of 1780	4428	{A154F22B-1E36-4910-A742-EE14F5726A52}.exe	94
PID 4428 wrote to memory of 2096	4428	{A154F22B-1E36-4910-A742-EE14F5726A52}.exe	95
PID 4428 wrote to memory of 2096	4428	{A154F22B-1E36-4910-A742-EE14F5726A52}.exe	95
PID 4428 wrote to memory of 2096	4428	{A154F22B-1E36-4910-A742-EE14F5726A52}.exe	95
PID 1780 wrote to memory of 2712	1780	{C74A8937-4F91-4f2f-8B66-74714387963D}.exe	96
PID 1780 wrote to memory of 2712	1780	{C74A8937-4F91-4f2f-8B66-74714387963D}.exe	96
PID 1780 wrote to memory of 2712	1780	{C74A8937-4F91-4f2f-8B66-74714387963D}.exe	96
PID 1780 wrote to memory of 1256	1780	{C74A8937-4F91-4f2f-8B66-74714387963D}.exe	97
PID 1780 wrote to memory of 1256	1780	{C74A8937-4F91-4f2f-8B66-74714387963D}.exe	97
PID 1780 wrote to memory of 1256	1780	{C74A8937-4F91-4f2f-8B66-74714387963D}.exe	97
PID 2712 wrote to memory of 4284	2712	{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe	98
PID 2712 wrote to memory of 4284	2712	{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe	98
PID 2712 wrote to memory of 4284	2712	{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe	98
PID 2712 wrote to memory of 2272	2712	{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe	99
PID 2712 wrote to memory of 2272	2712	{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe	99
PID 2712 wrote to memory of 2272	2712	{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe	99
PID 4284 wrote to memory of 2696	4284	{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe	100
PID 4284 wrote to memory of 2696	4284	{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe	100
PID 4284 wrote to memory of 2696	4284	{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe	100
PID 4284 wrote to memory of 1712	4284	{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe	101
PID 4284 wrote to memory of 1712	4284	{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe	101
PID 4284 wrote to memory of 1712	4284	{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe	101
PID 2696 wrote to memory of 4548	2696	{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe	102
PID 2696 wrote to memory of 4548	2696	{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe	102
PID 2696 wrote to memory of 4548	2696	{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe	102
PID 2696 wrote to memory of 2112	2696	{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe	103
PID 2696 wrote to memory of 2112	2696	{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe	103
PID 2696 wrote to memory of 2112	2696	{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe	103
PID 4548 wrote to memory of 2828	4548	{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe	104
PID 4548 wrote to memory of 2828	4548	{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe	104
PID 4548 wrote to memory of 2828	4548	{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe	104
PID 4548 wrote to memory of 1264	4548	{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe	105
PID 4548 wrote to memory of 1264	4548	{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe	105
PID 4548 wrote to memory of 1264	4548	{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe	105
PID 2828 wrote to memory of 1596	2828	{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe	106
PID 2828 wrote to memory of 1596	2828	{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe	106
PID 2828 wrote to memory of 1596	2828	{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe	106
PID 2828 wrote to memory of 4996	2828	{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe	107
PID 2828 wrote to memory of 4996	2828	{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe	107
PID 2828 wrote to memory of 4996	2828	{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe	107
PID 1596 wrote to memory of 2444	1596	{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe	108
PID 1596 wrote to memory of 2444	1596	{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe	108
PID 1596 wrote to memory of 2444	1596	{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe	108
PID 1596 wrote to memory of 3808	1596	{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe	109
PID 1596 wrote to memory of 3808	1596	{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe	109
PID 1596 wrote to memory of 3808	1596	{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe	109
PID 2444 wrote to memory of 3588	2444	{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe	110
PID 2444 wrote to memory of 3588	2444	{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe	110
PID 2444 wrote to memory of 3588	2444	{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe	110
PID 2444 wrote to memory of 1960	2444	{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe	111

C:\Users\Admin\AppData\Local\Temp\4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe
  C:\Windows\{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\{A154F22B-1E36-4910-A742-EE14F5726A52}.exe
    C:\Windows\{A154F22B-1E36-4910-A742-EE14F5726A52}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\{C74A8937-4F91-4f2f-8B66-74714387963D}.exe
      C:\Windows\{C74A8937-4F91-4f2f-8B66-74714387963D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe
        
        C:\Windows\{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe
        
        C:\Windows\{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe
        
        C:\Windows\{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe
        
        C:\Windows\{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe
        
        C:\Windows\{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe
        
        C:\Windows\{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe
        
        C:\Windows\{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\{9E55D024-9F6E-4b14-AEF9-4BF9A6DAEDE6}.exe
        
        C:\Windows\{9E55D024-9F6E-4b14-AEF9-4BF9A6DAEDE6}.exe
        12⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81CAD~1.EXE > nul
        12⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F6A2~1.EXE > nul
        11⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33612~1.EXE > nul
        10⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9224~1.EXE > nul
        9⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEA44~1.EXE > nul
        8⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8D62~1.EXE > nul
        7⤵
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C4F9~1.EXE > nul
        6⤵
        
        PID:2272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C74A8~1.EXE > nul
        5⤵
        
        PID:1256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A154F~1.EXE > nul
      4⤵
      PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7588E~1.EXE > nul
    3⤵
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4469D6~1.EXE > nul
  2⤵
  PID:420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe

Filesize
372KB

MD5
9eb6ca89ff05198b731c10f2bb474a5d

SHA1
49743032cbb23aad976273da7b3bc7056610b4af

SHA256
1999ef346015b9cc57c25b921ad0b5ea103d118d2c06753c52f0aae1eed95f1e

SHA512
3d3886fd7f1c71f169c1c1eb3a98bec36ec57a10c02a1ddaba3c740b3c8612112ca5275b3debdabc711de2fdb35f23b0ade0233186c8eb51f05a4ca672938d72

Download Submit
C:\Windows\{336126DF-5EEB-41c6-ABA9-FF12072FFCB2}.exe

Filesize
372KB

MD5
9eb6ca89ff05198b731c10f2bb474a5d

SHA1
49743032cbb23aad976273da7b3bc7056610b4af

SHA256
1999ef346015b9cc57c25b921ad0b5ea103d118d2c06753c52f0aae1eed95f1e

SHA512
3d3886fd7f1c71f169c1c1eb3a98bec36ec57a10c02a1ddaba3c740b3c8612112ca5275b3debdabc711de2fdb35f23b0ade0233186c8eb51f05a4ca672938d72

Download Submit
C:\Windows\{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe

Filesize
372KB

MD5
891de3229c5afa3f2e734d151bfcdf9a

SHA1
e417ddb0f5249d654b0d6adc33f5fce7edf3cb51

SHA256
a8937c20fe034069cb2e6afdca05eeb704647d6c00a02a9788ec0451d3e69b29

SHA512
b6a3f77a57f3be69b890846d339fd7acb6197a506233b60f36545fc607088b56f1bda8765ed10fa789c94484f5cc0c094b063f4a53374db08605489434d1ecac

Download Submit
C:\Windows\{4C4F9881-CA02-408c-B355-03BCBEE69F1B}.exe

Filesize
372KB

MD5
891de3229c5afa3f2e734d151bfcdf9a

SHA1
e417ddb0f5249d654b0d6adc33f5fce7edf3cb51

SHA256
a8937c20fe034069cb2e6afdca05eeb704647d6c00a02a9788ec0451d3e69b29

SHA512
b6a3f77a57f3be69b890846d339fd7acb6197a506233b60f36545fc607088b56f1bda8765ed10fa789c94484f5cc0c094b063f4a53374db08605489434d1ecac

Download Submit
C:\Windows\{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe

Filesize
372KB

MD5
844fc968b1a4586ac8f9a5bab24109e8

SHA1
ab814cc3004b1c24829029190d94f0ebb4995051

SHA256
e3ff63703eb86b91bb2b4676d17af517ae1c4da509fe5276cf7acf740e9db270

SHA512
adcb2097cc96821a9718d9f9b6a1363dc185c9e82b42df377cc54d1d740f27da80082a2cf0c3ff7d2681c4b315d6c9d439c8d6749eb7a2f97d27c0df2b741e77

Download Submit
C:\Windows\{6F6A283F-13C8-45b2-AD9D-574DC4AA4014}.exe

Filesize
372KB

MD5
844fc968b1a4586ac8f9a5bab24109e8

SHA1
ab814cc3004b1c24829029190d94f0ebb4995051

SHA256
e3ff63703eb86b91bb2b4676d17af517ae1c4da509fe5276cf7acf740e9db270

SHA512
adcb2097cc96821a9718d9f9b6a1363dc185c9e82b42df377cc54d1d740f27da80082a2cf0c3ff7d2681c4b315d6c9d439c8d6749eb7a2f97d27c0df2b741e77

Download Submit
C:\Windows\{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe

Filesize
372KB

MD5
7dd5b0c8eb176d193e0ac4525f796438

SHA1
ba00e59db7c6da7527ceb65dde32d9ae2feeedca

SHA256
860b2a927b34e64878500d5a462cc14c8ca9b15ced121408ae6489f0c6c80d5a

SHA512
ef3a347e5ecfdccdfd50112dbe4894ac8d8925c786c705bee39a055dbf63c40008cc37bd1a07d61620ed518e6772bf2adb6c579397685d73296d8d606acac8cb

Download Submit
C:\Windows\{7588E77E-71BE-4b54-A7CB-1DB491506C7E}.exe

Filesize
372KB

MD5
7dd5b0c8eb176d193e0ac4525f796438

SHA1
ba00e59db7c6da7527ceb65dde32d9ae2feeedca

SHA256
860b2a927b34e64878500d5a462cc14c8ca9b15ced121408ae6489f0c6c80d5a

SHA512
ef3a347e5ecfdccdfd50112dbe4894ac8d8925c786c705bee39a055dbf63c40008cc37bd1a07d61620ed518e6772bf2adb6c579397685d73296d8d606acac8cb

Download Submit
C:\Windows\{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe

Filesize
372KB

MD5
1e69c48ec7d8e4932d36e3a1beef8256

SHA1
88faf7a4c15052e8a1abef818e0b57ee066e36ac

SHA256
16a4ae5c579028a4edf14c678552d025c3cfb7e9976be2dfa303bc412be708fc

SHA512
70c781eb0f49eeb1ea30896adb16f51a3b700ca284a3b8196c294c2296f3e61f034142ced64663c39cbb2f32d29b0ec5bb50ae2fbc4d496168ef84a3099bbfd1

Download Submit
C:\Windows\{81CAD333-2387-48e2-ADE9-F51640DEAC18}.exe

Filesize
372KB

MD5
1e69c48ec7d8e4932d36e3a1beef8256

SHA1
88faf7a4c15052e8a1abef818e0b57ee066e36ac

SHA256
16a4ae5c579028a4edf14c678552d025c3cfb7e9976be2dfa303bc412be708fc

SHA512
70c781eb0f49eeb1ea30896adb16f51a3b700ca284a3b8196c294c2296f3e61f034142ced64663c39cbb2f32d29b0ec5bb50ae2fbc4d496168ef84a3099bbfd1

Download Submit
C:\Windows\{9E55D024-9F6E-4b14-AEF9-4BF9A6DAEDE6}.exe

Filesize
372KB

MD5
e2d2ffb9cf9f61b6141a89ae760cda94

SHA1
a75db27b25237c9c1ce58529f2b6722653b8d77e

SHA256
749eb70853fbd80ec350bd037a158dbad0e0862f8e5f218f7c007efff4ac963f

SHA512
03cc8775350654264ea291e0ac418e0f2304a6e3aef3941e2a91fd6b063298ed7f42cfdd34337169766eb1b64126f44e0eddee3231162b6ee8a4bbc6af371205

Download Submit
C:\Windows\{9E55D024-9F6E-4b14-AEF9-4BF9A6DAEDE6}.exe

Filesize
372KB

MD5
e2d2ffb9cf9f61b6141a89ae760cda94

SHA1
a75db27b25237c9c1ce58529f2b6722653b8d77e

SHA256
749eb70853fbd80ec350bd037a158dbad0e0862f8e5f218f7c007efff4ac963f

SHA512
03cc8775350654264ea291e0ac418e0f2304a6e3aef3941e2a91fd6b063298ed7f42cfdd34337169766eb1b64126f44e0eddee3231162b6ee8a4bbc6af371205

Download Submit
C:\Windows\{A154F22B-1E36-4910-A742-EE14F5726A52}.exe

Filesize
372KB

MD5
3f39d45ba24d1cbe66e69a08c15c86ba

SHA1
9ce722e5b70c872d66bdbb7514b7be49fb349ffe

SHA256
5b23e70d29ffb5e8b46cff0f3b1136116d0f8c861700f8e62e215c697c1c16a3

SHA512
81f8033c7e6202e7e959800c71d5d43c2707c98ea7ce9eeeb58de6e409ce29a47b42f5d62ea30fc59df35d2c03a0ac6ac4a29cfd63b35382d555eb845d6b4a61

Download Submit
C:\Windows\{A154F22B-1E36-4910-A742-EE14F5726A52}.exe

Filesize
372KB

MD5
3f39d45ba24d1cbe66e69a08c15c86ba

SHA1
9ce722e5b70c872d66bdbb7514b7be49fb349ffe

SHA256
5b23e70d29ffb5e8b46cff0f3b1136116d0f8c861700f8e62e215c697c1c16a3

SHA512
81f8033c7e6202e7e959800c71d5d43c2707c98ea7ce9eeeb58de6e409ce29a47b42f5d62ea30fc59df35d2c03a0ac6ac4a29cfd63b35382d555eb845d6b4a61

Download Submit
C:\Windows\{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe

Filesize
372KB

MD5
1905453ecb5cac7e96e8dbbabcb81d72

SHA1
fdde6020dc801c388a3244c4bfc906682fa2d342

SHA256
2eae4ab53fa82d6203c8463f71f8703d4d02d75a54c327c907719a9418ca4646

SHA512
dfee161efa801fd9c97d7cb56bbc7113d2d848e5ab145b100643cf10d1336c3909640a2909860e27a7c13d52e5f93735dd7bfeb4e04cb5d27f49e9687305664b

Download Submit
C:\Windows\{B8D622AE-D442-4013-AFBD-38546D8226A6}.exe

Filesize
372KB

MD5
1905453ecb5cac7e96e8dbbabcb81d72

SHA1
fdde6020dc801c388a3244c4bfc906682fa2d342

SHA256
2eae4ab53fa82d6203c8463f71f8703d4d02d75a54c327c907719a9418ca4646

SHA512
dfee161efa801fd9c97d7cb56bbc7113d2d848e5ab145b100643cf10d1336c3909640a2909860e27a7c13d52e5f93735dd7bfeb4e04cb5d27f49e9687305664b

Download Submit
C:\Windows\{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe

Filesize
372KB

MD5
115dcf470ab56dd6b4b1aba526185135

SHA1
10158ae7f17960adcaa8820fdf225b86d1d289b5

SHA256
ca18bb77bbb3d31e471d1be11cd1c430e16ab04e1cee73f726bba45e9ec35d0e

SHA512
8cf6eec845e0b85bab8cb4ebd54f544270a1db9f1acda343cfe6e446298c4001bc4c08c1cdce301eb216c6acad447b13db5926836258527e544ccda6027d265c

Download Submit
C:\Windows\{BEA44FAE-60D4-4c61-A2EC-0E194A2C693F}.exe

Filesize
372KB

MD5
115dcf470ab56dd6b4b1aba526185135

SHA1
10158ae7f17960adcaa8820fdf225b86d1d289b5

SHA256
ca18bb77bbb3d31e471d1be11cd1c430e16ab04e1cee73f726bba45e9ec35d0e

SHA512
8cf6eec845e0b85bab8cb4ebd54f544270a1db9f1acda343cfe6e446298c4001bc4c08c1cdce301eb216c6acad447b13db5926836258527e544ccda6027d265c

Download Submit
C:\Windows\{C74A8937-4F91-4f2f-8B66-74714387963D}.exe

Filesize
372KB

MD5
c2933626eba0f97d43f4073b80af49f6

SHA1
aeba70169a5167c7e4a03612599f7b62fb332327

SHA256
907243f6c8d6f80025e37f2cc8713ce44e4904def4afec3f484b4c6d430e4daa

SHA512
096c5379a5687ced0ece4fdc242234d6406779b50eb81e7a4f5ec7fdd31a505fd0e248137e902a0af4e00148c770e570a00b0fc461603a03581d8a8ac413a80d

Download Submit
C:\Windows\{C74A8937-4F91-4f2f-8B66-74714387963D}.exe

Filesize
372KB

MD5
c2933626eba0f97d43f4073b80af49f6

SHA1
aeba70169a5167c7e4a03612599f7b62fb332327

SHA256
907243f6c8d6f80025e37f2cc8713ce44e4904def4afec3f484b4c6d430e4daa

SHA512
096c5379a5687ced0ece4fdc242234d6406779b50eb81e7a4f5ec7fdd31a505fd0e248137e902a0af4e00148c770e570a00b0fc461603a03581d8a8ac413a80d

Download Submit
C:\Windows\{C74A8937-4F91-4f2f-8B66-74714387963D}.exe

Filesize
372KB

MD5
c2933626eba0f97d43f4073b80af49f6

SHA1
aeba70169a5167c7e4a03612599f7b62fb332327

SHA256
907243f6c8d6f80025e37f2cc8713ce44e4904def4afec3f484b4c6d430e4daa

SHA512
096c5379a5687ced0ece4fdc242234d6406779b50eb81e7a4f5ec7fdd31a505fd0e248137e902a0af4e00148c770e570a00b0fc461603a03581d8a8ac413a80d

Download Submit
C:\Windows\{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe

Filesize
372KB

MD5
7ca8d542f3b32bd01f2b4fa4e9a80b88

SHA1
84caa4bacda31dd9f104eba5748f20190990f1e7

SHA256
a22a49eb6b545c84b53d39290644db9fc3cab89daee805ec919bb3e04c28c555

SHA512
10aaeba28100e6f71e6dd6adb4fadb0aea2b8233d9b7d49f35a662e038e8a3ddea3da967085c9b9da363a04867936550f55db84d92287f49e8d52d166d06eb6f

Download Submit
C:\Windows\{F9224C61-54C5-4b59-BA7D-F803F463B822}.exe

Filesize
372KB

MD5
7ca8d542f3b32bd01f2b4fa4e9a80b88

SHA1
84caa4bacda31dd9f104eba5748f20190990f1e7

SHA256
a22a49eb6b545c84b53d39290644db9fc3cab89daee805ec919bb3e04c28c555

SHA512
10aaeba28100e6f71e6dd6adb4fadb0aea2b8233d9b7d49f35a662e038e8a3ddea3da967085c9b9da363a04867936550f55db84d92287f49e8d52d166d06eb6f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads