3ce389f101a1bee070f81454a48843c237cb69e258cf180100ed7b4da6b9d8b7

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2023 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51e558b6caee4ed85f35266108fad8c4_goldeneye_JC.exe
Size

372KB
MD5

51e558b6caee4ed85f35266108fad8c4
SHA1

354b9f56f4cd40d9faf4b3163be89dc0846b16b2
SHA256

3ce389f101a1bee070f81454a48843c237cb69e258cf180100ed7b4da6b9d8b7
SHA512

518a90ca5ffeb7ccd6a021547d04cef99802a1f8bdec5cdccd8089f0e091cade7dff26c4e7ec810c51cb5aea7aeefea87598ad879614fbaae3c91773292091ac
SSDEEP

3072:CEGh0onmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGIl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}\stubpath = "C:\\Windows\\{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe"	{D4E041EF-055C-48e3-A458-23655F3D985C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65919669-01BD-4952-A0AA-6AE6E4FA5D03}\stubpath = "C:\\Windows\\{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe"	{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}	{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}	{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71236649-5085-468a-BE39-0124914FBBCA}\stubpath = "C:\\Windows\\{71236649-5085-468a-BE39-0124914FBBCA}.exe"	{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AAD465C-75A3-4b9b-A504-DA9F3B9F1673}\stubpath = "C:\\Windows\\{1AAD465C-75A3-4b9b-A504-DA9F3B9F1673}.exe"	{6D53A360-5EE3-4115-8132-753D33E99C66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4E041EF-055C-48e3-A458-23655F3D985C}	51e558b6caee4ed85f35266108fad8c4_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}\stubpath = "C:\\Windows\\{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe"	{4957288E-0215-43bc-B075-B7D84B3D8150}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7797724-ABE2-412b-AE6E-9B420FB44E03}\stubpath = "C:\\Windows\\{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe"	{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{043DE1E2-F485-4457-A991-169E16B6E0EB}	{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{043DE1E2-F485-4457-A991-169E16B6E0EB}\stubpath = "C:\\Windows\\{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe"	{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71236649-5085-468a-BE39-0124914FBBCA}	{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4E041EF-055C-48e3-A458-23655F3D985C}\stubpath = "C:\\Windows\\{D4E041EF-055C-48e3-A458-23655F3D985C}.exe"	51e558b6caee4ed85f35266108fad8c4_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}	{D4E041EF-055C-48e3-A458-23655F3D985C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65919669-01BD-4952-A0AA-6AE6E4FA5D03}	{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4957288E-0215-43bc-B075-B7D84B3D8150}	{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4957288E-0215-43bc-B075-B7D84B3D8150}\stubpath = "C:\\Windows\\{4957288E-0215-43bc-B075-B7D84B3D8150}.exe"	{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}	{4957288E-0215-43bc-B075-B7D84B3D8150}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AAD465C-75A3-4b9b-A504-DA9F3B9F1673}	{6D53A360-5EE3-4115-8132-753D33E99C66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7797724-ABE2-412b-AE6E-9B420FB44E03}	{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}\stubpath = "C:\\Windows\\{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe"	{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}\stubpath = "C:\\Windows\\{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe"	{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D53A360-5EE3-4115-8132-753D33E99C66}	{71236649-5085-468a-BE39-0124914FBBCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D53A360-5EE3-4115-8132-753D33E99C66}\stubpath = "C:\\Windows\\{6D53A360-5EE3-4115-8132-753D33E99C66}.exe"	{71236649-5085-468a-BE39-0124914FBBCA}.exe

Executes dropped EXE 12 IoCs

pid	Process
4948	{D4E041EF-055C-48e3-A458-23655F3D985C}.exe
4488	{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe
4588	{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe
2084	{4957288E-0215-43bc-B075-B7D84B3D8150}.exe
2252	{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe
2260	{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe
2732	{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe
4300	{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe
3660	{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe
1356	{71236649-5085-468a-BE39-0124914FBBCA}.exe
4580	{6D53A360-5EE3-4115-8132-753D33E99C66}.exe
1952	{1AAD465C-75A3-4b9b-A504-DA9F3B9F1673}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe	{4957288E-0215-43bc-B075-B7D84B3D8150}.exe
File created	C:\Windows\{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe	{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe
File created	C:\Windows\{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe	{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe
File created	C:\Windows\{D4E041EF-055C-48e3-A458-23655F3D985C}.exe	51e558b6caee4ed85f35266108fad8c4_goldeneye_JC.exe
File created	C:\Windows\{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe	{D4E041EF-055C-48e3-A458-23655F3D985C}.exe
File created	C:\Windows\{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe	{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe
File created	C:\Windows\{71236649-5085-468a-BE39-0124914FBBCA}.exe	{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe
File created	C:\Windows\{6D53A360-5EE3-4115-8132-753D33E99C66}.exe	{71236649-5085-468a-BE39-0124914FBBCA}.exe
File created	C:\Windows\{1AAD465C-75A3-4b9b-A504-DA9F3B9F1673}.exe	{6D53A360-5EE3-4115-8132-753D33E99C66}.exe
File created	C:\Windows\{4957288E-0215-43bc-B075-B7D84B3D8150}.exe	{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe
File created	C:\Windows\{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe	{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe
File created	C:\Windows\{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe	{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2080	51e558b6caee4ed85f35266108fad8c4_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4948	{D4E041EF-055C-48e3-A458-23655F3D985C}.exe
Token: SeIncBasePriorityPrivilege	4488	{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe
Token: SeIncBasePriorityPrivilege	4588	{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe
Token: SeIncBasePriorityPrivilege	2084	{4957288E-0215-43bc-B075-B7D84B3D8150}.exe
Token: SeIncBasePriorityPrivilege	2252	{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe
Token: SeIncBasePriorityPrivilege	2260	{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe
Token: SeIncBasePriorityPrivilege	2732	{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe
Token: SeIncBasePriorityPrivilege	4300	{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe
Token: SeIncBasePriorityPrivilege	3660	{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe
Token: SeIncBasePriorityPrivilege	1356	{71236649-5085-468a-BE39-0124914FBBCA}.exe
Token: SeIncBasePriorityPrivilege	4580	{6D53A360-5EE3-4115-8132-753D33E99C66}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 4948	2080	51e558b6caee4ed85f35266108fad8c4_goldeneye_JC.exe	89
PID 2080 wrote to memory of 4948	2080	51e558b6caee4ed85f35266108fad8c4_goldeneye_JC.exe	89
PID 2080 wrote to memory of 4948	2080	51e558b6caee4ed85f35266108fad8c4_goldeneye_JC.exe	89
PID 2080 wrote to memory of 992	2080	51e558b6caee4ed85f35266108fad8c4_goldeneye_JC.exe	90
PID 2080 wrote to memory of 992	2080	51e558b6caee4ed85f35266108fad8c4_goldeneye_JC.exe	90
PID 2080 wrote to memory of 992	2080	51e558b6caee4ed85f35266108fad8c4_goldeneye_JC.exe	90
PID 4948 wrote to memory of 4488	4948	{D4E041EF-055C-48e3-A458-23655F3D985C}.exe	91
PID 4948 wrote to memory of 4488	4948	{D4E041EF-055C-48e3-A458-23655F3D985C}.exe	91
PID 4948 wrote to memory of 4488	4948	{D4E041EF-055C-48e3-A458-23655F3D985C}.exe	91
PID 4948 wrote to memory of 3068	4948	{D4E041EF-055C-48e3-A458-23655F3D985C}.exe	92
PID 4948 wrote to memory of 3068	4948	{D4E041EF-055C-48e3-A458-23655F3D985C}.exe	92
PID 4948 wrote to memory of 3068	4948	{D4E041EF-055C-48e3-A458-23655F3D985C}.exe	92
PID 4488 wrote to memory of 4588	4488	{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe	94
PID 4488 wrote to memory of 4588	4488	{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe	94
PID 4488 wrote to memory of 4588	4488	{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe	94
PID 4488 wrote to memory of 3260	4488	{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe	95
PID 4488 wrote to memory of 3260	4488	{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe	95
PID 4488 wrote to memory of 3260	4488	{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe	95
PID 4588 wrote to memory of 2084	4588	{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe	96
PID 4588 wrote to memory of 2084	4588	{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe	96
PID 4588 wrote to memory of 2084	4588	{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe	96
PID 4588 wrote to memory of 2508	4588	{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe	97
PID 4588 wrote to memory of 2508	4588	{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe	97
PID 4588 wrote to memory of 2508	4588	{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe	97
PID 2084 wrote to memory of 2252	2084	{4957288E-0215-43bc-B075-B7D84B3D8150}.exe	98
PID 2084 wrote to memory of 2252	2084	{4957288E-0215-43bc-B075-B7D84B3D8150}.exe	98
PID 2084 wrote to memory of 2252	2084	{4957288E-0215-43bc-B075-B7D84B3D8150}.exe	98
PID 2084 wrote to memory of 4924	2084	{4957288E-0215-43bc-B075-B7D84B3D8150}.exe	99
PID 2084 wrote to memory of 4924	2084	{4957288E-0215-43bc-B075-B7D84B3D8150}.exe	99
PID 2084 wrote to memory of 4924	2084	{4957288E-0215-43bc-B075-B7D84B3D8150}.exe	99
PID 2252 wrote to memory of 2260	2252	{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe	100
PID 2252 wrote to memory of 2260	2252	{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe	100
PID 2252 wrote to memory of 2260	2252	{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe	100
PID 2252 wrote to memory of 1424	2252	{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe	101
PID 2252 wrote to memory of 1424	2252	{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe	101
PID 2252 wrote to memory of 1424	2252	{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe	101
PID 2260 wrote to memory of 2732	2260	{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe	102
PID 2260 wrote to memory of 2732	2260	{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe	102
PID 2260 wrote to memory of 2732	2260	{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe	102
PID 2260 wrote to memory of 2800	2260	{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe	103
PID 2260 wrote to memory of 2800	2260	{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe	103
PID 2260 wrote to memory of 2800	2260	{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe	103
PID 2732 wrote to memory of 4300	2732	{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe	104
PID 2732 wrote to memory of 4300	2732	{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe	104
PID 2732 wrote to memory of 4300	2732	{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe	104
PID 2732 wrote to memory of 4468	2732	{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe	105
PID 2732 wrote to memory of 4468	2732	{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe	105
PID 2732 wrote to memory of 4468	2732	{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe	105
PID 4300 wrote to memory of 3660	4300	{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe	106
PID 4300 wrote to memory of 3660	4300	{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe	106
PID 4300 wrote to memory of 3660	4300	{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe	106
PID 4300 wrote to memory of 2160	4300	{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe	107
PID 4300 wrote to memory of 2160	4300	{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe	107
PID 4300 wrote to memory of 2160	4300	{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe	107
PID 3660 wrote to memory of 1356	3660	{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe	108
PID 3660 wrote to memory of 1356	3660	{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe	108
PID 3660 wrote to memory of 1356	3660	{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe	108
PID 3660 wrote to memory of 388	3660	{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe	109
PID 3660 wrote to memory of 388	3660	{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe	109
PID 3660 wrote to memory of 388	3660	{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe	109
PID 1356 wrote to memory of 4580	1356	{71236649-5085-468a-BE39-0124914FBBCA}.exe	110
PID 1356 wrote to memory of 4580	1356	{71236649-5085-468a-BE39-0124914FBBCA}.exe	110
PID 1356 wrote to memory of 4580	1356	{71236649-5085-468a-BE39-0124914FBBCA}.exe	110
PID 1356 wrote to memory of 1700	1356	{71236649-5085-468a-BE39-0124914FBBCA}.exe	111

C:\Users\Admin\AppData\Local\Temp\51e558b6caee4ed85f35266108fad8c4_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\51e558b6caee4ed85f35266108fad8c4_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\{D4E041EF-055C-48e3-A458-23655F3D985C}.exe
  C:\Windows\{D4E041EF-055C-48e3-A458-23655F3D985C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe
    C:\Windows\{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe
      C:\Windows\{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\{4957288E-0215-43bc-B075-B7D84B3D8150}.exe
        
        C:\Windows\{4957288E-0215-43bc-B075-B7D84B3D8150}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Windows\{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe
        
        C:\Windows\{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe
        
        C:\Windows\{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe
        
        C:\Windows\{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe
        
        C:\Windows\{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe
        
        C:\Windows\{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\{71236649-5085-468a-BE39-0124914FBBCA}.exe
        
        C:\Windows\{71236649-5085-468a-BE39-0124914FBBCA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\{6D53A360-5EE3-4115-8132-753D33E99C66}.exe
        
        C:\Windows\{6D53A360-5EE3-4115-8132-753D33E99C66}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\{1AAD465C-75A3-4b9b-A504-DA9F3B9F1673}.exe
        
        C:\Windows\{1AAD465C-75A3-4b9b-A504-DA9F3B9F1673}.exe
        13⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D53A~1.EXE > nul
        13⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71236~1.EXE > nul
        12⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{043DE~1.EXE > nul
        11⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07E0A~1.EXE > nul
        10⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24876~1.EXE > nul
        9⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7797~1.EXE > nul
        8⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29350~1.EXE > nul
        7⤵
        
        PID:1424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49572~1.EXE > nul
        6⤵
        
        PID:4924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65919~1.EXE > nul
        5⤵
        
        PID:2508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7383C~1.EXE > nul
      4⤵
      PID:3260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D4E04~1.EXE > nul
    3⤵
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\51E558~1.EXE > nul
  2⤵
  PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe

Filesize
372KB

MD5
7d418debc93eda0e010eb06d81983b37

SHA1
ea806423f1d36a6857bc73509033a34f8a822703

SHA256
272971fb44725a8633e0679be3042a84480a23cdc7fb67913eff6dc9e7f07324

SHA512
26af2867e904cb07654800b1f07e96005880c6ac7ff0a32fe2927e3b95f4d06574748d908418335ea4a446dcf15a1a25169f506d0af529423af57db507ca870d

Download Submit
C:\Windows\{043DE1E2-F485-4457-A991-169E16B6E0EB}.exe

Filesize
372KB

MD5
7d418debc93eda0e010eb06d81983b37

SHA1
ea806423f1d36a6857bc73509033a34f8a822703

SHA256
272971fb44725a8633e0679be3042a84480a23cdc7fb67913eff6dc9e7f07324

SHA512
26af2867e904cb07654800b1f07e96005880c6ac7ff0a32fe2927e3b95f4d06574748d908418335ea4a446dcf15a1a25169f506d0af529423af57db507ca870d

Download Submit
C:\Windows\{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe

Filesize
372KB

MD5
bd6fbadf28c715fa00bc23b2c734faee

SHA1
c880d868179e61df38a42bb655f91590d0973d45

SHA256
ac243bf14ccc406ec34e09a7cb71f0e6cdaacb5079e7c20cbe9bc091ffd259cd

SHA512
b0507301d1a45e77e9fcb1849343214106df7d7364d24095ef117f0ad4499b0f60f41986d68f24377b8448a4c20e680566d95388b79c7f57346aed8f8344a8ab

Download Submit
C:\Windows\{07E0ABC7-CE52-49b3-93FD-8CBBF76D7C95}.exe

Filesize
372KB

MD5
bd6fbadf28c715fa00bc23b2c734faee

SHA1
c880d868179e61df38a42bb655f91590d0973d45

SHA256
ac243bf14ccc406ec34e09a7cb71f0e6cdaacb5079e7c20cbe9bc091ffd259cd

SHA512
b0507301d1a45e77e9fcb1849343214106df7d7364d24095ef117f0ad4499b0f60f41986d68f24377b8448a4c20e680566d95388b79c7f57346aed8f8344a8ab

Download Submit
C:\Windows\{1AAD465C-75A3-4b9b-A504-DA9F3B9F1673}.exe

Filesize
372KB

MD5
ad95a140f558b33f0e3feb28ab7cc676

SHA1
ab43596e7c4858b643319bc2f792c3f82564ba3e

SHA256
a0d640594a9cbd77c19c3ce873507b4346f31ad25c405ade10dfe7ce2bf86c16

SHA512
1ae69e2d663e0f43cb40e7bb5e017b752a78457612c41c0bf5d7e3f119a58b0a22c55e2a6722cc0eed0c11d79817637d6f6a7945cfe63f35d0084c5e94a5973b

Download Submit
C:\Windows\{1AAD465C-75A3-4b9b-A504-DA9F3B9F1673}.exe

Filesize
372KB

MD5
ad95a140f558b33f0e3feb28ab7cc676

SHA1
ab43596e7c4858b643319bc2f792c3f82564ba3e

SHA256
a0d640594a9cbd77c19c3ce873507b4346f31ad25c405ade10dfe7ce2bf86c16

SHA512
1ae69e2d663e0f43cb40e7bb5e017b752a78457612c41c0bf5d7e3f119a58b0a22c55e2a6722cc0eed0c11d79817637d6f6a7945cfe63f35d0084c5e94a5973b

Download Submit
C:\Windows\{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe

Filesize
372KB

MD5
1fd9dd2e51f8ab4da760e839aa6f983a

SHA1
9292e56d4b569caf23d6a398704fe5d600de680f

SHA256
1f42f56fc3476a38540ddf20a5c412881093d6b1f25d7442abf97b49a5168512

SHA512
6525a5405180ff5119d2e0ea7245afc193e6c1bbbaeeb1d2615de1256e3aff512f85b28bfb902814192375411b9a0a12396c6e3f88dc2748e1521b4eb1fcc9f5

Download Submit
C:\Windows\{2487695C-9AC9-49f7-BA3C-AEFDE886DB54}.exe

Filesize
372KB

MD5
1fd9dd2e51f8ab4da760e839aa6f983a

SHA1
9292e56d4b569caf23d6a398704fe5d600de680f

SHA256
1f42f56fc3476a38540ddf20a5c412881093d6b1f25d7442abf97b49a5168512

SHA512
6525a5405180ff5119d2e0ea7245afc193e6c1bbbaeeb1d2615de1256e3aff512f85b28bfb902814192375411b9a0a12396c6e3f88dc2748e1521b4eb1fcc9f5

Download Submit
C:\Windows\{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe

Filesize
372KB

MD5
fd1b3c330bcc0805566b892ca05c7cd4

SHA1
04af25830c948fa84c2cb877d7f69dc583625e3c

SHA256
298c13e6ab8ad2fcf1f1eb98db4cc594c6aa18a0d26b431568fd54b39f464553

SHA512
11b1eb513322578d8809ac4dad63204370a3b74493ddc6098720ad0d33304e01a15b2de324518f2b52d5a677328cac2e4ff30513c1cbf18eaf7a9f4988d6e96e

Download Submit
C:\Windows\{29350A6B-DB40-414e-BF25-BDD96FCAEFF5}.exe

Filesize
372KB

MD5
fd1b3c330bcc0805566b892ca05c7cd4

SHA1
04af25830c948fa84c2cb877d7f69dc583625e3c

SHA256
298c13e6ab8ad2fcf1f1eb98db4cc594c6aa18a0d26b431568fd54b39f464553

SHA512
11b1eb513322578d8809ac4dad63204370a3b74493ddc6098720ad0d33304e01a15b2de324518f2b52d5a677328cac2e4ff30513c1cbf18eaf7a9f4988d6e96e

Download Submit
C:\Windows\{4957288E-0215-43bc-B075-B7D84B3D8150}.exe

Filesize
372KB

MD5
3adc8a88cc9d7833371393a0763f254b

SHA1
39a88b297324a283deab480baf39090b059d7462

SHA256
12e2876a5783516852c5554dd71f6144a520338ea7ccf713e1539f27708ce59b

SHA512
fd98f0f01bcb7229657098d0077ecb18b999f1290102e0e21dacd024dafc44c81c19e76ea7c4a73c46b7944da4d671cac2a96248359be189a1b8537fa6df9e61

Download Submit
C:\Windows\{4957288E-0215-43bc-B075-B7D84B3D8150}.exe

Filesize
372KB

MD5
3adc8a88cc9d7833371393a0763f254b

SHA1
39a88b297324a283deab480baf39090b059d7462

SHA256
12e2876a5783516852c5554dd71f6144a520338ea7ccf713e1539f27708ce59b

SHA512
fd98f0f01bcb7229657098d0077ecb18b999f1290102e0e21dacd024dafc44c81c19e76ea7c4a73c46b7944da4d671cac2a96248359be189a1b8537fa6df9e61

Download Submit
C:\Windows\{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe

Filesize
372KB

MD5
0cca1093966c2cbc88f88eab7601e339

SHA1
20b4d1300a0bfc8a05523d0474d5c4fcf7290289

SHA256
30c68fee3135543e4b1455198fa2342e2234b66186dbdfaaca8f534e4dd0f295

SHA512
43a5434ac71b3ca60a4d3486db68cc48a9a165f83c662e9afec53e214a24ae9ef75a0cbbeed82108c1412f5676912480b4fd058461f3a57451ef167013659e5f

Download Submit
C:\Windows\{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe

Filesize
372KB

MD5
0cca1093966c2cbc88f88eab7601e339

SHA1
20b4d1300a0bfc8a05523d0474d5c4fcf7290289

SHA256
30c68fee3135543e4b1455198fa2342e2234b66186dbdfaaca8f534e4dd0f295

SHA512
43a5434ac71b3ca60a4d3486db68cc48a9a165f83c662e9afec53e214a24ae9ef75a0cbbeed82108c1412f5676912480b4fd058461f3a57451ef167013659e5f

Download Submit
C:\Windows\{65919669-01BD-4952-A0AA-6AE6E4FA5D03}.exe

Filesize
372KB

MD5
0cca1093966c2cbc88f88eab7601e339

SHA1
20b4d1300a0bfc8a05523d0474d5c4fcf7290289

SHA256
30c68fee3135543e4b1455198fa2342e2234b66186dbdfaaca8f534e4dd0f295

SHA512
43a5434ac71b3ca60a4d3486db68cc48a9a165f83c662e9afec53e214a24ae9ef75a0cbbeed82108c1412f5676912480b4fd058461f3a57451ef167013659e5f

Download Submit
C:\Windows\{6D53A360-5EE3-4115-8132-753D33E99C66}.exe

Filesize
372KB

MD5
44bb5623f816cd57bd2ccd2d1ddd20cf

SHA1
3e0f0498ba0cf71c5394f0780dc13a6f05af31b1

SHA256
0b7d49036ed19df689ea28344abbf941f7b82ebff9f5ecf660d71df6e401c959

SHA512
68d9c61ba9408074f170c911d366e89bd7d6316f733d56834b6c44514e8739eb4616310a8dc8b09c7376e58fdb7e4a7f38a228a9b724621a82213179b3992a9b

Download Submit
C:\Windows\{6D53A360-5EE3-4115-8132-753D33E99C66}.exe

Filesize
372KB

MD5
44bb5623f816cd57bd2ccd2d1ddd20cf

SHA1
3e0f0498ba0cf71c5394f0780dc13a6f05af31b1

SHA256
0b7d49036ed19df689ea28344abbf941f7b82ebff9f5ecf660d71df6e401c959

SHA512
68d9c61ba9408074f170c911d366e89bd7d6316f733d56834b6c44514e8739eb4616310a8dc8b09c7376e58fdb7e4a7f38a228a9b724621a82213179b3992a9b

Download Submit
C:\Windows\{71236649-5085-468a-BE39-0124914FBBCA}.exe

Filesize
372KB

MD5
b2627480f9bbc4b6c54744375165239b

SHA1
488a3e8b52f1e6e23a8f29813f0ad4617d6f3409

SHA256
05eddd873c98784b9ec2b305d9073fd4655a421c951b0ca77dce730c0d01c7dc

SHA512
5772b56271701d9264feb0c0c1f032a0c23219de153632e0f8ee4e678babaffa4c5b4991ab3d1f85c1aa4b821a7a4bae44aeeb7dd90262b131f740bed28d4046

Download Submit
C:\Windows\{71236649-5085-468a-BE39-0124914FBBCA}.exe

Filesize
372KB

MD5
b2627480f9bbc4b6c54744375165239b

SHA1
488a3e8b52f1e6e23a8f29813f0ad4617d6f3409

SHA256
05eddd873c98784b9ec2b305d9073fd4655a421c951b0ca77dce730c0d01c7dc

SHA512
5772b56271701d9264feb0c0c1f032a0c23219de153632e0f8ee4e678babaffa4c5b4991ab3d1f85c1aa4b821a7a4bae44aeeb7dd90262b131f740bed28d4046

Download Submit
C:\Windows\{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe

Filesize
372KB

MD5
868848874fffc3052b846f8dae366abe

SHA1
312a2f0ca98271f24fc520603ab1349cafb52818

SHA256
113e30c46305f295863a85e3290cb1cd2d692b5f22e749fef6ec0e8da6823b5a

SHA512
724bf5dcec4681c83272984b72cce12c8b9191f93e62697fe3f9a376f12b797cdb476ce6254c0372f83500d5845cfef79c87f2fc0639201cec309f40da921132

Download Submit
C:\Windows\{7383C69A-369D-40f2-B1A9-9C1E2DC22CAF}.exe

Filesize
372KB

MD5
868848874fffc3052b846f8dae366abe

SHA1
312a2f0ca98271f24fc520603ab1349cafb52818

SHA256
113e30c46305f295863a85e3290cb1cd2d692b5f22e749fef6ec0e8da6823b5a

SHA512
724bf5dcec4681c83272984b72cce12c8b9191f93e62697fe3f9a376f12b797cdb476ce6254c0372f83500d5845cfef79c87f2fc0639201cec309f40da921132

Download Submit
C:\Windows\{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe

Filesize
372KB

MD5
c4152ac6c587955c0aa8914c6617964d

SHA1
55bdcd0d71aa6913916284df32c6af4e17fcd732

SHA256
35e4d0776938734effada6777acec3d2e254499f0c7809735d91ccba426d77dc

SHA512
05f155cef9efaa140825b061ef138d7073dadd6947015eff4e0e8d8db38f0fc039ba8b3dc8ca8b832e5c868d1ab76dc4dbbdb5e17b2aa58f51c893890a856fd2

Download Submit
C:\Windows\{C7797724-ABE2-412b-AE6E-9B420FB44E03}.exe

Filesize
372KB

MD5
c4152ac6c587955c0aa8914c6617964d

SHA1
55bdcd0d71aa6913916284df32c6af4e17fcd732

SHA256
35e4d0776938734effada6777acec3d2e254499f0c7809735d91ccba426d77dc

SHA512
05f155cef9efaa140825b061ef138d7073dadd6947015eff4e0e8d8db38f0fc039ba8b3dc8ca8b832e5c868d1ab76dc4dbbdb5e17b2aa58f51c893890a856fd2

Download Submit
C:\Windows\{D4E041EF-055C-48e3-A458-23655F3D985C}.exe

Filesize
372KB

MD5
0bfbac4e44eba6403ee3003c7b89dadf

SHA1
5086a96aa6bd4b76093e0019275aa802abb80665

SHA256
840f155fbf474f5444adf19d55742bfc44b0d77b55d8c9e95a456b20c470b8a0

SHA512
5be2c3aee52e9c3383b8d51af1d35d0a8dc700933ff9c608487a526d0b30a144bfbf4622901059b86bfadd9e0ecd4c895c0a5a0a6c75c2986b797182dd86cd0d

Download Submit
C:\Windows\{D4E041EF-055C-48e3-A458-23655F3D985C}.exe

Filesize
372KB

MD5
0bfbac4e44eba6403ee3003c7b89dadf

SHA1
5086a96aa6bd4b76093e0019275aa802abb80665

SHA256
840f155fbf474f5444adf19d55742bfc44b0d77b55d8c9e95a456b20c470b8a0

SHA512
5be2c3aee52e9c3383b8d51af1d35d0a8dc700933ff9c608487a526d0b30a144bfbf4622901059b86bfadd9e0ecd4c895c0a5a0a6c75c2986b797182dd86cd0d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads