43f4eb673f818a9033d80838793d8fceb9e82358a2d8f23d7a49d198b298dd30

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2023, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe
Size

204KB
MD5

4e3a4dab1107babb8a340e5929eef324
SHA1

eb31afff833bdaad03332d1c3d60a3dc01fa1144
SHA256

43f4eb673f818a9033d80838793d8fceb9e82358a2d8f23d7a49d198b298dd30
SHA512

1d8c082710be88407b2557ac86ae37e49cb5ca740c1ae4c83ff219861b36b1eeb80b882c5488c4095b53417d09a921507758ccdc4127d91e24f9fddbff4df78f
SSDEEP

1536:1EGh0o3l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o3l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1347EDA7-1570-4108-A289-87E796FD95FB}	{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1347EDA7-1570-4108-A289-87E796FD95FB}\stubpath = "C:\\Windows\\{1347EDA7-1570-4108-A289-87E796FD95FB}.exe"	{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2765872-6109-4142-80B3-E61B26405D89}	{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2765872-6109-4142-80B3-E61B26405D89}\stubpath = "C:\\Windows\\{E2765872-6109-4142-80B3-E61B26405D89}.exe"	{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55C18C2E-C737-4cd5-8D17-1A55D262799A}	{E2765872-6109-4142-80B3-E61B26405D89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55C18C2E-C737-4cd5-8D17-1A55D262799A}\stubpath = "C:\\Windows\\{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe"	{E2765872-6109-4142-80B3-E61B26405D89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}	{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7040F8D-039D-4882-8F21-EC2AEBC74888}	{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7040F8D-039D-4882-8F21-EC2AEBC74888}\stubpath = "C:\\Windows\\{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe"	{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3387A210-48D6-4f3f-8236-817E717DFB02}	{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{737841D7-AE0A-4b35-8F21-65F3F06443E3}	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{737841D7-AE0A-4b35-8F21-65F3F06443E3}\stubpath = "C:\\Windows\\{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe"	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}\stubpath = "C:\\Windows\\{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe"	{1347EDA7-1570-4108-A289-87E796FD95FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}\stubpath = "C:\\Windows\\{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe"	{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}\stubpath = "C:\\Windows\\{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe"	{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}	{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3387A210-48D6-4f3f-8236-817E717DFB02}\stubpath = "C:\\Windows\\{3387A210-48D6-4f3f-8236-817E717DFB02}.exe"	{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0075F04A-2BE2-4fdb-800B-B806D222F591}\stubpath = "C:\\Windows\\{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe"	{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0075F04A-2BE2-4fdb-800B-B806D222F591}	{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}	{1347EDA7-1570-4108-A289-87E796FD95FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}	{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}\stubpath = "C:\\Windows\\{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe"	{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe

Executes dropped EXE 11 IoCs

pid	Process
2120	{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe
464	{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe
1768	{1347EDA7-1570-4108-A289-87E796FD95FB}.exe
1280	{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe
232	{E2765872-6109-4142-80B3-E61B26405D89}.exe
764	{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe
4552	{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe
5108	{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe
4780	{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe
3232	{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe
4868	{3387A210-48D6-4f3f-8236-817E717DFB02}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe	{E2765872-6109-4142-80B3-E61B26405D89}.exe
File created	C:\Windows\{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe	{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe
File created	C:\Windows\{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe	{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe
File created	C:\Windows\{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe	{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe
File created	C:\Windows\{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe
File created	C:\Windows\{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe	{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe
File created	C:\Windows\{1347EDA7-1570-4108-A289-87E796FD95FB}.exe	{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe
File created	C:\Windows\{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe	{1347EDA7-1570-4108-A289-87E796FD95FB}.exe
File created	C:\Windows\{E2765872-6109-4142-80B3-E61B26405D89}.exe	{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe
File created	C:\Windows\{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe	{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe
File created	C:\Windows\{3387A210-48D6-4f3f-8236-817E717DFB02}.exe	{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	8	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2120	{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe
Token: SeIncBasePriorityPrivilege	464	{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe
Token: SeIncBasePriorityPrivilege	1768	{1347EDA7-1570-4108-A289-87E796FD95FB}.exe
Token: SeIncBasePriorityPrivilege	1280	{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe
Token: SeIncBasePriorityPrivilege	232	{E2765872-6109-4142-80B3-E61B26405D89}.exe
Token: SeIncBasePriorityPrivilege	764	{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe
Token: SeIncBasePriorityPrivilege	4552	{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe
Token: SeIncBasePriorityPrivilege	5108	{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe
Token: SeIncBasePriorityPrivilege	4780	{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe
Token: SeIncBasePriorityPrivilege	3232	{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 2120	8	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	89
PID 8 wrote to memory of 2120	8	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	89
PID 8 wrote to memory of 2120	8	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	89
PID 8 wrote to memory of 2036	8	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	90
PID 8 wrote to memory of 2036	8	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	90
PID 8 wrote to memory of 2036	8	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	90
PID 2120 wrote to memory of 464	2120	{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe	91
PID 2120 wrote to memory of 464	2120	{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe	91
PID 2120 wrote to memory of 464	2120	{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe	91
PID 2120 wrote to memory of 4904	2120	{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe	92
PID 2120 wrote to memory of 4904	2120	{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe	92
PID 2120 wrote to memory of 4904	2120	{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe	92
PID 464 wrote to memory of 1768	464	{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe	95
PID 464 wrote to memory of 1768	464	{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe	95
PID 464 wrote to memory of 1768	464	{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe	95
PID 464 wrote to memory of 4952	464	{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe	94
PID 464 wrote to memory of 4952	464	{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe	94
PID 464 wrote to memory of 4952	464	{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe	94
PID 1768 wrote to memory of 1280	1768	{1347EDA7-1570-4108-A289-87E796FD95FB}.exe	96
PID 1768 wrote to memory of 1280	1768	{1347EDA7-1570-4108-A289-87E796FD95FB}.exe	96
PID 1768 wrote to memory of 1280	1768	{1347EDA7-1570-4108-A289-87E796FD95FB}.exe	96
PID 1768 wrote to memory of 4480	1768	{1347EDA7-1570-4108-A289-87E796FD95FB}.exe	97
PID 1768 wrote to memory of 4480	1768	{1347EDA7-1570-4108-A289-87E796FD95FB}.exe	97
PID 1768 wrote to memory of 4480	1768	{1347EDA7-1570-4108-A289-87E796FD95FB}.exe	97
PID 1280 wrote to memory of 232	1280	{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe	98
PID 1280 wrote to memory of 232	1280	{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe	98
PID 1280 wrote to memory of 232	1280	{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe	98
PID 1280 wrote to memory of 4644	1280	{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe	99
PID 1280 wrote to memory of 4644	1280	{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe	99
PID 1280 wrote to memory of 4644	1280	{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe	99
PID 232 wrote to memory of 764	232	{E2765872-6109-4142-80B3-E61B26405D89}.exe	100
PID 232 wrote to memory of 764	232	{E2765872-6109-4142-80B3-E61B26405D89}.exe	100
PID 232 wrote to memory of 764	232	{E2765872-6109-4142-80B3-E61B26405D89}.exe	100
PID 232 wrote to memory of 4580	232	{E2765872-6109-4142-80B3-E61B26405D89}.exe	101
PID 232 wrote to memory of 4580	232	{E2765872-6109-4142-80B3-E61B26405D89}.exe	101
PID 232 wrote to memory of 4580	232	{E2765872-6109-4142-80B3-E61B26405D89}.exe	101
PID 764 wrote to memory of 4552	764	{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe	102
PID 764 wrote to memory of 4552	764	{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe	102
PID 764 wrote to memory of 4552	764	{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe	102
PID 764 wrote to memory of 3656	764	{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe	103
PID 764 wrote to memory of 3656	764	{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe	103
PID 764 wrote to memory of 3656	764	{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe	103
PID 4552 wrote to memory of 5108	4552	{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe	104
PID 4552 wrote to memory of 5108	4552	{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe	104
PID 4552 wrote to memory of 5108	4552	{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe	104
PID 4552 wrote to memory of 2312	4552	{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe	105
PID 4552 wrote to memory of 2312	4552	{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe	105
PID 4552 wrote to memory of 2312	4552	{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe	105
PID 5108 wrote to memory of 4780	5108	{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe	106
PID 5108 wrote to memory of 4780	5108	{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe	106
PID 5108 wrote to memory of 4780	5108	{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe	106
PID 5108 wrote to memory of 1632	5108	{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe	107
PID 5108 wrote to memory of 1632	5108	{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe	107
PID 5108 wrote to memory of 1632	5108	{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe	107
PID 4780 wrote to memory of 3232	4780	{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe	108
PID 4780 wrote to memory of 3232	4780	{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe	108
PID 4780 wrote to memory of 3232	4780	{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe	108
PID 4780 wrote to memory of 4360	4780	{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe	109
PID 4780 wrote to memory of 4360	4780	{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe	109
PID 4780 wrote to memory of 4360	4780	{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe	109
PID 3232 wrote to memory of 4868	3232	{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe	110
PID 3232 wrote to memory of 4868	3232	{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe	110
PID 3232 wrote to memory of 4868	3232	{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe	110
PID 3232 wrote to memory of 4532	3232	{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe	111

C:\Users\Admin\AppData\Local\Temp\4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe
  C:\Windows\{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe
    C:\Windows\{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0075F~1.EXE > nul
      4⤵
      PID:4952
  - - C:\Windows\{1347EDA7-1570-4108-A289-87E796FD95FB}.exe
      C:\Windows\{1347EDA7-1570-4108-A289-87E796FD95FB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Windows\{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe
        
        C:\Windows\{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
      - C:\Windows\{E2765872-6109-4142-80B3-E61B26405D89}.exe
        
        C:\Windows\{E2765872-6109-4142-80B3-E61B26405D89}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe
        
        C:\Windows\{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe
        
        C:\Windows\{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe
        
        C:\Windows\{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe
        
        C:\Windows\{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe
        
        C:\Windows\{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\{3387A210-48D6-4f3f-8236-817E717DFB02}.exe
        
        C:\Windows\{3387A210-48D6-4f3f-8236-817E717DFB02}.exe
        12⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7040~1.EXE > nul
        12⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{773F8~1.EXE > nul
        11⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09FF7~1.EXE > nul
        10⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FB95~1.EXE > nul
        9⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55C18~1.EXE > nul
        8⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2765~1.EXE > nul
        7⤵
        
        PID:4580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1AF7~1.EXE > nul
        6⤵
        
        PID:4644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1347E~1.EXE > nul
        5⤵
        
        PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{73784~1.EXE > nul
    3⤵
    PID:4904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4E3A4D~1.EXE > nul
  2⤵
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe

Filesize
204KB

MD5
457c2d67833868e422afa2e9c6dd7ec6

SHA1
c190ca239c0089bf588ffded4da9472689efe817

SHA256
28cd4cf1ce386b06c91456dd97485b1e15caba4876858f97622578ecdb65470c

SHA512
4d1c5fb3252c82c4d8ed1f099bf845df1564325883b8d9188982f37fac0692a7ddc9dd08316b0f2285bd599f65af0fd23045bdde8b155473e692ff6b838e1cc1

Download Submit
C:\Windows\{0075F04A-2BE2-4fdb-800B-B806D222F591}.exe

Filesize
204KB

MD5
457c2d67833868e422afa2e9c6dd7ec6

SHA1
c190ca239c0089bf588ffded4da9472689efe817

SHA256
28cd4cf1ce386b06c91456dd97485b1e15caba4876858f97622578ecdb65470c

SHA512
4d1c5fb3252c82c4d8ed1f099bf845df1564325883b8d9188982f37fac0692a7ddc9dd08316b0f2285bd599f65af0fd23045bdde8b155473e692ff6b838e1cc1

Download Submit
C:\Windows\{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe

Filesize
204KB

MD5
52322fbafd1cfc08f1d20574da46c374

SHA1
9392c3fa3e4dc2a32973c206d81339f4f64ef87d

SHA256
eeec779032bd2b274a24c0796a229f983208d65f926266117f1ffa0e87c0d7f4

SHA512
46f7dc756fff1ea44b66495b2da0928ddc31e9aa05b6ec37f9251613cbc47cbc8b094255497dbd8fe9070e57246a43657e5432a50914714b24a6b703c8b90984

Download Submit
C:\Windows\{09FF7F4A-96A7-4dad-9FB5-1861E0E03278}.exe

Filesize
204KB

MD5
52322fbafd1cfc08f1d20574da46c374

SHA1
9392c3fa3e4dc2a32973c206d81339f4f64ef87d

SHA256
eeec779032bd2b274a24c0796a229f983208d65f926266117f1ffa0e87c0d7f4

SHA512
46f7dc756fff1ea44b66495b2da0928ddc31e9aa05b6ec37f9251613cbc47cbc8b094255497dbd8fe9070e57246a43657e5432a50914714b24a6b703c8b90984

Download Submit
C:\Windows\{1347EDA7-1570-4108-A289-87E796FD95FB}.exe

Filesize
204KB

MD5
78062aa966404b337c1835576437be82

SHA1
3d1424be6c15d9f238d55b1407ee3e091e4d123d

SHA256
4ec09a054fd9c543accb9a0ad226ed321d6a58d114dfd1269047ffe32bee7f09

SHA512
7f0d26e45b55a9cf989e6e909d3ea70f6402a5e9ea45fbb1806eb336264232809fec8ef1f72a9080dede76abfaa8ceaf72b483ffa1924a8e2f308fc4fe128438

Download Submit
C:\Windows\{1347EDA7-1570-4108-A289-87E796FD95FB}.exe

Filesize
204KB

MD5
78062aa966404b337c1835576437be82

SHA1
3d1424be6c15d9f238d55b1407ee3e091e4d123d

SHA256
4ec09a054fd9c543accb9a0ad226ed321d6a58d114dfd1269047ffe32bee7f09

SHA512
7f0d26e45b55a9cf989e6e909d3ea70f6402a5e9ea45fbb1806eb336264232809fec8ef1f72a9080dede76abfaa8ceaf72b483ffa1924a8e2f308fc4fe128438

Download Submit
C:\Windows\{1347EDA7-1570-4108-A289-87E796FD95FB}.exe

Filesize
204KB

MD5
78062aa966404b337c1835576437be82

SHA1
3d1424be6c15d9f238d55b1407ee3e091e4d123d

SHA256
4ec09a054fd9c543accb9a0ad226ed321d6a58d114dfd1269047ffe32bee7f09

SHA512
7f0d26e45b55a9cf989e6e909d3ea70f6402a5e9ea45fbb1806eb336264232809fec8ef1f72a9080dede76abfaa8ceaf72b483ffa1924a8e2f308fc4fe128438

Download Submit
C:\Windows\{3387A210-48D6-4f3f-8236-817E717DFB02}.exe

Filesize
204KB

MD5
a2bd27efd7e8b90e94dc98ffae981af1

SHA1
38ff53ae0caf1e6421f05445d3a89226d56ac175

SHA256
4caa02c096efeaba6f5e0e23fa63f4f91cadf5d472381c3825d4e4e4dfb4ac45

SHA512
a8cfdcda1eab20943e28ba417f500aebc6bf20b19507c300ee6010d9a7c27afd36ca572788068bd6f62d07444d01e086e0f524908f2a6e82a8259beea05b55e0

Download Submit
C:\Windows\{3387A210-48D6-4f3f-8236-817E717DFB02}.exe

Filesize
204KB

MD5
a2bd27efd7e8b90e94dc98ffae981af1

SHA1
38ff53ae0caf1e6421f05445d3a89226d56ac175

SHA256
4caa02c096efeaba6f5e0e23fa63f4f91cadf5d472381c3825d4e4e4dfb4ac45

SHA512
a8cfdcda1eab20943e28ba417f500aebc6bf20b19507c300ee6010d9a7c27afd36ca572788068bd6f62d07444d01e086e0f524908f2a6e82a8259beea05b55e0

Download Submit
C:\Windows\{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe

Filesize
204KB

MD5
998c12cbc05cd369165786aae67c7c21

SHA1
b0b816acf59d09f231d8417a4588dad1b69f2304

SHA256
5b1880efe1daf7c4f44f1772dd366539aa7cf9605d96bb24609d85f740e9d729

SHA512
f81e4c6c3af77570cecc4bc352c0a5e5794d0906984afc675daaa7bf1ebad0a247c3ac9e8871b9bf3e69d4d13e3382d04693b48696ba92757b11408bbf847446

Download Submit
C:\Windows\{4FB95386-DCB9-416b-A0D2-2698EDD7AEA9}.exe

Filesize
204KB

MD5
998c12cbc05cd369165786aae67c7c21

SHA1
b0b816acf59d09f231d8417a4588dad1b69f2304

SHA256
5b1880efe1daf7c4f44f1772dd366539aa7cf9605d96bb24609d85f740e9d729

SHA512
f81e4c6c3af77570cecc4bc352c0a5e5794d0906984afc675daaa7bf1ebad0a247c3ac9e8871b9bf3e69d4d13e3382d04693b48696ba92757b11408bbf847446

Download Submit
C:\Windows\{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe

Filesize
204KB

MD5
522b477404bdecfd9dc4dca6fbd150fc

SHA1
ef54ac94eea96b1bf1eb822e256a54445fcbc282

SHA256
32cc6c6e34f83eb596a58dcea7adaa45759322a38f96515f3dfbf039528990b3

SHA512
b41b9deda1c88e7756da116c28e34d615b53264b017ed88bc7acaec12fd202df85f4784a889c7022cb7d2fdd86e3282ee0064af1422f5c6bf55d7bb658a772a6

Download Submit
C:\Windows\{55C18C2E-C737-4cd5-8D17-1A55D262799A}.exe

Filesize
204KB

MD5
522b477404bdecfd9dc4dca6fbd150fc

SHA1
ef54ac94eea96b1bf1eb822e256a54445fcbc282

SHA256
32cc6c6e34f83eb596a58dcea7adaa45759322a38f96515f3dfbf039528990b3

SHA512
b41b9deda1c88e7756da116c28e34d615b53264b017ed88bc7acaec12fd202df85f4784a889c7022cb7d2fdd86e3282ee0064af1422f5c6bf55d7bb658a772a6

Download Submit
C:\Windows\{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe

Filesize
204KB

MD5
a5912beb4553e47fa8fd2c1d0ddc2cf7

SHA1
2cf4187c295386f331a3ba45844f4f7791ed83b0

SHA256
f700e6b6a2e67bf6cd673d22f14f040cda7078aa7a0cab1c65e0dbc54d529952

SHA512
c12def22895dbb102d5170ffd234efc48ba6a2224ad31b19cc8d1145365aa5c6120bf8bef271917f1d05f918f5dea00a118eb54b2605a665e05eec52e3c76f32

Download Submit
C:\Windows\{737841D7-AE0A-4b35-8F21-65F3F06443E3}.exe

Filesize
204KB

MD5
a5912beb4553e47fa8fd2c1d0ddc2cf7

SHA1
2cf4187c295386f331a3ba45844f4f7791ed83b0

SHA256
f700e6b6a2e67bf6cd673d22f14f040cda7078aa7a0cab1c65e0dbc54d529952

SHA512
c12def22895dbb102d5170ffd234efc48ba6a2224ad31b19cc8d1145365aa5c6120bf8bef271917f1d05f918f5dea00a118eb54b2605a665e05eec52e3c76f32

Download Submit
C:\Windows\{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe

Filesize
204KB

MD5
6854a73734589196376d2a4db239eefa

SHA1
02109b768909a0e24978e731754cc05397c5381c

SHA256
0e4d8cc53f9a328d02b6a993a8191146d3b95383d149d8c405e4d8d2554c7aa1

SHA512
f4a61bf87362ddf97fa3279334e567e96dc2e519d0b974800f611f8f0727db1b0db0ee327b044d6b51855078ec425d9fd4bd59598a4dfaf9ba467a6eb2e531f5

Download Submit
C:\Windows\{773F8FF6-8E0B-4c94-969C-6705FD73EFB7}.exe

Filesize
204KB

MD5
6854a73734589196376d2a4db239eefa

SHA1
02109b768909a0e24978e731754cc05397c5381c

SHA256
0e4d8cc53f9a328d02b6a993a8191146d3b95383d149d8c405e4d8d2554c7aa1

SHA512
f4a61bf87362ddf97fa3279334e567e96dc2e519d0b974800f611f8f0727db1b0db0ee327b044d6b51855078ec425d9fd4bd59598a4dfaf9ba467a6eb2e531f5

Download Submit
C:\Windows\{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe

Filesize
204KB

MD5
e00a1f37c4c9e6dbd3a17548eb711138

SHA1
8e1ba4f3937c67cabfe09b5a384972ed17e4ed6f

SHA256
80d366608599c910ebe83a5ea491541d5349eb360b117443859be63e3375656b

SHA512
a81f8ff133bde19bfcc06b02b23382b85abb7467d42be7373528ee12c884357687c9e664d8dca6b3cee3783b80943bee48fe25f658260ac46ce39a26f2375239

Download Submit
C:\Windows\{C1AF7C91-E32A-4d8d-B4A6-E0146C460B05}.exe

Filesize
204KB

MD5
e00a1f37c4c9e6dbd3a17548eb711138

SHA1
8e1ba4f3937c67cabfe09b5a384972ed17e4ed6f

SHA256
80d366608599c910ebe83a5ea491541d5349eb360b117443859be63e3375656b

SHA512
a81f8ff133bde19bfcc06b02b23382b85abb7467d42be7373528ee12c884357687c9e664d8dca6b3cee3783b80943bee48fe25f658260ac46ce39a26f2375239

Download Submit
C:\Windows\{E2765872-6109-4142-80B3-E61B26405D89}.exe

Filesize
204KB

MD5
29414b1570107696f6cdc3dcd6e75179

SHA1
3a5047dc23341bcc9e2adfa9b963681d62035b17

SHA256
ac1c349b59ed688f9607b0e024cc629ee792b8d97d9d9cb0256325905dac5b60

SHA512
4aafeaa15410df0769d7cdb660fe842b8d5617abb718264f5ccbbaa736ff543f0fbf5af528a271468c72af845a1749344da052e28d865f1804cae1aaec9c9386

Download Submit
C:\Windows\{E2765872-6109-4142-80B3-E61B26405D89}.exe

Filesize
204KB

MD5
29414b1570107696f6cdc3dcd6e75179

SHA1
3a5047dc23341bcc9e2adfa9b963681d62035b17

SHA256
ac1c349b59ed688f9607b0e024cc629ee792b8d97d9d9cb0256325905dac5b60

SHA512
4aafeaa15410df0769d7cdb660fe842b8d5617abb718264f5ccbbaa736ff543f0fbf5af528a271468c72af845a1749344da052e28d865f1804cae1aaec9c9386

Download Submit
C:\Windows\{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe

Filesize
204KB

MD5
d60e1fbdefdd48bb89d6c44e3cee31a8

SHA1
3f01106f65857ae699cff96debf0b2afad9cf796

SHA256
e044134cd6d0e0946e1887080aa52ad4e0ef5035a993f9f1a02c42490a5b927b

SHA512
39d7092cecdeaf5e9cf8fd78bcb65b95d81ac262b546d8a1833ad6d25a747a52d0a06217877b4e7b9bfc464a085d9446a630fe13dc2da2436f52aabc1c095b67

Download Submit
C:\Windows\{F7040F8D-039D-4882-8F21-EC2AEBC74888}.exe

Filesize
204KB

MD5
d60e1fbdefdd48bb89d6c44e3cee31a8

SHA1
3f01106f65857ae699cff96debf0b2afad9cf796

SHA256
e044134cd6d0e0946e1887080aa52ad4e0ef5035a993f9f1a02c42490a5b927b

SHA512
39d7092cecdeaf5e9cf8fd78bcb65b95d81ac262b546d8a1833ad6d25a747a52d0a06217877b4e7b9bfc464a085d9446a630fe13dc2da2436f52aabc1c095b67

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads