7a73251acd9be3a5233cf2efdefa24abf97d54e19f181a87078c23e6a1b2f334

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b37f080166025b91567eb1877fd52dd_goldeneye_JC.exe
Size

380KB
MD5

9b37f080166025b91567eb1877fd52dd
SHA1

0aa133fe6f92054a896fe9cee0a64a3dfdb52029
SHA256

7a73251acd9be3a5233cf2efdefa24abf97d54e19f181a87078c23e6a1b2f334
SHA512

4979a9c48969fe6697e4d8efd63570abfcdbb30f3a64bf817ef3eec4f2632804ddd684c13ba6acf5f89fc3721d8ac59925ec1bc7de6c714629f79dcce912542a
SSDEEP

3072:mEGh0odlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGLl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6744B507-2371-4958-845B-ACCF917446CB}\stubpath = "C:\\Windows\\{6744B507-2371-4958-845B-ACCF917446CB}.exe"	{355D6320-777F-4cca-86B3-68128282FD86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3967D160-020D-4037-9790-6055911D1D8D}	{6744B507-2371-4958-845B-ACCF917446CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{414B4655-FB31-4700-8293-6CD0DB574C5C}	{3967D160-020D-4037-9790-6055911D1D8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCEFC9EE-A77A-4a8b-A522-3CBA09E400AA}\stubpath = "C:\\Windows\\{BCEFC9EE-A77A-4a8b-A522-3CBA09E400AA}.exe"	{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6744B507-2371-4958-845B-ACCF917446CB}	{355D6320-777F-4cca-86B3-68128282FD86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0135E53B-A905-4d5b-A58E-3738290758F3}	{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0135E53B-A905-4d5b-A58E-3738290758F3}\stubpath = "C:\\Windows\\{0135E53B-A905-4d5b-A58E-3738290758F3}.exe"	{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7497B5BC-63C2-4938-8152-6E538B0946BA}	{0135E53B-A905-4d5b-A58E-3738290758F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3A43028-2F17-4919-AC10-D9047440E710}	{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE6C9482-6448-4a45-9125-93868756C188}\stubpath = "C:\\Windows\\{BE6C9482-6448-4a45-9125-93868756C188}.exe"	{A3A43028-2F17-4919-AC10-D9047440E710}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}	9b37f080166025b91567eb1877fd52dd_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7497B5BC-63C2-4938-8152-6E538B0946BA}\stubpath = "C:\\Windows\\{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe"	{0135E53B-A905-4d5b-A58E-3738290758F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{762CD1F7-861A-4a23-AC34-C9B14357053F}	{BE6C9482-6448-4a45-9125-93868756C188}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{762CD1F7-861A-4a23-AC34-C9B14357053F}\stubpath = "C:\\Windows\\{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe"	{BE6C9482-6448-4a45-9125-93868756C188}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCEFC9EE-A77A-4a8b-A522-3CBA09E400AA}	{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33FEE9E0-2053-49e6-B64C-F7966F540A73}	{BCEFC9EE-A77A-4a8b-A522-3CBA09E400AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}\stubpath = "C:\\Windows\\{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe"	9b37f080166025b91567eb1877fd52dd_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE6C9482-6448-4a45-9125-93868756C188}	{A3A43028-2F17-4919-AC10-D9047440E710}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{355D6320-777F-4cca-86B3-68128282FD86}	{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{355D6320-777F-4cca-86B3-68128282FD86}\stubpath = "C:\\Windows\\{355D6320-777F-4cca-86B3-68128282FD86}.exe"	{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3967D160-020D-4037-9790-6055911D1D8D}\stubpath = "C:\\Windows\\{3967D160-020D-4037-9790-6055911D1D8D}.exe"	{6744B507-2371-4958-845B-ACCF917446CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{414B4655-FB31-4700-8293-6CD0DB574C5C}\stubpath = "C:\\Windows\\{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe"	{3967D160-020D-4037-9790-6055911D1D8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33FEE9E0-2053-49e6-B64C-F7966F540A73}\stubpath = "C:\\Windows\\{33FEE9E0-2053-49e6-B64C-F7966F540A73}.exe"	{BCEFC9EE-A77A-4a8b-A522-3CBA09E400AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3A43028-2F17-4919-AC10-D9047440E710}\stubpath = "C:\\Windows\\{A3A43028-2F17-4919-AC10-D9047440E710}.exe"	{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe

Executes dropped EXE 12 IoCs

pid	Process
4076	{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe
5036	{0135E53B-A905-4d5b-A58E-3738290758F3}.exe
1928	{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe
4968	{A3A43028-2F17-4919-AC10-D9047440E710}.exe
1632	{BE6C9482-6448-4a45-9125-93868756C188}.exe
1736	{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe
4992	{355D6320-777F-4cca-86B3-68128282FD86}.exe
2928	{6744B507-2371-4958-845B-ACCF917446CB}.exe
1552	{3967D160-020D-4037-9790-6055911D1D8D}.exe
3316	{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe
4344	{BCEFC9EE-A77A-4a8b-A522-3CBA09E400AA}.exe
3256	{33FEE9E0-2053-49e6-B64C-F7966F540A73}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe	9b37f080166025b91567eb1877fd52dd_goldeneye_JC.exe
File created	C:\Windows\{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe	{0135E53B-A905-4d5b-A58E-3738290758F3}.exe
File created	C:\Windows\{BE6C9482-6448-4a45-9125-93868756C188}.exe	{A3A43028-2F17-4919-AC10-D9047440E710}.exe
File created	C:\Windows\{6744B507-2371-4958-845B-ACCF917446CB}.exe	{355D6320-777F-4cca-86B3-68128282FD86}.exe
File created	C:\Windows\{33FEE9E0-2053-49e6-B64C-F7966F540A73}.exe	{BCEFC9EE-A77A-4a8b-A522-3CBA09E400AA}.exe
File created	C:\Windows\{BCEFC9EE-A77A-4a8b-A522-3CBA09E400AA}.exe	{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe
File created	C:\Windows\{0135E53B-A905-4d5b-A58E-3738290758F3}.exe	{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe
File created	C:\Windows\{A3A43028-2F17-4919-AC10-D9047440E710}.exe	{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe
File created	C:\Windows\{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe	{BE6C9482-6448-4a45-9125-93868756C188}.exe
File created	C:\Windows\{355D6320-777F-4cca-86B3-68128282FD86}.exe	{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe
File created	C:\Windows\{3967D160-020D-4037-9790-6055911D1D8D}.exe	{6744B507-2371-4958-845B-ACCF917446CB}.exe
File created	C:\Windows\{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe	{3967D160-020D-4037-9790-6055911D1D8D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1720	9b37f080166025b91567eb1877fd52dd_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4076	{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe
Token: SeIncBasePriorityPrivilege	5036	{0135E53B-A905-4d5b-A58E-3738290758F3}.exe
Token: SeIncBasePriorityPrivilege	1928	{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe
Token: SeIncBasePriorityPrivilege	4968	{A3A43028-2F17-4919-AC10-D9047440E710}.exe
Token: SeIncBasePriorityPrivilege	1632	{BE6C9482-6448-4a45-9125-93868756C188}.exe
Token: SeIncBasePriorityPrivilege	1736	{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe
Token: SeIncBasePriorityPrivilege	4992	{355D6320-777F-4cca-86B3-68128282FD86}.exe
Token: SeIncBasePriorityPrivilege	2928	{6744B507-2371-4958-845B-ACCF917446CB}.exe
Token: SeIncBasePriorityPrivilege	1552	{3967D160-020D-4037-9790-6055911D1D8D}.exe
Token: SeIncBasePriorityPrivilege	3316	{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe
Token: SeIncBasePriorityPrivilege	4344	{BCEFC9EE-A77A-4a8b-A522-3CBA09E400AA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 4076	1720	9b37f080166025b91567eb1877fd52dd_goldeneye_JC.exe	89
PID 1720 wrote to memory of 4076	1720	9b37f080166025b91567eb1877fd52dd_goldeneye_JC.exe	89
PID 1720 wrote to memory of 4076	1720	9b37f080166025b91567eb1877fd52dd_goldeneye_JC.exe	89
PID 1720 wrote to memory of 5076	1720	9b37f080166025b91567eb1877fd52dd_goldeneye_JC.exe	90
PID 1720 wrote to memory of 5076	1720	9b37f080166025b91567eb1877fd52dd_goldeneye_JC.exe	90
PID 1720 wrote to memory of 5076	1720	9b37f080166025b91567eb1877fd52dd_goldeneye_JC.exe	90
PID 4076 wrote to memory of 5036	4076	{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe	91
PID 4076 wrote to memory of 5036	4076	{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe	91
PID 4076 wrote to memory of 5036	4076	{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe	91
PID 4076 wrote to memory of 884	4076	{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe	92
PID 4076 wrote to memory of 884	4076	{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe	92
PID 4076 wrote to memory of 884	4076	{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe	92
PID 5036 wrote to memory of 1928	5036	{0135E53B-A905-4d5b-A58E-3738290758F3}.exe	94
PID 5036 wrote to memory of 1928	5036	{0135E53B-A905-4d5b-A58E-3738290758F3}.exe	94
PID 5036 wrote to memory of 1928	5036	{0135E53B-A905-4d5b-A58E-3738290758F3}.exe	94
PID 5036 wrote to memory of 3712	5036	{0135E53B-A905-4d5b-A58E-3738290758F3}.exe	95
PID 5036 wrote to memory of 3712	5036	{0135E53B-A905-4d5b-A58E-3738290758F3}.exe	95
PID 5036 wrote to memory of 3712	5036	{0135E53B-A905-4d5b-A58E-3738290758F3}.exe	95
PID 1928 wrote to memory of 4968	1928	{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe	96
PID 1928 wrote to memory of 4968	1928	{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe	96
PID 1928 wrote to memory of 4968	1928	{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe	96
PID 1928 wrote to memory of 452	1928	{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe	97
PID 1928 wrote to memory of 452	1928	{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe	97
PID 1928 wrote to memory of 452	1928	{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe	97
PID 4968 wrote to memory of 1632	4968	{A3A43028-2F17-4919-AC10-D9047440E710}.exe	98
PID 4968 wrote to memory of 1632	4968	{A3A43028-2F17-4919-AC10-D9047440E710}.exe	98
PID 4968 wrote to memory of 1632	4968	{A3A43028-2F17-4919-AC10-D9047440E710}.exe	98
PID 4968 wrote to memory of 876	4968	{A3A43028-2F17-4919-AC10-D9047440E710}.exe	99
PID 4968 wrote to memory of 876	4968	{A3A43028-2F17-4919-AC10-D9047440E710}.exe	99
PID 4968 wrote to memory of 876	4968	{A3A43028-2F17-4919-AC10-D9047440E710}.exe	99
PID 1632 wrote to memory of 1736	1632	{BE6C9482-6448-4a45-9125-93868756C188}.exe	100
PID 1632 wrote to memory of 1736	1632	{BE6C9482-6448-4a45-9125-93868756C188}.exe	100
PID 1632 wrote to memory of 1736	1632	{BE6C9482-6448-4a45-9125-93868756C188}.exe	100
PID 1632 wrote to memory of 4328	1632	{BE6C9482-6448-4a45-9125-93868756C188}.exe	101
PID 1632 wrote to memory of 4328	1632	{BE6C9482-6448-4a45-9125-93868756C188}.exe	101
PID 1632 wrote to memory of 4328	1632	{BE6C9482-6448-4a45-9125-93868756C188}.exe	101
PID 1736 wrote to memory of 4992	1736	{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe	102
PID 1736 wrote to memory of 4992	1736	{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe	102
PID 1736 wrote to memory of 4992	1736	{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe	102
PID 1736 wrote to memory of 3644	1736	{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe	103
PID 1736 wrote to memory of 3644	1736	{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe	103
PID 1736 wrote to memory of 3644	1736	{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe	103
PID 4992 wrote to memory of 2928	4992	{355D6320-777F-4cca-86B3-68128282FD86}.exe	104
PID 4992 wrote to memory of 2928	4992	{355D6320-777F-4cca-86B3-68128282FD86}.exe	104
PID 4992 wrote to memory of 2928	4992	{355D6320-777F-4cca-86B3-68128282FD86}.exe	104
PID 4992 wrote to memory of 4208	4992	{355D6320-777F-4cca-86B3-68128282FD86}.exe	105
PID 4992 wrote to memory of 4208	4992	{355D6320-777F-4cca-86B3-68128282FD86}.exe	105
PID 4992 wrote to memory of 4208	4992	{355D6320-777F-4cca-86B3-68128282FD86}.exe	105
PID 2928 wrote to memory of 1552	2928	{6744B507-2371-4958-845B-ACCF917446CB}.exe	106
PID 2928 wrote to memory of 1552	2928	{6744B507-2371-4958-845B-ACCF917446CB}.exe	106
PID 2928 wrote to memory of 1552	2928	{6744B507-2371-4958-845B-ACCF917446CB}.exe	106
PID 2928 wrote to memory of 1816	2928	{6744B507-2371-4958-845B-ACCF917446CB}.exe	107
PID 2928 wrote to memory of 1816	2928	{6744B507-2371-4958-845B-ACCF917446CB}.exe	107
PID 2928 wrote to memory of 1816	2928	{6744B507-2371-4958-845B-ACCF917446CB}.exe	107
PID 1552 wrote to memory of 3316	1552	{3967D160-020D-4037-9790-6055911D1D8D}.exe	108
PID 1552 wrote to memory of 3316	1552	{3967D160-020D-4037-9790-6055911D1D8D}.exe	108
PID 1552 wrote to memory of 3316	1552	{3967D160-020D-4037-9790-6055911D1D8D}.exe	108
PID 1552 wrote to memory of 1868	1552	{3967D160-020D-4037-9790-6055911D1D8D}.exe	109
PID 1552 wrote to memory of 1868	1552	{3967D160-020D-4037-9790-6055911D1D8D}.exe	109
PID 1552 wrote to memory of 1868	1552	{3967D160-020D-4037-9790-6055911D1D8D}.exe	109
PID 3316 wrote to memory of 4344	3316	{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe	110
PID 3316 wrote to memory of 4344	3316	{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe	110
PID 3316 wrote to memory of 4344	3316	{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe	110
PID 3316 wrote to memory of 4504	3316	{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe	111

C:\Users\Admin\AppData\Local\Temp\9b37f080166025b91567eb1877fd52dd_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9b37f080166025b91567eb1877fd52dd_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe
  C:\Windows\{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\{0135E53B-A905-4d5b-A58E-3738290758F3}.exe
    C:\Windows\{0135E53B-A905-4d5b-A58E-3738290758F3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe
      C:\Windows\{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\{A3A43028-2F17-4919-AC10-D9047440E710}.exe
        
        C:\Windows\{A3A43028-2F17-4919-AC10-D9047440E710}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4968
      - C:\Windows\{BE6C9482-6448-4a45-9125-93868756C188}.exe
        
        C:\Windows\{BE6C9482-6448-4a45-9125-93868756C188}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe
        
        C:\Windows\{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\{355D6320-777F-4cca-86B3-68128282FD86}.exe
        
        C:\Windows\{355D6320-777F-4cca-86B3-68128282FD86}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{6744B507-2371-4958-845B-ACCF917446CB}.exe
        
        C:\Windows\{6744B507-2371-4958-845B-ACCF917446CB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{3967D160-020D-4037-9790-6055911D1D8D}.exe
        
        C:\Windows\{3967D160-020D-4037-9790-6055911D1D8D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe
        
        C:\Windows\{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\{BCEFC9EE-A77A-4a8b-A522-3CBA09E400AA}.exe
        
        C:\Windows\{BCEFC9EE-A77A-4a8b-A522-3CBA09E400AA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Windows\{33FEE9E0-2053-49e6-B64C-F7966F540A73}.exe
        
        C:\Windows\{33FEE9E0-2053-49e6-B64C-F7966F540A73}.exe
        13⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCEFC~1.EXE > nul
        13⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{414B4~1.EXE > nul
        12⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3967D~1.EXE > nul
        11⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6744B~1.EXE > nul
        10⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{355D6~1.EXE > nul
        9⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{762CD~1.EXE > nul
        8⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE6C9~1.EXE > nul
        7⤵
        
        PID:4328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3A43~1.EXE > nul
        6⤵
        
        PID:876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7497B~1.EXE > nul
        5⤵
        
        PID:452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0135E~1.EXE > nul
      4⤵
      PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4206F~1.EXE > nul
    3⤵
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9B37F0~1.EXE > nul
  2⤵
  PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0135E53B-A905-4d5b-A58E-3738290758F3}.exe

Filesize
380KB

MD5
cd40f1409a13c22484e2b0a983596992

SHA1
d2baba6cb98dc832774d9772a7099b3807e4696c

SHA256
e8641eb8e92a7d03d01f2c0264e97d969b0838a0332e2878c781bcc64df2ae92

SHA512
e85626e0cd335c9fb9ef44cc4e6f2451313d229e11adac01233b64316785e783793bc30e44b1eaa15275d1c0a8b0ffcb7e5c1f32eebc36dfe633857975503f0c

Download Submit
C:\Windows\{0135E53B-A905-4d5b-A58E-3738290758F3}.exe

Filesize
380KB

MD5
cd40f1409a13c22484e2b0a983596992

SHA1
d2baba6cb98dc832774d9772a7099b3807e4696c

SHA256
e8641eb8e92a7d03d01f2c0264e97d969b0838a0332e2878c781bcc64df2ae92

SHA512
e85626e0cd335c9fb9ef44cc4e6f2451313d229e11adac01233b64316785e783793bc30e44b1eaa15275d1c0a8b0ffcb7e5c1f32eebc36dfe633857975503f0c

Download Submit
C:\Windows\{33FEE9E0-2053-49e6-B64C-F7966F540A73}.exe

Filesize
380KB

MD5
b425e3dab559588243c41d72518bb359

SHA1
2ea3dea47fe7d71c16bd37581ea45f5ab6580963

SHA256
fd638f4b2d6ccd53d561edaa3aa25082f157d048965a3b6f26890358e4559fe9

SHA512
5543f5915e96c4598dda8edf037d04641d6ec453bc8bc92ce5e3423c89bbae146738d8179d2ec1f500fd0761d46c8a13e687a5371b131197adc0110169cb562b

Download Submit
C:\Windows\{33FEE9E0-2053-49e6-B64C-F7966F540A73}.exe

Filesize
380KB

MD5
b425e3dab559588243c41d72518bb359

SHA1
2ea3dea47fe7d71c16bd37581ea45f5ab6580963

SHA256
fd638f4b2d6ccd53d561edaa3aa25082f157d048965a3b6f26890358e4559fe9

SHA512
5543f5915e96c4598dda8edf037d04641d6ec453bc8bc92ce5e3423c89bbae146738d8179d2ec1f500fd0761d46c8a13e687a5371b131197adc0110169cb562b

Download Submit
C:\Windows\{355D6320-777F-4cca-86B3-68128282FD86}.exe

Filesize
380KB

MD5
fc7ab81a1fec83564ca0b92b3c92b5de

SHA1
9a236e0678a63449ef5c72085aef1015dae3a19b

SHA256
c679efa272ca19b8bab4f23f66d085cfd41fb60fe3184fc39a9474aacb61ffe1

SHA512
776b34c0deb5c0cb2af260b1db354f5d88479431eb3ffc99a4b5ca6a9bf9c32b65c29f6a96321545d09bf14ab128742739dee747ca1cb0ec142cfdc883be243f

Download Submit
C:\Windows\{355D6320-777F-4cca-86B3-68128282FD86}.exe

Filesize
380KB

MD5
fc7ab81a1fec83564ca0b92b3c92b5de

SHA1
9a236e0678a63449ef5c72085aef1015dae3a19b

SHA256
c679efa272ca19b8bab4f23f66d085cfd41fb60fe3184fc39a9474aacb61ffe1

SHA512
776b34c0deb5c0cb2af260b1db354f5d88479431eb3ffc99a4b5ca6a9bf9c32b65c29f6a96321545d09bf14ab128742739dee747ca1cb0ec142cfdc883be243f

Download Submit
C:\Windows\{3967D160-020D-4037-9790-6055911D1D8D}.exe

Filesize
380KB

MD5
3ac926daba12692591e6e3742f928b2e

SHA1
161e73c432a656fd7c5c20d24fa92df8c5c8c2bb

SHA256
22eeeb7951cfb77436ebb65385af5d06c929657e9f16025b626e22f0015da687

SHA512
adc977e96c79977a0af8de84aa88307b59cc8358d34fcc9dc9105301fc928b8b3142e2f35e5fbb979f8951032ad1f566ff476756c148d65476dffedc7d8a3e1e

Download Submit
C:\Windows\{3967D160-020D-4037-9790-6055911D1D8D}.exe

Filesize
380KB

MD5
3ac926daba12692591e6e3742f928b2e

SHA1
161e73c432a656fd7c5c20d24fa92df8c5c8c2bb

SHA256
22eeeb7951cfb77436ebb65385af5d06c929657e9f16025b626e22f0015da687

SHA512
adc977e96c79977a0af8de84aa88307b59cc8358d34fcc9dc9105301fc928b8b3142e2f35e5fbb979f8951032ad1f566ff476756c148d65476dffedc7d8a3e1e

Download Submit
C:\Windows\{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe

Filesize
380KB

MD5
732c6f88492972b6ed5703b57de36919

SHA1
013e7dc4c3ed9d0b6d1bd0bac7968109292c6ea3

SHA256
09b8a1a5decbd4e2ecd5698672b7263550b50849669e37250838a4c63bf84afd

SHA512
b103f6275c1c1caf860df24f311a07ef522ad8c3ef30417e1cb2793fe6f1f738cda31dc00c93be342353c6b36736407e196982f122f7e030da623724d4969d6b

Download Submit
C:\Windows\{414B4655-FB31-4700-8293-6CD0DB574C5C}.exe

Filesize
380KB

MD5
732c6f88492972b6ed5703b57de36919

SHA1
013e7dc4c3ed9d0b6d1bd0bac7968109292c6ea3

SHA256
09b8a1a5decbd4e2ecd5698672b7263550b50849669e37250838a4c63bf84afd

SHA512
b103f6275c1c1caf860df24f311a07ef522ad8c3ef30417e1cb2793fe6f1f738cda31dc00c93be342353c6b36736407e196982f122f7e030da623724d4969d6b

Download Submit
C:\Windows\{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe

Filesize
380KB

MD5
358cc5b279373f0cce5b64d429ce392d

SHA1
8f66c983db1d64ed22a017326b17982d41282a49

SHA256
48b68ba62a3a61e55d01d89ad8eaf5ae333b669c37847748dab0e8cc2079b4d4

SHA512
f63ba7d7fbf2ebf2a507601debcf80a8fea13dd1ae743cfd474718f86c8ad2ea6bf6d5a40acf678b6d682b7e90ef2c8ad7fa2bce6221a3d345f2c40c6d74e299

Download Submit
C:\Windows\{4206FCB4-13FF-4073-9F4C-9CF45BA01DB4}.exe

Filesize
380KB

MD5
358cc5b279373f0cce5b64d429ce392d

SHA1
8f66c983db1d64ed22a017326b17982d41282a49

SHA256
48b68ba62a3a61e55d01d89ad8eaf5ae333b669c37847748dab0e8cc2079b4d4

SHA512
f63ba7d7fbf2ebf2a507601debcf80a8fea13dd1ae743cfd474718f86c8ad2ea6bf6d5a40acf678b6d682b7e90ef2c8ad7fa2bce6221a3d345f2c40c6d74e299

Download Submit
C:\Windows\{6744B507-2371-4958-845B-ACCF917446CB}.exe

Filesize
380KB

MD5
c8af953e0c6f74cc819320f5106e6684

SHA1
f1520e860ab698d4c6d9514b9607498a7ddb79e1

SHA256
ff5bd36ff9f565ea415dfa175ccb6fec6e36417577de378917ce9d0d8f2704eb

SHA512
93baedfbec84eeb28ab8c6a2e92f90ae16398232b8e8159698ba34c09111930b80f0e824f3e601f9604732db42187fc66c5a63f200064baea6126cc339ae0e82

Download Submit
C:\Windows\{6744B507-2371-4958-845B-ACCF917446CB}.exe

Filesize
380KB

MD5
c8af953e0c6f74cc819320f5106e6684

SHA1
f1520e860ab698d4c6d9514b9607498a7ddb79e1

SHA256
ff5bd36ff9f565ea415dfa175ccb6fec6e36417577de378917ce9d0d8f2704eb

SHA512
93baedfbec84eeb28ab8c6a2e92f90ae16398232b8e8159698ba34c09111930b80f0e824f3e601f9604732db42187fc66c5a63f200064baea6126cc339ae0e82

Download Submit
C:\Windows\{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe

Filesize
380KB

MD5
20dd7729fbf52ce7be1f1af5d8be1d89

SHA1
d850ee54772a70d0b26f30a2fd6874ebabf6d27d

SHA256
0cb33d1ed75b7a67f7e13924868d5428433d44b4d73eb05e26e1fbde6571f79c

SHA512
17c432bef0f9bf46fd505d65b594de7d39244e67a817a294d8ca014d547611613be5174b19f1c801b2d90c9db0d8c6368c03be8d2018880957912872fe5c1036

Download Submit
C:\Windows\{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe

Filesize
380KB

MD5
20dd7729fbf52ce7be1f1af5d8be1d89

SHA1
d850ee54772a70d0b26f30a2fd6874ebabf6d27d

SHA256
0cb33d1ed75b7a67f7e13924868d5428433d44b4d73eb05e26e1fbde6571f79c

SHA512
17c432bef0f9bf46fd505d65b594de7d39244e67a817a294d8ca014d547611613be5174b19f1c801b2d90c9db0d8c6368c03be8d2018880957912872fe5c1036

Download Submit
C:\Windows\{7497B5BC-63C2-4938-8152-6E538B0946BA}.exe

Filesize
380KB

MD5
20dd7729fbf52ce7be1f1af5d8be1d89

SHA1
d850ee54772a70d0b26f30a2fd6874ebabf6d27d

SHA256
0cb33d1ed75b7a67f7e13924868d5428433d44b4d73eb05e26e1fbde6571f79c

SHA512
17c432bef0f9bf46fd505d65b594de7d39244e67a817a294d8ca014d547611613be5174b19f1c801b2d90c9db0d8c6368c03be8d2018880957912872fe5c1036

Download Submit
C:\Windows\{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe

Filesize
380KB

MD5
e06794aa58f6017599de4cde481faf1d

SHA1
25de4fec1f1a644f0eb884da278e342922cecc1f

SHA256
d53af1bfaf664ce09ccbc97c0f789abfa3227a1d781f24a87e137ae871141572

SHA512
a187d6d670f706aa0267c2031d230efe7b0923456e424122a4514fa89419c9e6eb7bd9a4f75afdf0f2a8d0d3ff1e0efdadbeeb557fa61f5dfb2d18dc049c8684

Download Submit
C:\Windows\{762CD1F7-861A-4a23-AC34-C9B14357053F}.exe

Filesize
380KB

MD5
e06794aa58f6017599de4cde481faf1d

SHA1
25de4fec1f1a644f0eb884da278e342922cecc1f

SHA256
d53af1bfaf664ce09ccbc97c0f789abfa3227a1d781f24a87e137ae871141572

SHA512
a187d6d670f706aa0267c2031d230efe7b0923456e424122a4514fa89419c9e6eb7bd9a4f75afdf0f2a8d0d3ff1e0efdadbeeb557fa61f5dfb2d18dc049c8684

Download Submit
C:\Windows\{A3A43028-2F17-4919-AC10-D9047440E710}.exe

Filesize
380KB

MD5
41a96b0b07adbc9dcb67eb31bab0928f

SHA1
a01d1e6899608ec87e3ca59f609f683e733808f4

SHA256
c9c687ff15b539cc39967e52f4b72c5c6ad83f39ea9132555795f06972d20936

SHA512
1bb7a594fd6140df4f4aca009f31a81547eaeb374dca0ae80ea4b9e621f946e4598f83452423e5adc9fce753c26e25ba964705457961c808fcd4a3ff3d97dc7c

Download Submit
C:\Windows\{A3A43028-2F17-4919-AC10-D9047440E710}.exe

Filesize
380KB

MD5
41a96b0b07adbc9dcb67eb31bab0928f

SHA1
a01d1e6899608ec87e3ca59f609f683e733808f4

SHA256
c9c687ff15b539cc39967e52f4b72c5c6ad83f39ea9132555795f06972d20936

SHA512
1bb7a594fd6140df4f4aca009f31a81547eaeb374dca0ae80ea4b9e621f946e4598f83452423e5adc9fce753c26e25ba964705457961c808fcd4a3ff3d97dc7c

Download Submit
C:\Windows\{BCEFC9EE-A77A-4a8b-A522-3CBA09E400AA}.exe

Filesize
380KB

MD5
e2a9ad58c8f4f9437d8e9ae3c252bcad

SHA1
b8765240958732f2d2cb148ac5d8f712d1bedfa4

SHA256
cc3dd338e24fc40722b0298a81871c7ea2b0dc09721ae1a7d4815f21d9184913

SHA512
8b32f74b7522e5ce26d66157b680eee5cd7a882dc8be8e39ebcffecd3c9b75f3b3acc6a066f42196e70fcbab59761b4c1561450a71fb1ac225ce1c020115fecd

Download Submit
C:\Windows\{BCEFC9EE-A77A-4a8b-A522-3CBA09E400AA}.exe

Filesize
380KB

MD5
e2a9ad58c8f4f9437d8e9ae3c252bcad

SHA1
b8765240958732f2d2cb148ac5d8f712d1bedfa4

SHA256
cc3dd338e24fc40722b0298a81871c7ea2b0dc09721ae1a7d4815f21d9184913

SHA512
8b32f74b7522e5ce26d66157b680eee5cd7a882dc8be8e39ebcffecd3c9b75f3b3acc6a066f42196e70fcbab59761b4c1561450a71fb1ac225ce1c020115fecd

Download Submit
C:\Windows\{BE6C9482-6448-4a45-9125-93868756C188}.exe

Filesize
380KB

MD5
e91fad4d81f5fefbe1be9c380e77b506

SHA1
e86e6f259cf9272205800401a95a0dbcce8803fc

SHA256
34020181e24194a4b9e654c3388a499c6ccc37aca390a299ba05ba1223cd185c

SHA512
c45b10c7a34dd1429a9c4f6fb699e96e11a887dcf680027c1cb8ec098cb0743c26f93005e8f5fbafbeb3d76c5a5c401a40a394db159b5aa6250737cf91164835

Download Submit
C:\Windows\{BE6C9482-6448-4a45-9125-93868756C188}.exe

Filesize
380KB

MD5
e91fad4d81f5fefbe1be9c380e77b506

SHA1
e86e6f259cf9272205800401a95a0dbcce8803fc

SHA256
34020181e24194a4b9e654c3388a499c6ccc37aca390a299ba05ba1223cd185c

SHA512
c45b10c7a34dd1429a9c4f6fb699e96e11a887dcf680027c1cb8ec098cb0743c26f93005e8f5fbafbeb3d76c5a5c401a40a394db159b5aa6250737cf91164835

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads