fa3d49157af8789c15858aa4330148040316ec5fff11000f3e8c262c44dfe7c8

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2023, 14:54 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe
Size

408KB
MD5

cc6fd83dcac9559938940a0a6f4124d4
SHA1

8108d8585fb8b403b1e6e9f05bce3a6a4034f0aa
SHA256

fa3d49157af8789c15858aa4330148040316ec5fff11000f3e8c262c44dfe7c8
SHA512

3e1f593764ac9a182c62ad552c41356b1f49fbe71a3a94cd344140d939a802435962a00e3e2130fd7bba481c726ce271dafbbd3b6f78044e8fed73a15659e956
SSDEEP

3072:CEGh0oIl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG6ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{407B06E8-CE37-4768-A4D7-82B58FCB57A5}\stubpath = "C:\\Windows\\{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe"	{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EEE675C-BE34-44c8-917B-1E75D0B989B1}	{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}\stubpath = "C:\\Windows\\{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe"	{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DD931B3-3145-4d5c-B598-3601F8969409}\stubpath = "C:\\Windows\\{8DD931B3-3145-4d5c-B598-3601F8969409}.exe"	{979F63E1-2E03-450b-90AF-4416E296E29A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2068FF0A-8112-494a-AB71-5A2C52528C6A}\stubpath = "C:\\Windows\\{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe"	{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45C76529-3B98-455e-800B-7B290C923044}	{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4F78E89-D489-4eff-8944-6D7CC03940AC}\stubpath = "C:\\Windows\\{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe"	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EEE675C-BE34-44c8-917B-1E75D0B989B1}\stubpath = "C:\\Windows\\{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe"	{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}	{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DBA900D-141B-4963-B68F-30D6CE61ACFC}\stubpath = "C:\\Windows\\{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe"	{8DD931B3-3145-4d5c-B598-3601F8969409}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC377B9-3F50-458e-B8F0-C04736C62D59}\stubpath = "C:\\Windows\\{2FC377B9-3F50-458e-B8F0-C04736C62D59}.exe"	{45C76529-3B98-455e-800B-7B290C923044}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4F78E89-D489-4eff-8944-6D7CC03940AC}	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{407B06E8-CE37-4768-A4D7-82B58FCB57A5}	{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0A22701-B37F-4f88-94A7-6AFA53709514}	{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{979F63E1-2E03-450b-90AF-4416E296E29A}	{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{979F63E1-2E03-450b-90AF-4416E296E29A}\stubpath = "C:\\Windows\\{979F63E1-2E03-450b-90AF-4416E296E29A}.exe"	{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC377B9-3F50-458e-B8F0-C04736C62D59}	{45C76529-3B98-455e-800B-7B290C923044}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0A22701-B37F-4f88-94A7-6AFA53709514}\stubpath = "C:\\Windows\\{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe"	{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DD931B3-3145-4d5c-B598-3601F8969409}	{979F63E1-2E03-450b-90AF-4416E296E29A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DBA900D-141B-4963-B68F-30D6CE61ACFC}	{8DD931B3-3145-4d5c-B598-3601F8969409}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2068FF0A-8112-494a-AB71-5A2C52528C6A}	{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45C76529-3B98-455e-800B-7B290C923044}\stubpath = "C:\\Windows\\{45C76529-3B98-455e-800B-7B290C923044}.exe"	{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe

Executes dropped EXE 11 IoCs

pid	Process
3452	{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe
3080	{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe
216	{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe
2404	{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe
4876	{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe
2156	{979F63E1-2E03-450b-90AF-4416E296E29A}.exe
928	{8DD931B3-3145-4d5c-B598-3601F8969409}.exe
4436	{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe
1352	{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe
2828	{45C76529-3B98-455e-800B-7B290C923044}.exe
2380	{2FC377B9-3F50-458e-B8F0-C04736C62D59}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe	{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe
File created	C:\Windows\{979F63E1-2E03-450b-90AF-4416E296E29A}.exe	{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe
File created	C:\Windows\{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe	{8DD931B3-3145-4d5c-B598-3601F8969409}.exe
File created	C:\Windows\{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe	{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe
File created	C:\Windows\{45C76529-3B98-455e-800B-7B290C923044}.exe	{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe
File created	C:\Windows\{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe	{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe
File created	C:\Windows\{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe	{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe
File created	C:\Windows\{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe	{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe
File created	C:\Windows\{8DD931B3-3145-4d5c-B598-3601F8969409}.exe	{979F63E1-2E03-450b-90AF-4416E296E29A}.exe
File created	C:\Windows\{2FC377B9-3F50-458e-B8F0-C04736C62D59}.exe	{45C76529-3B98-455e-800B-7B290C923044}.exe
File created	C:\Windows\{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	320	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3452	{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe
Token: SeIncBasePriorityPrivilege	3080	{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe
Token: SeIncBasePriorityPrivilege	216	{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe
Token: SeIncBasePriorityPrivilege	2404	{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe
Token: SeIncBasePriorityPrivilege	4876	{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe
Token: SeIncBasePriorityPrivilege	2156	{979F63E1-2E03-450b-90AF-4416E296E29A}.exe
Token: SeIncBasePriorityPrivilege	928	{8DD931B3-3145-4d5c-B598-3601F8969409}.exe
Token: SeIncBasePriorityPrivilege	4436	{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe
Token: SeIncBasePriorityPrivilege	1352	{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe
Token: SeIncBasePriorityPrivilege	2828	{45C76529-3B98-455e-800B-7B290C923044}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 3452	320	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	84
PID 320 wrote to memory of 3452	320	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	84
PID 320 wrote to memory of 3452	320	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	84
PID 320 wrote to memory of 2888	320	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	85
PID 320 wrote to memory of 2888	320	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	85
PID 320 wrote to memory of 2888	320	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	85
PID 3452 wrote to memory of 3080	3452	{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe	88
PID 3452 wrote to memory of 3080	3452	{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe	88
PID 3452 wrote to memory of 3080	3452	{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe	88
PID 3452 wrote to memory of 1688	3452	{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe	89
PID 3452 wrote to memory of 1688	3452	{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe	89
PID 3452 wrote to memory of 1688	3452	{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe	89
PID 3080 wrote to memory of 216	3080	{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe	91
PID 3080 wrote to memory of 216	3080	{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe	91
PID 3080 wrote to memory of 216	3080	{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe	91
PID 3080 wrote to memory of 3392	3080	{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe	92
PID 3080 wrote to memory of 3392	3080	{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe	92
PID 3080 wrote to memory of 3392	3080	{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe	92
PID 216 wrote to memory of 2404	216	{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe	93
PID 216 wrote to memory of 2404	216	{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe	93
PID 216 wrote to memory of 2404	216	{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe	93
PID 216 wrote to memory of 468	216	{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe	94
PID 216 wrote to memory of 468	216	{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe	94
PID 216 wrote to memory of 468	216	{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe	94
PID 2404 wrote to memory of 4876	2404	{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe	95
PID 2404 wrote to memory of 4876	2404	{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe	95
PID 2404 wrote to memory of 4876	2404	{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe	95
PID 2404 wrote to memory of 4144	2404	{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe	96
PID 2404 wrote to memory of 4144	2404	{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe	96
PID 2404 wrote to memory of 4144	2404	{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe	96
PID 4876 wrote to memory of 2156	4876	{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe	98
PID 4876 wrote to memory of 2156	4876	{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe	98
PID 4876 wrote to memory of 2156	4876	{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe	98
PID 4876 wrote to memory of 1236	4876	{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe	97
PID 4876 wrote to memory of 1236	4876	{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe	97
PID 4876 wrote to memory of 1236	4876	{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe	97
PID 2156 wrote to memory of 928	2156	{979F63E1-2E03-450b-90AF-4416E296E29A}.exe	99
PID 2156 wrote to memory of 928	2156	{979F63E1-2E03-450b-90AF-4416E296E29A}.exe	99
PID 2156 wrote to memory of 928	2156	{979F63E1-2E03-450b-90AF-4416E296E29A}.exe	99
PID 2156 wrote to memory of 3660	2156	{979F63E1-2E03-450b-90AF-4416E296E29A}.exe	100
PID 2156 wrote to memory of 3660	2156	{979F63E1-2E03-450b-90AF-4416E296E29A}.exe	100
PID 2156 wrote to memory of 3660	2156	{979F63E1-2E03-450b-90AF-4416E296E29A}.exe	100
PID 928 wrote to memory of 4436	928	{8DD931B3-3145-4d5c-B598-3601F8969409}.exe	101
PID 928 wrote to memory of 4436	928	{8DD931B3-3145-4d5c-B598-3601F8969409}.exe	101
PID 928 wrote to memory of 4436	928	{8DD931B3-3145-4d5c-B598-3601F8969409}.exe	101
PID 928 wrote to memory of 4300	928	{8DD931B3-3145-4d5c-B598-3601F8969409}.exe	102
PID 928 wrote to memory of 4300	928	{8DD931B3-3145-4d5c-B598-3601F8969409}.exe	102
PID 928 wrote to memory of 4300	928	{8DD931B3-3145-4d5c-B598-3601F8969409}.exe	102
PID 4436 wrote to memory of 1352	4436	{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe	103
PID 4436 wrote to memory of 1352	4436	{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe	103
PID 4436 wrote to memory of 1352	4436	{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe	103
PID 4436 wrote to memory of 4296	4436	{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe	104
PID 4436 wrote to memory of 4296	4436	{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe	104
PID 4436 wrote to memory of 4296	4436	{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe	104
PID 1352 wrote to memory of 2828	1352	{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe	105
PID 1352 wrote to memory of 2828	1352	{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe	105
PID 1352 wrote to memory of 2828	1352	{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe	105
PID 1352 wrote to memory of 4780	1352	{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe	106
PID 1352 wrote to memory of 4780	1352	{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe	106
PID 1352 wrote to memory of 4780	1352	{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe	106
PID 2828 wrote to memory of 2380	2828	{45C76529-3B98-455e-800B-7B290C923044}.exe	107
PID 2828 wrote to memory of 2380	2828	{45C76529-3B98-455e-800B-7B290C923044}.exe	107
PID 2828 wrote to memory of 2380	2828	{45C76529-3B98-455e-800B-7B290C923044}.exe	107
PID 2828 wrote to memory of 3064	2828	{45C76529-3B98-455e-800B-7B290C923044}.exe	108

C:\Users\Admin\AppData\Local\Temp\cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe
  C:\Windows\{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe
    C:\Windows\{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe
      C:\Windows\{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe
        
        C:\Windows\{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
      - C:\Windows\{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe
        
        C:\Windows\{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0A22~1.EXE > nul
        7⤵
        
        PID:1236
        
        C:\Windows\{979F63E1-2E03-450b-90AF-4416E296E29A}.exe
        
        C:\Windows\{979F63E1-2E03-450b-90AF-4416E296E29A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{8DD931B3-3145-4d5c-B598-3601F8969409}.exe
        
        C:\Windows\{8DD931B3-3145-4d5c-B598-3601F8969409}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe
        
        C:\Windows\{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe
        
        C:\Windows\{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\{45C76529-3B98-455e-800B-7B290C923044}.exe
        
        C:\Windows\{45C76529-3B98-455e-800B-7B290C923044}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{2FC377B9-3F50-458e-B8F0-C04736C62D59}.exe
        
        C:\Windows\{2FC377B9-3F50-458e-B8F0-C04736C62D59}.exe
        12⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45C76~1.EXE > nul
        12⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2068F~1.EXE > nul
        11⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DBA9~1.EXE > nul
        10⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DD93~1.EXE > nul
        9⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{979F6~1.EXE > nul
        8⤵
        
        PID:3660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D0C1~1.EXE > nul
        6⤵
        
        PID:4144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EEE6~1.EXE > nul
        5⤵
        
        PID:468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{407B0~1.EXE > nul
      4⤵
      PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A4F78~1.EXE > nul
    3⤵
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CC6FD8~1.EXE > nul
  2⤵
  PID:2888

Network

DNS

73.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.159.190.20.in-addr.arpa

IN PTR

Response
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

126.178.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.178.238.8.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

140.121.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.121.18.2.in-addr.arpa

IN PTR

Response

140.121.18.2.in-addr.arpa

IN PTR

a2-18-121-140deploystaticakamaitechnologiescom
DNS

72.239.69.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.239.69.13.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

73.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

73.159.190.20.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

126.178.238.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

126.178.238.8.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

140.121.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

140.121.18.2.in-addr.arpa
8.8.8.8:53

72.239.69.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

72.239.69.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe

Filesize
408KB

MD5
038cdd0210f6ae0920a5fb1fefdabbf0

SHA1
3cc25bd04823a17d357653b503702e7b25b02877

SHA256
51d4176d89bf634641fe17cb644e5e846c7fd3f543b103bf5afd3c88141b614f

SHA512
588e1f985256249306f6d8cb73cba61bad71e802e8df8c869dcc4537c32246fb284b848672fb348d17de0da2bd0b99c9b1b0b219ce4fcf207374dc0a840bc791

Download Submit
C:\Windows\{2068FF0A-8112-494a-AB71-5A2C52528C6A}.exe

Filesize
408KB

MD5
038cdd0210f6ae0920a5fb1fefdabbf0

SHA1
3cc25bd04823a17d357653b503702e7b25b02877

SHA256
51d4176d89bf634641fe17cb644e5e846c7fd3f543b103bf5afd3c88141b614f

SHA512
588e1f985256249306f6d8cb73cba61bad71e802e8df8c869dcc4537c32246fb284b848672fb348d17de0da2bd0b99c9b1b0b219ce4fcf207374dc0a840bc791

Download Submit
C:\Windows\{2FC377B9-3F50-458e-B8F0-C04736C62D59}.exe

Filesize
408KB

MD5
7f7ac3d7e9f578196b2339054dfd3776

SHA1
69dd510a2b5db2b232b25041d3853fb85ee8f3c1

SHA256
aa90456faeb5a14a830fb00421949586b5eaf33bbcce9fd861e7c4f107039963

SHA512
b551f0fbc316440355e004977846fb26e1f3dec721016b83ebf2c7811a0e71dd0912dc3384ad6231137fa08f6d4626dac12b6e372c4ff3ed91a9f9c473466f87

Download Submit
C:\Windows\{2FC377B9-3F50-458e-B8F0-C04736C62D59}.exe

Filesize
408KB

MD5
7f7ac3d7e9f578196b2339054dfd3776

SHA1
69dd510a2b5db2b232b25041d3853fb85ee8f3c1

SHA256
aa90456faeb5a14a830fb00421949586b5eaf33bbcce9fd861e7c4f107039963

SHA512
b551f0fbc316440355e004977846fb26e1f3dec721016b83ebf2c7811a0e71dd0912dc3384ad6231137fa08f6d4626dac12b6e372c4ff3ed91a9f9c473466f87

Download Submit
C:\Windows\{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe

Filesize
408KB

MD5
e483ebda0f64396ffaaf39e0e2d6a330

SHA1
01e72e396b7a6c6f2a3c918a7bb7704285613bf7

SHA256
ff4cdf22b0392cc4126e7fff01becd0397b79869b5038bdfe7c6a06c86ec37f7

SHA512
95537e9af157b5dc69dd9ad039249db964eb48193eabb749a4d7335ca4cff62bbf2b73f367cb0181bc21cbe1700e02bafb67000a1ef8399b09f29ec8bdace59c

Download Submit
C:\Windows\{407B06E8-CE37-4768-A4D7-82B58FCB57A5}.exe

Filesize
408KB

MD5
e483ebda0f64396ffaaf39e0e2d6a330

SHA1
01e72e396b7a6c6f2a3c918a7bb7704285613bf7

SHA256
ff4cdf22b0392cc4126e7fff01becd0397b79869b5038bdfe7c6a06c86ec37f7

SHA512
95537e9af157b5dc69dd9ad039249db964eb48193eabb749a4d7335ca4cff62bbf2b73f367cb0181bc21cbe1700e02bafb67000a1ef8399b09f29ec8bdace59c

Download Submit
C:\Windows\{45C76529-3B98-455e-800B-7B290C923044}.exe

Filesize
408KB

MD5
8d1f9cde9b35902768b6711cb4e1274a

SHA1
52d55e77fefd14c437f2e31594ea804220afacd3

SHA256
310ca114d0100ce9be44dd978d8bcd67a8282bedee722d6a435b560b3710cf35

SHA512
60023d1822b9209170994066f973b9d339b6f0118b530283e1942f300ccf93cb50e0553f035acb6c5142139f8d53ccb90e15dda73a52d583e5b849818d1cc616

Download Submit
C:\Windows\{45C76529-3B98-455e-800B-7B290C923044}.exe

Filesize
408KB

MD5
8d1f9cde9b35902768b6711cb4e1274a

SHA1
52d55e77fefd14c437f2e31594ea804220afacd3

SHA256
310ca114d0100ce9be44dd978d8bcd67a8282bedee722d6a435b560b3710cf35

SHA512
60023d1822b9209170994066f973b9d339b6f0118b530283e1942f300ccf93cb50e0553f035acb6c5142139f8d53ccb90e15dda73a52d583e5b849818d1cc616

Download Submit
C:\Windows\{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe

Filesize
408KB

MD5
4c1624048ef31e80daf3b09985a34170

SHA1
11be9f980913af0c47ff3925f480c76b6d2dc861

SHA256
2461bc18f364f0106a3f5e9b1a892ec31b50ec08cebcc850d6a7ac0ee30240cc

SHA512
29f8c6e7f5a77f80e0ffaaa1e7d578ec45b65d4679022366558549c033a69a51b2494b45f1e3ccacfe653bc01b002732d3895eb281912aa0e0de8a4a4351602d

Download Submit
C:\Windows\{6D0C1B6F-332F-43f0-B459-0D8F6AF18F43}.exe

Filesize
408KB

MD5
4c1624048ef31e80daf3b09985a34170

SHA1
11be9f980913af0c47ff3925f480c76b6d2dc861

SHA256
2461bc18f364f0106a3f5e9b1a892ec31b50ec08cebcc850d6a7ac0ee30240cc

SHA512
29f8c6e7f5a77f80e0ffaaa1e7d578ec45b65d4679022366558549c033a69a51b2494b45f1e3ccacfe653bc01b002732d3895eb281912aa0e0de8a4a4351602d

Download Submit
C:\Windows\{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe

Filesize
408KB

MD5
4d874ede43146c390fd46116b98a0646

SHA1
5cd104f1691254929923b229db261d80f6f28b22

SHA256
af3ab30f4bf3387d88cbc41634968f40623aaa9a1267b5bc9fd2b7cf4f559879

SHA512
cb986357440d993e37db3a93b54f1bd6bfa510bc009d0db71da8ab7ea2c389eb694924845bf6ebd095353396eee7b8d38c0c70bb5d05730c1249d03095fedaa7

Download Submit
C:\Windows\{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe

Filesize
408KB

MD5
4d874ede43146c390fd46116b98a0646

SHA1
5cd104f1691254929923b229db261d80f6f28b22

SHA256
af3ab30f4bf3387d88cbc41634968f40623aaa9a1267b5bc9fd2b7cf4f559879

SHA512
cb986357440d993e37db3a93b54f1bd6bfa510bc009d0db71da8ab7ea2c389eb694924845bf6ebd095353396eee7b8d38c0c70bb5d05730c1249d03095fedaa7

Download Submit
C:\Windows\{6EEE675C-BE34-44c8-917B-1E75D0B989B1}.exe

Filesize
408KB

MD5
4d874ede43146c390fd46116b98a0646

SHA1
5cd104f1691254929923b229db261d80f6f28b22

SHA256
af3ab30f4bf3387d88cbc41634968f40623aaa9a1267b5bc9fd2b7cf4f559879

SHA512
cb986357440d993e37db3a93b54f1bd6bfa510bc009d0db71da8ab7ea2c389eb694924845bf6ebd095353396eee7b8d38c0c70bb5d05730c1249d03095fedaa7

Download Submit
C:\Windows\{8DD931B3-3145-4d5c-B598-3601F8969409}.exe

Filesize
408KB

MD5
093f7f4beb42f2aebcce53ec0b2b6278

SHA1
810605ec0e207b1a028983f41645c7e5896f374d

SHA256
a061c0d6d4347e0a48098aebeca204f1a4bb14db8ac8a8462625fba43e84c058

SHA512
a6fc1d232af87726f0d6b6b9c534a15128a818028e06e2ead87c4a9909a91f96d9148e4a6c2525ade3c8cd0860596553779e678b82feed4a3fe28d78ab46932d

Download Submit
C:\Windows\{8DD931B3-3145-4d5c-B598-3601F8969409}.exe

Filesize
408KB

MD5
093f7f4beb42f2aebcce53ec0b2b6278

SHA1
810605ec0e207b1a028983f41645c7e5896f374d

SHA256
a061c0d6d4347e0a48098aebeca204f1a4bb14db8ac8a8462625fba43e84c058

SHA512
a6fc1d232af87726f0d6b6b9c534a15128a818028e06e2ead87c4a9909a91f96d9148e4a6c2525ade3c8cd0860596553779e678b82feed4a3fe28d78ab46932d

Download Submit
C:\Windows\{979F63E1-2E03-450b-90AF-4416E296E29A}.exe

Filesize
408KB

MD5
32613eb94db3a6485a3da9dfccd80bb2

SHA1
82718d96c0de2f247f4d86584420037d3678149b

SHA256
ec82499bf8410e75add2364c5bac530424da55b25a9171dfc76180f19319772f

SHA512
dc013e13e20ffc34e2f66f1c7df0a346f9011e97bd6527c1519dfa19e3eeee5530ae41e75658c25321afd1e1fe65752e20cd6f72fd4d5bb7fac80551cffc0c1e

Download Submit
C:\Windows\{979F63E1-2E03-450b-90AF-4416E296E29A}.exe

Filesize
408KB

MD5
32613eb94db3a6485a3da9dfccd80bb2

SHA1
82718d96c0de2f247f4d86584420037d3678149b

SHA256
ec82499bf8410e75add2364c5bac530424da55b25a9171dfc76180f19319772f

SHA512
dc013e13e20ffc34e2f66f1c7df0a346f9011e97bd6527c1519dfa19e3eeee5530ae41e75658c25321afd1e1fe65752e20cd6f72fd4d5bb7fac80551cffc0c1e

Download Submit
C:\Windows\{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe

Filesize
408KB

MD5
c281dbb4fbbe2f5f8a75090d5debdb61

SHA1
d52c6b7d164c8be4400cefcd0da84513f4ed0824

SHA256
e6af12cc98bae6bb1791ba99b6264122a2a5f6430c50bc2c4384a2718b2ffaa8

SHA512
21979b4eecc8d950faa66bfde14b63bb603a0f2d37005bfdd67c6af5d0f789897c4244c54f2ecfc7f0afa4e6117bbf2eb71966e5834f560441435cfdc0dd1ab1

Download Submit
C:\Windows\{9DBA900D-141B-4963-B68F-30D6CE61ACFC}.exe

Filesize
408KB

MD5
c281dbb4fbbe2f5f8a75090d5debdb61

SHA1
d52c6b7d164c8be4400cefcd0da84513f4ed0824

SHA256
e6af12cc98bae6bb1791ba99b6264122a2a5f6430c50bc2c4384a2718b2ffaa8

SHA512
21979b4eecc8d950faa66bfde14b63bb603a0f2d37005bfdd67c6af5d0f789897c4244c54f2ecfc7f0afa4e6117bbf2eb71966e5834f560441435cfdc0dd1ab1

Download Submit
C:\Windows\{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe

Filesize
408KB

MD5
fe45c300c595a68f134c3101e10fac42

SHA1
e59ebd5f76cb632c189463a06c32f1f1eaed81ff

SHA256
75078f4587df898adfd900d3e3eb18aab39116940f8fcded0a64008d7623e07b

SHA512
9c0b2be6116699ddbbfc1d5f9c513fa9d98b7fd618a2940bd6f17a48b84877871aa95d996c69b5c6383678d9cf1b0943ec4ed18d7fad2c45730b4bf7072b686a

Download Submit
C:\Windows\{A4F78E89-D489-4eff-8944-6D7CC03940AC}.exe

Filesize
408KB

MD5
fe45c300c595a68f134c3101e10fac42

SHA1
e59ebd5f76cb632c189463a06c32f1f1eaed81ff

SHA256
75078f4587df898adfd900d3e3eb18aab39116940f8fcded0a64008d7623e07b

SHA512
9c0b2be6116699ddbbfc1d5f9c513fa9d98b7fd618a2940bd6f17a48b84877871aa95d996c69b5c6383678d9cf1b0943ec4ed18d7fad2c45730b4bf7072b686a

Download Submit
C:\Windows\{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe

Filesize
408KB

MD5
871b960a02f99b002d9e450a11897100

SHA1
ab58d93ebe01537ca1fd741e781feb1d837d969f

SHA256
11e3a665e2100ec5cecf69db3c664907ecd4d0b77172dd010f7ca324bee2c907

SHA512
ce6ecac99aa689098bce392c775157840cb9c615b690fe5bb5367ba98fe75135094330880064f107a71e59683c859a1b8353d9d0af455b3c9d7921e893da3294

Download Submit
C:\Windows\{D0A22701-B37F-4f88-94A7-6AFA53709514}.exe

Filesize
408KB

MD5
871b960a02f99b002d9e450a11897100

SHA1
ab58d93ebe01537ca1fd741e781feb1d837d969f

SHA256
11e3a665e2100ec5cecf69db3c664907ecd4d0b77172dd010f7ca324bee2c907

SHA512
ce6ecac99aa689098bce392c775157840cb9c615b690fe5bb5367ba98fe75135094330880064f107a71e59683c859a1b8353d9d0af455b3c9d7921e893da3294

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.