bb5a4136908637a00bbdace4e90c5883e6f283891cafc998f14f886975ff08e9

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe
Size

344KB
MD5

8e52242e91a530a4021b0ca52aee479e
SHA1

cba7f3538c9151ca21515f7e141f251f2fcd1d86
SHA256

bb5a4136908637a00bbdace4e90c5883e6f283891cafc998f14f886975ff08e9
SHA512

553b7e42457dac8547343fa26c6fa2d97f6618c51718a9deeab13b4f9a13cebb04c9e77acb186b244d7f216740947fff2ff65583d72974f6bf636eeb7afe2946
SSDEEP

3072:mEGh0o/lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGNlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADF32651-50CC-42e5-908B-C23E220FC038}	{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADF32651-50CC-42e5-908B-C23E220FC038}\stubpath = "C:\\Windows\\{ADF32651-50CC-42e5-908B-C23E220FC038}.exe"	{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3192584F-17C9-42ba-B952-B716B45829A7}	{ADF32651-50CC-42e5-908B-C23E220FC038}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}	{3192584F-17C9-42ba-B952-B716B45829A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}\stubpath = "C:\\Windows\\{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe"	{3192584F-17C9-42ba-B952-B716B45829A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}	{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AEA721F-0306-426c-B4C3-8980B82206A0}\stubpath = "C:\\Windows\\{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe"	{5158BC65-5B7D-42d2-B058-941465C94536}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AC9B993-8355-489d-A1D7-8DF9915E7842}	{C2699594-2D32-46a5-A171-D988EFC49FF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E1F174A-3484-43ef-AAA0-6AA3A813B171}\stubpath = "C:\\Windows\\{3E1F174A-3484-43ef-AAA0-6AA3A813B171}.exe"	{4AC9B993-8355-489d-A1D7-8DF9915E7842}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E7B2B14-BA2A-458c-90CE-69163DBC842B}	2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E7B2B14-BA2A-458c-90CE-69163DBC842B}\stubpath = "C:\\Windows\\{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe"	2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3192584F-17C9-42ba-B952-B716B45829A7}\stubpath = "C:\\Windows\\{3192584F-17C9-42ba-B952-B716B45829A7}.exe"	{ADF32651-50CC-42e5-908B-C23E220FC038}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AEA721F-0306-426c-B4C3-8980B82206A0}	{5158BC65-5B7D-42d2-B058-941465C94536}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2699594-2D32-46a5-A171-D988EFC49FF2}\stubpath = "C:\\Windows\\{C2699594-2D32-46a5-A171-D988EFC49FF2}.exe"	{521BE15B-689D-45c7-9BE2-7129F1392936}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AC9B993-8355-489d-A1D7-8DF9915E7842}\stubpath = "C:\\Windows\\{4AC9B993-8355-489d-A1D7-8DF9915E7842}.exe"	{C2699594-2D32-46a5-A171-D988EFC49FF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}\stubpath = "C:\\Windows\\{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe"	{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{521BE15B-689D-45c7-9BE2-7129F1392936}	{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{521BE15B-689D-45c7-9BE2-7129F1392936}\stubpath = "C:\\Windows\\{521BE15B-689D-45c7-9BE2-7129F1392936}.exe"	{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2699594-2D32-46a5-A171-D988EFC49FF2}	{521BE15B-689D-45c7-9BE2-7129F1392936}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E1F174A-3484-43ef-AAA0-6AA3A813B171}	{4AC9B993-8355-489d-A1D7-8DF9915E7842}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5158BC65-5B7D-42d2-B058-941465C94536}	{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5158BC65-5B7D-42d2-B058-941465C94536}\stubpath = "C:\\Windows\\{5158BC65-5B7D-42d2-B058-941465C94536}.exe"	{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe

Deletes itself 1 IoCs

pid	Process
2716	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1120	{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe
2840	{ADF32651-50CC-42e5-908B-C23E220FC038}.exe
1772	{3192584F-17C9-42ba-B952-B716B45829A7}.exe
648	{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe
3056	{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe
1736	{5158BC65-5B7D-42d2-B058-941465C94536}.exe
2892	{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe
1488	{521BE15B-689D-45c7-9BE2-7129F1392936}.exe
1580	{C2699594-2D32-46a5-A171-D988EFC49FF2}.exe
1716	{4AC9B993-8355-489d-A1D7-8DF9915E7842}.exe
2080	{3E1F174A-3484-43ef-AAA0-6AA3A813B171}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{ADF32651-50CC-42e5-908B-C23E220FC038}.exe	{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe
File created	C:\Windows\{3192584F-17C9-42ba-B952-B716B45829A7}.exe	{ADF32651-50CC-42e5-908B-C23E220FC038}.exe
File created	C:\Windows\{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe	{3192584F-17C9-42ba-B952-B716B45829A7}.exe
File created	C:\Windows\{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe	{5158BC65-5B7D-42d2-B058-941465C94536}.exe
File created	C:\Windows\{C2699594-2D32-46a5-A171-D988EFC49FF2}.exe	{521BE15B-689D-45c7-9BE2-7129F1392936}.exe
File created	C:\Windows\{3E1F174A-3484-43ef-AAA0-6AA3A813B171}.exe	{4AC9B993-8355-489d-A1D7-8DF9915E7842}.exe
File created	C:\Windows\{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe	2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe
File created	C:\Windows\{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe	{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe
File created	C:\Windows\{5158BC65-5B7D-42d2-B058-941465C94536}.exe	{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe
File created	C:\Windows\{521BE15B-689D-45c7-9BE2-7129F1392936}.exe	{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe
File created	C:\Windows\{4AC9B993-8355-489d-A1D7-8DF9915E7842}.exe	{C2699594-2D32-46a5-A171-D988EFC49FF2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2212	2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1120	{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe
Token: SeIncBasePriorityPrivilege	2840	{ADF32651-50CC-42e5-908B-C23E220FC038}.exe
Token: SeIncBasePriorityPrivilege	1772	{3192584F-17C9-42ba-B952-B716B45829A7}.exe
Token: SeIncBasePriorityPrivilege	648	{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe
Token: SeIncBasePriorityPrivilege	3056	{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe
Token: SeIncBasePriorityPrivilege	1736	{5158BC65-5B7D-42d2-B058-941465C94536}.exe
Token: SeIncBasePriorityPrivilege	2892	{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe
Token: SeIncBasePriorityPrivilege	1488	{521BE15B-689D-45c7-9BE2-7129F1392936}.exe
Token: SeIncBasePriorityPrivilege	1580	{C2699594-2D32-46a5-A171-D988EFC49FF2}.exe
Token: SeIncBasePriorityPrivilege	1716	{4AC9B993-8355-489d-A1D7-8DF9915E7842}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1120	2212	2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe	29
PID 2212 wrote to memory of 1120	2212	2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe	29
PID 2212 wrote to memory of 1120	2212	2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe	29
PID 2212 wrote to memory of 1120	2212	2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe	29
PID 2212 wrote to memory of 2716	2212	2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe	28
PID 2212 wrote to memory of 2716	2212	2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe	28
PID 2212 wrote to memory of 2716	2212	2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe	28
PID 2212 wrote to memory of 2716	2212	2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe	28
PID 1120 wrote to memory of 2840	1120	{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe	31
PID 1120 wrote to memory of 2840	1120	{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe	31
PID 1120 wrote to memory of 2840	1120	{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe	31
PID 1120 wrote to memory of 2840	1120	{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe	31
PID 1120 wrote to memory of 1076	1120	{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe	30
PID 1120 wrote to memory of 1076	1120	{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe	30
PID 1120 wrote to memory of 1076	1120	{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe	30
PID 1120 wrote to memory of 1076	1120	{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe	30
PID 2840 wrote to memory of 1772	2840	{ADF32651-50CC-42e5-908B-C23E220FC038}.exe	35
PID 2840 wrote to memory of 1772	2840	{ADF32651-50CC-42e5-908B-C23E220FC038}.exe	35
PID 2840 wrote to memory of 1772	2840	{ADF32651-50CC-42e5-908B-C23E220FC038}.exe	35
PID 2840 wrote to memory of 1772	2840	{ADF32651-50CC-42e5-908B-C23E220FC038}.exe	35
PID 2840 wrote to memory of 456	2840	{ADF32651-50CC-42e5-908B-C23E220FC038}.exe	34
PID 2840 wrote to memory of 456	2840	{ADF32651-50CC-42e5-908B-C23E220FC038}.exe	34
PID 2840 wrote to memory of 456	2840	{ADF32651-50CC-42e5-908B-C23E220FC038}.exe	34
PID 2840 wrote to memory of 456	2840	{ADF32651-50CC-42e5-908B-C23E220FC038}.exe	34
PID 1772 wrote to memory of 648	1772	{3192584F-17C9-42ba-B952-B716B45829A7}.exe	37
PID 1772 wrote to memory of 648	1772	{3192584F-17C9-42ba-B952-B716B45829A7}.exe	37
PID 1772 wrote to memory of 648	1772	{3192584F-17C9-42ba-B952-B716B45829A7}.exe	37
PID 1772 wrote to memory of 648	1772	{3192584F-17C9-42ba-B952-B716B45829A7}.exe	37
PID 1772 wrote to memory of 2984	1772	{3192584F-17C9-42ba-B952-B716B45829A7}.exe	36
PID 1772 wrote to memory of 2984	1772	{3192584F-17C9-42ba-B952-B716B45829A7}.exe	36
PID 1772 wrote to memory of 2984	1772	{3192584F-17C9-42ba-B952-B716B45829A7}.exe	36
PID 1772 wrote to memory of 2984	1772	{3192584F-17C9-42ba-B952-B716B45829A7}.exe	36
PID 648 wrote to memory of 3056	648	{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe	38
PID 648 wrote to memory of 3056	648	{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe	38
PID 648 wrote to memory of 3056	648	{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe	38
PID 648 wrote to memory of 3056	648	{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe	38
PID 648 wrote to memory of 1704	648	{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe	39
PID 648 wrote to memory of 1704	648	{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe	39
PID 648 wrote to memory of 1704	648	{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe	39
PID 648 wrote to memory of 1704	648	{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe	39
PID 3056 wrote to memory of 1736	3056	{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe	40
PID 3056 wrote to memory of 1736	3056	{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe	40
PID 3056 wrote to memory of 1736	3056	{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe	40
PID 3056 wrote to memory of 1736	3056	{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe	40
PID 3056 wrote to memory of 2896	3056	{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe	41
PID 3056 wrote to memory of 2896	3056	{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe	41
PID 3056 wrote to memory of 2896	3056	{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe	41
PID 3056 wrote to memory of 2896	3056	{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe	41
PID 1736 wrote to memory of 2892	1736	{5158BC65-5B7D-42d2-B058-941465C94536}.exe	43
PID 1736 wrote to memory of 2892	1736	{5158BC65-5B7D-42d2-B058-941465C94536}.exe	43
PID 1736 wrote to memory of 2892	1736	{5158BC65-5B7D-42d2-B058-941465C94536}.exe	43
PID 1736 wrote to memory of 2892	1736	{5158BC65-5B7D-42d2-B058-941465C94536}.exe	43
PID 1736 wrote to memory of 2656	1736	{5158BC65-5B7D-42d2-B058-941465C94536}.exe	42
PID 1736 wrote to memory of 2656	1736	{5158BC65-5B7D-42d2-B058-941465C94536}.exe	42
PID 1736 wrote to memory of 2656	1736	{5158BC65-5B7D-42d2-B058-941465C94536}.exe	42
PID 1736 wrote to memory of 2656	1736	{5158BC65-5B7D-42d2-B058-941465C94536}.exe	42
PID 2892 wrote to memory of 1488	2892	{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe	44
PID 2892 wrote to memory of 1488	2892	{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe	44
PID 2892 wrote to memory of 1488	2892	{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe	44
PID 2892 wrote to memory of 1488	2892	{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe	44
PID 2892 wrote to memory of 1104	2892	{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe	45
PID 2892 wrote to memory of 1104	2892	{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe	45
PID 2892 wrote to memory of 1104	2892	{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe	45
PID 2892 wrote to memory of 1104	2892	{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_8e52242e91a530a4021b0ca52aee479e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2716
- C:\Windows\{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe
  C:\Windows\{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E7B2~1.EXE > nul
    3⤵
    PID:1076
- - C:\Windows\{ADF32651-50CC-42e5-908B-C23E220FC038}.exe
    C:\Windows\{ADF32651-50CC-42e5-908B-C23E220FC038}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ADF32~1.EXE > nul
      4⤵
      PID:456
  - - C:\Windows\{3192584F-17C9-42ba-B952-B716B45829A7}.exe
      C:\Windows\{3192584F-17C9-42ba-B952-B716B45829A7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31925~1.EXE > nul
        5⤵
        
        PID:2984
    - - C:\Windows\{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe
        
        C:\Windows\{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:648
      - C:\Windows\{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe
        
        C:\Windows\{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\{5158BC65-5B7D-42d2-B058-941465C94536}.exe
        
        C:\Windows\{5158BC65-5B7D-42d2-B058-941465C94536}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5158B~1.EXE > nul
        8⤵
        
        PID:2656
        
        C:\Windows\{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe
        
        C:\Windows\{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\{521BE15B-689D-45c7-9BE2-7129F1392936}.exe
        
        C:\Windows\{521BE15B-689D-45c7-9BE2-7129F1392936}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{521BE~1.EXE > nul
        10⤵
        
        PID:1644
        
        C:\Windows\{C2699594-2D32-46a5-A171-D988EFC49FF2}.exe
        
        C:\Windows\{C2699594-2D32-46a5-A171-D988EFC49FF2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2699~1.EXE > nul
        11⤵
        
        PID:2536
        
        C:\Windows\{4AC9B993-8355-489d-A1D7-8DF9915E7842}.exe
        
        C:\Windows\{4AC9B993-8355-489d-A1D7-8DF9915E7842}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC9B~1.EXE > nul
        12⤵
        
        PID:1808
        
        C:\Windows\{3E1F174A-3484-43ef-AAA0-6AA3A813B171}.exe
        
        C:\Windows\{3E1F174A-3484-43ef-AAA0-6AA3A813B171}.exe
        12⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AEA7~1.EXE > nul
        9⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AE7D~1.EXE > nul
        7⤵
        
        PID:2896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E5A2~1.EXE > nul
        6⤵
        
        PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe

Filesize
344KB

MD5
837d480d4a40c45140d020075c3dd99a

SHA1
63c9338b46df65dc2a9507f45621d7a9cc0df3d5

SHA256
2eedf6741cf74ac79c9684b925364d3cb4c62bce88a7a45f676a87ed5afa7c87

SHA512
24ccb56e6fcc59bc622b3bd7fd6bff89a878017aa436a2cb99dbed5bc691a2020396ab944f0d5cbb7fdfe96e2e146501dba659aeadc05422cba0feb2a916c717

Download Submit
C:\Windows\{0AE7D4A0-B762-4b00-A8FF-ED384782DD73}.exe

Filesize
184KB

MD5
86f19fbea42bd1b655b07c4926639b70

SHA1
6d7ddefbaf5786cd4a9b7c4e4da0687ddc7f02f7

SHA256
788f3382ebda825177ff86aaab3e2780cfb02b13a44e3470a9087a18fcf33c59

SHA512
95d5c4bcbcc6d95c3f5d948fd636ce89c64d2cbe4fcd1e4f024fe8ddf2a7293c0d99fa2c7e5822cda3e9ab66cd81f91aa2b128f2654cc9e084502382a4dfb563

Download Submit
C:\Windows\{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe

Filesize
193KB

MD5
9b498a73507fde26338c0ba438cd3bce

SHA1
e4038eedb9b4bd7bf823bf03379f7ff6676c6285

SHA256
c558ea98b8422b14396ad306b88431e9798e6d997d28ecf26a45c71b4541f645

SHA512
993178a9b112a5cd83a774b4b74950cd3f5545d7f6c8594287c80e1cd88d2d105b7d7bc61aa83ed35e3be8beec5ef6d85370ba97a6cdb3a0a60681b0fd3793c9

Download Submit
C:\Windows\{0E5A2770-F3BB-4f1b-914D-8D43394F7BE5}.exe

Filesize
132KB

MD5
2ab994d96a85b2cf99829807e038ab89

SHA1
068a80ba2e344df7ee1a44a47d5872d024e5a83d

SHA256
342300a076322b9d026501a92d75276470c506b83df06c89e5110c7174817a8d

SHA512
fd890791f1993552530202f3b6b3a23c26239d7edd2f08b0d2260db62a20a73fb314e58c7018fd9312efe3fcf9b9a656ef2a2e049656d3440cdd0681e2048d60

Download Submit
C:\Windows\{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe

Filesize
344KB

MD5
931775a85650a243cd04db2497940001

SHA1
8cd6717047a8eefd69c464c0e4e35712e13a5810

SHA256
2873d363c65a88217ef4380a60fddb62f5638d80d10bae3fcf7cdd973f781248

SHA512
1209235b70a92473bab161e6f778b2e37349703cd0248fb237ba880d30298cd453a14f34bd59fe21c33cfa70d59f7e2da9c602fda70bacfa57e10b28ded2accc

Download Submit
C:\Windows\{2AEA721F-0306-426c-B4C3-8980B82206A0}.exe

Filesize
38KB

MD5
8539368ea74b60c7d3609161f512dc0b

SHA1
437f0a9e28702131fb66bd68d53e493e0941acfe

SHA256
d935739bdf21005ce137a67c011dcf443f2ab83821e619ce52ebd5c55503ed76

SHA512
f07a917812c898d78184f6191b75c51d700bc5327e762f4750256bb81a9dba4eb966a1593ad10bf173b14718765f434d5e57d9386a96f76d6965fc4315f5afa1

Download Submit
C:\Windows\{3192584F-17C9-42ba-B952-B716B45829A7}.exe

Filesize
217KB

MD5
0b36c4ae476812ab656c89101a17b07f

SHA1
a7ea7d1d8aaa99c0de505dcdde588c5b5b9687de

SHA256
2c3cd1de8e044ca6f7c3ce70c0ae73f0c7e0f2302e043dfe38ab631d43e9ae7b

SHA512
641e180ad2dc348d7b1bf91c7a00086356570c4c2a22e5a9c0a05f9e5452019b94d33dd8457a16bedb66d37d883608d4ea3fe912be7103910f1f1b6399921beb

Download Submit
C:\Windows\{3192584F-17C9-42ba-B952-B716B45829A7}.exe

Filesize
344KB

MD5
35e52c392b9aa5a1d2735732ecaa11a1

SHA1
ebb29a9462dcac254ca743b24d145083811e7c26

SHA256
7c1bff360dcb2965925881c633db1165e03dae9bf72f54f460869d5cd85362f2

SHA512
52eae50b142d57f83317e27ce0a941a4a0b057da77d89175b7f942fcf688f25a9de6245e223079ea2be48e513e3d6e5be28b57146bab27821e2a60bdbd0ea0e6

Download Submit
C:\Windows\{3E1F174A-3484-43ef-AAA0-6AA3A813B171}.exe

Filesize
130KB

MD5
46188eb34b779eb2f9c3eca8f1d821bc

SHA1
87e8442b8e8c2f487f6f63e11d676e1d11eefaed

SHA256
1953f53b6bda619bc2bdd03fb6b511f1e1d9d26b0cbff5136bb3a1edf2f20369

SHA512
1d98d4c1277cecd5cbfe57eab47bee4f92d86fd443f7aa1cb30233e829f33ce7cc0a75122a4545addffde5728e34fd87967b9b282032b5eefbfbe9ad5c97879b

Download Submit
C:\Windows\{4AC9B993-8355-489d-A1D7-8DF9915E7842}.exe

Filesize
252KB

MD5
0d5fdc3ada7d2eb991ade11889aa7634

SHA1
4c87cf025793c0b7f60ea360302915e1152f6783

SHA256
d1b35abde000eab10d6ce5a3256a6b478ddfa36d026603896e6168524ed90223

SHA512
0f518486b8f74182bb83385b6b5b92f085154d5058bd19d49005186dd5733187d21b21388f689671564bfb71fc4c9edb3c260704918d6414cdb4d1726cac7255

Download Submit
C:\Windows\{4AC9B993-8355-489d-A1D7-8DF9915E7842}.exe

Filesize
62KB

MD5
3961e2d937e25c48d0e4196b207e1b83

SHA1
a7dcd55336ad534f9318b2179f466036c3470c4b

SHA256
96333aa61bb2d76fd710cd956976914d2a23531dd48fef0d56ffd5099bef3049

SHA512
b19130b234030ccb5f517f8ba7f7721429b9d3d79ccd05f4cbac9e10549e121ff9f1804d1f1cb8f3db90275ae69dec9609cf79636b6952323e64aadb61105fd9

Download Submit
C:\Windows\{5158BC65-5B7D-42d2-B058-941465C94536}.exe

Filesize
238KB

MD5
2216f959f3b03bdd881a492b54a3205e

SHA1
c39e8310c90e4c02a8fa62e72e8e50009f03d753

SHA256
7968a183337cfc092f966b564e12b21dd2c15b1364fb01bf5b0ca905c49dc460

SHA512
cfbbbd85843cb9440b12aa03daefcc7ce8c2d8c2a788a188df1009675f6da03f17fe6e4a197bcd4a618fc85b9b1368fd81fd8b92b9a2a820bb4a1b728b3e06e7

Download Submit
C:\Windows\{5158BC65-5B7D-42d2-B058-941465C94536}.exe

Filesize
344KB

MD5
a9db33ab719a17ee7cd138e41e56442f

SHA1
b5ecdecd3380be60f4771e171cceed5e3f8f92b4

SHA256
f86f086be6a14709d0e574eb48464e6170206d7520fa3dc7f5342bc6a183925e

SHA512
b9b4640430a776b988968a10c37c4e7089b206177a93eccac3026c21c117d08294c2c99a585392b5d9d836ecd7d3d68812acfec2fab56075dbe88cefb531ae64

Download Submit
C:\Windows\{521BE15B-689D-45c7-9BE2-7129F1392936}.exe

Filesize
60KB

MD5
23050ab8b4f0895de64a2b62b48db4d3

SHA1
dceb324b41fdf7396d76418e6fee5ef5f2f003a7

SHA256
e0300ef274c379df8031cbb65e49d74a84bbc1a77e774e6575e897762c076da1

SHA512
e8a35b11db7bd144842b6f92ba308124fee822465b39a2204dc3baf14b9d00c38b90ade4edae9f0e2e542862f53a97087cf9ebae23a7028cf8d6ecf6f8000b01

Download Submit
C:\Windows\{521BE15B-689D-45c7-9BE2-7129F1392936}.exe

Filesize
45KB

MD5
14ed4b756750db6c16f69c3fffe960e5

SHA1
765fde926ba51a7d94c1a2f8af60b92d2dc15531

SHA256
46fbc70020fa242d96b2e87afc794cbbd5efa448fbbe46bdbc77297d527c6ec5

SHA512
550cd21149e9f0571356bf29dc5dbcd7e9b6c2c02bb650ce3ee4fdabbc0b9cd4da8700f28f508859ece514b852fe3232c6ac11f881ab735d77bd7f9ff53d68cb

Download Submit
C:\Windows\{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe

Filesize
1KB

MD5
0469c37c06779c374b10516f746e54cd

SHA1
a554cdfb5bfe2fdbef5626dff44175a0a14c9aa7

SHA256
42a50b9c0cdee18b6513ca0684fe36d5108fee23b4202466ba22f5312f2c43b5

SHA512
8116e597ca3fc7d7b801424a1b37533ade4fbe62b33f7045e6eaeb6b03275c7e981498b4e237230262e157aed9d257faadb6ba1586191f0ebb8d87f292cf4ce0

Download Submit
C:\Windows\{6E7B2B14-BA2A-458c-90CE-69163DBC842B}.exe

Filesize
10KB

MD5
940cffdf0241c09e6db1fe5deef3e867

SHA1
8c1e053023dde4ca4c7fba13c4e7300ab3569170

SHA256
2b1a156d9cbb7a5d0a80a3e50fdcebc17d74713801e2fcf984e389682608b914

SHA512
9e3b8c9a8191e1f442d52e4ddac27f1b32a7c229a0e4d94fb90590cd01545b48980fe99701474440bb83d44325d57dbf53a3a199ddd049ab155a53fc8cbf8e08

Download Submit
C:\Windows\{ADF32651-50CC-42e5-908B-C23E220FC038}.exe

Filesize
21KB

MD5
c6dc570b3fb7c300bec5040800ab092e

SHA1
b1715a52d9b96583e2142da61dc8adf4e4886fa8

SHA256
7a71de86000aaa58495efb669ff1bf3c12ba5b78cf186652734bb2fedf02edad

SHA512
3eee933d63e846aeb43ef0c6b830a2e495251f7f6425855ef7ad05e6ba5fb9483c99071a749b2cd350d15a54f37afee34353b8175ec4647e1a7e19dfa61d431b

Download Submit
C:\Windows\{ADF32651-50CC-42e5-908B-C23E220FC038}.exe

Filesize
194KB

MD5
cc95b2c334ffd59693a934a8a08cdabd

SHA1
a2b600ed4b8e4e8fc7ad6a6e0bb8f6a53037426f

SHA256
8c999ddd305e8a2f2d7808e8abfb9da8eb085ac12add8c3c899b85aebd5dcda3

SHA512
b7d70cbf5d783e1d3d6598d7d2348c71140614fb51afba50cc1675f06a0d6e934845e30ab77f7701aa9fd16a0dba8974bf4a40a7a13b45b00379228b7d6f85f0

Download Submit
C:\Windows\{C2699594-2D32-46a5-A171-D988EFC49FF2}.exe

Filesize
98KB

MD5
2fbccbbd4b6ad45e437d25cadef6d7cb

SHA1
d2fc202d603081652f09e52148c8f1cca9756d51

SHA256
8a59ff0cfe15950c996418fe83411d6847c6d5f85afce66923a5f752abc80130

SHA512
b02a42fb63562547226f98123b8ed813d23c68fb52097f0d35ffb303544ffba450ab18bb6534a41306d9c73691b69688abafc24f58508c792cf31e84bd52e5dd

Download Submit
C:\Windows\{C2699594-2D32-46a5-A171-D988EFC49FF2}.exe

Filesize
159KB

MD5
282e63604bf37ec8e89e5f6555cc35e2

SHA1
fe611ac8ec46edd6d6d02e6c7dddef3c74b4edcf

SHA256
78fc19edb9bf7953d1a81af8badd7ae58464e772787550e9f38400209ebf9ab4

SHA512
f98d9d875f4be5a978d02862db8d3416b7896505e04f772b98d211c1c35bd9ae875a418a708f21a5179d14974d6065df4e2293795836a3eae487871b963baaac

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads