2b22d8ec3d67af6f85acfce5ab6c5dde67ac34b69e60df3abdb48c98e7ec505b

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2023, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe
Size

216KB
MD5

65c869d688b6cd1972b79cf52cb69e96
SHA1

b22b4c9b8e06cb7d7282b3ab7e8aa1ed102e9178
SHA256

2b22d8ec3d67af6f85acfce5ab6c5dde67ac34b69e60df3abdb48c98e7ec505b
SHA512

0dd47265c2c5ed4d001091205bc159b7f973afd698e899b9e770abf0321e78043ec0355588cdebf1b492daeb86c766478239dcfadab240397b8671a47d07bb58
SSDEEP

3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGdlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}	{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B0EE99E-2625-4c7b-B0F9-4988458B054A}	{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{670097B7-BB3F-49b5-8E0E-C98AA04064C4}	{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1BD7B8A-547C-44be-8682-71A9698FA2AF}	{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1BD7B8A-547C-44be-8682-71A9698FA2AF}\stubpath = "C:\\Windows\\{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe"	{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1947BEC3-55BF-4d94-97A6-8A81B59D8EEB}	{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}\stubpath = "C:\\Windows\\{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe"	{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{670097B7-BB3F-49b5-8E0E-C98AA04064C4}\stubpath = "C:\\Windows\\{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe"	{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04FD175A-B3EB-48d0-9771-551DA97ED5A3}	{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}	{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}\stubpath = "C:\\Windows\\{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe"	{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}\stubpath = "C:\\Windows\\{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe"	{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD211654-BE07-4235-A33C-70B9108B0F72}	{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1947BEC3-55BF-4d94-97A6-8A81B59D8EEB}\stubpath = "C:\\Windows\\{1947BEC3-55BF-4d94-97A6-8A81B59D8EEB}.exe"	{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04FD175A-B3EB-48d0-9771-551DA97ED5A3}\stubpath = "C:\\Windows\\{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe"	{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}	{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}\stubpath = "C:\\Windows\\{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe"	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B0EE99E-2625-4c7b-B0F9-4988458B054A}\stubpath = "C:\\Windows\\{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe"	{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD211654-BE07-4235-A33C-70B9108B0F72}\stubpath = "C:\\Windows\\{AD211654-BE07-4235-A33C-70B9108B0F72}.exe"	{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{144FD50E-B5A4-4936-8A9B-DA9705454C2E}	{AD211654-BE07-4235-A33C-70B9108B0F72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{144FD50E-B5A4-4936-8A9B-DA9705454C2E}\stubpath = "C:\\Windows\\{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe"	{AD211654-BE07-4235-A33C-70B9108B0F72}.exe

Executes dropped EXE 11 IoCs

pid	Process
1232	{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe
100	{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe
388	{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe
3876	{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe
4864	{AD211654-BE07-4235-A33C-70B9108B0F72}.exe
3228	{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe
864	{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe
1796	{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe
4232	{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe
2320	{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe
732	{1947BEC3-55BF-4d94-97A6-8A81B59D8EEB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe	{AD211654-BE07-4235-A33C-70B9108B0F72}.exe
File created	C:\Windows\{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe	{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe
File created	C:\Windows\{1947BEC3-55BF-4d94-97A6-8A81B59D8EEB}.exe	{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe
File created	C:\Windows\{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe
File created	C:\Windows\{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe	{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe
File created	C:\Windows\{AD211654-BE07-4235-A33C-70B9108B0F72}.exe	{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe
File created	C:\Windows\{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe	{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe
File created	C:\Windows\{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe	{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe
File created	C:\Windows\{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe	{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe
File created	C:\Windows\{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe	{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe
File created	C:\Windows\{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe	{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3148	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1232	{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe
Token: SeIncBasePriorityPrivilege	100	{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe
Token: SeIncBasePriorityPrivilege	388	{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe
Token: SeIncBasePriorityPrivilege	3876	{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe
Token: SeIncBasePriorityPrivilege	4864	{AD211654-BE07-4235-A33C-70B9108B0F72}.exe
Token: SeIncBasePriorityPrivilege	3228	{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe
Token: SeIncBasePriorityPrivilege	864	{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe
Token: SeIncBasePriorityPrivilege	1796	{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe
Token: SeIncBasePriorityPrivilege	4232	{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe
Token: SeIncBasePriorityPrivilege	2320	{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 1232	3148	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	85
PID 3148 wrote to memory of 1232	3148	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	85
PID 3148 wrote to memory of 1232	3148	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	85
PID 3148 wrote to memory of 1144	3148	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	86
PID 3148 wrote to memory of 1144	3148	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	86
PID 3148 wrote to memory of 1144	3148	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	86
PID 1232 wrote to memory of 100	1232	{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe	91
PID 1232 wrote to memory of 100	1232	{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe	91
PID 1232 wrote to memory of 100	1232	{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe	91
PID 1232 wrote to memory of 2328	1232	{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe	92
PID 1232 wrote to memory of 2328	1232	{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe	92
PID 1232 wrote to memory of 2328	1232	{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe	92
PID 100 wrote to memory of 388	100	{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe	94
PID 100 wrote to memory of 388	100	{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe	94
PID 100 wrote to memory of 388	100	{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe	94
PID 100 wrote to memory of 4976	100	{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe	93
PID 100 wrote to memory of 4976	100	{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe	93
PID 100 wrote to memory of 4976	100	{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe	93
PID 388 wrote to memory of 3876	388	{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe	95
PID 388 wrote to memory of 3876	388	{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe	95
PID 388 wrote to memory of 3876	388	{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe	95
PID 388 wrote to memory of 1216	388	{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe	96
PID 388 wrote to memory of 1216	388	{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe	96
PID 388 wrote to memory of 1216	388	{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe	96
PID 3876 wrote to memory of 4864	3876	{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe	97
PID 3876 wrote to memory of 4864	3876	{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe	97
PID 3876 wrote to memory of 4864	3876	{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe	97
PID 3876 wrote to memory of 2004	3876	{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe	98
PID 3876 wrote to memory of 2004	3876	{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe	98
PID 3876 wrote to memory of 2004	3876	{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe	98
PID 4864 wrote to memory of 3228	4864	{AD211654-BE07-4235-A33C-70B9108B0F72}.exe	99
PID 4864 wrote to memory of 3228	4864	{AD211654-BE07-4235-A33C-70B9108B0F72}.exe	99
PID 4864 wrote to memory of 3228	4864	{AD211654-BE07-4235-A33C-70B9108B0F72}.exe	99
PID 4864 wrote to memory of 3836	4864	{AD211654-BE07-4235-A33C-70B9108B0F72}.exe	100
PID 4864 wrote to memory of 3836	4864	{AD211654-BE07-4235-A33C-70B9108B0F72}.exe	100
PID 4864 wrote to memory of 3836	4864	{AD211654-BE07-4235-A33C-70B9108B0F72}.exe	100
PID 3228 wrote to memory of 864	3228	{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe	101
PID 3228 wrote to memory of 864	3228	{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe	101
PID 3228 wrote to memory of 864	3228	{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe	101
PID 3228 wrote to memory of 1444	3228	{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe	102
PID 3228 wrote to memory of 1444	3228	{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe	102
PID 3228 wrote to memory of 1444	3228	{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe	102
PID 864 wrote to memory of 1796	864	{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe	103
PID 864 wrote to memory of 1796	864	{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe	103
PID 864 wrote to memory of 1796	864	{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe	103
PID 864 wrote to memory of 2368	864	{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe	104
PID 864 wrote to memory of 2368	864	{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe	104
PID 864 wrote to memory of 2368	864	{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe	104
PID 1796 wrote to memory of 4232	1796	{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe	105
PID 1796 wrote to memory of 4232	1796	{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe	105
PID 1796 wrote to memory of 4232	1796	{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe	105
PID 1796 wrote to memory of 3736	1796	{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe	106
PID 1796 wrote to memory of 3736	1796	{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe	106
PID 1796 wrote to memory of 3736	1796	{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe	106
PID 4232 wrote to memory of 2320	4232	{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe	107
PID 4232 wrote to memory of 2320	4232	{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe	107
PID 4232 wrote to memory of 2320	4232	{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe	107
PID 4232 wrote to memory of 3504	4232	{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe	108
PID 4232 wrote to memory of 3504	4232	{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe	108
PID 4232 wrote to memory of 3504	4232	{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe	108
PID 2320 wrote to memory of 732	2320	{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe	109
PID 2320 wrote to memory of 732	2320	{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe	109
PID 2320 wrote to memory of 732	2320	{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe	109
PID 2320 wrote to memory of 812	2320	{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe	110

C:\Users\Admin\AppData\Local\Temp\65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe
  C:\Windows\{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe
    C:\Windows\{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A3B72~1.EXE > nul
      4⤵
      PID:4976
  - - C:\Windows\{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe
      C:\Windows\{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:388
    - - C:\Windows\{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe
        
        C:\Windows\{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
      - C:\Windows\{AD211654-BE07-4235-A33C-70B9108B0F72}.exe
        
        C:\Windows\{AD211654-BE07-4235-A33C-70B9108B0F72}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe
        
        C:\Windows\{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe
        
        C:\Windows\{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe
        
        C:\Windows\{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe
        
        C:\Windows\{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe
        
        C:\Windows\{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{1947BEC3-55BF-4d94-97A6-8A81B59D8EEB}.exe
        
        C:\Windows\{1947BEC3-55BF-4d94-97A6-8A81B59D8EEB}.exe
        12⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1BD7~1.EXE > nul
        12⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8FCB~1.EXE > nul
        11⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1332C~1.EXE > nul
        10⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04FD1~1.EXE > nul
        9⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{144FD~1.EXE > nul
        8⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD211~1.EXE > nul
        7⤵
        
        PID:3836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67009~1.EXE > nul
        6⤵
        
        PID:2004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B0EE~1.EXE > nul
        5⤵
        
        PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BB7D2~1.EXE > nul
    3⤵
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\65C869~1.EXE > nul
  2⤵
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe

Filesize
216KB

MD5
16896464c7462d2c692600f440270fd4

SHA1
09584f1af161c811b438e48666ef44159e3c4276

SHA256
aeaff2a06f1d8f9ef85487c9d94c58378c050532507f7b6b9d4482418fb68b43

SHA512
3f06434d42a542232164663e1bd761b3fd5fcc3fb137dec3814a3148a489cf53d20345f0c6f4e31583992229152e21f73c572e71691154e88d0f69eedb02233c

Download Submit
C:\Windows\{04FD175A-B3EB-48d0-9771-551DA97ED5A3}.exe

Filesize
216KB

MD5
16896464c7462d2c692600f440270fd4

SHA1
09584f1af161c811b438e48666ef44159e3c4276

SHA256
aeaff2a06f1d8f9ef85487c9d94c58378c050532507f7b6b9d4482418fb68b43

SHA512
3f06434d42a542232164663e1bd761b3fd5fcc3fb137dec3814a3148a489cf53d20345f0c6f4e31583992229152e21f73c572e71691154e88d0f69eedb02233c

Download Submit
C:\Windows\{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe

Filesize
216KB

MD5
30d146f28ecc02505a7b1be660e744ab

SHA1
5036f8053a41293002ef05dd271373b23c5be053

SHA256
04a25ee76c4b7cdf11b4d53bb65fb60017a6e9659001b73bd856d51176c25b26

SHA512
b89d525f8044fe7ef9af301110f7eb6997537e3b6a74b405efcfab353725726aeeca134ac35859d1c18b3f9473846e2fe3e302a2c6eca1d08dc842204479d808

Download Submit
C:\Windows\{1332C152-CD5F-4fcf-80EC-0CB5CB815AB8}.exe

Filesize
216KB

MD5
30d146f28ecc02505a7b1be660e744ab

SHA1
5036f8053a41293002ef05dd271373b23c5be053

SHA256
04a25ee76c4b7cdf11b4d53bb65fb60017a6e9659001b73bd856d51176c25b26

SHA512
b89d525f8044fe7ef9af301110f7eb6997537e3b6a74b405efcfab353725726aeeca134ac35859d1c18b3f9473846e2fe3e302a2c6eca1d08dc842204479d808

Download Submit
C:\Windows\{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe

Filesize
216KB

MD5
51a8c9ede78ac1710558fe91b7ca80d8

SHA1
6271ea24696f7272c18898c28880ef055a1620e1

SHA256
1da023f14a5a2548f7011d58f193bae6ae2d8c3156f46e7661f175a58bc55b7b

SHA512
668a062efd8e83685ff45c96a5af3182a4daf8b787a6cf23bfb4cf74ee5b30e22604a16449f65aaa0859ef9cfa072f4c56c2db4902c16ab9bdc50f808342c2dd

Download Submit
C:\Windows\{144FD50E-B5A4-4936-8A9B-DA9705454C2E}.exe

Filesize
216KB

MD5
51a8c9ede78ac1710558fe91b7ca80d8

SHA1
6271ea24696f7272c18898c28880ef055a1620e1

SHA256
1da023f14a5a2548f7011d58f193bae6ae2d8c3156f46e7661f175a58bc55b7b

SHA512
668a062efd8e83685ff45c96a5af3182a4daf8b787a6cf23bfb4cf74ee5b30e22604a16449f65aaa0859ef9cfa072f4c56c2db4902c16ab9bdc50f808342c2dd

Download Submit
C:\Windows\{1947BEC3-55BF-4d94-97A6-8A81B59D8EEB}.exe

Filesize
216KB

MD5
03409531d68b6a3e1477e3050e65de4f

SHA1
81172e287483099c92142245857f899910014676

SHA256
eabe1862f75e90bcbd5e3de3cfb304c9abc32b04de23fb44fc2722502b4ef634

SHA512
b75f931f6531639f5e3239357f45ccaaed72f790b5d8a43d4ef7abac4f0d6116ef4cb0d0047f587ab2f279be600a567028faa755dae85c5802aab16274f57a3a

Download Submit
C:\Windows\{1947BEC3-55BF-4d94-97A6-8A81B59D8EEB}.exe

Filesize
216KB

MD5
03409531d68b6a3e1477e3050e65de4f

SHA1
81172e287483099c92142245857f899910014676

SHA256
eabe1862f75e90bcbd5e3de3cfb304c9abc32b04de23fb44fc2722502b4ef634

SHA512
b75f931f6531639f5e3239357f45ccaaed72f790b5d8a43d4ef7abac4f0d6116ef4cb0d0047f587ab2f279be600a567028faa755dae85c5802aab16274f57a3a

Download Submit
C:\Windows\{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe

Filesize
216KB

MD5
615f7eceb15d213c3d72c84f087e0a3f

SHA1
8600dd88623a637d05915684099afcf50c800534

SHA256
e8403c4d623f6eac3a49ef5c11885ea41cdc6a2c72af17d7159cac23755e736e

SHA512
57362f9f60cd9b2e6fcfce92071358c94c3d74853e79b2fd2524eba9c13991c043e7f26117b7e29a40e745a3251d21327fcb8661dd31fa0506100a36efdc7ec3

Download Submit
C:\Windows\{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe

Filesize
216KB

MD5
615f7eceb15d213c3d72c84f087e0a3f

SHA1
8600dd88623a637d05915684099afcf50c800534

SHA256
e8403c4d623f6eac3a49ef5c11885ea41cdc6a2c72af17d7159cac23755e736e

SHA512
57362f9f60cd9b2e6fcfce92071358c94c3d74853e79b2fd2524eba9c13991c043e7f26117b7e29a40e745a3251d21327fcb8661dd31fa0506100a36efdc7ec3

Download Submit
C:\Windows\{1B0EE99E-2625-4c7b-B0F9-4988458B054A}.exe

Filesize
216KB

MD5
615f7eceb15d213c3d72c84f087e0a3f

SHA1
8600dd88623a637d05915684099afcf50c800534

SHA256
e8403c4d623f6eac3a49ef5c11885ea41cdc6a2c72af17d7159cac23755e736e

SHA512
57362f9f60cd9b2e6fcfce92071358c94c3d74853e79b2fd2524eba9c13991c043e7f26117b7e29a40e745a3251d21327fcb8661dd31fa0506100a36efdc7ec3

Download Submit
C:\Windows\{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe

Filesize
216KB

MD5
c075e580b68e388371c108c57e67a633

SHA1
47fb70d7652649c961414c39cbb22fd713a73c5e

SHA256
c123b48f2528ec05e8e591b3c3fa16adea312f792080b75bd2a97c6d67d7e0a6

SHA512
9a1d79d6129156f7d2d5e22a7fb254bbb4a1e428aebe01363ee082784c02b24fed6cf4d46fd5367b6557f280853d208d5eea84482c3044e8efcd7413a0206f00

Download Submit
C:\Windows\{670097B7-BB3F-49b5-8E0E-C98AA04064C4}.exe

Filesize
216KB

MD5
c075e580b68e388371c108c57e67a633

SHA1
47fb70d7652649c961414c39cbb22fd713a73c5e

SHA256
c123b48f2528ec05e8e591b3c3fa16adea312f792080b75bd2a97c6d67d7e0a6

SHA512
9a1d79d6129156f7d2d5e22a7fb254bbb4a1e428aebe01363ee082784c02b24fed6cf4d46fd5367b6557f280853d208d5eea84482c3044e8efcd7413a0206f00

Download Submit
C:\Windows\{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe

Filesize
216KB

MD5
cc3023a16a37d7cd51cbabe42d45e4b5

SHA1
3d88d5248206f39838b6778f63be893ac941fbc1

SHA256
3ab7b92190bf5489896fe73e9286fc35021cbc825a91e336814040c74430c3da

SHA512
17a157edca0f0e10c9ca35eee4d446300195db625d8c7be28895f03a01e1c6796be53fece9e43e3d72fe734797d7f6a7b8ab90c8171e568ee103585e7d0dccf1

Download Submit
C:\Windows\{A3B721A2-C338-4fb7-AAEE-0B54AC3D1DAB}.exe

Filesize
216KB

MD5
cc3023a16a37d7cd51cbabe42d45e4b5

SHA1
3d88d5248206f39838b6778f63be893ac941fbc1

SHA256
3ab7b92190bf5489896fe73e9286fc35021cbc825a91e336814040c74430c3da

SHA512
17a157edca0f0e10c9ca35eee4d446300195db625d8c7be28895f03a01e1c6796be53fece9e43e3d72fe734797d7f6a7b8ab90c8171e568ee103585e7d0dccf1

Download Submit
C:\Windows\{AD211654-BE07-4235-A33C-70B9108B0F72}.exe

Filesize
216KB

MD5
4bacf3b7744e2a0ad816543d6020f798

SHA1
53b91456b79f51c478eeb3be513dccecc507a3fd

SHA256
2862654db473fc73afd65b65c9798a07ba1e0bceb64a2af43f1f199ae4dccb54

SHA512
b5124ab1fd2896526c5b7fe1f87a3782e57960b530c05f923fda07828626755c93ac7911ddb291aa61a9c90d76adb8acf938589c39033befd242e96cde9efcb4

Download Submit
C:\Windows\{AD211654-BE07-4235-A33C-70B9108B0F72}.exe

Filesize
216KB

MD5
4bacf3b7744e2a0ad816543d6020f798

SHA1
53b91456b79f51c478eeb3be513dccecc507a3fd

SHA256
2862654db473fc73afd65b65c9798a07ba1e0bceb64a2af43f1f199ae4dccb54

SHA512
b5124ab1fd2896526c5b7fe1f87a3782e57960b530c05f923fda07828626755c93ac7911ddb291aa61a9c90d76adb8acf938589c39033befd242e96cde9efcb4

Download Submit
C:\Windows\{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe

Filesize
216KB

MD5
456e620d8d178d4db06a0eba50210ee1

SHA1
074a5744e3b999c042f366cc827efb312f989fa3

SHA256
18443fa338b78335d1bcf7ae9153261940416774efd309a42af7ea3ec7de664c

SHA512
5cde7974526caf45c777e543efdb0fee502ac8ce32d24bf45ec5aab38290e9d8a37417d51cb37bc4b72eb901ea4dab31379cf542fa69765584f27f61dc76ad9d

Download Submit
C:\Windows\{B1BD7B8A-547C-44be-8682-71A9698FA2AF}.exe

Filesize
216KB

MD5
456e620d8d178d4db06a0eba50210ee1

SHA1
074a5744e3b999c042f366cc827efb312f989fa3

SHA256
18443fa338b78335d1bcf7ae9153261940416774efd309a42af7ea3ec7de664c

SHA512
5cde7974526caf45c777e543efdb0fee502ac8ce32d24bf45ec5aab38290e9d8a37417d51cb37bc4b72eb901ea4dab31379cf542fa69765584f27f61dc76ad9d

Download Submit
C:\Windows\{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe

Filesize
216KB

MD5
6e75fa7cf8b49c2c419a5ad5498137f0

SHA1
c7259fab73c17e25fc774a00c221ad1ca5d998e9

SHA256
abd5c4bfd5bf0143655e8e4b57760b060ddd37362a4ce48937744c18fc194124

SHA512
8ab1fc381daa476d88210a340785f39c287aff855b7c8463320164e88892f0456b6fd87c3a31fdfbf4a93a4c82e619dd763129d9c9a590c14e0e8fac6a1833d3

Download Submit
C:\Windows\{BB7D2964-DE71-4b54-9620-8BBD97F40D4D}.exe

Filesize
216KB

MD5
6e75fa7cf8b49c2c419a5ad5498137f0

SHA1
c7259fab73c17e25fc774a00c221ad1ca5d998e9

SHA256
abd5c4bfd5bf0143655e8e4b57760b060ddd37362a4ce48937744c18fc194124

SHA512
8ab1fc381daa476d88210a340785f39c287aff855b7c8463320164e88892f0456b6fd87c3a31fdfbf4a93a4c82e619dd763129d9c9a590c14e0e8fac6a1833d3

Download Submit
C:\Windows\{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe

Filesize
216KB

MD5
de7eefa8a501235723cd9f7bd1450d5f

SHA1
c21cd807ce97e23f3ca40f2ffdeed6ae5853c6f8

SHA256
da329ac1a31334025fad78cfece8afa7f9e3fb41a4f5e5b8a35a4609de0f6a55

SHA512
28353ffbfa5c168fde406aaedf0f51f914fe028a9656d4e57212584fd2e08e24bc0357e3e5500c8c86ade2c040eca23b5919452b6512b71f4af1be22415c8e43

Download Submit
C:\Windows\{C8FCB4CC-1538-4567-BF0C-13A6F37103CD}.exe

Filesize
216KB

MD5
de7eefa8a501235723cd9f7bd1450d5f

SHA1
c21cd807ce97e23f3ca40f2ffdeed6ae5853c6f8

SHA256
da329ac1a31334025fad78cfece8afa7f9e3fb41a4f5e5b8a35a4609de0f6a55

SHA512
28353ffbfa5c168fde406aaedf0f51f914fe028a9656d4e57212584fd2e08e24bc0357e3e5500c8c86ade2c040eca23b5919452b6512b71f4af1be22415c8e43

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads