0ab68923f3f6c5c494e564508b648e5ece02957dd84a7a9f186975e775aef959

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23-08-2023 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe
Size

372KB
MD5

76584f45934fbbc5ee094bd3abbf8f32
SHA1

4729c85f4288d08c10f3e86e27294bd7a2fc888f
SHA256

0ab68923f3f6c5c494e564508b648e5ece02957dd84a7a9f186975e775aef959
SHA512

59c7b121f0b589560ab8f25b98fda1cc26fc76e17a4b3bd364ea0f3475223e4b3619c926cada705b7f25a59fa90efce336fcfaa42a81be9e0123e733121c4a0f
SSDEEP

3072:CEGh0oMmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGvl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BE3D11E-1147-409c-984B-0D966633BA52}\stubpath = "C:\\Windows\\{5BE3D11E-1147-409c-984B-0D966633BA52}.exe"	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD931DCA-FCA9-4daa-B069-F3563C97C425}	{5BE3D11E-1147-409c-984B-0D966633BA52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD931DCA-FCA9-4daa-B069-F3563C97C425}\stubpath = "C:\\Windows\\{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe"	{5BE3D11E-1147-409c-984B-0D966633BA52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}	{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6228492C-1AB6-4701-99B0-3FB7567836C8}	{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B86B597F-18A2-47a6-83A1-AF928895EBB2}\stubpath = "C:\\Windows\\{B86B597F-18A2-47a6-83A1-AF928895EBB2}.exe"	{D32B052E-AE0D-4d70-B424-5A11637B6FCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D96DE04-1AC3-4fef-9EDC-D3BAA50D0AE2}	{B86B597F-18A2-47a6-83A1-AF928895EBB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}\stubpath = "C:\\Windows\\{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe"	{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1A2365E-4A32-45f1-B3FD-D389945F5863}	{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}	{4E3B0084-E027-433b-BE86-F07E475220E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{265DBB73-0400-4b75-8D74-70B341DC0655}	{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4036E79-17A4-4744-A7FF-A73DFDC385C8}	{265DBB73-0400-4b75-8D74-70B341DC0655}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B86B597F-18A2-47a6-83A1-AF928895EBB2}	{D32B052E-AE0D-4d70-B424-5A11637B6FCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1A2365E-4A32-45f1-B3FD-D389945F5863}\stubpath = "C:\\Windows\\{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe"	{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E3B0084-E027-433b-BE86-F07E475220E8}	{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E3B0084-E027-433b-BE86-F07E475220E8}\stubpath = "C:\\Windows\\{4E3B0084-E027-433b-BE86-F07E475220E8}.exe"	{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}\stubpath = "C:\\Windows\\{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe"	{4E3B0084-E027-433b-BE86-F07E475220E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D32B052E-AE0D-4d70-B424-5A11637B6FCA}\stubpath = "C:\\Windows\\{D32B052E-AE0D-4d70-B424-5A11637B6FCA}.exe"	{E4036E79-17A4-4744-A7FF-A73DFDC385C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D96DE04-1AC3-4fef-9EDC-D3BAA50D0AE2}\stubpath = "C:\\Windows\\{6D96DE04-1AC3-4fef-9EDC-D3BAA50D0AE2}.exe"	{B86B597F-18A2-47a6-83A1-AF928895EBB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BE3D11E-1147-409c-984B-0D966633BA52}	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6228492C-1AB6-4701-99B0-3FB7567836C8}\stubpath = "C:\\Windows\\{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe"	{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{265DBB73-0400-4b75-8D74-70B341DC0655}\stubpath = "C:\\Windows\\{265DBB73-0400-4b75-8D74-70B341DC0655}.exe"	{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4036E79-17A4-4744-A7FF-A73DFDC385C8}\stubpath = "C:\\Windows\\{E4036E79-17A4-4744-A7FF-A73DFDC385C8}.exe"	{265DBB73-0400-4b75-8D74-70B341DC0655}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D32B052E-AE0D-4d70-B424-5A11637B6FCA}	{E4036E79-17A4-4744-A7FF-A73DFDC385C8}.exe

Deletes itself 1 IoCs

pid	Process
2100	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
1096	{5BE3D11E-1147-409c-984B-0D966633BA52}.exe
2864	{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe
2832	{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe
2720	{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe
2724	{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe
2472	{4E3B0084-E027-433b-BE86-F07E475220E8}.exe
776	{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe
636	{265DBB73-0400-4b75-8D74-70B341DC0655}.exe
2232	{E4036E79-17A4-4744-A7FF-A73DFDC385C8}.exe
2128	{D32B052E-AE0D-4d70-B424-5A11637B6FCA}.exe
2712	{B86B597F-18A2-47a6-83A1-AF928895EBB2}.exe
1084	{6D96DE04-1AC3-4fef-9EDC-D3BAA50D0AE2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe	{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe
File created	C:\Windows\{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe	{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe
File created	C:\Windows\{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe	{4E3B0084-E027-433b-BE86-F07E475220E8}.exe
File created	C:\Windows\{265DBB73-0400-4b75-8D74-70B341DC0655}.exe	{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe
File created	C:\Windows\{5BE3D11E-1147-409c-984B-0D966633BA52}.exe	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe
File created	C:\Windows\{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe	{5BE3D11E-1147-409c-984B-0D966633BA52}.exe
File created	C:\Windows\{E4036E79-17A4-4744-A7FF-A73DFDC385C8}.exe	{265DBB73-0400-4b75-8D74-70B341DC0655}.exe
File created	C:\Windows\{D32B052E-AE0D-4d70-B424-5A11637B6FCA}.exe	{E4036E79-17A4-4744-A7FF-A73DFDC385C8}.exe
File created	C:\Windows\{B86B597F-18A2-47a6-83A1-AF928895EBB2}.exe	{D32B052E-AE0D-4d70-B424-5A11637B6FCA}.exe
File created	C:\Windows\{6D96DE04-1AC3-4fef-9EDC-D3BAA50D0AE2}.exe	{B86B597F-18A2-47a6-83A1-AF928895EBB2}.exe
File created	C:\Windows\{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe	{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe
File created	C:\Windows\{4E3B0084-E027-433b-BE86-F07E475220E8}.exe	{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2172	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1096	{5BE3D11E-1147-409c-984B-0D966633BA52}.exe
Token: SeIncBasePriorityPrivilege	2864	{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe
Token: SeIncBasePriorityPrivilege	2832	{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe
Token: SeIncBasePriorityPrivilege	2720	{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe
Token: SeIncBasePriorityPrivilege	2724	{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe
Token: SeIncBasePriorityPrivilege	2472	{4E3B0084-E027-433b-BE86-F07E475220E8}.exe
Token: SeIncBasePriorityPrivilege	776	{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe
Token: SeIncBasePriorityPrivilege	636	{265DBB73-0400-4b75-8D74-70B341DC0655}.exe
Token: SeIncBasePriorityPrivilege	2232	{E4036E79-17A4-4744-A7FF-A73DFDC385C8}.exe
Token: SeIncBasePriorityPrivilege	2128	{D32B052E-AE0D-4d70-B424-5A11637B6FCA}.exe
Token: SeIncBasePriorityPrivilege	2712	{B86B597F-18A2-47a6-83A1-AF928895EBB2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1096	2172	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	28
PID 2172 wrote to memory of 1096	2172	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	28
PID 2172 wrote to memory of 1096	2172	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	28
PID 2172 wrote to memory of 1096	2172	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	28
PID 2172 wrote to memory of 2100	2172	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	29
PID 2172 wrote to memory of 2100	2172	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	29
PID 2172 wrote to memory of 2100	2172	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	29
PID 2172 wrote to memory of 2100	2172	76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe	29
PID 1096 wrote to memory of 2864	1096	{5BE3D11E-1147-409c-984B-0D966633BA52}.exe	32
PID 1096 wrote to memory of 2864	1096	{5BE3D11E-1147-409c-984B-0D966633BA52}.exe	32
PID 1096 wrote to memory of 2864	1096	{5BE3D11E-1147-409c-984B-0D966633BA52}.exe	32
PID 1096 wrote to memory of 2864	1096	{5BE3D11E-1147-409c-984B-0D966633BA52}.exe	32
PID 1096 wrote to memory of 1696	1096	{5BE3D11E-1147-409c-984B-0D966633BA52}.exe	33
PID 1096 wrote to memory of 1696	1096	{5BE3D11E-1147-409c-984B-0D966633BA52}.exe	33
PID 1096 wrote to memory of 1696	1096	{5BE3D11E-1147-409c-984B-0D966633BA52}.exe	33
PID 1096 wrote to memory of 1696	1096	{5BE3D11E-1147-409c-984B-0D966633BA52}.exe	33
PID 2864 wrote to memory of 2832	2864	{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe	34
PID 2864 wrote to memory of 2832	2864	{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe	34
PID 2864 wrote to memory of 2832	2864	{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe	34
PID 2864 wrote to memory of 2832	2864	{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe	34
PID 2864 wrote to memory of 1572	2864	{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe	35
PID 2864 wrote to memory of 1572	2864	{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe	35
PID 2864 wrote to memory of 1572	2864	{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe	35
PID 2864 wrote to memory of 1572	2864	{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe	35
PID 2832 wrote to memory of 2720	2832	{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe	36
PID 2832 wrote to memory of 2720	2832	{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe	36
PID 2832 wrote to memory of 2720	2832	{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe	36
PID 2832 wrote to memory of 2720	2832	{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe	36
PID 2832 wrote to memory of 2676	2832	{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe	37
PID 2832 wrote to memory of 2676	2832	{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe	37
PID 2832 wrote to memory of 2676	2832	{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe	37
PID 2832 wrote to memory of 2676	2832	{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe	37
PID 2720 wrote to memory of 2724	2720	{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe	38
PID 2720 wrote to memory of 2724	2720	{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe	38
PID 2720 wrote to memory of 2724	2720	{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe	38
PID 2720 wrote to memory of 2724	2720	{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe	38
PID 2720 wrote to memory of 2356	2720	{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe	39
PID 2720 wrote to memory of 2356	2720	{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe	39
PID 2720 wrote to memory of 2356	2720	{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe	39
PID 2720 wrote to memory of 2356	2720	{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe	39
PID 2724 wrote to memory of 2472	2724	{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe	40
PID 2724 wrote to memory of 2472	2724	{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe	40
PID 2724 wrote to memory of 2472	2724	{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe	40
PID 2724 wrote to memory of 2472	2724	{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe	40
PID 2724 wrote to memory of 2000	2724	{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe	41
PID 2724 wrote to memory of 2000	2724	{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe	41
PID 2724 wrote to memory of 2000	2724	{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe	41
PID 2724 wrote to memory of 2000	2724	{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe	41
PID 2472 wrote to memory of 776	2472	{4E3B0084-E027-433b-BE86-F07E475220E8}.exe	42
PID 2472 wrote to memory of 776	2472	{4E3B0084-E027-433b-BE86-F07E475220E8}.exe	42
PID 2472 wrote to memory of 776	2472	{4E3B0084-E027-433b-BE86-F07E475220E8}.exe	42
PID 2472 wrote to memory of 776	2472	{4E3B0084-E027-433b-BE86-F07E475220E8}.exe	42
PID 2472 wrote to memory of 1008	2472	{4E3B0084-E027-433b-BE86-F07E475220E8}.exe	43
PID 2472 wrote to memory of 1008	2472	{4E3B0084-E027-433b-BE86-F07E475220E8}.exe	43
PID 2472 wrote to memory of 1008	2472	{4E3B0084-E027-433b-BE86-F07E475220E8}.exe	43
PID 2472 wrote to memory of 1008	2472	{4E3B0084-E027-433b-BE86-F07E475220E8}.exe	43
PID 776 wrote to memory of 636	776	{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe	44
PID 776 wrote to memory of 636	776	{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe	44
PID 776 wrote to memory of 636	776	{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe	44
PID 776 wrote to memory of 636	776	{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe	44
PID 776 wrote to memory of 564	776	{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe	45
PID 776 wrote to memory of 564	776	{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe	45
PID 776 wrote to memory of 564	776	{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe	45
PID 776 wrote to memory of 564	776	{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe	45

C:\Users\Admin\AppData\Local\Temp\76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\76584f45934fbbc5ee094bd3abbf8f32_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\{5BE3D11E-1147-409c-984B-0D966633BA52}.exe
  C:\Windows\{5BE3D11E-1147-409c-984B-0D966633BA52}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe
    C:\Windows\{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe
      C:\Windows\{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe
        
        C:\Windows\{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe
        
        C:\Windows\{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{4E3B0084-E027-433b-BE86-F07E475220E8}.exe
        
        C:\Windows\{4E3B0084-E027-433b-BE86-F07E475220E8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe
        
        C:\Windows\{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\{265DBB73-0400-4b75-8D74-70B341DC0655}.exe
        
        C:\Windows\{265DBB73-0400-4b75-8D74-70B341DC0655}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\{E4036E79-17A4-4744-A7FF-A73DFDC385C8}.exe
        
        C:\Windows\{E4036E79-17A4-4744-A7FF-A73DFDC385C8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\{D32B052E-AE0D-4d70-B424-5A11637B6FCA}.exe
        
        C:\Windows\{D32B052E-AE0D-4d70-B424-5A11637B6FCA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\{B86B597F-18A2-47a6-83A1-AF928895EBB2}.exe
        
        C:\Windows\{B86B597F-18A2-47a6-83A1-AF928895EBB2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\{6D96DE04-1AC3-4fef-9EDC-D3BAA50D0AE2}.exe
        
        C:\Windows\{6D96DE04-1AC3-4fef-9EDC-D3BAA50D0AE2}.exe
        13⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B86B5~1.EXE > nul
        13⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D32B0~1.EXE > nul
        12⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4036~1.EXE > nul
        11⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{265DB~1.EXE > nul
        10⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95CCC~1.EXE > nul
        9⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E3B0~1.EXE > nul
        8⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1A23~1.EXE > nul
        7⤵
        
        PID:2000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62284~1.EXE > nul
        6⤵
        
        PID:2356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B6E4~1.EXE > nul
        5⤵
        
        PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CD931~1.EXE > nul
      4⤵
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5BE3D~1.EXE > nul
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\76584F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{265DBB73-0400-4b75-8D74-70B341DC0655}.exe

Filesize
372KB

MD5
305dda7bfaa067b99854ead17407464a

SHA1
532bb029cd9706ecd7f9b74061c88699a0eb8ff1

SHA256
746ed0f73ac8ec37a6824fe2db80df9bfcae1e04b31812378d0b3d16bd80481e

SHA512
f2b1edc979331c4e7eb98a9c0cf0b498db1497ce08c4bce34e3d3a5c12e26408c22d806b0ff4d912edfccd6a5fe1a95791521b0cf1faaa8b8f34a8d8e6172fcc

Download Submit
C:\Windows\{265DBB73-0400-4b75-8D74-70B341DC0655}.exe

Filesize
372KB

MD5
305dda7bfaa067b99854ead17407464a

SHA1
532bb029cd9706ecd7f9b74061c88699a0eb8ff1

SHA256
746ed0f73ac8ec37a6824fe2db80df9bfcae1e04b31812378d0b3d16bd80481e

SHA512
f2b1edc979331c4e7eb98a9c0cf0b498db1497ce08c4bce34e3d3a5c12e26408c22d806b0ff4d912edfccd6a5fe1a95791521b0cf1faaa8b8f34a8d8e6172fcc

Download Submit
C:\Windows\{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe

Filesize
372KB

MD5
c902b2b5a3a27e4e4932765b136e02e3

SHA1
e907d27324f33db8b9fbe00d716520549055c442

SHA256
378ce05cce937c4b7f437000feca622c19a4ed985c61a13de38c871b3bbde7ad

SHA512
7b2594d7c58cf723955f33d4a9094014ea027fdc4a24969df55cb05e8cedd40c7bff027df3dd3f9f32102e1cb8dcf7a159a468644df38c46bef1b79c8d9a1375

Download Submit
C:\Windows\{3B6E4C85-0F6F-4b21-8A1F-1D51C231BAD6}.exe

Filesize
372KB

MD5
c902b2b5a3a27e4e4932765b136e02e3

SHA1
e907d27324f33db8b9fbe00d716520549055c442

SHA256
378ce05cce937c4b7f437000feca622c19a4ed985c61a13de38c871b3bbde7ad

SHA512
7b2594d7c58cf723955f33d4a9094014ea027fdc4a24969df55cb05e8cedd40c7bff027df3dd3f9f32102e1cb8dcf7a159a468644df38c46bef1b79c8d9a1375

Download Submit
C:\Windows\{4E3B0084-E027-433b-BE86-F07E475220E8}.exe

Filesize
372KB

MD5
dee4230f22c5b8d78d3591fa7f2a5bc4

SHA1
810c3e3ef91ff5bd88b0038298dd3dbc17cfa019

SHA256
39dd4701e7a7dcc577c735894ac3aa30ddf8da497b0c8e0f0885f677562e8a74

SHA512
69efb4f96136b83bb42b753314ba165bc4e55b497d8533a03a3cbc0dc4639e621f21178e5c173d7a8b792b88c9f86dd3988442715037148291a7272ed6573b35

Download Submit
C:\Windows\{4E3B0084-E027-433b-BE86-F07E475220E8}.exe

Filesize
372KB

MD5
dee4230f22c5b8d78d3591fa7f2a5bc4

SHA1
810c3e3ef91ff5bd88b0038298dd3dbc17cfa019

SHA256
39dd4701e7a7dcc577c735894ac3aa30ddf8da497b0c8e0f0885f677562e8a74

SHA512
69efb4f96136b83bb42b753314ba165bc4e55b497d8533a03a3cbc0dc4639e621f21178e5c173d7a8b792b88c9f86dd3988442715037148291a7272ed6573b35

Download Submit
C:\Windows\{5BE3D11E-1147-409c-984B-0D966633BA52}.exe

Filesize
372KB

MD5
e623b64536493fab724aa9ddb4db500e

SHA1
8d22480889080bbb8ae84ad06c593b5c0e295f7b

SHA256
03fd1c1377b04f977a2ce4ea7d27d14069651ec35ba2da3b81ed766666412272

SHA512
ccbde727104ad918bfcf13cbfd627087a6ca07a9537aa916e66c39ea5e3394d6e3531c7fc0505aec90948208775865d1cef503381948b095b8c2b07bb7d1d633

Download Submit
C:\Windows\{5BE3D11E-1147-409c-984B-0D966633BA52}.exe

Filesize
372KB

MD5
e623b64536493fab724aa9ddb4db500e

SHA1
8d22480889080bbb8ae84ad06c593b5c0e295f7b

SHA256
03fd1c1377b04f977a2ce4ea7d27d14069651ec35ba2da3b81ed766666412272

SHA512
ccbde727104ad918bfcf13cbfd627087a6ca07a9537aa916e66c39ea5e3394d6e3531c7fc0505aec90948208775865d1cef503381948b095b8c2b07bb7d1d633

Download Submit
C:\Windows\{5BE3D11E-1147-409c-984B-0D966633BA52}.exe

Filesize
372KB

MD5
e623b64536493fab724aa9ddb4db500e

SHA1
8d22480889080bbb8ae84ad06c593b5c0e295f7b

SHA256
03fd1c1377b04f977a2ce4ea7d27d14069651ec35ba2da3b81ed766666412272

SHA512
ccbde727104ad918bfcf13cbfd627087a6ca07a9537aa916e66c39ea5e3394d6e3531c7fc0505aec90948208775865d1cef503381948b095b8c2b07bb7d1d633

Download Submit
C:\Windows\{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe

Filesize
372KB

MD5
ef0168993a021dc6a627a683aac56bd1

SHA1
58ae2f6ca250e2ef807de5a3ff98171eff8fa383

SHA256
be3424b69d5d71b8c54140880ce46ad3c3bfd152e897683a46c2bb1bb2925067

SHA512
94c70abe861f99085450e8dbd12b2f8f73e975bf9d80b2579c2f0e454010691a24f038589032fe4d4a5ae68c7877a12362893b5c3d6713fdd967bf6c52fc3c97

Download Submit
C:\Windows\{6228492C-1AB6-4701-99B0-3FB7567836C8}.exe

Filesize
372KB

MD5
ef0168993a021dc6a627a683aac56bd1

SHA1
58ae2f6ca250e2ef807de5a3ff98171eff8fa383

SHA256
be3424b69d5d71b8c54140880ce46ad3c3bfd152e897683a46c2bb1bb2925067

SHA512
94c70abe861f99085450e8dbd12b2f8f73e975bf9d80b2579c2f0e454010691a24f038589032fe4d4a5ae68c7877a12362893b5c3d6713fdd967bf6c52fc3c97

Download Submit
C:\Windows\{6D96DE04-1AC3-4fef-9EDC-D3BAA50D0AE2}.exe

Filesize
372KB

MD5
8440f73eba9bc5ca80eee23221f385fb

SHA1
6c79b137b900c9baa0b234706c3a04b47ab10112

SHA256
00101e453e1c4cffe7bc5150f51ab20b929ba50297d50753b17f4852e2873bef

SHA512
ebbcefc34360c3a5f3dd4859d62f213aa4f6de43a4d8c5f65408e9d18836785cd6998f0d71d8c8e03e2a339e5468289f5d093a67cf2902bb2d61e3c2fa4165e4

Download Submit
C:\Windows\{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe

Filesize
372KB

MD5
208cec1701efb184b8e17da401f49cd9

SHA1
f15838fbbf04659f21fa40b5577e52c2be42b75e

SHA256
aa8322677acea84624fcd05087fef4d252b48469184de196d50d0bb8d6356e59

SHA512
356bb6269a25a99dc8570f81df8c6540797102846d8db2f6efce6f074c6b6f5bcec86afb5f1653fdd309fef6ee4101a1561169c469557c0cff12011498126dd4

Download Submit
C:\Windows\{95CCC9CE-76D0-4a36-8694-FFBE3FB6E043}.exe

Filesize
372KB

MD5
208cec1701efb184b8e17da401f49cd9

SHA1
f15838fbbf04659f21fa40b5577e52c2be42b75e

SHA256
aa8322677acea84624fcd05087fef4d252b48469184de196d50d0bb8d6356e59

SHA512
356bb6269a25a99dc8570f81df8c6540797102846d8db2f6efce6f074c6b6f5bcec86afb5f1653fdd309fef6ee4101a1561169c469557c0cff12011498126dd4

Download Submit
C:\Windows\{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe

Filesize
372KB

MD5
50a86e4371fb063bb8b18496bc5f53d4

SHA1
bf1890ccf0f511be91ecc97e26788d049c6bd8be

SHA256
f3a70cb53bf4de27fb27db50e712ef4ba846d6859d445895dc5156a764eae510

SHA512
c7a534df55a66943a35148f7c92d0d40bb0477a3a216af96b7653c0d673b8acc84942425b6b7300ce98c8280fab3adae48a8583813a47a64fb9dab80f98010d9

Download Submit
C:\Windows\{B1A2365E-4A32-45f1-B3FD-D389945F5863}.exe

Filesize
372KB

MD5
50a86e4371fb063bb8b18496bc5f53d4

SHA1
bf1890ccf0f511be91ecc97e26788d049c6bd8be

SHA256
f3a70cb53bf4de27fb27db50e712ef4ba846d6859d445895dc5156a764eae510

SHA512
c7a534df55a66943a35148f7c92d0d40bb0477a3a216af96b7653c0d673b8acc84942425b6b7300ce98c8280fab3adae48a8583813a47a64fb9dab80f98010d9

Download Submit
C:\Windows\{B86B597F-18A2-47a6-83A1-AF928895EBB2}.exe

Filesize
372KB

MD5
f32726b6afa22588256068a6eda49143

SHA1
6640e6da3a4d48d195118f2888cbbac557a9b242

SHA256
9d9928c6f52802f4eaad2d3189816772d5df8d45b5eaa2ec882d8dfe5f7900c2

SHA512
f37bea877a74fc0421b6957504a54fbd01d37f359746512dc5d731153276133851d4fa400d43dfb2880e402cb3e199c4ca31a570d8efc2b35efba931f8cbd128

Download Submit
C:\Windows\{B86B597F-18A2-47a6-83A1-AF928895EBB2}.exe

Filesize
372KB

MD5
f32726b6afa22588256068a6eda49143

SHA1
6640e6da3a4d48d195118f2888cbbac557a9b242

SHA256
9d9928c6f52802f4eaad2d3189816772d5df8d45b5eaa2ec882d8dfe5f7900c2

SHA512
f37bea877a74fc0421b6957504a54fbd01d37f359746512dc5d731153276133851d4fa400d43dfb2880e402cb3e199c4ca31a570d8efc2b35efba931f8cbd128

Download Submit
C:\Windows\{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe

Filesize
372KB

MD5
bc1bf980b883181c4e83043615851a69

SHA1
daea47b3ca02e6a2222445cc67aebcb7d8ab6e04

SHA256
d1ac30b8bcd6948119d9372b5ec72e7094c00a6ca468639157d586dd97e05db1

SHA512
bc89072cc529f1eefffe2d09632b08be0040ae23abceedf32dfd6ea6ea8684098b3eb8b2d27f4f2bd4277340928a32adf1d874db7930a7036b2de61a299e8fd2

Download Submit
C:\Windows\{CD931DCA-FCA9-4daa-B069-F3563C97C425}.exe

Filesize
372KB

MD5
bc1bf980b883181c4e83043615851a69

SHA1
daea47b3ca02e6a2222445cc67aebcb7d8ab6e04

SHA256
d1ac30b8bcd6948119d9372b5ec72e7094c00a6ca468639157d586dd97e05db1

SHA512
bc89072cc529f1eefffe2d09632b08be0040ae23abceedf32dfd6ea6ea8684098b3eb8b2d27f4f2bd4277340928a32adf1d874db7930a7036b2de61a299e8fd2

Download Submit
C:\Windows\{D32B052E-AE0D-4d70-B424-5A11637B6FCA}.exe

Filesize
372KB

MD5
c9ed588d0b79529f15edaa641eff71e6

SHA1
6705878821f5d364b23b008124b4e95a3c98ad65

SHA256
60dbe4c0b6777770fa8297593dff9da38609064de66075559d50c2ca60cbc7ce

SHA512
1561caea27c2a0909f63afd18cb44cf1ea4d09feddeb95807468dc6aff7880e90505843c04ad316ce1d1be16df6b646d338e224612ddba85d43a688e0e02cd92

Download Submit
C:\Windows\{D32B052E-AE0D-4d70-B424-5A11637B6FCA}.exe

Filesize
372KB

MD5
c9ed588d0b79529f15edaa641eff71e6

SHA1
6705878821f5d364b23b008124b4e95a3c98ad65

SHA256
60dbe4c0b6777770fa8297593dff9da38609064de66075559d50c2ca60cbc7ce

SHA512
1561caea27c2a0909f63afd18cb44cf1ea4d09feddeb95807468dc6aff7880e90505843c04ad316ce1d1be16df6b646d338e224612ddba85d43a688e0e02cd92

Download Submit
C:\Windows\{E4036E79-17A4-4744-A7FF-A73DFDC385C8}.exe

Filesize
372KB

MD5
f012279e68b67d9dde7c6b9fc8a1d155

SHA1
194ac2bc7a080b19a2af868c916f41dcb408de3d

SHA256
07a6c2cc9c3fd5c3639ac4637e274147699c99087543c7d6240408f4102e5eae

SHA512
10faa7121f4c08ba40cc447695c733890d8ea645a43e38d270a4a6adbf8c3f302fc1034273868e2fa9330e1bba712d7f561c90b35894270b9c5f6bd84d87d882

Download Submit
C:\Windows\{E4036E79-17A4-4744-A7FF-A73DFDC385C8}.exe

Filesize
372KB

MD5
f012279e68b67d9dde7c6b9fc8a1d155

SHA1
194ac2bc7a080b19a2af868c916f41dcb408de3d

SHA256
07a6c2cc9c3fd5c3639ac4637e274147699c99087543c7d6240408f4102e5eae

SHA512
10faa7121f4c08ba40cc447695c733890d8ea645a43e38d270a4a6adbf8c3f302fc1034273868e2fa9330e1bba712d7f561c90b35894270b9c5f6bd84d87d882

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads