e510a63fb1c50aededcced2325670522ed891d7fcfde862ccef3d83f54f1db5f

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe
Size

192KB
MD5

75fb0ac38426f258484d85c02ae477d4
SHA1

a1b381dc966cc7c4ddae380a87d5857388c8e91f
SHA256

e510a63fb1c50aededcced2325670522ed891d7fcfde862ccef3d83f54f1db5f
SHA512

193cdec3db916ffd55e0a5a0f45df659918c08b83a6c0867e2ba50fdf43f69d82efe53b709124039a9133bfe9c07b0fb03096d83951b195f36369fd334508ce7
SSDEEP

1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o4l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7790E59-CF9B-413d-95FC-3E8042DE547E}\stubpath = "C:\\Windows\\{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe"	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{294571C8-9636-4456-BFB8-C02382FD5734}\stubpath = "C:\\Windows\\{294571C8-9636-4456-BFB8-C02382FD5734}.exe"	{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D8DA732-D488-41c0-A415-23605EEE44B1}\stubpath = "C:\\Windows\\{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe"	{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D92AF13-957C-4b89-B2F9-2D95DB454B7A}\stubpath = "C:\\Windows\\{7D92AF13-957C-4b89-B2F9-2D95DB454B7A}.exe"	{C3FE40A2-CD2B-4367-A036-0632038BD782}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E152DA32-49CA-4965-8FB6-87963C1B612E}	{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E152DA32-49CA-4965-8FB6-87963C1B612E}\stubpath = "C:\\Windows\\{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe"	{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3FE40A2-CD2B-4367-A036-0632038BD782}	{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D92AF13-957C-4b89-B2F9-2D95DB454B7A}	{C3FE40A2-CD2B-4367-A036-0632038BD782}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7790E59-CF9B-413d-95FC-3E8042DE547E}	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47FDA46D-C8FD-4961-962A-280F371405F8}	{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}	{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}\stubpath = "C:\\Windows\\{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe"	{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3FE40A2-CD2B-4367-A036-0632038BD782}\stubpath = "C:\\Windows\\{C3FE40A2-CD2B-4367-A036-0632038BD782}.exe"	{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}\stubpath = "C:\\Windows\\{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe"	{294571C8-9636-4456-BFB8-C02382FD5734}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{263EF025-7738-4c98-840B-0EAF664FE64E}	{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{263EF025-7738-4c98-840B-0EAF664FE64E}\stubpath = "C:\\Windows\\{263EF025-7738-4c98-840B-0EAF664FE64E}.exe"	{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47FDA46D-C8FD-4961-962A-280F371405F8}\stubpath = "C:\\Windows\\{47FDA46D-C8FD-4961-962A-280F371405F8}.exe"	{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB27C535-9606-43c7-8191-E44AA2CBC3FD}	{47FDA46D-C8FD-4961-962A-280F371405F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB27C535-9606-43c7-8191-E44AA2CBC3FD}\stubpath = "C:\\Windows\\{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe"	{47FDA46D-C8FD-4961-962A-280F371405F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{294571C8-9636-4456-BFB8-C02382FD5734}	{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}	{294571C8-9636-4456-BFB8-C02382FD5734}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}	{263EF025-7738-4c98-840B-0EAF664FE64E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}\stubpath = "C:\\Windows\\{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe"	{263EF025-7738-4c98-840B-0EAF664FE64E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D8DA732-D488-41c0-A415-23605EEE44B1}	{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe

Executes dropped EXE 12 IoCs

pid	Process
648	{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe
3004	{47FDA46D-C8FD-4961-962A-280F371405F8}.exe
2024	{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe
2876	{294571C8-9636-4456-BFB8-C02382FD5734}.exe
2576	{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe
4764	{263EF025-7738-4c98-840B-0EAF664FE64E}.exe
3356	{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe
4676	{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe
496	{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe
3872	{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe
2968	{C3FE40A2-CD2B-4367-A036-0632038BD782}.exe
2960	{7D92AF13-957C-4b89-B2F9-2D95DB454B7A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C3FE40A2-CD2B-4367-A036-0632038BD782}.exe	{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe
File created	C:\Windows\{7D92AF13-957C-4b89-B2F9-2D95DB454B7A}.exe	{C3FE40A2-CD2B-4367-A036-0632038BD782}.exe
File created	C:\Windows\{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe
File created	C:\Windows\{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe	{47FDA46D-C8FD-4961-962A-280F371405F8}.exe
File created	C:\Windows\{263EF025-7738-4c98-840B-0EAF664FE64E}.exe	{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe
File created	C:\Windows\{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe	{263EF025-7738-4c98-840B-0EAF664FE64E}.exe
File created	C:\Windows\{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe	{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe
File created	C:\Windows\{47FDA46D-C8FD-4961-962A-280F371405F8}.exe	{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe
File created	C:\Windows\{294571C8-9636-4456-BFB8-C02382FD5734}.exe	{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe
File created	C:\Windows\{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe	{294571C8-9636-4456-BFB8-C02382FD5734}.exe
File created	C:\Windows\{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe	{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe
File created	C:\Windows\{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe	{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5108	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	648	{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe
Token: SeIncBasePriorityPrivilege	3004	{47FDA46D-C8FD-4961-962A-280F371405F8}.exe
Token: SeIncBasePriorityPrivilege	2024	{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe
Token: SeIncBasePriorityPrivilege	2876	{294571C8-9636-4456-BFB8-C02382FD5734}.exe
Token: SeIncBasePriorityPrivilege	2576	{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe
Token: SeIncBasePriorityPrivilege	4764	{263EF025-7738-4c98-840B-0EAF664FE64E}.exe
Token: SeIncBasePriorityPrivilege	3356	{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe
Token: SeIncBasePriorityPrivilege	4676	{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe
Token: SeIncBasePriorityPrivilege	496	{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe
Token: SeIncBasePriorityPrivilege	3872	{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe
Token: SeIncBasePriorityPrivilege	2968	{C3FE40A2-CD2B-4367-A036-0632038BD782}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 648	5108	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	89
PID 5108 wrote to memory of 648	5108	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	89
PID 5108 wrote to memory of 648	5108	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	89
PID 5108 wrote to memory of 1724	5108	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	90
PID 5108 wrote to memory of 1724	5108	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	90
PID 5108 wrote to memory of 1724	5108	75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe	90
PID 648 wrote to memory of 3004	648	{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe	91
PID 648 wrote to memory of 3004	648	{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe	91
PID 648 wrote to memory of 3004	648	{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe	91
PID 648 wrote to memory of 3588	648	{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe	92
PID 648 wrote to memory of 3588	648	{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe	92
PID 648 wrote to memory of 3588	648	{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe	92
PID 3004 wrote to memory of 2024	3004	{47FDA46D-C8FD-4961-962A-280F371405F8}.exe	95
PID 3004 wrote to memory of 2024	3004	{47FDA46D-C8FD-4961-962A-280F371405F8}.exe	95
PID 3004 wrote to memory of 2024	3004	{47FDA46D-C8FD-4961-962A-280F371405F8}.exe	95
PID 3004 wrote to memory of 1548	3004	{47FDA46D-C8FD-4961-962A-280F371405F8}.exe	94
PID 3004 wrote to memory of 1548	3004	{47FDA46D-C8FD-4961-962A-280F371405F8}.exe	94
PID 3004 wrote to memory of 1548	3004	{47FDA46D-C8FD-4961-962A-280F371405F8}.exe	94
PID 2024 wrote to memory of 2876	2024	{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe	96
PID 2024 wrote to memory of 2876	2024	{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe	96
PID 2024 wrote to memory of 2876	2024	{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe	96
PID 2024 wrote to memory of 4800	2024	{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe	97
PID 2024 wrote to memory of 4800	2024	{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe	97
PID 2024 wrote to memory of 4800	2024	{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe	97
PID 2876 wrote to memory of 2576	2876	{294571C8-9636-4456-BFB8-C02382FD5734}.exe	98
PID 2876 wrote to memory of 2576	2876	{294571C8-9636-4456-BFB8-C02382FD5734}.exe	98
PID 2876 wrote to memory of 2576	2876	{294571C8-9636-4456-BFB8-C02382FD5734}.exe	98
PID 2876 wrote to memory of 3520	2876	{294571C8-9636-4456-BFB8-C02382FD5734}.exe	99
PID 2876 wrote to memory of 3520	2876	{294571C8-9636-4456-BFB8-C02382FD5734}.exe	99
PID 2876 wrote to memory of 3520	2876	{294571C8-9636-4456-BFB8-C02382FD5734}.exe	99
PID 2576 wrote to memory of 4764	2576	{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe	100
PID 2576 wrote to memory of 4764	2576	{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe	100
PID 2576 wrote to memory of 4764	2576	{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe	100
PID 2576 wrote to memory of 4428	2576	{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe	101
PID 2576 wrote to memory of 4428	2576	{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe	101
PID 2576 wrote to memory of 4428	2576	{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe	101
PID 4764 wrote to memory of 3356	4764	{263EF025-7738-4c98-840B-0EAF664FE64E}.exe	102
PID 4764 wrote to memory of 3356	4764	{263EF025-7738-4c98-840B-0EAF664FE64E}.exe	102
PID 4764 wrote to memory of 3356	4764	{263EF025-7738-4c98-840B-0EAF664FE64E}.exe	102
PID 4764 wrote to memory of 4656	4764	{263EF025-7738-4c98-840B-0EAF664FE64E}.exe	103
PID 4764 wrote to memory of 4656	4764	{263EF025-7738-4c98-840B-0EAF664FE64E}.exe	103
PID 4764 wrote to memory of 4656	4764	{263EF025-7738-4c98-840B-0EAF664FE64E}.exe	103
PID 3356 wrote to memory of 4676	3356	{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe	104
PID 3356 wrote to memory of 4676	3356	{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe	104
PID 3356 wrote to memory of 4676	3356	{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe	104
PID 3356 wrote to memory of 4148	3356	{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe	105
PID 3356 wrote to memory of 4148	3356	{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe	105
PID 3356 wrote to memory of 4148	3356	{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe	105
PID 4676 wrote to memory of 496	4676	{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe	106
PID 4676 wrote to memory of 496	4676	{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe	106
PID 4676 wrote to memory of 496	4676	{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe	106
PID 4676 wrote to memory of 3904	4676	{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe	107
PID 4676 wrote to memory of 3904	4676	{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe	107
PID 4676 wrote to memory of 3904	4676	{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe	107
PID 496 wrote to memory of 3872	496	{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe	108
PID 496 wrote to memory of 3872	496	{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe	108
PID 496 wrote to memory of 3872	496	{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe	108
PID 496 wrote to memory of 4504	496	{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe	109
PID 496 wrote to memory of 4504	496	{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe	109
PID 496 wrote to memory of 4504	496	{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe	109
PID 3872 wrote to memory of 2968	3872	{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe	110
PID 3872 wrote to memory of 2968	3872	{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe	110
PID 3872 wrote to memory of 2968	3872	{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe	110
PID 3872 wrote to memory of 4268	3872	{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe	111

C:\Users\Admin\AppData\Local\Temp\75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\75fb0ac38426f258484d85c02ae477d4_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe
  C:\Windows\{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\{47FDA46D-C8FD-4961-962A-280F371405F8}.exe
    C:\Windows\{47FDA46D-C8FD-4961-962A-280F371405F8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{47FDA~1.EXE > nul
      4⤵
      PID:1548
  - - C:\Windows\{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe
      C:\Windows\{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Windows\{294571C8-9636-4456-BFB8-C02382FD5734}.exe
        
        C:\Windows\{294571C8-9636-4456-BFB8-C02382FD5734}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe
        
        C:\Windows\{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\{263EF025-7738-4c98-840B-0EAF664FE64E}.exe
        
        C:\Windows\{263EF025-7738-4c98-840B-0EAF664FE64E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe
        
        C:\Windows\{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe
        
        C:\Windows\{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe
        
        C:\Windows\{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Windows\{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe
        
        C:\Windows\{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\{C3FE40A2-CD2B-4367-A036-0632038BD782}.exe
        
        C:\Windows\{C3FE40A2-CD2B-4367-A036-0632038BD782}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{7D92AF13-957C-4b89-B2F9-2D95DB454B7A}.exe
        
        C:\Windows\{7D92AF13-957C-4b89-B2F9-2D95DB454B7A}.exe
        13⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3FE4~1.EXE > nul
        13⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E152D~1.EXE > nul
        12⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0AFC~1.EXE > nul
        11⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D8DA~1.EXE > nul
        10⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54A52~1.EXE > nul
        9⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{263EF~1.EXE > nul
        8⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29262~1.EXE > nul
        7⤵
        
        PID:4428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29457~1.EXE > nul
        6⤵
        
        PID:3520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB27C~1.EXE > nul
        5⤵
        
        PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B7790~1.EXE > nul
    3⤵
    PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\75FB0A~1.EXE > nul
  2⤵
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{263EF025-7738-4c98-840B-0EAF664FE64E}.exe

Filesize
192KB

MD5
3a10d1e2ef355948fd88d715527ca6e8

SHA1
811bea7cd0da4e97290c05225a0a47f7449d1ee3

SHA256
120d9f81deeb714e4dff3f146a2c5a0731bc4ca3e96adc767f6cf82bddc3e329

SHA512
ca237b6bb5e32370d8727f5e183e68f61bf0d49f6553761a3234a21c397778cab20bbe2ddbff34bb9d1ab676661bf83afdeed33a0a81e9ac51254cc9a08a2dbd

Download Submit
C:\Windows\{263EF025-7738-4c98-840B-0EAF664FE64E}.exe

Filesize
192KB

MD5
3a10d1e2ef355948fd88d715527ca6e8

SHA1
811bea7cd0da4e97290c05225a0a47f7449d1ee3

SHA256
120d9f81deeb714e4dff3f146a2c5a0731bc4ca3e96adc767f6cf82bddc3e329

SHA512
ca237b6bb5e32370d8727f5e183e68f61bf0d49f6553761a3234a21c397778cab20bbe2ddbff34bb9d1ab676661bf83afdeed33a0a81e9ac51254cc9a08a2dbd

Download Submit
C:\Windows\{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe

Filesize
192KB

MD5
9969c185c1c55a8779288e906969223c

SHA1
2bfdf3f8e9191713281e00b81e7469bcd2153f71

SHA256
4d6e3de8260f524ffbaee063b5b63c25012762bc53a4cf46a62fceee7c46b0d5

SHA512
b088e550efa45d029b609c131e34cb14b5470743cb0c0a1597cd396d424e6149775cdd79837617b0c79fb56605fe32318718a337c460078bb38bfc857e988e28

Download Submit
C:\Windows\{292629A9-FFD8-4ab1-9D37-9C2BA6F4B53E}.exe

Filesize
192KB

MD5
9969c185c1c55a8779288e906969223c

SHA1
2bfdf3f8e9191713281e00b81e7469bcd2153f71

SHA256
4d6e3de8260f524ffbaee063b5b63c25012762bc53a4cf46a62fceee7c46b0d5

SHA512
b088e550efa45d029b609c131e34cb14b5470743cb0c0a1597cd396d424e6149775cdd79837617b0c79fb56605fe32318718a337c460078bb38bfc857e988e28

Download Submit
C:\Windows\{294571C8-9636-4456-BFB8-C02382FD5734}.exe

Filesize
192KB

MD5
ac23e2db7b8e84612f25e566ee336462

SHA1
0dcb3cd6199802c8ca7df4bdb289f709e302e5ac

SHA256
39fc913bf8af684d5334b55b27edc8c02bd692dc824f1c7d0bf9e1f0e559ffac

SHA512
0ad3958520597845b213d207d55c74d26a52f865418ebb29880a5ce9e461909a861fe285a1248f1c6e4a3ca1ee64974695b0713228053c4e28dbecc7fe1b0b73

Download Submit
C:\Windows\{294571C8-9636-4456-BFB8-C02382FD5734}.exe

Filesize
192KB

MD5
ac23e2db7b8e84612f25e566ee336462

SHA1
0dcb3cd6199802c8ca7df4bdb289f709e302e5ac

SHA256
39fc913bf8af684d5334b55b27edc8c02bd692dc824f1c7d0bf9e1f0e559ffac

SHA512
0ad3958520597845b213d207d55c74d26a52f865418ebb29880a5ce9e461909a861fe285a1248f1c6e4a3ca1ee64974695b0713228053c4e28dbecc7fe1b0b73

Download Submit
C:\Windows\{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe

Filesize
192KB

MD5
7af4f0b1859c34953509123887b40ca5

SHA1
c7538d6d6b4056a84dc504ed32fdf6272e900fe2

SHA256
f966ddc20a207c8372c87b59fd281dbea0390a62f73a4cb924520f3499ce73db

SHA512
37c775db7288a6c15cc5ad3b9395da1543c6ac2eb112a9bf78643f25dc986f2b8a813fc5d58644e61f6d61fa6bc1eea4fd3037aca039827cb53339718f407f37

Download Submit
C:\Windows\{2D8DA732-D488-41c0-A415-23605EEE44B1}.exe

Filesize
192KB

MD5
7af4f0b1859c34953509123887b40ca5

SHA1
c7538d6d6b4056a84dc504ed32fdf6272e900fe2

SHA256
f966ddc20a207c8372c87b59fd281dbea0390a62f73a4cb924520f3499ce73db

SHA512
37c775db7288a6c15cc5ad3b9395da1543c6ac2eb112a9bf78643f25dc986f2b8a813fc5d58644e61f6d61fa6bc1eea4fd3037aca039827cb53339718f407f37

Download Submit
C:\Windows\{47FDA46D-C8FD-4961-962A-280F371405F8}.exe

Filesize
192KB

MD5
dda86a25fc1ec9f94242aa5dd42f040b

SHA1
380f3d6b1e3aafdd356635be58ec1d9d8efed68c

SHA256
a6ec65f52fcf12cc3b125cd8eecc63b3a5e1e986ddc2eb77f52a6cfc87b199e9

SHA512
89af3b3bfc7e2587480608f2aaf97bdf6ff3b0438972b3309cb5cc4be73a71bf8b834f96bf9d0a6e38395e867136c8ba76b66d43ee88cb204763626032502f3a

Download Submit
C:\Windows\{47FDA46D-C8FD-4961-962A-280F371405F8}.exe

Filesize
192KB

MD5
dda86a25fc1ec9f94242aa5dd42f040b

SHA1
380f3d6b1e3aafdd356635be58ec1d9d8efed68c

SHA256
a6ec65f52fcf12cc3b125cd8eecc63b3a5e1e986ddc2eb77f52a6cfc87b199e9

SHA512
89af3b3bfc7e2587480608f2aaf97bdf6ff3b0438972b3309cb5cc4be73a71bf8b834f96bf9d0a6e38395e867136c8ba76b66d43ee88cb204763626032502f3a

Download Submit
C:\Windows\{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe

Filesize
192KB

MD5
88665e459ebdbe6f83e53fef1dc90402

SHA1
e8973e4bd11a839813da9fb7163faf54cd5f7f5e

SHA256
73824b40fcf0a58e250a23b224a94384215af0d9d3dfdbf4ea08ecacc056bc63

SHA512
0860bd01d87db8fe41bf266b4d4732bf257ce18b5b4d116421159aedda9916c91b1a5f64d334b9dfe1790b3aa759cec26bf561bbd879add0628021c7dbb3fdcf

Download Submit
C:\Windows\{54A52AF0-3077-4d0f-9AAB-CEC93B00A046}.exe

Filesize
192KB

MD5
88665e459ebdbe6f83e53fef1dc90402

SHA1
e8973e4bd11a839813da9fb7163faf54cd5f7f5e

SHA256
73824b40fcf0a58e250a23b224a94384215af0d9d3dfdbf4ea08ecacc056bc63

SHA512
0860bd01d87db8fe41bf266b4d4732bf257ce18b5b4d116421159aedda9916c91b1a5f64d334b9dfe1790b3aa759cec26bf561bbd879add0628021c7dbb3fdcf

Download Submit
C:\Windows\{7D92AF13-957C-4b89-B2F9-2D95DB454B7A}.exe

Filesize
192KB

MD5
a78ca8fcaf78da2aa2e405d3fe3e5698

SHA1
9bfbfbe31c9831486c756416f4f2941be7d0a1d9

SHA256
aa6d7842525c5f12927da0d0a3501e6003a90bcadbd15746fe16413481a3d3c8

SHA512
eec0c0c6871ca6c48845d7802e7de697cab2239121d5ae7792330451915054630b77243c2de9c6d257e7eb0df15f8e3caabce512c83801edeb832566955d640d

Download Submit
C:\Windows\{7D92AF13-957C-4b89-B2F9-2D95DB454B7A}.exe

Filesize
192KB

MD5
a78ca8fcaf78da2aa2e405d3fe3e5698

SHA1
9bfbfbe31c9831486c756416f4f2941be7d0a1d9

SHA256
aa6d7842525c5f12927da0d0a3501e6003a90bcadbd15746fe16413481a3d3c8

SHA512
eec0c0c6871ca6c48845d7802e7de697cab2239121d5ae7792330451915054630b77243c2de9c6d257e7eb0df15f8e3caabce512c83801edeb832566955d640d

Download Submit
C:\Windows\{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe

Filesize
192KB

MD5
29100d38edbd39496398e65322b0350f

SHA1
76b011c28b4a883fd37631167ef79482175dfb28

SHA256
66e55dfe4db5ac275eac92266d624def804aab7c6f0657c925f5562f28063a12

SHA512
f3a785a263faa02323edbac8297d681e63a66e0d251c0e686cea11bdf34f6776c3d8444a7609fa8b8647df9bec7a65ff2d35b4c49fecda6a21a85b19d9b3e192

Download Submit
C:\Windows\{B7790E59-CF9B-413d-95FC-3E8042DE547E}.exe

Filesize
192KB

MD5
29100d38edbd39496398e65322b0350f

SHA1
76b011c28b4a883fd37631167ef79482175dfb28

SHA256
66e55dfe4db5ac275eac92266d624def804aab7c6f0657c925f5562f28063a12

SHA512
f3a785a263faa02323edbac8297d681e63a66e0d251c0e686cea11bdf34f6776c3d8444a7609fa8b8647df9bec7a65ff2d35b4c49fecda6a21a85b19d9b3e192

Download Submit
C:\Windows\{C3FE40A2-CD2B-4367-A036-0632038BD782}.exe

Filesize
192KB

MD5
251efe12fb97b3f2d646ca73847b670c

SHA1
21f3f6f7699fc6ed6d7140e4817dccf401a60520

SHA256
2d4555a2f8dae23251d5db52a4043d825d8afdc468386fd23f6fd0847dcfa857

SHA512
84d5c457b18df2241677fbc593dc9cca786858c95a79eeefc6c750115aa1de93a001ad14ba53c341bacee2635cb39a24b869e88452a7ab43ffee3b46b5b4d456

Download Submit
C:\Windows\{C3FE40A2-CD2B-4367-A036-0632038BD782}.exe

Filesize
192KB

MD5
251efe12fb97b3f2d646ca73847b670c

SHA1
21f3f6f7699fc6ed6d7140e4817dccf401a60520

SHA256
2d4555a2f8dae23251d5db52a4043d825d8afdc468386fd23f6fd0847dcfa857

SHA512
84d5c457b18df2241677fbc593dc9cca786858c95a79eeefc6c750115aa1de93a001ad14ba53c341bacee2635cb39a24b869e88452a7ab43ffee3b46b5b4d456

Download Submit
C:\Windows\{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe

Filesize
192KB

MD5
a0a5f5d477c17cba6ce5fbff0f57d410

SHA1
5d3d36ad77e394682c432e465b19dafa40fc52e6

SHA256
d23df46719db42a68d2a6f40987ce8f1c7238eac14f3d270ace9c31efaa3d8a6

SHA512
0f6152764e64f2db8d50689246d306389f6b3d2fc4503715eb8dd4aa06a347dfc254da117f9c24845e2bd5723d51dcfc5e0bafa2b8c8c0d306960968ef7378f8

Download Submit
C:\Windows\{E152DA32-49CA-4965-8FB6-87963C1B612E}.exe

Filesize
192KB

MD5
a0a5f5d477c17cba6ce5fbff0f57d410

SHA1
5d3d36ad77e394682c432e465b19dafa40fc52e6

SHA256
d23df46719db42a68d2a6f40987ce8f1c7238eac14f3d270ace9c31efaa3d8a6

SHA512
0f6152764e64f2db8d50689246d306389f6b3d2fc4503715eb8dd4aa06a347dfc254da117f9c24845e2bd5723d51dcfc5e0bafa2b8c8c0d306960968ef7378f8

Download Submit
C:\Windows\{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe

Filesize
192KB

MD5
dec50c792da3a35b50fb6948e9601856

SHA1
9fe3f45064ee219be7c4ef2057dca7016bd3dbc7

SHA256
e2b88e0fcfc04a534780c0b37b32a6e907918c1536c8992972f09a6ed3ae35db

SHA512
9fa6ffd8271c93519212b61ad6c5fdf487015dc6091731c4ac283aef1ec8b16cc54eed83e4d4acf72330b8c46ac1159d3c46f0d1eea61ce3b7334217cc8f7410

Download Submit
C:\Windows\{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe

Filesize
192KB

MD5
dec50c792da3a35b50fb6948e9601856

SHA1
9fe3f45064ee219be7c4ef2057dca7016bd3dbc7

SHA256
e2b88e0fcfc04a534780c0b37b32a6e907918c1536c8992972f09a6ed3ae35db

SHA512
9fa6ffd8271c93519212b61ad6c5fdf487015dc6091731c4ac283aef1ec8b16cc54eed83e4d4acf72330b8c46ac1159d3c46f0d1eea61ce3b7334217cc8f7410

Download Submit
C:\Windows\{EB27C535-9606-43c7-8191-E44AA2CBC3FD}.exe

Filesize
192KB

MD5
dec50c792da3a35b50fb6948e9601856

SHA1
9fe3f45064ee219be7c4ef2057dca7016bd3dbc7

SHA256
e2b88e0fcfc04a534780c0b37b32a6e907918c1536c8992972f09a6ed3ae35db

SHA512
9fa6ffd8271c93519212b61ad6c5fdf487015dc6091731c4ac283aef1ec8b16cc54eed83e4d4acf72330b8c46ac1159d3c46f0d1eea61ce3b7334217cc8f7410

Download Submit
C:\Windows\{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe

Filesize
192KB

MD5
64417e7d01bc7541b2a6cd8fb9b537bb

SHA1
59be93913224be7f4cb459778a84fda293c8bdb0

SHA256
3f12605e1904ff1b503d93911f0a7d9b8550d76d54543c86d4acc1c2832fd367

SHA512
c8e213d804b4b3a3a49eb16db867d2f47f1445b08fa83c7985a466ffe6e12b185c673eb4d2cb4c64da88d3ebe57ea51ef949a8f0a83d2cdd6de6f8b540e0dad7

Download Submit
C:\Windows\{F0AFC817-B63A-4c0e-BE22-B9B0280495C2}.exe

Filesize
192KB

MD5
64417e7d01bc7541b2a6cd8fb9b537bb

SHA1
59be93913224be7f4cb459778a84fda293c8bdb0

SHA256
3f12605e1904ff1b503d93911f0a7d9b8550d76d54543c86d4acc1c2832fd367

SHA512
c8e213d804b4b3a3a49eb16db867d2f47f1445b08fa83c7985a466ffe6e12b185c673eb4d2cb4c64da88d3ebe57ea51ef949a8f0a83d2cdd6de6f8b540e0dad7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads