c3ad7ee7c2fd895a5fcd4c38b9e4802e00fb4c15e7b92033a1e9c4234102f487

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2023, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe
Size

372KB
MD5

d2c54e9755d4fdae6f35918df0e35813
SHA1

268045d0e67b83f1f839c1143027c8986862946f
SHA256

c3ad7ee7c2fd895a5fcd4c38b9e4802e00fb4c15e7b92033a1e9c4234102f487
SHA512

abd613648f798291e95979dc5957b16ac0e82c204ed7d9d1e57813166d0fcffe1aa79f164926971aed0dc7ad7b45d572c81e9a0bc83497192128935b78bb00a8
SSDEEP

3072:CEGh0oQmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGLl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}	{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{461070B0-94B9-4c48-8806-6EE85E8D0B7B}\stubpath = "C:\\Windows\\{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe"	{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA89C8A1-BFC6-410b-AB86-495857317517}	{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA89C8A1-BFC6-410b-AB86-495857317517}\stubpath = "C:\\Windows\\{AA89C8A1-BFC6-410b-AB86-495857317517}.exe"	{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32DC6972-AF73-4590-84BD-13B9C3262599}\stubpath = "C:\\Windows\\{32DC6972-AF73-4590-84BD-13B9C3262599}.exe"	{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{616880DF-6428-4ad8-B783-A0C65AA66B1E}\stubpath = "C:\\Windows\\{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe"	{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}	{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}	{32DC6972-AF73-4590-84BD-13B9C3262599}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}\stubpath = "C:\\Windows\\{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe"	{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}	{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}\stubpath = "C:\\Windows\\{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe"	{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}\stubpath = "C:\\Windows\\{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe"	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}\stubpath = "C:\\Windows\\{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe"	{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32DC6972-AF73-4590-84BD-13B9C3262599}	{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BDE00EA-675E-43a0-B57C-B344C097AF59}	{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BDE00EA-675E-43a0-B57C-B344C097AF59}\stubpath = "C:\\Windows\\{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe"	{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF825C39-0258-428d-B5BF-568923F3FD36}	{AA89C8A1-BFC6-410b-AB86-495857317517}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{616880DF-6428-4ad8-B783-A0C65AA66B1E}	{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}\stubpath = "C:\\Windows\\{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe"	{32DC6972-AF73-4590-84BD-13B9C3262599}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{461070B0-94B9-4c48-8806-6EE85E8D0B7B}	{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF825C39-0258-428d-B5BF-568923F3FD36}\stubpath = "C:\\Windows\\{AF825C39-0258-428d-B5BF-568923F3FD36}.exe"	{AA89C8A1-BFC6-410b-AB86-495857317517}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe

Executes dropped EXE 11 IoCs

pid	Process
1680	{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe
1088	{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe
2236	{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe
4556	{32DC6972-AF73-4590-84BD-13B9C3262599}.exe
2632	{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe
3144	{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe
2916	{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe
636	{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe
944	{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe
3000	{AA89C8A1-BFC6-410b-AB86-495857317517}.exe
3272	{AF825C39-0258-428d-B5BF-568923F3FD36}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AA89C8A1-BFC6-410b-AB86-495857317517}.exe	{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe
File created	C:\Windows\{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe	{32DC6972-AF73-4590-84BD-13B9C3262599}.exe
File created	C:\Windows\{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe	{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe
File created	C:\Windows\{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe	{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe
File created	C:\Windows\{32DC6972-AF73-4590-84BD-13B9C3262599}.exe	{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe
File created	C:\Windows\{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe	{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe
File created	C:\Windows\{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe	{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe
File created	C:\Windows\{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe	{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe
File created	C:\Windows\{AF825C39-0258-428d-B5BF-568923F3FD36}.exe	{AA89C8A1-BFC6-410b-AB86-495857317517}.exe
File created	C:\Windows\{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe
File created	C:\Windows\{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe	{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4444	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1680	{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe
Token: SeIncBasePriorityPrivilege	1088	{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe
Token: SeIncBasePriorityPrivilege	2236	{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe
Token: SeIncBasePriorityPrivilege	4556	{32DC6972-AF73-4590-84BD-13B9C3262599}.exe
Token: SeIncBasePriorityPrivilege	2632	{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe
Token: SeIncBasePriorityPrivilege	3144	{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe
Token: SeIncBasePriorityPrivilege	2916	{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe
Token: SeIncBasePriorityPrivilege	636	{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe
Token: SeIncBasePriorityPrivilege	944	{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe
Token: SeIncBasePriorityPrivilege	3000	{AA89C8A1-BFC6-410b-AB86-495857317517}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 1680	4444	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	88
PID 4444 wrote to memory of 1680	4444	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	88
PID 4444 wrote to memory of 1680	4444	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	88
PID 4444 wrote to memory of 4476	4444	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	89
PID 4444 wrote to memory of 4476	4444	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	89
PID 4444 wrote to memory of 4476	4444	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	89
PID 1680 wrote to memory of 1088	1680	{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe	90
PID 1680 wrote to memory of 1088	1680	{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe	90
PID 1680 wrote to memory of 1088	1680	{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe	90
PID 1680 wrote to memory of 976	1680	{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe	91
PID 1680 wrote to memory of 976	1680	{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe	91
PID 1680 wrote to memory of 976	1680	{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe	91
PID 1088 wrote to memory of 2236	1088	{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe	94
PID 1088 wrote to memory of 2236	1088	{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe	94
PID 1088 wrote to memory of 2236	1088	{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe	94
PID 1088 wrote to memory of 4568	1088	{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe	93
PID 1088 wrote to memory of 4568	1088	{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe	93
PID 1088 wrote to memory of 4568	1088	{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe	93
PID 2236 wrote to memory of 4556	2236	{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe	95
PID 2236 wrote to memory of 4556	2236	{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe	95
PID 2236 wrote to memory of 4556	2236	{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe	95
PID 2236 wrote to memory of 4972	2236	{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe	96
PID 2236 wrote to memory of 4972	2236	{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe	96
PID 2236 wrote to memory of 4972	2236	{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe	96
PID 4556 wrote to memory of 2632	4556	{32DC6972-AF73-4590-84BD-13B9C3262599}.exe	97
PID 4556 wrote to memory of 2632	4556	{32DC6972-AF73-4590-84BD-13B9C3262599}.exe	97
PID 4556 wrote to memory of 2632	4556	{32DC6972-AF73-4590-84BD-13B9C3262599}.exe	97
PID 4556 wrote to memory of 4164	4556	{32DC6972-AF73-4590-84BD-13B9C3262599}.exe	98
PID 4556 wrote to memory of 4164	4556	{32DC6972-AF73-4590-84BD-13B9C3262599}.exe	98
PID 4556 wrote to memory of 4164	4556	{32DC6972-AF73-4590-84BD-13B9C3262599}.exe	98
PID 2632 wrote to memory of 3144	2632	{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe	99
PID 2632 wrote to memory of 3144	2632	{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe	99
PID 2632 wrote to memory of 3144	2632	{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe	99
PID 2632 wrote to memory of 1092	2632	{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe	100
PID 2632 wrote to memory of 1092	2632	{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe	100
PID 2632 wrote to memory of 1092	2632	{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe	100
PID 3144 wrote to memory of 2916	3144	{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe	101
PID 3144 wrote to memory of 2916	3144	{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe	101
PID 3144 wrote to memory of 2916	3144	{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe	101
PID 3144 wrote to memory of 5064	3144	{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe	102
PID 3144 wrote to memory of 5064	3144	{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe	102
PID 3144 wrote to memory of 5064	3144	{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe	102
PID 2916 wrote to memory of 636	2916	{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe	103
PID 2916 wrote to memory of 636	2916	{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe	103
PID 2916 wrote to memory of 636	2916	{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe	103
PID 2916 wrote to memory of 1472	2916	{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe	104
PID 2916 wrote to memory of 1472	2916	{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe	104
PID 2916 wrote to memory of 1472	2916	{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe	104
PID 636 wrote to memory of 944	636	{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe	105
PID 636 wrote to memory of 944	636	{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe	105
PID 636 wrote to memory of 944	636	{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe	105
PID 636 wrote to memory of 1456	636	{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe	106
PID 636 wrote to memory of 1456	636	{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe	106
PID 636 wrote to memory of 1456	636	{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe	106
PID 944 wrote to memory of 3000	944	{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe	107
PID 944 wrote to memory of 3000	944	{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe	107
PID 944 wrote to memory of 3000	944	{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe	107
PID 944 wrote to memory of 3228	944	{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe	108
PID 944 wrote to memory of 3228	944	{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe	108
PID 944 wrote to memory of 3228	944	{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe	108
PID 3000 wrote to memory of 3272	3000	{AA89C8A1-BFC6-410b-AB86-495857317517}.exe	109
PID 3000 wrote to memory of 3272	3000	{AA89C8A1-BFC6-410b-AB86-495857317517}.exe	109
PID 3000 wrote to memory of 3272	3000	{AA89C8A1-BFC6-410b-AB86-495857317517}.exe	109
PID 3000 wrote to memory of 3952	3000	{AA89C8A1-BFC6-410b-AB86-495857317517}.exe	110

C:\Users\Admin\AppData\Local\Temp\d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe
  C:\Windows\{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe
    C:\Windows\{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{61688~1.EXE > nul
      4⤵
      PID:4568
  - - C:\Windows\{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe
      C:\Windows\{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\{32DC6972-AF73-4590-84BD-13B9C3262599}.exe
        
        C:\Windows\{32DC6972-AF73-4590-84BD-13B9C3262599}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Windows\{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe
        
        C:\Windows\{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe
        
        C:\Windows\{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe
        
        C:\Windows\{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe
        
        C:\Windows\{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe
        
        C:\Windows\{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\{AA89C8A1-BFC6-410b-AB86-495857317517}.exe
        
        C:\Windows\{AA89C8A1-BFC6-410b-AB86-495857317517}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{AF825C39-0258-428d-B5BF-568923F3FD36}.exe
        
        C:\Windows\{AF825C39-0258-428d-B5BF-568923F3FD36}.exe
        12⤵
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA89C~1.EXE > nul
        12⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46107~1.EXE > nul
        11⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BDE0~1.EXE > nul
        10⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA7F5~1.EXE > nul
        9⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03D4A~1.EXE > nul
        8⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15C68~1.EXE > nul
        7⤵
        
        PID:1092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32DC6~1.EXE > nul
        6⤵
        
        PID:4164
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D1DD~1.EXE > nul
        5⤵
        
        PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{87BDE~1.EXE > nul
    3⤵
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D2C54E~1.EXE > nul
  2⤵
  PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe

Filesize
372KB

MD5
ee7895c61e1592402cb9aafe9bf18a49

SHA1
7e8b4fd970541a215afd7cbfa57501253d90481e

SHA256
cf6e697500e09614267770d326ebc9bd92ab0ba033954003bbe8c76d8096a531

SHA512
c9f701429ee83c195e0f1179bbdf0b01c8f0bece9a61c82b062be65459d6222b29d0d8bc2e82da842ed2f0b8659229816f7a8ab942e258b7ef6d5e63d1d90b93

Download Submit
C:\Windows\{03D4AE13-EA7B-4f58-AF7B-9E4D1196F4FF}.exe

Filesize
372KB

MD5
ee7895c61e1592402cb9aafe9bf18a49

SHA1
7e8b4fd970541a215afd7cbfa57501253d90481e

SHA256
cf6e697500e09614267770d326ebc9bd92ab0ba033954003bbe8c76d8096a531

SHA512
c9f701429ee83c195e0f1179bbdf0b01c8f0bece9a61c82b062be65459d6222b29d0d8bc2e82da842ed2f0b8659229816f7a8ab942e258b7ef6d5e63d1d90b93

Download Submit
C:\Windows\{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe

Filesize
372KB

MD5
c3aca7042f44afcae9cedb3533e731d6

SHA1
54043cff993d437a012f55ab24299604ab077746

SHA256
58bb78e20635c4012d50924a8c958560ef29342c7d89ecfcd5e0e73d687a8bdc

SHA512
b96b11e6d0262af4d35ee26adb743e5f9f6f404ce6171b84706ea34b5d29ca1dd1d7f2cca724578ce8af22a3481ef28a64b00ed7e367e905529b536748e9d9e8

Download Submit
C:\Windows\{15C6821A-E0B9-4baa-BD3C-37D730E2DC45}.exe

Filesize
372KB

MD5
c3aca7042f44afcae9cedb3533e731d6

SHA1
54043cff993d437a012f55ab24299604ab077746

SHA256
58bb78e20635c4012d50924a8c958560ef29342c7d89ecfcd5e0e73d687a8bdc

SHA512
b96b11e6d0262af4d35ee26adb743e5f9f6f404ce6171b84706ea34b5d29ca1dd1d7f2cca724578ce8af22a3481ef28a64b00ed7e367e905529b536748e9d9e8

Download Submit
C:\Windows\{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe

Filesize
372KB

MD5
d7d3f7ee9e36ac54e70b5d341a60f724

SHA1
3ee566dd88f36a1b2dec0a1f272646454c4bbdf8

SHA256
f6b2ccfcb2d060867da31286b76e6f367ccdc5cc344c8634a3e3f3aa1306b8a7

SHA512
2c61fa8d0d9afe8b9cf26f84343db15e036e1185733c19fe8b162f8c4d9417abaccdb8eba23432e3af2b85dc0027eb6abe6ee6cb92811e30b87aeec35565b098

Download Submit
C:\Windows\{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe

Filesize
372KB

MD5
d7d3f7ee9e36ac54e70b5d341a60f724

SHA1
3ee566dd88f36a1b2dec0a1f272646454c4bbdf8

SHA256
f6b2ccfcb2d060867da31286b76e6f367ccdc5cc344c8634a3e3f3aa1306b8a7

SHA512
2c61fa8d0d9afe8b9cf26f84343db15e036e1185733c19fe8b162f8c4d9417abaccdb8eba23432e3af2b85dc0027eb6abe6ee6cb92811e30b87aeec35565b098

Download Submit
C:\Windows\{2D1DDD1C-D62E-41b6-B5A8-D53555C200A8}.exe

Filesize
372KB

MD5
d7d3f7ee9e36ac54e70b5d341a60f724

SHA1
3ee566dd88f36a1b2dec0a1f272646454c4bbdf8

SHA256
f6b2ccfcb2d060867da31286b76e6f367ccdc5cc344c8634a3e3f3aa1306b8a7

SHA512
2c61fa8d0d9afe8b9cf26f84343db15e036e1185733c19fe8b162f8c4d9417abaccdb8eba23432e3af2b85dc0027eb6abe6ee6cb92811e30b87aeec35565b098

Download Submit
C:\Windows\{32DC6972-AF73-4590-84BD-13B9C3262599}.exe

Filesize
372KB

MD5
77ff1be821ba948f92b2dad157a71b68

SHA1
0bbfd9598d67b0d773dfb88beeca808fa5911123

SHA256
fbada34a318517a3437fdf439ef302813a5e563fa3253d0944dc84ce69860e60

SHA512
2612f7c547d8ef226e548654cfa386307701e09dab697dda1327107fe6020460a0d38a5ce4cb80cc30ce094b0040a91c2eb1efb91e68c088b874f1166a20e6fd

Download Submit
C:\Windows\{32DC6972-AF73-4590-84BD-13B9C3262599}.exe

Filesize
372KB

MD5
77ff1be821ba948f92b2dad157a71b68

SHA1
0bbfd9598d67b0d773dfb88beeca808fa5911123

SHA256
fbada34a318517a3437fdf439ef302813a5e563fa3253d0944dc84ce69860e60

SHA512
2612f7c547d8ef226e548654cfa386307701e09dab697dda1327107fe6020460a0d38a5ce4cb80cc30ce094b0040a91c2eb1efb91e68c088b874f1166a20e6fd

Download Submit
C:\Windows\{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe

Filesize
372KB

MD5
52f38c9f04334e486d31878b3c24a74a

SHA1
001c2195c4a748d08f08169565403d4c80d68832

SHA256
a09866db54b3048298d239cf2d37bbc3d6d0b03b63f91119063d5a2dee705c65

SHA512
04925dd9bd54bddf336f4807331ba36c341a5748ff394c9639e1ce3a86f4562e4a4fcd2ca40d52b3b0b9348f91fa06c343fdc6968df72d8a002d67b22ff0f753

Download Submit
C:\Windows\{461070B0-94B9-4c48-8806-6EE85E8D0B7B}.exe

Filesize
372KB

MD5
52f38c9f04334e486d31878b3c24a74a

SHA1
001c2195c4a748d08f08169565403d4c80d68832

SHA256
a09866db54b3048298d239cf2d37bbc3d6d0b03b63f91119063d5a2dee705c65

SHA512
04925dd9bd54bddf336f4807331ba36c341a5748ff394c9639e1ce3a86f4562e4a4fcd2ca40d52b3b0b9348f91fa06c343fdc6968df72d8a002d67b22ff0f753

Download Submit
C:\Windows\{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe

Filesize
372KB

MD5
b3dbf816f4ff671e619c78e3bbf5f679

SHA1
70afb88007ade205a17a8b0dafa32ca5eea38c4e

SHA256
5e46505fa8475c36a130412dd9b974fe74994753942023b9c5249c633e4fb125

SHA512
385ccbed54e284b1ea7eb7c0afdb7dd5d3b6d5a1038d006c39cc030048c4d751706f00adaa63fd806c60805cbb7562a566c95f76eaf4dfd6510c29616b67461d

Download Submit
C:\Windows\{616880DF-6428-4ad8-B783-A0C65AA66B1E}.exe

Filesize
372KB

MD5
b3dbf816f4ff671e619c78e3bbf5f679

SHA1
70afb88007ade205a17a8b0dafa32ca5eea38c4e

SHA256
5e46505fa8475c36a130412dd9b974fe74994753942023b9c5249c633e4fb125

SHA512
385ccbed54e284b1ea7eb7c0afdb7dd5d3b6d5a1038d006c39cc030048c4d751706f00adaa63fd806c60805cbb7562a566c95f76eaf4dfd6510c29616b67461d

Download Submit
C:\Windows\{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe

Filesize
372KB

MD5
eb83715f0a0b6ae49ac5e77aded34040

SHA1
895bd661736a91e02ee35997e891381f9243976c

SHA256
8d63854713d46ffebbc517fdfa083d7f4174db9d8b9f831540516f9daf6b4dd8

SHA512
041aa5785360628cd39a5cb47499e5815a8e5438eb2dd631430535ad3cc04d58e5f6403f8ab718b156c97c2bd9d0cadc7a94b80b279127a433d8e0f8f5a390b6

Download Submit
C:\Windows\{87BDE7BF-762B-482c-B7B9-18C2ACB7A9F0}.exe

Filesize
372KB

MD5
eb83715f0a0b6ae49ac5e77aded34040

SHA1
895bd661736a91e02ee35997e891381f9243976c

SHA256
8d63854713d46ffebbc517fdfa083d7f4174db9d8b9f831540516f9daf6b4dd8

SHA512
041aa5785360628cd39a5cb47499e5815a8e5438eb2dd631430535ad3cc04d58e5f6403f8ab718b156c97c2bd9d0cadc7a94b80b279127a433d8e0f8f5a390b6

Download Submit
C:\Windows\{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe

Filesize
372KB

MD5
1d92a451f8b238d2ea3ed76c3125e308

SHA1
c68d4cf394519dfebe4081d19e56d8d761febb82

SHA256
084347033de141e2324a68700d1c3aca2c9a222624047e0bf84bf28d57b2a75a

SHA512
6aa442fdfb430eb816462f659e3b02b9c496cba7a34fd323821d24c9233127449736112afbab820737d7e71267547fe0d0b28fb5641c4984a678edae2b37e7b2

Download Submit
C:\Windows\{8BDE00EA-675E-43a0-B57C-B344C097AF59}.exe

Filesize
372KB

MD5
1d92a451f8b238d2ea3ed76c3125e308

SHA1
c68d4cf394519dfebe4081d19e56d8d761febb82

SHA256
084347033de141e2324a68700d1c3aca2c9a222624047e0bf84bf28d57b2a75a

SHA512
6aa442fdfb430eb816462f659e3b02b9c496cba7a34fd323821d24c9233127449736112afbab820737d7e71267547fe0d0b28fb5641c4984a678edae2b37e7b2

Download Submit
C:\Windows\{AA89C8A1-BFC6-410b-AB86-495857317517}.exe

Filesize
372KB

MD5
adaf7ed36fa1873230e4110c870b388c

SHA1
9848c7c74aa216126a61c9f8576aaa8b06e10ad4

SHA256
e31f3538110a4f829c9e70b04da16c3b60b6480f028812758c40f6b373232519

SHA512
51046a35c84d156f9c0e89e6560e0d731b5e2c28ea7a882dd812c60fb8e16c4915acdbea769e59fbbbf0d7839b0e4f5a4d3503faa0879d65b234792445bebcad

Download Submit
C:\Windows\{AA89C8A1-BFC6-410b-AB86-495857317517}.exe

Filesize
372KB

MD5
adaf7ed36fa1873230e4110c870b388c

SHA1
9848c7c74aa216126a61c9f8576aaa8b06e10ad4

SHA256
e31f3538110a4f829c9e70b04da16c3b60b6480f028812758c40f6b373232519

SHA512
51046a35c84d156f9c0e89e6560e0d731b5e2c28ea7a882dd812c60fb8e16c4915acdbea769e59fbbbf0d7839b0e4f5a4d3503faa0879d65b234792445bebcad

Download Submit
C:\Windows\{AF825C39-0258-428d-B5BF-568923F3FD36}.exe

Filesize
372KB

MD5
6451b4c051babde8c18df331dbafe6b0

SHA1
38baedcde7aff70a2515934125e1a930041d31a9

SHA256
40b6c141239e980222ddf7f23021bfb6d13d6a941e42bf93aa283a025ba9a9e5

SHA512
632c6d4a6502edcb7adeed33447a4878be65d1e4becb0eb32017e79f5eabe1aeff63d804b8b882fa409662e55d5fac95c005f642dd3a751d98eb3bf0a24ab5ef

Download Submit
C:\Windows\{AF825C39-0258-428d-B5BF-568923F3FD36}.exe

Filesize
372KB

MD5
6451b4c051babde8c18df331dbafe6b0

SHA1
38baedcde7aff70a2515934125e1a930041d31a9

SHA256
40b6c141239e980222ddf7f23021bfb6d13d6a941e42bf93aa283a025ba9a9e5

SHA512
632c6d4a6502edcb7adeed33447a4878be65d1e4becb0eb32017e79f5eabe1aeff63d804b8b882fa409662e55d5fac95c005f642dd3a751d98eb3bf0a24ab5ef

Download Submit
C:\Windows\{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe

Filesize
372KB

MD5
9f3b2588ecc81a304a167a9feb6445f1

SHA1
9a71527cf24d5998c8ec7a00ad76b70595097508

SHA256
0580919d3ef928a1f959aed1847be3f5383960d8301235a3983f9ce553cd43aa

SHA512
bc9ebed5a33e160d769b28d77e47267ed52795353426b6c6b658101c9ae98af9dce05b1505b887e1d3676636d3a99b93abc7e30bf88b11b22a5ce973dfa102d7

Download Submit
C:\Windows\{BA7F55B8-2D9C-41c0-B6CF-7E00F2B8023F}.exe

Filesize
372KB

MD5
9f3b2588ecc81a304a167a9feb6445f1

SHA1
9a71527cf24d5998c8ec7a00ad76b70595097508

SHA256
0580919d3ef928a1f959aed1847be3f5383960d8301235a3983f9ce553cd43aa

SHA512
bc9ebed5a33e160d769b28d77e47267ed52795353426b6c6b658101c9ae98af9dce05b1505b887e1d3676636d3a99b93abc7e30bf88b11b22a5ce973dfa102d7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads