a0d240bf417ed593194d4ad73f7d439c008d262d2b7a8a860ed995843ca9f7a3

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22-08-2023 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe
Size

168KB
MD5

6d0e146fd664fa1604f17a1ee9da6f05
SHA1

fc7ed052b786f5ef9f17d492d57e86f912b9fd00
SHA256

a0d240bf417ed593194d4ad73f7d439c008d262d2b7a8a860ed995843ca9f7a3
SHA512

32f484915194b80e4bb6710341f670ff8f163eeb36823092de8bb1c74a6b9e40e6975cab7f2607ff0df202a1f560be6fa88ef04a65cc0abe404ec3a55733884a
SSDEEP

1536:1EGh0o9lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o9lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB83BE17-7200-4336-AAD5-3C226CD4EE30}\stubpath = "C:\\Windows\\{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe"	{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F960B979-6BF1-4acb-B19C-652DEA68EB8F}\stubpath = "C:\\Windows\\{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe"	{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FABA5904-E64D-4a46-980C-154D335D9F1B}\stubpath = "C:\\Windows\\{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe"	{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}\stubpath = "C:\\Windows\\{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe"	{D4367020-4D53-4216-B298-C517564C8F5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A79C5CA5-1270-46b0-86A8-A753D3C734E0}	{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{649AF151-44B4-4c73-9833-4F2CC26C707F}	{E64C2858-95A6-4d7c-A65D-AD6DEC3FCB21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F34C347-74E4-452e-B27F-1B72E8CF88D6}\stubpath = "C:\\Windows\\{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe"	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}	{D4367020-4D53-4216-B298-C517564C8F5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{305818C9-2325-4883-A002-4745CD451916}	{A79C5CA5-1270-46b0-86A8-A753D3C734E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{305818C9-2325-4883-A002-4745CD451916}\stubpath = "C:\\Windows\\{305818C9-2325-4883-A002-4745CD451916}.exe"	{A79C5CA5-1270-46b0-86A8-A753D3C734E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{649AF151-44B4-4c73-9833-4F2CC26C707F}\stubpath = "C:\\Windows\\{649AF151-44B4-4c73-9833-4F2CC26C707F}.exe"	{E64C2858-95A6-4d7c-A65D-AD6DEC3FCB21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB83BE17-7200-4336-AAD5-3C226CD4EE30}	{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E64C2858-95A6-4d7c-A65D-AD6DEC3FCB21}	{305818C9-2325-4883-A002-4745CD451916}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FABA5904-E64D-4a46-980C-154D335D9F1B}	{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F960B979-6BF1-4acb-B19C-652DEA68EB8F}	{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4644C09-1A3C-41a7-89C4-2348F6EFF588}	{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4644C09-1A3C-41a7-89C4-2348F6EFF588}\stubpath = "C:\\Windows\\{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe"	{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4367020-4D53-4216-B298-C517564C8F5E}	{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4367020-4D53-4216-B298-C517564C8F5E}\stubpath = "C:\\Windows\\{D4367020-4D53-4216-B298-C517564C8F5E}.exe"	{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A79C5CA5-1270-46b0-86A8-A753D3C734E0}\stubpath = "C:\\Windows\\{A79C5CA5-1270-46b0-86A8-A753D3C734E0}.exe"	{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E64C2858-95A6-4d7c-A65D-AD6DEC3FCB21}\stubpath = "C:\\Windows\\{E64C2858-95A6-4d7c-A65D-AD6DEC3FCB21}.exe"	{305818C9-2325-4883-A002-4745CD451916}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F34C347-74E4-452e-B27F-1B72E8CF88D6}	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe

Deletes itself 1 IoCs

pid	Process
2220	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2492	{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe
2988	{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe
2976	{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe
2912	{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe
2880	{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe
2744	{D4367020-4D53-4216-B298-C517564C8F5E}.exe
2764	{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe
564	{A79C5CA5-1270-46b0-86A8-A753D3C734E0}.exe
1032	{305818C9-2325-4883-A002-4745CD451916}.exe
2696	{E64C2858-95A6-4d7c-A65D-AD6DEC3FCB21}.exe
1996	{649AF151-44B4-4c73-9833-4F2CC26C707F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe	{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe
File created	C:\Windows\{A79C5CA5-1270-46b0-86A8-A753D3C734E0}.exe	{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe
File created	C:\Windows\{305818C9-2325-4883-A002-4745CD451916}.exe	{A79C5CA5-1270-46b0-86A8-A753D3C734E0}.exe
File created	C:\Windows\{E64C2858-95A6-4d7c-A65D-AD6DEC3FCB21}.exe	{305818C9-2325-4883-A002-4745CD451916}.exe
File created	C:\Windows\{649AF151-44B4-4c73-9833-4F2CC26C707F}.exe	{E64C2858-95A6-4d7c-A65D-AD6DEC3FCB21}.exe
File created	C:\Windows\{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe
File created	C:\Windows\{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe	{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe
File created	C:\Windows\{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe	{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe
File created	C:\Windows\{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe	{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe
File created	C:\Windows\{D4367020-4D53-4216-B298-C517564C8F5E}.exe	{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe
File created	C:\Windows\{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe	{D4367020-4D53-4216-B298-C517564C8F5E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1176	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2492	{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe
Token: SeIncBasePriorityPrivilege	2988	{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe
Token: SeIncBasePriorityPrivilege	2976	{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe
Token: SeIncBasePriorityPrivilege	2912	{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe
Token: SeIncBasePriorityPrivilege	2880	{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe
Token: SeIncBasePriorityPrivilege	2744	{D4367020-4D53-4216-B298-C517564C8F5E}.exe
Token: SeIncBasePriorityPrivilege	2764	{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe
Token: SeIncBasePriorityPrivilege	564	{A79C5CA5-1270-46b0-86A8-A753D3C734E0}.exe
Token: SeIncBasePriorityPrivilege	1032	{305818C9-2325-4883-A002-4745CD451916}.exe
Token: SeIncBasePriorityPrivilege	2696	{E64C2858-95A6-4d7c-A65D-AD6DEC3FCB21}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2492	1176	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	28
PID 1176 wrote to memory of 2492	1176	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	28
PID 1176 wrote to memory of 2492	1176	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	28
PID 1176 wrote to memory of 2492	1176	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	28
PID 1176 wrote to memory of 2220	1176	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	29
PID 1176 wrote to memory of 2220	1176	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	29
PID 1176 wrote to memory of 2220	1176	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	29
PID 1176 wrote to memory of 2220	1176	6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe	29
PID 2492 wrote to memory of 2988	2492	{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe	32
PID 2492 wrote to memory of 2988	2492	{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe	32
PID 2492 wrote to memory of 2988	2492	{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe	32
PID 2492 wrote to memory of 2988	2492	{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe	32
PID 2492 wrote to memory of 2852	2492	{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe	33
PID 2492 wrote to memory of 2852	2492	{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe	33
PID 2492 wrote to memory of 2852	2492	{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe	33
PID 2492 wrote to memory of 2852	2492	{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe	33
PID 2988 wrote to memory of 2976	2988	{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe	34
PID 2988 wrote to memory of 2976	2988	{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe	34
PID 2988 wrote to memory of 2976	2988	{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe	34
PID 2988 wrote to memory of 2976	2988	{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe	34
PID 2988 wrote to memory of 2868	2988	{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe	35
PID 2988 wrote to memory of 2868	2988	{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe	35
PID 2988 wrote to memory of 2868	2988	{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe	35
PID 2988 wrote to memory of 2868	2988	{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe	35
PID 2976 wrote to memory of 2912	2976	{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe	36
PID 2976 wrote to memory of 2912	2976	{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe	36
PID 2976 wrote to memory of 2912	2976	{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe	36
PID 2976 wrote to memory of 2912	2976	{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe	36
PID 2976 wrote to memory of 2752	2976	{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe	37
PID 2976 wrote to memory of 2752	2976	{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe	37
PID 2976 wrote to memory of 2752	2976	{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe	37
PID 2976 wrote to memory of 2752	2976	{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe	37
PID 2912 wrote to memory of 2880	2912	{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe	38
PID 2912 wrote to memory of 2880	2912	{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe	38
PID 2912 wrote to memory of 2880	2912	{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe	38
PID 2912 wrote to memory of 2880	2912	{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe	38
PID 2912 wrote to memory of 2624	2912	{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe	39
PID 2912 wrote to memory of 2624	2912	{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe	39
PID 2912 wrote to memory of 2624	2912	{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe	39
PID 2912 wrote to memory of 2624	2912	{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe	39
PID 2880 wrote to memory of 2744	2880	{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe	40
PID 2880 wrote to memory of 2744	2880	{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe	40
PID 2880 wrote to memory of 2744	2880	{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe	40
PID 2880 wrote to memory of 2744	2880	{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe	40
PID 2880 wrote to memory of 2640	2880	{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe	41
PID 2880 wrote to memory of 2640	2880	{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe	41
PID 2880 wrote to memory of 2640	2880	{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe	41
PID 2880 wrote to memory of 2640	2880	{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe	41
PID 2744 wrote to memory of 2764	2744	{D4367020-4D53-4216-B298-C517564C8F5E}.exe	42
PID 2744 wrote to memory of 2764	2744	{D4367020-4D53-4216-B298-C517564C8F5E}.exe	42
PID 2744 wrote to memory of 2764	2744	{D4367020-4D53-4216-B298-C517564C8F5E}.exe	42
PID 2744 wrote to memory of 2764	2744	{D4367020-4D53-4216-B298-C517564C8F5E}.exe	42
PID 2744 wrote to memory of 2300	2744	{D4367020-4D53-4216-B298-C517564C8F5E}.exe	43
PID 2744 wrote to memory of 2300	2744	{D4367020-4D53-4216-B298-C517564C8F5E}.exe	43
PID 2744 wrote to memory of 2300	2744	{D4367020-4D53-4216-B298-C517564C8F5E}.exe	43
PID 2744 wrote to memory of 2300	2744	{D4367020-4D53-4216-B298-C517564C8F5E}.exe	43
PID 2764 wrote to memory of 564	2764	{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe	44
PID 2764 wrote to memory of 564	2764	{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe	44
PID 2764 wrote to memory of 564	2764	{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe	44
PID 2764 wrote to memory of 564	2764	{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe	44
PID 2764 wrote to memory of 580	2764	{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe	45
PID 2764 wrote to memory of 580	2764	{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe	45
PID 2764 wrote to memory of 580	2764	{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe	45
PID 2764 wrote to memory of 580	2764	{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe	45

C:\Users\Admin\AppData\Local\Temp\6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6d0e146fd664fa1604f17a1ee9da6f05_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe
  C:\Windows\{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe
    C:\Windows\{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe
      C:\Windows\{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe
        
        C:\Windows\{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe
        
        C:\Windows\{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\{D4367020-4D53-4216-B298-C517564C8F5E}.exe
        
        C:\Windows\{D4367020-4D53-4216-B298-C517564C8F5E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe
        
        C:\Windows\{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{A79C5CA5-1270-46b0-86A8-A753D3C734E0}.exe
        
        C:\Windows\{A79C5CA5-1270-46b0-86A8-A753D3C734E0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A79C5~1.EXE > nul
        10⤵
        
        PID:1128
        
        C:\Windows\{305818C9-2325-4883-A002-4745CD451916}.exe
        
        C:\Windows\{305818C9-2325-4883-A002-4745CD451916}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\{E64C2858-95A6-4d7c-A65D-AD6DEC3FCB21}.exe
        
        C:\Windows\{E64C2858-95A6-4d7c-A65D-AD6DEC3FCB21}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\{649AF151-44B4-4c73-9833-4F2CC26C707F}.exe
        
        C:\Windows\{649AF151-44B4-4c73-9833-4F2CC26C707F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E64C2~1.EXE > nul
        12⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30581~1.EXE > nul
        11⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CBB5~1.EXE > nul
        9⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4367~1.EXE > nul
        8⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FABA5~1.EXE > nul
        7⤵
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4644~1.EXE > nul
        6⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F960B~1.EXE > nul
        5⤵
        
        PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DB83B~1.EXE > nul
      4⤵
      PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3F34C~1.EXE > nul
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6D0E14~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{305818C9-2325-4883-A002-4745CD451916}.exe

Filesize
168KB

MD5
dd866b2d4abd3841b3d0466a26a4c065

SHA1
b26652610b314942b19a8364285e8450009de19b

SHA256
64ddbb50f89f94e3b9068421186732cde2638cbea191adb2678fd5e287832f76

SHA512
746fc9f8fbd6d138f86fd346e347a8646d3aa85ea7effabee0a52122bf2f60f8fbc9088ce01238f5309c65b1e1ee580252f297bd09ee65867f452047a5c123bc

Download Submit
C:\Windows\{305818C9-2325-4883-A002-4745CD451916}.exe

Filesize
168KB

MD5
dd866b2d4abd3841b3d0466a26a4c065

SHA1
b26652610b314942b19a8364285e8450009de19b

SHA256
64ddbb50f89f94e3b9068421186732cde2638cbea191adb2678fd5e287832f76

SHA512
746fc9f8fbd6d138f86fd346e347a8646d3aa85ea7effabee0a52122bf2f60f8fbc9088ce01238f5309c65b1e1ee580252f297bd09ee65867f452047a5c123bc

Download Submit
C:\Windows\{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe

Filesize
168KB

MD5
12f3b8513d7034f720125bb550bce294

SHA1
7fbf89777a77977d166cd1a9536b3944953ed9bd

SHA256
9822b6b6a54eca5b3c615ec28218e1dae9fe68c35706f35a3a73ee6038d35585

SHA512
1507397515a948fc20fd7be82cda1c868cd6ce3d4b9ed663b19942a6d0cf33119201c85d16e5682fdb01d06eb4653218cf47e0b6d97f3461739dda1073b526ec

Download Submit
C:\Windows\{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe

Filesize
168KB

MD5
12f3b8513d7034f720125bb550bce294

SHA1
7fbf89777a77977d166cd1a9536b3944953ed9bd

SHA256
9822b6b6a54eca5b3c615ec28218e1dae9fe68c35706f35a3a73ee6038d35585

SHA512
1507397515a948fc20fd7be82cda1c868cd6ce3d4b9ed663b19942a6d0cf33119201c85d16e5682fdb01d06eb4653218cf47e0b6d97f3461739dda1073b526ec

Download Submit
C:\Windows\{3F34C347-74E4-452e-B27F-1B72E8CF88D6}.exe

Filesize
168KB

MD5
12f3b8513d7034f720125bb550bce294

SHA1
7fbf89777a77977d166cd1a9536b3944953ed9bd

SHA256
9822b6b6a54eca5b3c615ec28218e1dae9fe68c35706f35a3a73ee6038d35585

SHA512
1507397515a948fc20fd7be82cda1c868cd6ce3d4b9ed663b19942a6d0cf33119201c85d16e5682fdb01d06eb4653218cf47e0b6d97f3461739dda1073b526ec

Download Submit
C:\Windows\{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe

Filesize
168KB

MD5
163c4678a518096726b899b3314406bc

SHA1
66c4387f4776a407c1087326ae9fee0a204587fa

SHA256
5a63b991aac0c951604fcd3b93b3ffabda591ff9e838f65c2155af4f92759937

SHA512
e8cdece6e0b54a95a4bbb885cfd9060e6cd1a51f3f520e6932c79fa5218cdb096d7884c90e824ba1d28ab66c8bc3afe5ada58fbf879125eb6103ff0c8d82b46a

Download Submit
C:\Windows\{4CBB53CC-B7DC-4c6d-9F14-C3E015B4225A}.exe

Filesize
168KB

MD5
163c4678a518096726b899b3314406bc

SHA1
66c4387f4776a407c1087326ae9fee0a204587fa

SHA256
5a63b991aac0c951604fcd3b93b3ffabda591ff9e838f65c2155af4f92759937

SHA512
e8cdece6e0b54a95a4bbb885cfd9060e6cd1a51f3f520e6932c79fa5218cdb096d7884c90e824ba1d28ab66c8bc3afe5ada58fbf879125eb6103ff0c8d82b46a

Download Submit
C:\Windows\{649AF151-44B4-4c73-9833-4F2CC26C707F}.exe

Filesize
168KB

MD5
c35fdd820bec30882464b548d17e579e

SHA1
9240d42f4ef4fe68dcd862086e34ff140047aa78

SHA256
e074f45238f7c72ccde6a75394529c41bcb25428aff7615881e7c499880017e7

SHA512
5e69643a2e35b81ffe760c674b2fbddc6e2cfdb06c893f5a2175d344002f918aade421c33e6338f975c8a1d05ccaf210d614227dd5995ff00f3d5adbd26c111f

Download Submit
C:\Windows\{A79C5CA5-1270-46b0-86A8-A753D3C734E0}.exe

Filesize
168KB

MD5
ed0ddd2e6055a3c516ba1ef14457fc2e

SHA1
50ebc7560d9bd394dca078e83d4d3cd2ed2376c2

SHA256
97f69bcfae8b26d4c68d29c57064c0fe4e8f94c298923459aa4252a03fef901d

SHA512
d80df2b78ca2f0a3c531e864fc079febc3778940a7a2f3970b5b8aca35c921ff5f0c72d2cac902a6730d0f824aee6091443c46ba843792e843b80fbe188826b9

Download Submit
C:\Windows\{A79C5CA5-1270-46b0-86A8-A753D3C734E0}.exe

Filesize
168KB

MD5
ed0ddd2e6055a3c516ba1ef14457fc2e

SHA1
50ebc7560d9bd394dca078e83d4d3cd2ed2376c2

SHA256
97f69bcfae8b26d4c68d29c57064c0fe4e8f94c298923459aa4252a03fef901d

SHA512
d80df2b78ca2f0a3c531e864fc079febc3778940a7a2f3970b5b8aca35c921ff5f0c72d2cac902a6730d0f824aee6091443c46ba843792e843b80fbe188826b9

Download Submit
C:\Windows\{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe

Filesize
168KB

MD5
4979174f5929e131518909697ee039cd

SHA1
ff29e20ca8310f20da6a600eca4440bd47d8d19b

SHA256
b03424bc0f3c7a5c65572a965bab9bd5792ea6c3d432442f4d06280f63514f77

SHA512
92a0561d1beeca5ec247b2951c8bd0e009459616df3cc9b9ac66639d4f70dec4ffc2227ddfc7b3af39a8b2b1c6414d77636aa27999a084bdb37979fa3cdc81b7

Download Submit
C:\Windows\{B4644C09-1A3C-41a7-89C4-2348F6EFF588}.exe

Filesize
168KB

MD5
4979174f5929e131518909697ee039cd

SHA1
ff29e20ca8310f20da6a600eca4440bd47d8d19b

SHA256
b03424bc0f3c7a5c65572a965bab9bd5792ea6c3d432442f4d06280f63514f77

SHA512
92a0561d1beeca5ec247b2951c8bd0e009459616df3cc9b9ac66639d4f70dec4ffc2227ddfc7b3af39a8b2b1c6414d77636aa27999a084bdb37979fa3cdc81b7

Download Submit
C:\Windows\{D4367020-4D53-4216-B298-C517564C8F5E}.exe

Filesize
168KB

MD5
dfab6bd608e03846b3204d0871f5bd09

SHA1
04b00792d4d169d640c0a68f4250a0fdade6fcad

SHA256
933fbc53188c985473f917541d899a4c3be694453bc4a58296fb69d100736154

SHA512
470c9ecec950a6f5d70e29ecbfcceae809b35ad885180069e3c259a02e9d891ea22de47af0f03c78f20f036e281ad1f7b2830d9bcda1deaf7718b056801fc504

Download Submit
C:\Windows\{D4367020-4D53-4216-B298-C517564C8F5E}.exe

Filesize
168KB

MD5
dfab6bd608e03846b3204d0871f5bd09

SHA1
04b00792d4d169d640c0a68f4250a0fdade6fcad

SHA256
933fbc53188c985473f917541d899a4c3be694453bc4a58296fb69d100736154

SHA512
470c9ecec950a6f5d70e29ecbfcceae809b35ad885180069e3c259a02e9d891ea22de47af0f03c78f20f036e281ad1f7b2830d9bcda1deaf7718b056801fc504

Download Submit
C:\Windows\{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe

Filesize
168KB

MD5
4d01d3edf9f17c31421816a1003cef05

SHA1
1eaeb37e7ef018f10ef41de985d737afed2e74e6

SHA256
7658dc7bbee4423fd7ae351e8d4d29e94b4b0d174bb6913458d0ef2fbe565646

SHA512
dc318b9ab916698e117436622c0f747e13361db10337ead54a903514f9389eac2657e084d6b111c7f7997cb0c3c41b3d6f2c7d45715c8329562f646eb27f58d4

Download Submit
C:\Windows\{DB83BE17-7200-4336-AAD5-3C226CD4EE30}.exe

Filesize
168KB

MD5
4d01d3edf9f17c31421816a1003cef05

SHA1
1eaeb37e7ef018f10ef41de985d737afed2e74e6

SHA256
7658dc7bbee4423fd7ae351e8d4d29e94b4b0d174bb6913458d0ef2fbe565646

SHA512
dc318b9ab916698e117436622c0f747e13361db10337ead54a903514f9389eac2657e084d6b111c7f7997cb0c3c41b3d6f2c7d45715c8329562f646eb27f58d4

Download Submit
C:\Windows\{E64C2858-95A6-4d7c-A65D-AD6DEC3FCB21}.exe

Filesize
168KB

MD5
89522ff2ddca9b3e8cffd222bd33c82c

SHA1
216a8d6a4406b06f9102b3b923ec5c4657f2d6f3

SHA256
3cef06d680562cdc917824724bcd80dec7e96c9e2163f8da999a3c77cbce2e78

SHA512
1cd8b3d4e2ba796e5f81cdff6cf787df5f3124373ca7b42c19ced04d560b9625ecb4a9384b3894e7935a5ded94cfd92245806a2d665aaa2c580e41adb4af4b8f

Download Submit
C:\Windows\{E64C2858-95A6-4d7c-A65D-AD6DEC3FCB21}.exe

Filesize
168KB

MD5
89522ff2ddca9b3e8cffd222bd33c82c

SHA1
216a8d6a4406b06f9102b3b923ec5c4657f2d6f3

SHA256
3cef06d680562cdc917824724bcd80dec7e96c9e2163f8da999a3c77cbce2e78

SHA512
1cd8b3d4e2ba796e5f81cdff6cf787df5f3124373ca7b42c19ced04d560b9625ecb4a9384b3894e7935a5ded94cfd92245806a2d665aaa2c580e41adb4af4b8f

Download Submit
C:\Windows\{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe

Filesize
168KB

MD5
59d13ae9c23588cad872e8544a131032

SHA1
100f54e92d23da521fd881dfd102e455e9f657ee

SHA256
b20ae937613655ee8ff44a0e41ad31180e62a3c8954200aad58b5156c2ef56ad

SHA512
df29aedd3b8686aded8ff55629e4c8e15bdda05bcb9a0377755456c1f860a59f99ab407612639376471980c1c80199246fb34c6b1e3e41d01614226b817bd269

Download Submit
C:\Windows\{F960B979-6BF1-4acb-B19C-652DEA68EB8F}.exe

Filesize
168KB

MD5
59d13ae9c23588cad872e8544a131032

SHA1
100f54e92d23da521fd881dfd102e455e9f657ee

SHA256
b20ae937613655ee8ff44a0e41ad31180e62a3c8954200aad58b5156c2ef56ad

SHA512
df29aedd3b8686aded8ff55629e4c8e15bdda05bcb9a0377755456c1f860a59f99ab407612639376471980c1c80199246fb34c6b1e3e41d01614226b817bd269

Download Submit
C:\Windows\{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe

Filesize
168KB

MD5
b73da23fc6245b7171cf3b4196299b94

SHA1
84dcc18666fb2e5c864c7827f6c11a4d19065ecf

SHA256
011a20578da65da4a38743215d04d775ac20b91bf436eb5fcc91b7da5a188fa5

SHA512
6541e41be0318a0676399b762d1bebe00160e37cbd2706b71cd36be480fb856cd8b3e8ac8dee49c22d3921a3b682dbf1f7fe0dc00e25a7f1f5d0ec28e3060df2

Download Submit
C:\Windows\{FABA5904-E64D-4a46-980C-154D335D9F1B}.exe

Filesize
168KB

MD5
b73da23fc6245b7171cf3b4196299b94

SHA1
84dcc18666fb2e5c864c7827f6c11a4d19065ecf

SHA256
011a20578da65da4a38743215d04d775ac20b91bf436eb5fcc91b7da5a188fa5

SHA512
6541e41be0318a0676399b762d1bebe00160e37cbd2706b71cd36be480fb856cd8b3e8ac8dee49c22d3921a3b682dbf1f7fe0dc00e25a7f1f5d0ec28e3060df2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads