71f539c8895e4e115f91123ba15db883b1f89b77f789f06421493c69df242b6f

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
30/08/2023, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe
Size

380KB
MD5

e64ef2a0d6e1b48a7ba8e666fe49e5de
SHA1

5c43a5241a5aefd5c9385dea94746780a0ccd166
SHA256

71f539c8895e4e115f91123ba15db883b1f89b77f789f06421493c69df242b6f
SHA512

22829ac3fdba9cd239bac7e00b959c6329ea371dd7c2012788a61328934200030c13f023f76c4b6aeeeea6cf22efae1b46fd98ad0fcdaff8c421fe4cb94c795c
SSDEEP

3072:mEGh0oilPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGQl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}\stubpath = "C:\\Windows\\{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe"	{83A32F20-DBC8-4790-99C4-94010913DA82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0158A846-4803-4422-A257-AAAF8D83A37B}	{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0158A846-4803-4422-A257-AAAF8D83A37B}\stubpath = "C:\\Windows\\{0158A846-4803-4422-A257-AAAF8D83A37B}.exe"	{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4DBC01B-4DDC-47b5-9380-2EFBEA93198F}	{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4DBC01B-4DDC-47b5-9380-2EFBEA93198F}\stubpath = "C:\\Windows\\{C4DBC01B-4DDC-47b5-9380-2EFBEA93198F}.exe"	{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}	{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}\stubpath = "C:\\Windows\\{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe"	{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83A32F20-DBC8-4790-99C4-94010913DA82}	{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A1F214B-9518-4555-B0EC-70637EBE5D1B}\stubpath = "C:\\Windows\\{3A1F214B-9518-4555-B0EC-70637EBE5D1B}.exe"	{E886CDD7-87DE-4a6b-BD70-36CCBE0D77C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D66EA952-2677-406a-927B-03426B42F71D}\stubpath = "C:\\Windows\\{D66EA952-2677-406a-927B-03426B42F71D}.exe"	{3A1F214B-9518-4555-B0EC-70637EBE5D1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAD28389-0C7A-4c69-AE88-02A04F7F2435}	{0158A846-4803-4422-A257-AAAF8D83A37B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E886CDD7-87DE-4a6b-BD70-36CCBE0D77C9}	{C4DBC01B-4DDC-47b5-9380-2EFBEA93198F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E886CDD7-87DE-4a6b-BD70-36CCBE0D77C9}\stubpath = "C:\\Windows\\{E886CDD7-87DE-4a6b-BD70-36CCBE0D77C9}.exe"	{C4DBC01B-4DDC-47b5-9380-2EFBEA93198F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}\stubpath = "C:\\Windows\\{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe"	{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83A32F20-DBC8-4790-99C4-94010913DA82}\stubpath = "C:\\Windows\\{83A32F20-DBC8-4790-99C4-94010913DA82}.exe"	{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}	{83A32F20-DBC8-4790-99C4-94010913DA82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EA69121-1264-4c5f-BCE3-9477680602DF}\stubpath = "C:\\Windows\\{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe"	e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A1F214B-9518-4555-B0EC-70637EBE5D1B}	{E886CDD7-87DE-4a6b-BD70-36CCBE0D77C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D66EA952-2677-406a-927B-03426B42F71D}	{3A1F214B-9518-4555-B0EC-70637EBE5D1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EA69121-1264-4c5f-BCE3-9477680602DF}	e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}	{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAD28389-0C7A-4c69-AE88-02A04F7F2435}\stubpath = "C:\\Windows\\{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe"	{0158A846-4803-4422-A257-AAAF8D83A37B}.exe

Deletes itself 1 IoCs

pid	Process
840	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2524	{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe
3036	{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe
2128	{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe
2860	{83A32F20-DBC8-4790-99C4-94010913DA82}.exe
2708	{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe
2456	{0158A846-4803-4422-A257-AAAF8D83A37B}.exe
1552	{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe
2680	{C4DBC01B-4DDC-47b5-9380-2EFBEA93198F}.exe
2480	{E886CDD7-87DE-4a6b-BD70-36CCBE0D77C9}.exe
2588	{3A1F214B-9518-4555-B0EC-70637EBE5D1B}.exe
2152	{D66EA952-2677-406a-927B-03426B42F71D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C4DBC01B-4DDC-47b5-9380-2EFBEA93198F}.exe	{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe
File created	C:\Windows\{E886CDD7-87DE-4a6b-BD70-36CCBE0D77C9}.exe	{C4DBC01B-4DDC-47b5-9380-2EFBEA93198F}.exe
File created	C:\Windows\{83A32F20-DBC8-4790-99C4-94010913DA82}.exe	{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe
File created	C:\Windows\{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe	{83A32F20-DBC8-4790-99C4-94010913DA82}.exe
File created	C:\Windows\{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe	{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe
File created	C:\Windows\{0158A846-4803-4422-A257-AAAF8D83A37B}.exe	{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe
File created	C:\Windows\{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe	{0158A846-4803-4422-A257-AAAF8D83A37B}.exe
File created	C:\Windows\{3A1F214B-9518-4555-B0EC-70637EBE5D1B}.exe	{E886CDD7-87DE-4a6b-BD70-36CCBE0D77C9}.exe
File created	C:\Windows\{D66EA952-2677-406a-927B-03426B42F71D}.exe	{3A1F214B-9518-4555-B0EC-70637EBE5D1B}.exe
File created	C:\Windows\{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe	e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe
File created	C:\Windows\{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe	{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1808	e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2524	{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe
Token: SeIncBasePriorityPrivilege	3036	{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe
Token: SeIncBasePriorityPrivilege	2128	{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe
Token: SeIncBasePriorityPrivilege	2860	{83A32F20-DBC8-4790-99C4-94010913DA82}.exe
Token: SeIncBasePriorityPrivilege	2708	{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe
Token: SeIncBasePriorityPrivilege	2456	{0158A846-4803-4422-A257-AAAF8D83A37B}.exe
Token: SeIncBasePriorityPrivilege	1552	{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe
Token: SeIncBasePriorityPrivilege	2680	{C4DBC01B-4DDC-47b5-9380-2EFBEA93198F}.exe
Token: SeIncBasePriorityPrivilege	2480	{E886CDD7-87DE-4a6b-BD70-36CCBE0D77C9}.exe
Token: SeIncBasePriorityPrivilege	2588	{3A1F214B-9518-4555-B0EC-70637EBE5D1B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2524	1808	e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe	28
PID 1808 wrote to memory of 2524	1808	e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe	28
PID 1808 wrote to memory of 2524	1808	e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe	28
PID 1808 wrote to memory of 2524	1808	e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe	28
PID 1808 wrote to memory of 840	1808	e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe	29
PID 1808 wrote to memory of 840	1808	e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe	29
PID 1808 wrote to memory of 840	1808	e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe	29
PID 1808 wrote to memory of 840	1808	e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe	29
PID 2524 wrote to memory of 3036	2524	{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe	32
PID 2524 wrote to memory of 3036	2524	{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe	32
PID 2524 wrote to memory of 3036	2524	{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe	32
PID 2524 wrote to memory of 3036	2524	{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe	32
PID 2524 wrote to memory of 2280	2524	{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe	33
PID 2524 wrote to memory of 2280	2524	{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe	33
PID 2524 wrote to memory of 2280	2524	{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe	33
PID 2524 wrote to memory of 2280	2524	{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe	33
PID 3036 wrote to memory of 2128	3036	{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe	34
PID 3036 wrote to memory of 2128	3036	{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe	34
PID 3036 wrote to memory of 2128	3036	{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe	34
PID 3036 wrote to memory of 2128	3036	{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe	34
PID 3036 wrote to memory of 984	3036	{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe	35
PID 3036 wrote to memory of 984	3036	{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe	35
PID 3036 wrote to memory of 984	3036	{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe	35
PID 3036 wrote to memory of 984	3036	{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe	35
PID 2128 wrote to memory of 2860	2128	{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe	36
PID 2128 wrote to memory of 2860	2128	{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe	36
PID 2128 wrote to memory of 2860	2128	{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe	36
PID 2128 wrote to memory of 2860	2128	{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe	36
PID 2128 wrote to memory of 3028	2128	{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe	37
PID 2128 wrote to memory of 3028	2128	{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe	37
PID 2128 wrote to memory of 3028	2128	{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe	37
PID 2128 wrote to memory of 3028	2128	{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe	37
PID 2860 wrote to memory of 2708	2860	{83A32F20-DBC8-4790-99C4-94010913DA82}.exe	38
PID 2860 wrote to memory of 2708	2860	{83A32F20-DBC8-4790-99C4-94010913DA82}.exe	38
PID 2860 wrote to memory of 2708	2860	{83A32F20-DBC8-4790-99C4-94010913DA82}.exe	38
PID 2860 wrote to memory of 2708	2860	{83A32F20-DBC8-4790-99C4-94010913DA82}.exe	38
PID 2860 wrote to memory of 2768	2860	{83A32F20-DBC8-4790-99C4-94010913DA82}.exe	39
PID 2860 wrote to memory of 2768	2860	{83A32F20-DBC8-4790-99C4-94010913DA82}.exe	39
PID 2860 wrote to memory of 2768	2860	{83A32F20-DBC8-4790-99C4-94010913DA82}.exe	39
PID 2860 wrote to memory of 2768	2860	{83A32F20-DBC8-4790-99C4-94010913DA82}.exe	39
PID 2708 wrote to memory of 2456	2708	{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe	40
PID 2708 wrote to memory of 2456	2708	{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe	40
PID 2708 wrote to memory of 2456	2708	{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe	40
PID 2708 wrote to memory of 2456	2708	{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe	40
PID 2708 wrote to memory of 2076	2708	{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe	41
PID 2708 wrote to memory of 2076	2708	{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe	41
PID 2708 wrote to memory of 2076	2708	{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe	41
PID 2708 wrote to memory of 2076	2708	{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe	41
PID 2456 wrote to memory of 1552	2456	{0158A846-4803-4422-A257-AAAF8D83A37B}.exe	42
PID 2456 wrote to memory of 1552	2456	{0158A846-4803-4422-A257-AAAF8D83A37B}.exe	42
PID 2456 wrote to memory of 1552	2456	{0158A846-4803-4422-A257-AAAF8D83A37B}.exe	42
PID 2456 wrote to memory of 1552	2456	{0158A846-4803-4422-A257-AAAF8D83A37B}.exe	42
PID 2456 wrote to memory of 1456	2456	{0158A846-4803-4422-A257-AAAF8D83A37B}.exe	43
PID 2456 wrote to memory of 1456	2456	{0158A846-4803-4422-A257-AAAF8D83A37B}.exe	43
PID 2456 wrote to memory of 1456	2456	{0158A846-4803-4422-A257-AAAF8D83A37B}.exe	43
PID 2456 wrote to memory of 1456	2456	{0158A846-4803-4422-A257-AAAF8D83A37B}.exe	43
PID 1552 wrote to memory of 2680	1552	{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe	44
PID 1552 wrote to memory of 2680	1552	{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe	44
PID 1552 wrote to memory of 2680	1552	{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe	44
PID 1552 wrote to memory of 2680	1552	{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe	44
PID 1552 wrote to memory of 3032	1552	{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe	45
PID 1552 wrote to memory of 3032	1552	{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe	45
PID 1552 wrote to memory of 3032	1552	{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe	45
PID 1552 wrote to memory of 3032	1552	{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe	45

C:\Users\Admin\AppData\Local\Temp\e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e64ef2a0d6e1b48a7ba8e666fe49e5de_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe
  C:\Windows\{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe
    C:\Windows\{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe
      C:\Windows\{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\{83A32F20-DBC8-4790-99C4-94010913DA82}.exe
        
        C:\Windows\{83A32F20-DBC8-4790-99C4-94010913DA82}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe
        
        C:\Windows\{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\{0158A846-4803-4422-A257-AAAF8D83A37B}.exe
        
        C:\Windows\{0158A846-4803-4422-A257-AAAF8D83A37B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe
        
        C:\Windows\{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{C4DBC01B-4DDC-47b5-9380-2EFBEA93198F}.exe
        
        C:\Windows\{C4DBC01B-4DDC-47b5-9380-2EFBEA93198F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\{E886CDD7-87DE-4a6b-BD70-36CCBE0D77C9}.exe
        
        C:\Windows\{E886CDD7-87DE-4a6b-BD70-36CCBE0D77C9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\{3A1F214B-9518-4555-B0EC-70637EBE5D1B}.exe
        
        C:\Windows\{3A1F214B-9518-4555-B0EC-70637EBE5D1B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\{D66EA952-2677-406a-927B-03426B42F71D}.exe
        
        C:\Windows\{D66EA952-2677-406a-927B-03426B42F71D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A1F2~1.EXE > nul
        12⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E886C~1.EXE > nul
        11⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4DBC~1.EXE > nul
        10⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAD28~1.EXE > nul
        9⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0158A~1.EXE > nul
        8⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5BBC~1.EXE > nul
        7⤵
        
        PID:2076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83A32~1.EXE > nul
        6⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BCDB~1.EXE > nul
        5⤵
        
        PID:3028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C94CE~1.EXE > nul
      4⤵
      PID:984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7EA69~1.EXE > nul
    3⤵
    PID:2280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E64EF2~1.EXE > nul
  2⤵
  - Deletes itself
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0158A846-4803-4422-A257-AAAF8D83A37B}.exe

Filesize
380KB

MD5
1330a786692a9b23e7598f5de0bce31d

SHA1
ac6cba5001fd2d4b1b1d1fe3a74b83ae701ca7e4

SHA256
91e6a80ece5b1083b1d92f332db16957348d4225c23bde84e0b6eddd6c29ad17

SHA512
c3e30614b2d45f02cd6e67588e856fca86d058845929aa3fd176ff4a6673df562e52a2489c2d2668b93a47425470c1b442ad4bae2902867518e1d8fd1b80f6f5

Download Submit
C:\Windows\{0158A846-4803-4422-A257-AAAF8D83A37B}.exe

Filesize
380KB

MD5
1330a786692a9b23e7598f5de0bce31d

SHA1
ac6cba5001fd2d4b1b1d1fe3a74b83ae701ca7e4

SHA256
91e6a80ece5b1083b1d92f332db16957348d4225c23bde84e0b6eddd6c29ad17

SHA512
c3e30614b2d45f02cd6e67588e856fca86d058845929aa3fd176ff4a6673df562e52a2489c2d2668b93a47425470c1b442ad4bae2902867518e1d8fd1b80f6f5

Download Submit
C:\Windows\{3A1F214B-9518-4555-B0EC-70637EBE5D1B}.exe

Filesize
380KB

MD5
00d1cfd04e2ed8353472ecc31b9355eb

SHA1
c7a7b0811288a222d3089e0c1b2ad23881c02b83

SHA256
7531cfb74dcec52fe188d2ded4136c424e3c7ea7c6e4b8064a5b08384100f900

SHA512
3a05915cf26604e24964540ccf0cfae5df70bca40a718371b47a9f4f41db8bb691adb95b3493ebc584d7fc0ce1dafbc8e94ba1d717309b00945edbeb3468c725

Download Submit
C:\Windows\{3A1F214B-9518-4555-B0EC-70637EBE5D1B}.exe

Filesize
380KB

MD5
00d1cfd04e2ed8353472ecc31b9355eb

SHA1
c7a7b0811288a222d3089e0c1b2ad23881c02b83

SHA256
7531cfb74dcec52fe188d2ded4136c424e3c7ea7c6e4b8064a5b08384100f900

SHA512
3a05915cf26604e24964540ccf0cfae5df70bca40a718371b47a9f4f41db8bb691adb95b3493ebc584d7fc0ce1dafbc8e94ba1d717309b00945edbeb3468c725

Download Submit
C:\Windows\{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe

Filesize
380KB

MD5
3f2985e6b2a4170879aecbf33d4a9b7f

SHA1
545d5b7c68eb2fc5bd627324968503d8aa2fdc78

SHA256
172fd495f790614a7057511e2d05bd07f12bd25daaf3d247f10116151a4693c1

SHA512
8a1fb07b36ed0bf93716fb103f895f71bc97d674df79b59cb682913a1815386040004729895bdcb6c458688cf83a2a4d0f4df776f189aab16e052bf5b652b09f

Download Submit
C:\Windows\{5BCDB3E6-FCCF-40cc-A9CA-203145AD1488}.exe

Filesize
380KB

MD5
3f2985e6b2a4170879aecbf33d4a9b7f

SHA1
545d5b7c68eb2fc5bd627324968503d8aa2fdc78

SHA256
172fd495f790614a7057511e2d05bd07f12bd25daaf3d247f10116151a4693c1

SHA512
8a1fb07b36ed0bf93716fb103f895f71bc97d674df79b59cb682913a1815386040004729895bdcb6c458688cf83a2a4d0f4df776f189aab16e052bf5b652b09f

Download Submit
C:\Windows\{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe

Filesize
380KB

MD5
cd8395ef93a049496ef6a7f6e79c2fc8

SHA1
b10ae9bda81f81b3f87addf7dca696ca0f0419cc

SHA256
f6523b6b3e09a6cb5fd6745c4f6630221f3eebe41db519489876811cc8891308

SHA512
33c4b09ad77724ad9e61db18d595f8fbb73a77e4562272252595940effc2a655252815cb1019064801399cc7ab419d86229edd40d045373b65e1e5211ac14890

Download Submit
C:\Windows\{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe

Filesize
380KB

MD5
cd8395ef93a049496ef6a7f6e79c2fc8

SHA1
b10ae9bda81f81b3f87addf7dca696ca0f0419cc

SHA256
f6523b6b3e09a6cb5fd6745c4f6630221f3eebe41db519489876811cc8891308

SHA512
33c4b09ad77724ad9e61db18d595f8fbb73a77e4562272252595940effc2a655252815cb1019064801399cc7ab419d86229edd40d045373b65e1e5211ac14890

Download Submit
C:\Windows\{7EA69121-1264-4c5f-BCE3-9477680602DF}.exe

Filesize
380KB

MD5
cd8395ef93a049496ef6a7f6e79c2fc8

SHA1
b10ae9bda81f81b3f87addf7dca696ca0f0419cc

SHA256
f6523b6b3e09a6cb5fd6745c4f6630221f3eebe41db519489876811cc8891308

SHA512
33c4b09ad77724ad9e61db18d595f8fbb73a77e4562272252595940effc2a655252815cb1019064801399cc7ab419d86229edd40d045373b65e1e5211ac14890

Download Submit
C:\Windows\{83A32F20-DBC8-4790-99C4-94010913DA82}.exe

Filesize
380KB

MD5
16f9a9662e75c62d2dd0dfe700774ee3

SHA1
bc884befbb0727801004be21a3dc291ae78c8b0c

SHA256
6a68746d4cb3b282e69fff961ad4a1f227006cd7cc459212aabc5da074e3c7db

SHA512
152f92c2ffd2fb3f7fc2b3949e5cb4952207bb786ee2dc7e778360c5a4a893616a8c658a9f067f0dbbedbb1c9a5564c693827a49f0a4f1bdc3495b2ef50b507e

Download Submit
C:\Windows\{83A32F20-DBC8-4790-99C4-94010913DA82}.exe

Filesize
380KB

MD5
16f9a9662e75c62d2dd0dfe700774ee3

SHA1
bc884befbb0727801004be21a3dc291ae78c8b0c

SHA256
6a68746d4cb3b282e69fff961ad4a1f227006cd7cc459212aabc5da074e3c7db

SHA512
152f92c2ffd2fb3f7fc2b3949e5cb4952207bb786ee2dc7e778360c5a4a893616a8c658a9f067f0dbbedbb1c9a5564c693827a49f0a4f1bdc3495b2ef50b507e

Download Submit
C:\Windows\{C4DBC01B-4DDC-47b5-9380-2EFBEA93198F}.exe

Filesize
380KB

MD5
9d5db1db2585437a9842fa29c9820446

SHA1
0f3b18a2dde15e5c7ce2d036598e4a865000cbcd

SHA256
fc7c503ee576bbfecaea484ec1060ec8a846c6b22949fd2124464d18267e0c16

SHA512
271cc4986cc6cf8e621987c500e1e8fb65e8b1d478c7f69818b8c151a355357bee08bb2a9217660aaf75001111557c83dbbdc1fe8a41772a1a5edfb2c89741b3

Download Submit
C:\Windows\{C4DBC01B-4DDC-47b5-9380-2EFBEA93198F}.exe

Filesize
380KB

MD5
9d5db1db2585437a9842fa29c9820446

SHA1
0f3b18a2dde15e5c7ce2d036598e4a865000cbcd

SHA256
fc7c503ee576bbfecaea484ec1060ec8a846c6b22949fd2124464d18267e0c16

SHA512
271cc4986cc6cf8e621987c500e1e8fb65e8b1d478c7f69818b8c151a355357bee08bb2a9217660aaf75001111557c83dbbdc1fe8a41772a1a5edfb2c89741b3

Download Submit
C:\Windows\{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe

Filesize
380KB

MD5
e32e3952097f5214e4cadf39790a76a6

SHA1
f7010f3f8a0ece16d5482c45c836914d928885b7

SHA256
551380f66c152e72a5e9464ec8f5b3185346509a7791db3b2f2f4b242b62ea8e

SHA512
146dee6ce9e98cfbf1fd4d52f40bf4b870f2bc809ca0765550e0c127549239365ac1dfc553c1785235f9cd3a58157b085b08fe317557f17cc45e0a78aee08604

Download Submit
C:\Windows\{C5BBC99B-E488-4e6f-90DE-33CEE5FE3D0C}.exe

Filesize
380KB

MD5
e32e3952097f5214e4cadf39790a76a6

SHA1
f7010f3f8a0ece16d5482c45c836914d928885b7

SHA256
551380f66c152e72a5e9464ec8f5b3185346509a7791db3b2f2f4b242b62ea8e

SHA512
146dee6ce9e98cfbf1fd4d52f40bf4b870f2bc809ca0765550e0c127549239365ac1dfc553c1785235f9cd3a58157b085b08fe317557f17cc45e0a78aee08604

Download Submit
C:\Windows\{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe

Filesize
380KB

MD5
d5da4ceb5af3c8224230f505828c4ebd

SHA1
75be5c030915c79ff638b8a463cf0884b629d438

SHA256
ff93ca1610a8ea21baea06116c5a17a9ce25418dcb8c56649aa31a7b9181d174

SHA512
1bbfe1c7758aefe50172fdbd2e5289d4426bbf2ce74a3a73ec3bdc577d34cb9525f6989527de11e795e0425ab7405ac0176854ca0df8430969b171ae7469f6e0

Download Submit
C:\Windows\{C94CE705-9800-4df1-A5E3-3DC53CCAD7FF}.exe

Filesize
380KB

MD5
d5da4ceb5af3c8224230f505828c4ebd

SHA1
75be5c030915c79ff638b8a463cf0884b629d438

SHA256
ff93ca1610a8ea21baea06116c5a17a9ce25418dcb8c56649aa31a7b9181d174

SHA512
1bbfe1c7758aefe50172fdbd2e5289d4426bbf2ce74a3a73ec3bdc577d34cb9525f6989527de11e795e0425ab7405ac0176854ca0df8430969b171ae7469f6e0

Download Submit
C:\Windows\{D66EA952-2677-406a-927B-03426B42F71D}.exe

Filesize
380KB

MD5
2cbf836851f76421f44f3f716ea75988

SHA1
5f9dc19c4cbf1805c2c406e8ab3ee0fe1f3c846e

SHA256
cee3a9a488a318637e3e945f0022cdc8394906d837c07b3fd65c944579140cd7

SHA512
4ec7c7de5d1ca21bdcf26f44166b6a3ee0dcb467dab78bfcd23cd5dac08f999d7ea2be4255d4a8ab8b1f139c06ac06a34129329aecc1d0f9a0dc1e6aa69fae6d

Download Submit
C:\Windows\{E886CDD7-87DE-4a6b-BD70-36CCBE0D77C9}.exe

Filesize
380KB

MD5
92ec99eb9782d0d703d88d31b3c62d50

SHA1
d8dfee102ebb262780612b8003cd34c0d6b64694

SHA256
65ced1baf9626b8234c5695513b31be412610ed72fcea0a0f40eef2d082f8a4f

SHA512
bfb36e54c4ab135edb386f1648eebd0ce0b8f1479b1427703305a931a4cc067e6df7733515e20d7cdc4f0898a70cdbbc2aa219bab492cb74f0e361c65c8e47ff

Download Submit
C:\Windows\{E886CDD7-87DE-4a6b-BD70-36CCBE0D77C9}.exe

Filesize
380KB

MD5
92ec99eb9782d0d703d88d31b3c62d50

SHA1
d8dfee102ebb262780612b8003cd34c0d6b64694

SHA256
65ced1baf9626b8234c5695513b31be412610ed72fcea0a0f40eef2d082f8a4f

SHA512
bfb36e54c4ab135edb386f1648eebd0ce0b8f1479b1427703305a931a4cc067e6df7733515e20d7cdc4f0898a70cdbbc2aa219bab492cb74f0e361c65c8e47ff

Download Submit
C:\Windows\{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe

Filesize
380KB

MD5
19f7d5f8ebf1a4e211056ec7ffabf7c8

SHA1
befdbe174e2136ed8a1ad1bfbeb8653dfeb0ac4e

SHA256
2723640369fd42a3a866971f4c369a092c9a7c32694363bdd05ebdf457db0be3

SHA512
ab317a8643086bf4f2a9c8887724f7b2cbb95ea8df3184e736f0ad4e6f01abf969457fe79c42a40991b87db34c1a0719dd731171cc38f1038c09c7f9d5158138

Download Submit
C:\Windows\{FAD28389-0C7A-4c69-AE88-02A04F7F2435}.exe

Filesize
380KB

MD5
19f7d5f8ebf1a4e211056ec7ffabf7c8

SHA1
befdbe174e2136ed8a1ad1bfbeb8653dfeb0ac4e

SHA256
2723640369fd42a3a866971f4c369a092c9a7c32694363bdd05ebdf457db0be3

SHA512
ab317a8643086bf4f2a9c8887724f7b2cbb95ea8df3184e736f0ad4e6f01abf969457fe79c42a40991b87db34c1a0719dd731171cc38f1038c09c7f9d5158138

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads