60d6bd244d3473bdf2de9a3806aeac02a11c8e397cda89c8220cdef97707844c

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 15:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

741ef0a59ced38016e10be0c5992e65e_goldeneye_JC.exe
Size

168KB
MD5

741ef0a59ced38016e10be0c5992e65e
SHA1

6f7d5015035e45f83748196295a84d962a0e2cc7
SHA256

60d6bd244d3473bdf2de9a3806aeac02a11c8e397cda89c8220cdef97707844c
SHA512

e05d0556387174fd293aa136dbd22e876f98ad6506ddfcbc973c017c02aa025fbc7bcc4228d48e6f59fdafee60325dcff78d43ff2bb414c8a660f0d7d0226484
SSDEEP

1536:1EGh0oPlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oPlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}	{302C9CBF-460E-4460-A285-B9651A3C9491}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}\stubpath = "C:\\Windows\\{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe"	{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}\stubpath = "C:\\Windows\\{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe"	{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54B73ED6-D9E4-4e55-A98F-006C8950F513}\stubpath = "C:\\Windows\\{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe"	{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDFA41F0-684B-43b0-915A-52F90FD39DAE}\stubpath = "C:\\Windows\\{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe"	{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3050A3BB-FB03-466b-880A-05F65565692E}	{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{302C9CBF-460E-4460-A285-B9651A3C9491}	{3050A3BB-FB03-466b-880A-05F65565692E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{302C9CBF-460E-4460-A285-B9651A3C9491}\stubpath = "C:\\Windows\\{302C9CBF-460E-4460-A285-B9651A3C9491}.exe"	{3050A3BB-FB03-466b-880A-05F65565692E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EADFA82-297E-4841-BECB-8B98E0B30191}\stubpath = "C:\\Windows\\{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe"	{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}	{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E102C3B-D804-4cc7-A8C9-12648DD673E9}	741ef0a59ced38016e10be0c5992e65e_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3050A3BB-FB03-466b-880A-05F65565692E}\stubpath = "C:\\Windows\\{3050A3BB-FB03-466b-880A-05F65565692E}.exe"	{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C839AC36-6621-4065-AFAF-268BEE0DCDB3}	{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C839AC36-6621-4065-AFAF-268BEE0DCDB3}\stubpath = "C:\\Windows\\{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe"	{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53044B0B-764F-49e7-830E-17BA932B12EC}	{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E102C3B-D804-4cc7-A8C9-12648DD673E9}\stubpath = "C:\\Windows\\{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe"	741ef0a59ced38016e10be0c5992e65e_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDFA41F0-684B-43b0-915A-52F90FD39DAE}	{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EADFA82-297E-4841-BECB-8B98E0B30191}	{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}	{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}\stubpath = "C:\\Windows\\{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe"	{302C9CBF-460E-4460-A285-B9651A3C9491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54B73ED6-D9E4-4e55-A98F-006C8950F513}	{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53044B0B-764F-49e7-830E-17BA932B12EC}\stubpath = "C:\\Windows\\{53044B0B-764F-49e7-830E-17BA932B12EC}.exe"	{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe

Executes dropped EXE 11 IoCs

pid	Process
2300	{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe
2176	{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe
3780	{3050A3BB-FB03-466b-880A-05F65565692E}.exe
4368	{302C9CBF-460E-4460-A285-B9651A3C9491}.exe
3180	{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe
784	{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe
3068	{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe
4100	{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe
4548	{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe
4332	{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe
4336	{53044B0B-764F-49e7-830E-17BA932B12EC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe	{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe
File created	C:\Windows\{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe	{302C9CBF-460E-4460-A285-B9651A3C9491}.exe
File created	C:\Windows\{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe	{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe
File created	C:\Windows\{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe	{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe
File created	C:\Windows\{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe	{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe
File created	C:\Windows\{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe	741ef0a59ced38016e10be0c5992e65e_goldeneye_JC.exe
File created	C:\Windows\{3050A3BB-FB03-466b-880A-05F65565692E}.exe	{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe
File created	C:\Windows\{302C9CBF-460E-4460-A285-B9651A3C9491}.exe	{3050A3BB-FB03-466b-880A-05F65565692E}.exe
File created	C:\Windows\{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe	{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe
File created	C:\Windows\{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe	{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe
File created	C:\Windows\{53044B0B-764F-49e7-830E-17BA932B12EC}.exe	{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3060	741ef0a59ced38016e10be0c5992e65e_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2300	{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe
Token: SeIncBasePriorityPrivilege	2176	{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe
Token: SeIncBasePriorityPrivilege	3780	{3050A3BB-FB03-466b-880A-05F65565692E}.exe
Token: SeIncBasePriorityPrivilege	4368	{302C9CBF-460E-4460-A285-B9651A3C9491}.exe
Token: SeIncBasePriorityPrivilege	3180	{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe
Token: SeIncBasePriorityPrivilege	784	{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe
Token: SeIncBasePriorityPrivilege	3068	{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe
Token: SeIncBasePriorityPrivilege	4100	{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe
Token: SeIncBasePriorityPrivilege	4548	{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe
Token: SeIncBasePriorityPrivilege	4332	{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2300	3060	741ef0a59ced38016e10be0c5992e65e_goldeneye_JC.exe	88
PID 3060 wrote to memory of 2300	3060	741ef0a59ced38016e10be0c5992e65e_goldeneye_JC.exe	88
PID 3060 wrote to memory of 2300	3060	741ef0a59ced38016e10be0c5992e65e_goldeneye_JC.exe	88
PID 3060 wrote to memory of 4112	3060	741ef0a59ced38016e10be0c5992e65e_goldeneye_JC.exe	89
PID 3060 wrote to memory of 4112	3060	741ef0a59ced38016e10be0c5992e65e_goldeneye_JC.exe	89
PID 3060 wrote to memory of 4112	3060	741ef0a59ced38016e10be0c5992e65e_goldeneye_JC.exe	89
PID 2300 wrote to memory of 2176	2300	{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe	93
PID 2300 wrote to memory of 2176	2300	{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe	93
PID 2300 wrote to memory of 2176	2300	{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe	93
PID 2300 wrote to memory of 3800	2300	{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe	94
PID 2300 wrote to memory of 3800	2300	{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe	94
PID 2300 wrote to memory of 3800	2300	{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe	94
PID 2176 wrote to memory of 3780	2176	{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe	96
PID 2176 wrote to memory of 3780	2176	{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe	96
PID 2176 wrote to memory of 3780	2176	{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe	96
PID 2176 wrote to memory of 2400	2176	{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe	95
PID 2176 wrote to memory of 2400	2176	{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe	95
PID 2176 wrote to memory of 2400	2176	{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe	95
PID 3780 wrote to memory of 4368	3780	{3050A3BB-FB03-466b-880A-05F65565692E}.exe	97
PID 3780 wrote to memory of 4368	3780	{3050A3BB-FB03-466b-880A-05F65565692E}.exe	97
PID 3780 wrote to memory of 4368	3780	{3050A3BB-FB03-466b-880A-05F65565692E}.exe	97
PID 3780 wrote to memory of 1848	3780	{3050A3BB-FB03-466b-880A-05F65565692E}.exe	98
PID 3780 wrote to memory of 1848	3780	{3050A3BB-FB03-466b-880A-05F65565692E}.exe	98
PID 3780 wrote to memory of 1848	3780	{3050A3BB-FB03-466b-880A-05F65565692E}.exe	98
PID 4368 wrote to memory of 3180	4368	{302C9CBF-460E-4460-A285-B9651A3C9491}.exe	99
PID 4368 wrote to memory of 3180	4368	{302C9CBF-460E-4460-A285-B9651A3C9491}.exe	99
PID 4368 wrote to memory of 3180	4368	{302C9CBF-460E-4460-A285-B9651A3C9491}.exe	99
PID 4368 wrote to memory of 684	4368	{302C9CBF-460E-4460-A285-B9651A3C9491}.exe	100
PID 4368 wrote to memory of 684	4368	{302C9CBF-460E-4460-A285-B9651A3C9491}.exe	100
PID 4368 wrote to memory of 684	4368	{302C9CBF-460E-4460-A285-B9651A3C9491}.exe	100
PID 3180 wrote to memory of 784	3180	{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe	101
PID 3180 wrote to memory of 784	3180	{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe	101
PID 3180 wrote to memory of 784	3180	{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe	101
PID 3180 wrote to memory of 2260	3180	{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe	102
PID 3180 wrote to memory of 2260	3180	{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe	102
PID 3180 wrote to memory of 2260	3180	{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe	102
PID 784 wrote to memory of 3068	784	{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe	103
PID 784 wrote to memory of 3068	784	{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe	103
PID 784 wrote to memory of 3068	784	{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe	103
PID 784 wrote to memory of 680	784	{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe	104
PID 784 wrote to memory of 680	784	{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe	104
PID 784 wrote to memory of 680	784	{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe	104
PID 3068 wrote to memory of 4100	3068	{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe	105
PID 3068 wrote to memory of 4100	3068	{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe	105
PID 3068 wrote to memory of 4100	3068	{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe	105
PID 3068 wrote to memory of 1188	3068	{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe	106
PID 3068 wrote to memory of 1188	3068	{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe	106
PID 3068 wrote to memory of 1188	3068	{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe	106
PID 4100 wrote to memory of 4548	4100	{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe	107
PID 4100 wrote to memory of 4548	4100	{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe	107
PID 4100 wrote to memory of 4548	4100	{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe	107
PID 4100 wrote to memory of 2980	4100	{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe	108
PID 4100 wrote to memory of 2980	4100	{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe	108
PID 4100 wrote to memory of 2980	4100	{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe	108
PID 4548 wrote to memory of 4332	4548	{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe	109
PID 4548 wrote to memory of 4332	4548	{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe	109
PID 4548 wrote to memory of 4332	4548	{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe	109
PID 4548 wrote to memory of 3436	4548	{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe	110
PID 4548 wrote to memory of 3436	4548	{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe	110
PID 4548 wrote to memory of 3436	4548	{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe	110
PID 4332 wrote to memory of 4336	4332	{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe	111
PID 4332 wrote to memory of 4336	4332	{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe	111
PID 4332 wrote to memory of 4336	4332	{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe	111
PID 4332 wrote to memory of 2440	4332	{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe	112

C:\Users\Admin\AppData\Local\Temp\741ef0a59ced38016e10be0c5992e65e_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\741ef0a59ced38016e10be0c5992e65e_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe
  C:\Windows\{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe
    C:\Windows\{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CDFA4~1.EXE > nul
      4⤵
      PID:2400
  - - C:\Windows\{3050A3BB-FB03-466b-880A-05F65565692E}.exe
      C:\Windows\{3050A3BB-FB03-466b-880A-05F65565692E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3780
    - - C:\Windows\{302C9CBF-460E-4460-A285-B9651A3C9491}.exe
        
        C:\Windows\{302C9CBF-460E-4460-A285-B9651A3C9491}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4368
      - C:\Windows\{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe
        
        C:\Windows\{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe
        
        C:\Windows\{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe
        
        C:\Windows\{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe
        
        C:\Windows\{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe
        
        C:\Windows\{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe
        
        C:\Windows\{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\{53044B0B-764F-49e7-830E-17BA932B12EC}.exe
        
        C:\Windows\{53044B0B-764F-49e7-830E-17BA932B12EC}.exe
        12⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54B73~1.EXE > nul
        12⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7612D~1.EXE > nul
        11⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F4BD~1.EXE > nul
        10⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EADF~1.EXE > nul
        9⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C839A~1.EXE > nul
        8⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D512A~1.EXE > nul
        7⤵
        
        PID:2260
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{302C9~1.EXE > nul
        6⤵
        
        PID:684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3050A~1.EXE > nul
        5⤵
        
        PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7E102~1.EXE > nul
    3⤵
    PID:3800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\741EF0~1.EXE > nul
  2⤵
  PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe

Filesize
168KB

MD5
b36da6df1f7641230d9fb2d0498b2c4a

SHA1
7c5c35aac2b82dda8b8aa343a79f7ecc0e68450e

SHA256
18661a74463cdd2e8337e1d9e145a57e88cfbea0790bf2578d8142dae254c6b1

SHA512
bdb599a7c9968196cdb8698179cb07046695bd96ad5fe17a945b1b3c4bc95f5ce2c5b78096141a3f14d2401330911738523356d457dea7385321c1dfed2edb07

Download Submit
C:\Windows\{0F4BD95A-0E1C-48af-94B2-0D03AB0AEC94}.exe

Filesize
168KB

MD5
b36da6df1f7641230d9fb2d0498b2c4a

SHA1
7c5c35aac2b82dda8b8aa343a79f7ecc0e68450e

SHA256
18661a74463cdd2e8337e1d9e145a57e88cfbea0790bf2578d8142dae254c6b1

SHA512
bdb599a7c9968196cdb8698179cb07046695bd96ad5fe17a945b1b3c4bc95f5ce2c5b78096141a3f14d2401330911738523356d457dea7385321c1dfed2edb07

Download Submit
C:\Windows\{302C9CBF-460E-4460-A285-B9651A3C9491}.exe

Filesize
168KB

MD5
e5ac114c6fd80d566a4d7fd2ab474880

SHA1
5e383102d8fdea03a76c1dc208000b1fdce6ebc2

SHA256
3ffdcb7ffd7c6809060e3918464c842679fc771edf67372c576b95b606dfdf98

SHA512
979d247589a49a0b53a2a9a70b0c1e6225f084e2997f2b3daccddcddc12e770fe341ff651859f288bf42a58e7eadd1d9ae1931488ce18fe3f8ab82a7555f3076

Download Submit
C:\Windows\{302C9CBF-460E-4460-A285-B9651A3C9491}.exe

Filesize
168KB

MD5
e5ac114c6fd80d566a4d7fd2ab474880

SHA1
5e383102d8fdea03a76c1dc208000b1fdce6ebc2

SHA256
3ffdcb7ffd7c6809060e3918464c842679fc771edf67372c576b95b606dfdf98

SHA512
979d247589a49a0b53a2a9a70b0c1e6225f084e2997f2b3daccddcddc12e770fe341ff651859f288bf42a58e7eadd1d9ae1931488ce18fe3f8ab82a7555f3076

Download Submit
C:\Windows\{3050A3BB-FB03-466b-880A-05F65565692E}.exe

Filesize
168KB

MD5
76d2bc359d18c5547b7f02c647c024d2

SHA1
99e578cf64c1508bef182d019873a46a6aeff115

SHA256
495a7d49460e065411f73381eab2a5bbe25872d11d5f6833a428de11fd8580a9

SHA512
2522658433de2633c464bf54cfaf9b6a6e19fe6fc869e5498c13cdda06074f3dc2ec18d6c35ab36fb01f54ae72164791eec4a682b05a7b568aebe414733517bb

Download Submit
C:\Windows\{3050A3BB-FB03-466b-880A-05F65565692E}.exe

Filesize
168KB

MD5
76d2bc359d18c5547b7f02c647c024d2

SHA1
99e578cf64c1508bef182d019873a46a6aeff115

SHA256
495a7d49460e065411f73381eab2a5bbe25872d11d5f6833a428de11fd8580a9

SHA512
2522658433de2633c464bf54cfaf9b6a6e19fe6fc869e5498c13cdda06074f3dc2ec18d6c35ab36fb01f54ae72164791eec4a682b05a7b568aebe414733517bb

Download Submit
C:\Windows\{3050A3BB-FB03-466b-880A-05F65565692E}.exe

Filesize
168KB

MD5
76d2bc359d18c5547b7f02c647c024d2

SHA1
99e578cf64c1508bef182d019873a46a6aeff115

SHA256
495a7d49460e065411f73381eab2a5bbe25872d11d5f6833a428de11fd8580a9

SHA512
2522658433de2633c464bf54cfaf9b6a6e19fe6fc869e5498c13cdda06074f3dc2ec18d6c35ab36fb01f54ae72164791eec4a682b05a7b568aebe414733517bb

Download Submit
C:\Windows\{53044B0B-764F-49e7-830E-17BA932B12EC}.exe

Filesize
168KB

MD5
feb98f971e3c0b70137cb4bc63dce58b

SHA1
f1896c6f62a0a97e12330d50ae6786ec2f835d2e

SHA256
31fc8b963222b1a46f2d5d2f9926596391e010e9e9f2e6fdf8b8212b90cb1441

SHA512
10334c6fd8130d7aee677afd309ef96f1f5611f8c771f75879f2403a2afe3c4dddf7b18b93e92d3cd99e60545c1a2d02b7d0272b87cd4579c356c4dd9c440762

Download Submit
C:\Windows\{53044B0B-764F-49e7-830E-17BA932B12EC}.exe

Filesize
168KB

MD5
feb98f971e3c0b70137cb4bc63dce58b

SHA1
f1896c6f62a0a97e12330d50ae6786ec2f835d2e

SHA256
31fc8b963222b1a46f2d5d2f9926596391e010e9e9f2e6fdf8b8212b90cb1441

SHA512
10334c6fd8130d7aee677afd309ef96f1f5611f8c771f75879f2403a2afe3c4dddf7b18b93e92d3cd99e60545c1a2d02b7d0272b87cd4579c356c4dd9c440762

Download Submit
C:\Windows\{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe

Filesize
168KB

MD5
fb2de0f67db8ca710ced558f91ef8d72

SHA1
6b6147ba5fe9cb565f903b7ca7442b3881e20bb6

SHA256
0be5ab86606a520c053cf84544eed2dff5fb1f636a26f299dc0fdf977dc65fb2

SHA512
d91de31f2a9f609111a853ffab757e3d057a048b3e667fd0100acaf2bf61316baf0d2764f6f3ddd15ddb52324ba42320b8e9c4ddaf18a1407628aafee1073411

Download Submit
C:\Windows\{54B73ED6-D9E4-4e55-A98F-006C8950F513}.exe

Filesize
168KB

MD5
fb2de0f67db8ca710ced558f91ef8d72

SHA1
6b6147ba5fe9cb565f903b7ca7442b3881e20bb6

SHA256
0be5ab86606a520c053cf84544eed2dff5fb1f636a26f299dc0fdf977dc65fb2

SHA512
d91de31f2a9f609111a853ffab757e3d057a048b3e667fd0100acaf2bf61316baf0d2764f6f3ddd15ddb52324ba42320b8e9c4ddaf18a1407628aafee1073411

Download Submit
C:\Windows\{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe

Filesize
168KB

MD5
51785194354460475951dc018134b17f

SHA1
1b5bae27f3efdce42c8bc27af16fa711039ee568

SHA256
f7d0021e3d8ff20949ccce111db8c0cd3f8a6f220bdada42cc835fa53cb0ef76

SHA512
5523a6f4fd57d93a5d1a18f7ac73194237b8f51cf8e7f2c57393ca270aba9c0b8091c6cfe0626a1e490f99e77466ee2abc30fa770095626ebb64e9f9876acfaa

Download Submit
C:\Windows\{7612D6E3-5CDC-4b74-B0C9-45132546EAAC}.exe

Filesize
168KB

MD5
51785194354460475951dc018134b17f

SHA1
1b5bae27f3efdce42c8bc27af16fa711039ee568

SHA256
f7d0021e3d8ff20949ccce111db8c0cd3f8a6f220bdada42cc835fa53cb0ef76

SHA512
5523a6f4fd57d93a5d1a18f7ac73194237b8f51cf8e7f2c57393ca270aba9c0b8091c6cfe0626a1e490f99e77466ee2abc30fa770095626ebb64e9f9876acfaa

Download Submit
C:\Windows\{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe

Filesize
168KB

MD5
32d2839d31a92f8d4584c6cf80c33734

SHA1
15dab7c45fb9f837e4ea43b9c0eeea4e53f97c66

SHA256
e3cf94f6f81054bed22e4f89b4e90c6feda20963cb5835740dc9a050beb522eb

SHA512
10e28879adc4bcb29257a8a4b174c4aabaec72781ae10e476aee67c2bdf582107a5785481d98e0e4653d61e5e36f16fd046c925f6651997e487b7c24e5bf20b0

Download Submit
C:\Windows\{7E102C3B-D804-4cc7-A8C9-12648DD673E9}.exe

Filesize
168KB

MD5
32d2839d31a92f8d4584c6cf80c33734

SHA1
15dab7c45fb9f837e4ea43b9c0eeea4e53f97c66

SHA256
e3cf94f6f81054bed22e4f89b4e90c6feda20963cb5835740dc9a050beb522eb

SHA512
10e28879adc4bcb29257a8a4b174c4aabaec72781ae10e476aee67c2bdf582107a5785481d98e0e4653d61e5e36f16fd046c925f6651997e487b7c24e5bf20b0

Download Submit
C:\Windows\{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe

Filesize
168KB

MD5
b919e188de2639c1ed09f3ac2720ad85

SHA1
d3fdb905c612c5d0bbefa6f545b72f1f2551498d

SHA256
0980f5ca5454131f9be236050457b584403142e38f4433aaa99bfe361f3a4312

SHA512
a2f1adfad32d8f6e814f2443761cd3f7d15c8b6097fdeafe0470b443950c820aa409dde2fb87db7267044117938ef9c84fff40b31917b54d975c497d70b434af

Download Submit
C:\Windows\{9EADFA82-297E-4841-BECB-8B98E0B30191}.exe

Filesize
168KB

MD5
b919e188de2639c1ed09f3ac2720ad85

SHA1
d3fdb905c612c5d0bbefa6f545b72f1f2551498d

SHA256
0980f5ca5454131f9be236050457b584403142e38f4433aaa99bfe361f3a4312

SHA512
a2f1adfad32d8f6e814f2443761cd3f7d15c8b6097fdeafe0470b443950c820aa409dde2fb87db7267044117938ef9c84fff40b31917b54d975c497d70b434af

Download Submit
C:\Windows\{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe

Filesize
168KB

MD5
0605d38d31f2a1033a64a5b1adb36215

SHA1
736b2baf0a79d8d38b7b804a5dbb0da3c25a3a1e

SHA256
11f1dd5de21ceb53d86656627bf633bf85f17dc6d9019b96d85940c6c9e4b05f

SHA512
e3c91369176b77c215f5db8ff12e325b77bf846aff687a4174d8bca4f54140315b355f5b7657d5b5227923f64b310b8fb2f03fd704fa5707d84b9e82aa39a1fa

Download Submit
C:\Windows\{C839AC36-6621-4065-AFAF-268BEE0DCDB3}.exe

Filesize
168KB

MD5
0605d38d31f2a1033a64a5b1adb36215

SHA1
736b2baf0a79d8d38b7b804a5dbb0da3c25a3a1e

SHA256
11f1dd5de21ceb53d86656627bf633bf85f17dc6d9019b96d85940c6c9e4b05f

SHA512
e3c91369176b77c215f5db8ff12e325b77bf846aff687a4174d8bca4f54140315b355f5b7657d5b5227923f64b310b8fb2f03fd704fa5707d84b9e82aa39a1fa

Download Submit
C:\Windows\{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe

Filesize
168KB

MD5
517103b90163256535279b97c9f3b89e

SHA1
9fe0a9555fbaf5556f3407572f3f4ee32dbf4d8e

SHA256
3c48360c553b55451c124a196ead84bc933b2f5fa656dbb782ce4a44d5276ba5

SHA512
f410f79c7ab2ff7b2241297e2f1d1633f25cca4473d27a4b521babcd86d05a754ba89f938f7d5b177bfd7dd46f4c76d96436eb32dc2b042ba3d90a53d5a6e7ad

Download Submit
C:\Windows\{CDFA41F0-684B-43b0-915A-52F90FD39DAE}.exe

Filesize
168KB

MD5
517103b90163256535279b97c9f3b89e

SHA1
9fe0a9555fbaf5556f3407572f3f4ee32dbf4d8e

SHA256
3c48360c553b55451c124a196ead84bc933b2f5fa656dbb782ce4a44d5276ba5

SHA512
f410f79c7ab2ff7b2241297e2f1d1633f25cca4473d27a4b521babcd86d05a754ba89f938f7d5b177bfd7dd46f4c76d96436eb32dc2b042ba3d90a53d5a6e7ad

Download Submit
C:\Windows\{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe

Filesize
168KB

MD5
f0549f09170ed12b86912953035fd3a3

SHA1
86d064af07d8b732ef62fa091fc0198e53b6009f

SHA256
1024c692b0425b197b94b35fe6ec39b18af7a708cb99224dc983732f8251c39b

SHA512
cc4ae6d9df2812c250fcde0802a5b0a414d063c115fa600ac2e5062331eca2ff05719c251d77ee3de0eb6ac30855aadff227f26d58cca50550842950a62ef3af

Download Submit
C:\Windows\{D512A261-0126-40b5-B8E6-4BBEFD2D6BC8}.exe

Filesize
168KB

MD5
f0549f09170ed12b86912953035fd3a3

SHA1
86d064af07d8b732ef62fa091fc0198e53b6009f

SHA256
1024c692b0425b197b94b35fe6ec39b18af7a708cb99224dc983732f8251c39b

SHA512
cc4ae6d9df2812c250fcde0802a5b0a414d063c115fa600ac2e5062331eca2ff05719c251d77ee3de0eb6ac30855aadff227f26d58cca50550842950a62ef3af

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads