1660a6cb50ecf578b9340e39efa8fd2386051a347ed8eccff741db816a67df9b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/08/2023, 15:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe
Size

372KB
MD5

14d1deed6a7b93ea5daad69d30858fe5
SHA1

571e6fd0e11dfc4f4707c9884628293f705c0f03
SHA256

1660a6cb50ecf578b9340e39efa8fd2386051a347ed8eccff741db816a67df9b
SHA512

ca9bd242de61ebd43b9db45e8dd4e411e55c658baa14fe802d96ca0d7df4f7c2976c3a0830db9409ed90d5b92b7a0e8097bd79ef5ba95f65e184966eb79b21d9
SSDEEP

3072:CEGh0ohmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGul/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A2635E3-E1AE-4f1d-B275-BDF1E89C1EB0}	{D5C60830-F35A-49a8-83DE-148D8C95D835}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}	{D4630094-540A-418a-B919-B1362D86B773}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E46D01-1054-49a4-9AD4-28B259D23CB0}	{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}\stubpath = "C:\\Windows\\{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe"	{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F01FC3F4-94D7-4725-9131-F5361A512103}\stubpath = "C:\\Windows\\{F01FC3F4-94D7-4725-9131-F5361A512103}.exe"	{09708528-CBBB-4466-909F-69F91DDBD597}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5C60830-F35A-49a8-83DE-148D8C95D835}\stubpath = "C:\\Windows\\{D5C60830-F35A-49a8-83DE-148D8C95D835}.exe"	{2D3D35B4-A249-4834-8765-0D100C20B847}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{823ABAB0-629D-475e-ACBA-AB56499004E6}	{6A2635E3-E1AE-4f1d-B275-BDF1E89C1EB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{823ABAB0-629D-475e-ACBA-AB56499004E6}\stubpath = "C:\\Windows\\{823ABAB0-629D-475e-ACBA-AB56499004E6}.exe"	{6A2635E3-E1AE-4f1d-B275-BDF1E89C1EB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4630094-540A-418a-B919-B1362D86B773}\stubpath = "C:\\Windows\\{D4630094-540A-418a-B919-B1362D86B773}.exe"	14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E46D01-1054-49a4-9AD4-28B259D23CB0}\stubpath = "C:\\Windows\\{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe"	{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}	{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5C60830-F35A-49a8-83DE-148D8C95D835}	{2D3D35B4-A249-4834-8765-0D100C20B847}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A2635E3-E1AE-4f1d-B275-BDF1E89C1EB0}\stubpath = "C:\\Windows\\{6A2635E3-E1AE-4f1d-B275-BDF1E89C1EB0}.exe"	{D5C60830-F35A-49a8-83DE-148D8C95D835}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4630094-540A-418a-B919-B1362D86B773}	14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}	{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}\stubpath = "C:\\Windows\\{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe"	{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D3D35B4-A249-4834-8765-0D100C20B847}	{F01FC3F4-94D7-4725-9131-F5361A512103}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}\stubpath = "C:\\Windows\\{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe"	{D4630094-540A-418a-B919-B1362D86B773}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09708528-CBBB-4466-909F-69F91DDBD597}	{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09708528-CBBB-4466-909F-69F91DDBD597}\stubpath = "C:\\Windows\\{09708528-CBBB-4466-909F-69F91DDBD597}.exe"	{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F01FC3F4-94D7-4725-9131-F5361A512103}	{09708528-CBBB-4466-909F-69F91DDBD597}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D3D35B4-A249-4834-8765-0D100C20B847}\stubpath = "C:\\Windows\\{2D3D35B4-A249-4834-8765-0D100C20B847}.exe"	{F01FC3F4-94D7-4725-9131-F5361A512103}.exe

Deletes itself 1 IoCs

pid	Process
2416	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2588	{D4630094-540A-418a-B919-B1362D86B773}.exe
2024	{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe
2112	{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe
2820	{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe
2528	{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe
2704	{09708528-CBBB-4466-909F-69F91DDBD597}.exe
2776	{F01FC3F4-94D7-4725-9131-F5361A512103}.exe
1912	{2D3D35B4-A249-4834-8765-0D100C20B847}.exe
380	{D5C60830-F35A-49a8-83DE-148D8C95D835}.exe
1644	{6A2635E3-E1AE-4f1d-B275-BDF1E89C1EB0}.exe
916	{823ABAB0-629D-475e-ACBA-AB56499004E6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D4630094-540A-418a-B919-B1362D86B773}.exe	14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe
File created	C:\Windows\{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe	{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe
File created	C:\Windows\{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe	{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe
File created	C:\Windows\{09708528-CBBB-4466-909F-69F91DDBD597}.exe	{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe
File created	C:\Windows\{2D3D35B4-A249-4834-8765-0D100C20B847}.exe	{F01FC3F4-94D7-4725-9131-F5361A512103}.exe
File created	C:\Windows\{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe	{D4630094-540A-418a-B919-B1362D86B773}.exe
File created	C:\Windows\{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe	{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe
File created	C:\Windows\{F01FC3F4-94D7-4725-9131-F5361A512103}.exe	{09708528-CBBB-4466-909F-69F91DDBD597}.exe
File created	C:\Windows\{D5C60830-F35A-49a8-83DE-148D8C95D835}.exe	{2D3D35B4-A249-4834-8765-0D100C20B847}.exe
File created	C:\Windows\{6A2635E3-E1AE-4f1d-B275-BDF1E89C1EB0}.exe	{D5C60830-F35A-49a8-83DE-148D8C95D835}.exe
File created	C:\Windows\{823ABAB0-629D-475e-ACBA-AB56499004E6}.exe	{6A2635E3-E1AE-4f1d-B275-BDF1E89C1EB0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2124	14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2588	{D4630094-540A-418a-B919-B1362D86B773}.exe
Token: SeIncBasePriorityPrivilege	2024	{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe
Token: SeIncBasePriorityPrivilege	2112	{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe
Token: SeIncBasePriorityPrivilege	2820	{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe
Token: SeIncBasePriorityPrivilege	2528	{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe
Token: SeIncBasePriorityPrivilege	2704	{09708528-CBBB-4466-909F-69F91DDBD597}.exe
Token: SeIncBasePriorityPrivilege	2776	{F01FC3F4-94D7-4725-9131-F5361A512103}.exe
Token: SeIncBasePriorityPrivilege	1912	{2D3D35B4-A249-4834-8765-0D100C20B847}.exe
Token: SeIncBasePriorityPrivilege	380	{D5C60830-F35A-49a8-83DE-148D8C95D835}.exe
Token: SeIncBasePriorityPrivilege	1644	{6A2635E3-E1AE-4f1d-B275-BDF1E89C1EB0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2588	2124	14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe	28
PID 2124 wrote to memory of 2588	2124	14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe	28
PID 2124 wrote to memory of 2588	2124	14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe	28
PID 2124 wrote to memory of 2588	2124	14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe	28
PID 2124 wrote to memory of 2416	2124	14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe	29
PID 2124 wrote to memory of 2416	2124	14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe	29
PID 2124 wrote to memory of 2416	2124	14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe	29
PID 2124 wrote to memory of 2416	2124	14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe	29
PID 2588 wrote to memory of 2024	2588	{D4630094-540A-418a-B919-B1362D86B773}.exe	30
PID 2588 wrote to memory of 2024	2588	{D4630094-540A-418a-B919-B1362D86B773}.exe	30
PID 2588 wrote to memory of 2024	2588	{D4630094-540A-418a-B919-B1362D86B773}.exe	30
PID 2588 wrote to memory of 2024	2588	{D4630094-540A-418a-B919-B1362D86B773}.exe	30
PID 2588 wrote to memory of 2796	2588	{D4630094-540A-418a-B919-B1362D86B773}.exe	31
PID 2588 wrote to memory of 2796	2588	{D4630094-540A-418a-B919-B1362D86B773}.exe	31
PID 2588 wrote to memory of 2796	2588	{D4630094-540A-418a-B919-B1362D86B773}.exe	31
PID 2588 wrote to memory of 2796	2588	{D4630094-540A-418a-B919-B1362D86B773}.exe	31
PID 2024 wrote to memory of 2112	2024	{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe	34
PID 2024 wrote to memory of 2112	2024	{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe	34
PID 2024 wrote to memory of 2112	2024	{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe	34
PID 2024 wrote to memory of 2112	2024	{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe	34
PID 2024 wrote to memory of 2556	2024	{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe	35
PID 2024 wrote to memory of 2556	2024	{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe	35
PID 2024 wrote to memory of 2556	2024	{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe	35
PID 2024 wrote to memory of 2556	2024	{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe	35
PID 2112 wrote to memory of 2820	2112	{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe	36
PID 2112 wrote to memory of 2820	2112	{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe	36
PID 2112 wrote to memory of 2820	2112	{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe	36
PID 2112 wrote to memory of 2820	2112	{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe	36
PID 2112 wrote to memory of 2732	2112	{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe	37
PID 2112 wrote to memory of 2732	2112	{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe	37
PID 2112 wrote to memory of 2732	2112	{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe	37
PID 2112 wrote to memory of 2732	2112	{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe	37
PID 2820 wrote to memory of 2528	2820	{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe	38
PID 2820 wrote to memory of 2528	2820	{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe	38
PID 2820 wrote to memory of 2528	2820	{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe	38
PID 2820 wrote to memory of 2528	2820	{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe	38
PID 2820 wrote to memory of 2840	2820	{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe	39
PID 2820 wrote to memory of 2840	2820	{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe	39
PID 2820 wrote to memory of 2840	2820	{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe	39
PID 2820 wrote to memory of 2840	2820	{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe	39
PID 2528 wrote to memory of 2704	2528	{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe	40
PID 2528 wrote to memory of 2704	2528	{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe	40
PID 2528 wrote to memory of 2704	2528	{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe	40
PID 2528 wrote to memory of 2704	2528	{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe	40
PID 2528 wrote to memory of 2736	2528	{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe	41
PID 2528 wrote to memory of 2736	2528	{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe	41
PID 2528 wrote to memory of 2736	2528	{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe	41
PID 2528 wrote to memory of 2736	2528	{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe	41
PID 2704 wrote to memory of 2776	2704	{09708528-CBBB-4466-909F-69F91DDBD597}.exe	42
PID 2704 wrote to memory of 2776	2704	{09708528-CBBB-4466-909F-69F91DDBD597}.exe	42
PID 2704 wrote to memory of 2776	2704	{09708528-CBBB-4466-909F-69F91DDBD597}.exe	42
PID 2704 wrote to memory of 2776	2704	{09708528-CBBB-4466-909F-69F91DDBD597}.exe	42
PID 2704 wrote to memory of 1332	2704	{09708528-CBBB-4466-909F-69F91DDBD597}.exe	43
PID 2704 wrote to memory of 1332	2704	{09708528-CBBB-4466-909F-69F91DDBD597}.exe	43
PID 2704 wrote to memory of 1332	2704	{09708528-CBBB-4466-909F-69F91DDBD597}.exe	43
PID 2704 wrote to memory of 1332	2704	{09708528-CBBB-4466-909F-69F91DDBD597}.exe	43
PID 2776 wrote to memory of 1912	2776	{F01FC3F4-94D7-4725-9131-F5361A512103}.exe	44
PID 2776 wrote to memory of 1912	2776	{F01FC3F4-94D7-4725-9131-F5361A512103}.exe	44
PID 2776 wrote to memory of 1912	2776	{F01FC3F4-94D7-4725-9131-F5361A512103}.exe	44
PID 2776 wrote to memory of 1912	2776	{F01FC3F4-94D7-4725-9131-F5361A512103}.exe	44
PID 2776 wrote to memory of 532	2776	{F01FC3F4-94D7-4725-9131-F5361A512103}.exe	45
PID 2776 wrote to memory of 532	2776	{F01FC3F4-94D7-4725-9131-F5361A512103}.exe	45
PID 2776 wrote to memory of 532	2776	{F01FC3F4-94D7-4725-9131-F5361A512103}.exe	45
PID 2776 wrote to memory of 532	2776	{F01FC3F4-94D7-4725-9131-F5361A512103}.exe	45

C:\Users\Admin\AppData\Local\Temp\14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\14d1deed6a7b93ea5daad69d30858fe5_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\{D4630094-540A-418a-B919-B1362D86B773}.exe
  C:\Windows\{D4630094-540A-418a-B919-B1362D86B773}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe
    C:\Windows\{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe
      C:\Windows\{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe
        
        C:\Windows\{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe
        
        C:\Windows\{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{09708528-CBBB-4466-909F-69F91DDBD597}.exe
        
        C:\Windows\{09708528-CBBB-4466-909F-69F91DDBD597}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{F01FC3F4-94D7-4725-9131-F5361A512103}.exe
        
        C:\Windows\{F01FC3F4-94D7-4725-9131-F5361A512103}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{2D3D35B4-A249-4834-8765-0D100C20B847}.exe
        
        C:\Windows\{2D3D35B4-A249-4834-8765-0D100C20B847}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\{D5C60830-F35A-49a8-83DE-148D8C95D835}.exe
        
        C:\Windows\{D5C60830-F35A-49a8-83DE-148D8C95D835}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\{6A2635E3-E1AE-4f1d-B275-BDF1E89C1EB0}.exe
        
        C:\Windows\{6A2635E3-E1AE-4f1d-B275-BDF1E89C1EB0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{823ABAB0-629D-475e-ACBA-AB56499004E6}.exe
        
        C:\Windows\{823ABAB0-629D-475e-ACBA-AB56499004E6}.exe
        12⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A263~1.EXE > nul
        12⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5C60~1.EXE > nul
        11⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D3D3~1.EXE > nul
        10⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F01FC~1.EXE > nul
        9⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09708~1.EXE > nul
        8⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AFFD~1.EXE > nul
        7⤵
        
        PID:2736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69AB5~1.EXE > nul
        6⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76E46~1.EXE > nul
        5⤵
        
        PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F9DCE~1.EXE > nul
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D4630~1.EXE > nul
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\14D1DE~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09708528-CBBB-4466-909F-69F91DDBD597}.exe

Filesize
372KB

MD5
407a4c62d8e9be684739ffac4b121d44

SHA1
798e66a1310b123d885b7322269a9e0193ec5408

SHA256
ba87e46bc1814a59935379d35ded67d4c3804d67143367043700d02c734c6bde

SHA512
df4f2bcda2b2c66392f10ea522d7c6702237bcb91ff38e72258b4d47d3ab36609e9696d9c78d4cf454baca700cfc467ad19c9b902b7d97b329fe166c1fe21e34

Download Submit
C:\Windows\{09708528-CBBB-4466-909F-69F91DDBD597}.exe

Filesize
372KB

MD5
407a4c62d8e9be684739ffac4b121d44

SHA1
798e66a1310b123d885b7322269a9e0193ec5408

SHA256
ba87e46bc1814a59935379d35ded67d4c3804d67143367043700d02c734c6bde

SHA512
df4f2bcda2b2c66392f10ea522d7c6702237bcb91ff38e72258b4d47d3ab36609e9696d9c78d4cf454baca700cfc467ad19c9b902b7d97b329fe166c1fe21e34

Download Submit
C:\Windows\{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe

Filesize
372KB

MD5
baaba2103dec4a8bf6d602afffd2e0bc

SHA1
3c97c097395f4d5afa348e04afca68c33b873b4c

SHA256
c1481121e88a10e4cafc5fb313ed60b5eca1073bf2b2c87b4c57d58ea80ab224

SHA512
3770b7f473d505d0e9bac44f04801aa99c0502b3e32aefd875e04665497b3c2510ea5f534fe7830210f7be179ddceb2e4c8b8b574f41a8dd5304655a69d256f1

Download Submit
C:\Windows\{2AFFD228-4CF3-4053-B829-EE5C0EA4DB91}.exe

Filesize
372KB

MD5
baaba2103dec4a8bf6d602afffd2e0bc

SHA1
3c97c097395f4d5afa348e04afca68c33b873b4c

SHA256
c1481121e88a10e4cafc5fb313ed60b5eca1073bf2b2c87b4c57d58ea80ab224

SHA512
3770b7f473d505d0e9bac44f04801aa99c0502b3e32aefd875e04665497b3c2510ea5f534fe7830210f7be179ddceb2e4c8b8b574f41a8dd5304655a69d256f1

Download Submit
C:\Windows\{2D3D35B4-A249-4834-8765-0D100C20B847}.exe

Filesize
372KB

MD5
1f381ad0195f0b17c16646111814c6ef

SHA1
521e79b732133eb52ea50e7693445134e072a4e4

SHA256
c2b127f51f9cfc93617d23603f135167aa44f79b9c9b20eba2a6f2f89b65a5f7

SHA512
29121deecb4064f0677ab41a5323b0d5bbd30e6cd52aba3a4d9569f1d6dc361f6fa3169a9fb1fefcfe1f941096a62e58fc969322e398258a602dc37e125323c2

Download Submit
C:\Windows\{2D3D35B4-A249-4834-8765-0D100C20B847}.exe

Filesize
372KB

MD5
1f381ad0195f0b17c16646111814c6ef

SHA1
521e79b732133eb52ea50e7693445134e072a4e4

SHA256
c2b127f51f9cfc93617d23603f135167aa44f79b9c9b20eba2a6f2f89b65a5f7

SHA512
29121deecb4064f0677ab41a5323b0d5bbd30e6cd52aba3a4d9569f1d6dc361f6fa3169a9fb1fefcfe1f941096a62e58fc969322e398258a602dc37e125323c2

Download Submit
C:\Windows\{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe

Filesize
372KB

MD5
2382f4c815b1bd6562b4db278c647a5d

SHA1
475b8075e9982353ae439f5a6a835f5be4867b9b

SHA256
2fd82530b1a1d19dd6100e3dc050c25da42d928cea2fb15d5786c39978661ee4

SHA512
18a31bca1e33484a9c1bd20c984010885c6903e5dcff6b25452768a0edf8a66872f197cd1cc66e38b80bd11009e1bb39317a26414099a13116efa9518aaee549

Download Submit
C:\Windows\{69AB5F40-A8F0-45ca-B73E-72E62D496DE7}.exe

Filesize
372KB

MD5
2382f4c815b1bd6562b4db278c647a5d

SHA1
475b8075e9982353ae439f5a6a835f5be4867b9b

SHA256
2fd82530b1a1d19dd6100e3dc050c25da42d928cea2fb15d5786c39978661ee4

SHA512
18a31bca1e33484a9c1bd20c984010885c6903e5dcff6b25452768a0edf8a66872f197cd1cc66e38b80bd11009e1bb39317a26414099a13116efa9518aaee549

Download Submit
C:\Windows\{6A2635E3-E1AE-4f1d-B275-BDF1E89C1EB0}.exe

Filesize
372KB

MD5
18075253d86b2626fcf747cbef4f14bd

SHA1
49b0f93aca097d39cd6eedaa025d3c6b9e148c72

SHA256
d023960b48fc2f3e788948ef1af6fd64f97de177d7e2a52fdc8985db42a83644

SHA512
5394de3d4efa4fa2a9d7df5f611839c98d819904136a226c8afb2458d493204fe76e69c6c467272cab593a6566ae0aaf001cdb4a9bcc4bcf478d09ec57d7b9db

Download Submit
C:\Windows\{6A2635E3-E1AE-4f1d-B275-BDF1E89C1EB0}.exe

Filesize
372KB

MD5
18075253d86b2626fcf747cbef4f14bd

SHA1
49b0f93aca097d39cd6eedaa025d3c6b9e148c72

SHA256
d023960b48fc2f3e788948ef1af6fd64f97de177d7e2a52fdc8985db42a83644

SHA512
5394de3d4efa4fa2a9d7df5f611839c98d819904136a226c8afb2458d493204fe76e69c6c467272cab593a6566ae0aaf001cdb4a9bcc4bcf478d09ec57d7b9db

Download Submit
C:\Windows\{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe

Filesize
372KB

MD5
09a2f0a774695d3967c0879a7e34ac6f

SHA1
99a4c75642a20c5a62ecd0e600486e69b07038e6

SHA256
643f6d6555d53cfd16aa90ffcc5d643913e7c24a0fd1ca1be1b047cf83fa2bda

SHA512
ea40d34fa4c6713d1f547a5064d301b695557bb8ea3527a17ff389aa156847cff8e215b02f04215131ef487527fd37401d0746971a53dde7c2d4f2a04dcc2a82

Download Submit
C:\Windows\{76E46D01-1054-49a4-9AD4-28B259D23CB0}.exe

Filesize
372KB

MD5
09a2f0a774695d3967c0879a7e34ac6f

SHA1
99a4c75642a20c5a62ecd0e600486e69b07038e6

SHA256
643f6d6555d53cfd16aa90ffcc5d643913e7c24a0fd1ca1be1b047cf83fa2bda

SHA512
ea40d34fa4c6713d1f547a5064d301b695557bb8ea3527a17ff389aa156847cff8e215b02f04215131ef487527fd37401d0746971a53dde7c2d4f2a04dcc2a82

Download Submit
C:\Windows\{823ABAB0-629D-475e-ACBA-AB56499004E6}.exe

Filesize
372KB

MD5
a9c6b9ae561c0401d6529d9276631115

SHA1
b2a88784dcd5d60831af860418d9269db27632a4

SHA256
d2fb68fc33ef2775950ad35b72b2ead2eca34678a7eccc0b579f8332e90cc63b

SHA512
11505ec1625f0f35bcc4fcb5016500f8bfa9181a954ffd815041319184e846f17c3cc068491a57223d175b2d9d67cc9f544662ecc1d33028e2e5fb3a46182103

Download Submit
C:\Windows\{D4630094-540A-418a-B919-B1362D86B773}.exe

Filesize
372KB

MD5
2c4e18f0c52a90b6e257512710328a51

SHA1
254238c26c10f9f04a31c3b090e38840d6e5175b

SHA256
83d990b5b62054fb0a9c134dc6fb23f41ded468fea864be8148f96b3577ba106

SHA512
0f776b4431bf4f3d3b0eb7b00c54bcedc9fa050f1a5277d10eeb9b62eadc872cf0ca06de4685ce2da548bd1d9bac1a9a76cb752ad698590cf6366edd2be446e0

Download Submit
C:\Windows\{D4630094-540A-418a-B919-B1362D86B773}.exe

Filesize
372KB

MD5
2c4e18f0c52a90b6e257512710328a51

SHA1
254238c26c10f9f04a31c3b090e38840d6e5175b

SHA256
83d990b5b62054fb0a9c134dc6fb23f41ded468fea864be8148f96b3577ba106

SHA512
0f776b4431bf4f3d3b0eb7b00c54bcedc9fa050f1a5277d10eeb9b62eadc872cf0ca06de4685ce2da548bd1d9bac1a9a76cb752ad698590cf6366edd2be446e0

Download Submit
C:\Windows\{D4630094-540A-418a-B919-B1362D86B773}.exe

Filesize
372KB

MD5
2c4e18f0c52a90b6e257512710328a51

SHA1
254238c26c10f9f04a31c3b090e38840d6e5175b

SHA256
83d990b5b62054fb0a9c134dc6fb23f41ded468fea864be8148f96b3577ba106

SHA512
0f776b4431bf4f3d3b0eb7b00c54bcedc9fa050f1a5277d10eeb9b62eadc872cf0ca06de4685ce2da548bd1d9bac1a9a76cb752ad698590cf6366edd2be446e0

Download Submit
C:\Windows\{D5C60830-F35A-49a8-83DE-148D8C95D835}.exe

Filesize
372KB

MD5
68eb355b85b5a3bc8d37b01df5a8832f

SHA1
9667060216022cfd7a9822757361b41a44330395

SHA256
79ebc696bce48ffb0a2bdaff7bbbbe2e5103902f6330718b18d7ba2cb300099a

SHA512
6f64950f6698ee266ab78f7b90529d0b3028c478d93297ffd4eff539ca5e2692c32c5662cfda1863ff7703658062458340afe87e29096cc3004eaa491664dd92

Download Submit
C:\Windows\{D5C60830-F35A-49a8-83DE-148D8C95D835}.exe

Filesize
372KB

MD5
68eb355b85b5a3bc8d37b01df5a8832f

SHA1
9667060216022cfd7a9822757361b41a44330395

SHA256
79ebc696bce48ffb0a2bdaff7bbbbe2e5103902f6330718b18d7ba2cb300099a

SHA512
6f64950f6698ee266ab78f7b90529d0b3028c478d93297ffd4eff539ca5e2692c32c5662cfda1863ff7703658062458340afe87e29096cc3004eaa491664dd92

Download Submit
C:\Windows\{F01FC3F4-94D7-4725-9131-F5361A512103}.exe

Filesize
372KB

MD5
f0d62813a0e599fc722afa8082ad2943

SHA1
6c5ccf1d297144ecb0325bf1a611705bf2944f50

SHA256
ad8a6cba44635958f7598659f44407aa750639666acf7f4b5685cded79ec076b

SHA512
f94d651c35ede3d39f5dff98deaf61a91d24b8c1b5d33af88e42e71e0bffbc3646dcb85acb46259b489b8a87882185bec4a20c137a06dbafefb38c52b76ca9ae

Download Submit
C:\Windows\{F01FC3F4-94D7-4725-9131-F5361A512103}.exe

Filesize
372KB

MD5
f0d62813a0e599fc722afa8082ad2943

SHA1
6c5ccf1d297144ecb0325bf1a611705bf2944f50

SHA256
ad8a6cba44635958f7598659f44407aa750639666acf7f4b5685cded79ec076b

SHA512
f94d651c35ede3d39f5dff98deaf61a91d24b8c1b5d33af88e42e71e0bffbc3646dcb85acb46259b489b8a87882185bec4a20c137a06dbafefb38c52b76ca9ae

Download Submit
C:\Windows\{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe

Filesize
372KB

MD5
7b874aaf65be23761e73ee34b6cd1b78

SHA1
5d36632602cf896265c83511464ad8b0d899e590

SHA256
128d5da97d2ad62ce308fa4e807d1da22d1a3ceb764c8102f1ddc906a6b31aad

SHA512
10c4a4a49587843fa85c485d69f1a17ecc8b669c2ab53ac5c14ba33d15c320e7b0e0b9bf26d1983213c8011882a10106750b6112d838a45987a279cfbf0084c6

Download Submit
C:\Windows\{F9DCEB21-80DB-4ba6-8C86-ACE3241C1B49}.exe

Filesize
372KB

MD5
7b874aaf65be23761e73ee34b6cd1b78

SHA1
5d36632602cf896265c83511464ad8b0d899e590

SHA256
128d5da97d2ad62ce308fa4e807d1da22d1a3ceb764c8102f1ddc906a6b31aad

SHA512
10c4a4a49587843fa85c485d69f1a17ecc8b669c2ab53ac5c14ba33d15c320e7b0e0b9bf26d1983213c8011882a10106750b6112d838a45987a279cfbf0084c6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads