018aa2213df50fffcc96b30d175569308924c456111af887d65206388e93ba5a

Analysis

max time kernel
151s
max time network
128s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/08/2023, 16:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe
Size

204KB
MD5

16fc1b54814f00d0284d76b8d672bf55
SHA1

1bb7b9ed08747b95e92fcd1f5196a0f173480dc9
SHA256

018aa2213df50fffcc96b30d175569308924c456111af887d65206388e93ba5a
SHA512

bd31e0876168716d9c4da9a631ad43c44b5453dc4135f4b5706638dcfa7363d78a2ec7d8f850ee9ffd62cdb6df1aba16792e0c551d8d89380b54617752b25d26
SSDEEP

1536:1EGh0oul15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oul1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}\stubpath = "C:\\Windows\\{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe"	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}	{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A68BA8D1-D085-4b98-B812-5BC00780D9B6}\stubpath = "C:\\Windows\\{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe"	{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}	{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95957245-341A-4341-8AEA-888D2041DC45}\stubpath = "C:\\Windows\\{95957245-341A-4341-8AEA-888D2041DC45}.exe"	{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}	{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95957245-341A-4341-8AEA-888D2041DC45}	{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{831A226D-79EB-4500-A471-E44DB9EED467}\stubpath = "C:\\Windows\\{831A226D-79EB-4500-A471-E44DB9EED467}.exe"	{6AEA2E71-D57F-4ab9-AA0D-03BA59F7AEE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BA3976E-81A4-4c54-B9AF-F94725D7AF24}	{831A226D-79EB-4500-A471-E44DB9EED467}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AEA2E71-D57F-4ab9-AA0D-03BA59F7AEE5}	{C5725BC9-B38E-4684-A3B8-023362BB1834}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{831A226D-79EB-4500-A471-E44DB9EED467}	{6AEA2E71-D57F-4ab9-AA0D-03BA59F7AEE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}\stubpath = "C:\\Windows\\{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe"	{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}\stubpath = "C:\\Windows\\{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe"	{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31361E19-73E5-4be4-BD15-0C54ADD07E4C}	{95957245-341A-4341-8AEA-888D2041DC45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31361E19-73E5-4be4-BD15-0C54ADD07E4C}\stubpath = "C:\\Windows\\{31361E19-73E5-4be4-BD15-0C54ADD07E4C}.exe"	{95957245-341A-4341-8AEA-888D2041DC45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5725BC9-B38E-4684-A3B8-023362BB1834}	{31361E19-73E5-4be4-BD15-0C54ADD07E4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5725BC9-B38E-4684-A3B8-023362BB1834}\stubpath = "C:\\Windows\\{C5725BC9-B38E-4684-A3B8-023362BB1834}.exe"	{31361E19-73E5-4be4-BD15-0C54ADD07E4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}	{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}\stubpath = "C:\\Windows\\{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe"	{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}\stubpath = "C:\\Windows\\{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe"	{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A68BA8D1-D085-4b98-B812-5BC00780D9B6}	{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AEA2E71-D57F-4ab9-AA0D-03BA59F7AEE5}\stubpath = "C:\\Windows\\{6AEA2E71-D57F-4ab9-AA0D-03BA59F7AEE5}.exe"	{C5725BC9-B38E-4684-A3B8-023362BB1834}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BA3976E-81A4-4c54-B9AF-F94725D7AF24}\stubpath = "C:\\Windows\\{0BA3976E-81A4-4c54-B9AF-F94725D7AF24}.exe"	{831A226D-79EB-4500-A471-E44DB9EED467}.exe

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2808	{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe
2996	{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe
2888	{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe
2712	{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe
2036	{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe
324	{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe
304	{95957245-341A-4341-8AEA-888D2041DC45}.exe
1484	{31361E19-73E5-4be4-BD15-0C54ADD07E4C}.exe
2480	{C5725BC9-B38E-4684-A3B8-023362BB1834}.exe
2084	{6AEA2E71-D57F-4ab9-AA0D-03BA59F7AEE5}.exe
2892	{831A226D-79EB-4500-A471-E44DB9EED467}.exe
3056	{0BA3976E-81A4-4c54-B9AF-F94725D7AF24}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe	{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe
File created	C:\Windows\{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe	{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe
File created	C:\Windows\{95957245-341A-4341-8AEA-888D2041DC45}.exe	{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe
File created	C:\Windows\{C5725BC9-B38E-4684-A3B8-023362BB1834}.exe	{31361E19-73E5-4be4-BD15-0C54ADD07E4C}.exe
File created	C:\Windows\{831A226D-79EB-4500-A471-E44DB9EED467}.exe	{6AEA2E71-D57F-4ab9-AA0D-03BA59F7AEE5}.exe
File created	C:\Windows\{0BA3976E-81A4-4c54-B9AF-F94725D7AF24}.exe	{831A226D-79EB-4500-A471-E44DB9EED467}.exe
File created	C:\Windows\{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe
File created	C:\Windows\{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe	{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe
File created	C:\Windows\{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe	{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe
File created	C:\Windows\{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe	{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe
File created	C:\Windows\{31361E19-73E5-4be4-BD15-0C54ADD07E4C}.exe	{95957245-341A-4341-8AEA-888D2041DC45}.exe
File created	C:\Windows\{6AEA2E71-D57F-4ab9-AA0D-03BA59F7AEE5}.exe	{C5725BC9-B38E-4684-A3B8-023362BB1834}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3024	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2808	{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe
Token: SeIncBasePriorityPrivilege	2996	{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe
Token: SeIncBasePriorityPrivilege	2888	{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe
Token: SeIncBasePriorityPrivilege	2712	{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe
Token: SeIncBasePriorityPrivilege	2036	{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe
Token: SeIncBasePriorityPrivilege	324	{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe
Token: SeIncBasePriorityPrivilege	304	{95957245-341A-4341-8AEA-888D2041DC45}.exe
Token: SeIncBasePriorityPrivilege	1484	{31361E19-73E5-4be4-BD15-0C54ADD07E4C}.exe
Token: SeIncBasePriorityPrivilege	2480	{C5725BC9-B38E-4684-A3B8-023362BB1834}.exe
Token: SeIncBasePriorityPrivilege	2084	{6AEA2E71-D57F-4ab9-AA0D-03BA59F7AEE5}.exe
Token: SeIncBasePriorityPrivilege	2892	{831A226D-79EB-4500-A471-E44DB9EED467}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2808	3024	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	28
PID 3024 wrote to memory of 2808	3024	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	28
PID 3024 wrote to memory of 2808	3024	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	28
PID 3024 wrote to memory of 2808	3024	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	28
PID 3024 wrote to memory of 2860	3024	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	29
PID 3024 wrote to memory of 2860	3024	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	29
PID 3024 wrote to memory of 2860	3024	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	29
PID 3024 wrote to memory of 2860	3024	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	29
PID 2808 wrote to memory of 2996	2808	{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe	32
PID 2808 wrote to memory of 2996	2808	{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe	32
PID 2808 wrote to memory of 2996	2808	{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe	32
PID 2808 wrote to memory of 2996	2808	{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe	32
PID 2808 wrote to memory of 2740	2808	{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe	33
PID 2808 wrote to memory of 2740	2808	{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe	33
PID 2808 wrote to memory of 2740	2808	{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe	33
PID 2808 wrote to memory of 2740	2808	{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe	33
PID 2996 wrote to memory of 2888	2996	{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe	34
PID 2996 wrote to memory of 2888	2996	{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe	34
PID 2996 wrote to memory of 2888	2996	{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe	34
PID 2996 wrote to memory of 2888	2996	{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe	34
PID 2996 wrote to memory of 2760	2996	{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe	35
PID 2996 wrote to memory of 2760	2996	{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe	35
PID 2996 wrote to memory of 2760	2996	{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe	35
PID 2996 wrote to memory of 2760	2996	{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe	35
PID 2888 wrote to memory of 2712	2888	{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe	36
PID 2888 wrote to memory of 2712	2888	{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe	36
PID 2888 wrote to memory of 2712	2888	{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe	36
PID 2888 wrote to memory of 2712	2888	{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe	36
PID 2888 wrote to memory of 2744	2888	{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe	37
PID 2888 wrote to memory of 2744	2888	{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe	37
PID 2888 wrote to memory of 2744	2888	{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe	37
PID 2888 wrote to memory of 2744	2888	{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe	37
PID 2712 wrote to memory of 2036	2712	{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe	38
PID 2712 wrote to memory of 2036	2712	{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe	38
PID 2712 wrote to memory of 2036	2712	{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe	38
PID 2712 wrote to memory of 2036	2712	{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe	38
PID 2712 wrote to memory of 2764	2712	{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe	39
PID 2712 wrote to memory of 2764	2712	{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe	39
PID 2712 wrote to memory of 2764	2712	{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe	39
PID 2712 wrote to memory of 2764	2712	{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe	39
PID 2036 wrote to memory of 324	2036	{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe	40
PID 2036 wrote to memory of 324	2036	{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe	40
PID 2036 wrote to memory of 324	2036	{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe	40
PID 2036 wrote to memory of 324	2036	{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe	40
PID 2036 wrote to memory of 440	2036	{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe	41
PID 2036 wrote to memory of 440	2036	{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe	41
PID 2036 wrote to memory of 440	2036	{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe	41
PID 2036 wrote to memory of 440	2036	{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe	41
PID 324 wrote to memory of 304	324	{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe	42
PID 324 wrote to memory of 304	324	{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe	42
PID 324 wrote to memory of 304	324	{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe	42
PID 324 wrote to memory of 304	324	{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe	42
PID 324 wrote to memory of 1488	324	{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe	43
PID 324 wrote to memory of 1488	324	{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe	43
PID 324 wrote to memory of 1488	324	{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe	43
PID 324 wrote to memory of 1488	324	{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe	43
PID 304 wrote to memory of 1484	304	{95957245-341A-4341-8AEA-888D2041DC45}.exe	45
PID 304 wrote to memory of 1484	304	{95957245-341A-4341-8AEA-888D2041DC45}.exe	45
PID 304 wrote to memory of 1484	304	{95957245-341A-4341-8AEA-888D2041DC45}.exe	45
PID 304 wrote to memory of 1484	304	{95957245-341A-4341-8AEA-888D2041DC45}.exe	45
PID 304 wrote to memory of 1356	304	{95957245-341A-4341-8AEA-888D2041DC45}.exe	44
PID 304 wrote to memory of 1356	304	{95957245-341A-4341-8AEA-888D2041DC45}.exe	44
PID 304 wrote to memory of 1356	304	{95957245-341A-4341-8AEA-888D2041DC45}.exe	44
PID 304 wrote to memory of 1356	304	{95957245-341A-4341-8AEA-888D2041DC45}.exe	44

C:\Users\Admin\AppData\Local\Temp\16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe
  C:\Windows\{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe
    C:\Windows\{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe
      C:\Windows\{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe
        
        C:\Windows\{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe
        
        C:\Windows\{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe
        
        C:\Windows\{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\{95957245-341A-4341-8AEA-888D2041DC45}.exe
        
        C:\Windows\{95957245-341A-4341-8AEA-888D2041DC45}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95957~1.EXE > nul
        9⤵
        
        PID:1356
        
        C:\Windows\{31361E19-73E5-4be4-BD15-0C54ADD07E4C}.exe
        
        C:\Windows\{31361E19-73E5-4be4-BD15-0C54ADD07E4C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\{C5725BC9-B38E-4684-A3B8-023362BB1834}.exe
        
        C:\Windows\{C5725BC9-B38E-4684-A3B8-023362BB1834}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\{6AEA2E71-D57F-4ab9-AA0D-03BA59F7AEE5}.exe
        
        C:\Windows\{6AEA2E71-D57F-4ab9-AA0D-03BA59F7AEE5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AEA2~1.EXE > nul
        12⤵
        
        PID:3068
        
        C:\Windows\{831A226D-79EB-4500-A471-E44DB9EED467}.exe
        
        C:\Windows\{831A226D-79EB-4500-A471-E44DB9EED467}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{831A2~1.EXE > nul
        13⤵
        
        PID:3060
        
        C:\Windows\{0BA3976E-81A4-4c54-B9AF-F94725D7AF24}.exe
        
        C:\Windows\{0BA3976E-81A4-4c54-B9AF-F94725D7AF24}.exe
        13⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5725~1.EXE > nul
        11⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31361~1.EXE > nul
        10⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DDF1~1.EXE > nul
        8⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A68BA~1.EXE > nul
        7⤵
        
        PID:440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F0B9~1.EXE > nul
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DB20~1.EXE > nul
        5⤵
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DA8B9~1.EXE > nul
      4⤵
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{75388~1.EXE > nul
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\16FC1B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BA3976E-81A4-4c54-B9AF-F94725D7AF24}.exe

Filesize
204KB

MD5
9b3333a4ef713bf2d06e0eedc69249b3

SHA1
30874b8084fd0b9afc2a0257b251eebbfae39647

SHA256
6c2ffff06768802beab0e72a922e8fdaa3b6c0887c8436831df8cb8ada0ce2be

SHA512
d15a1facfde122c4627dbd2e7407e574140e570fc13d857983c77159e356d2d3821ed69b32197eb10f2e060623765318ea5a23c131e8dcd51d2e400070f379fc

Download Submit
C:\Windows\{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe

Filesize
204KB

MD5
c2c55bb5fb6594701ed254bd46112076

SHA1
e07a14d699fd24220d991e219e323ef1fc345b50

SHA256
a25b3acbd3aeb6f5365e3e1b9a2361cfbe7d27fe77cddcdb13266ff6abe8509e

SHA512
4c01bee072206d7d8d3b42eecc4bdc525f5d4fd50d448c6e8cfe63587b8e3e6f746cf89edad21ad0f1a045408553cea49ae64b0705af72726d26fd14b2ca1d55

Download Submit
C:\Windows\{1F0B90AA-16B1-4852-8B32-B654DB12EAB1}.exe

Filesize
204KB

MD5
c2c55bb5fb6594701ed254bd46112076

SHA1
e07a14d699fd24220d991e219e323ef1fc345b50

SHA256
a25b3acbd3aeb6f5365e3e1b9a2361cfbe7d27fe77cddcdb13266ff6abe8509e

SHA512
4c01bee072206d7d8d3b42eecc4bdc525f5d4fd50d448c6e8cfe63587b8e3e6f746cf89edad21ad0f1a045408553cea49ae64b0705af72726d26fd14b2ca1d55

Download Submit
C:\Windows\{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe

Filesize
204KB

MD5
a59ce266c510f889b850bad0ec38c41f

SHA1
f94b506a1e44c1b1c78f043325f1928ba710e8aa

SHA256
53477d3f0a19678584440a74563a712a810f705287139bc0289ff1ae7d6407a8

SHA512
5ed641504dc3e878071845d3fe48a215f61efc2be84cfd34e2216df222e8858d8386c222c61ba91749fd3c85b434ab225c443464d9ea89d5632d33b29531ddde

Download Submit
C:\Windows\{2DDF17F9-41C3-4ca7-BFEC-4DE07C9FF6E7}.exe

Filesize
204KB

MD5
a59ce266c510f889b850bad0ec38c41f

SHA1
f94b506a1e44c1b1c78f043325f1928ba710e8aa

SHA256
53477d3f0a19678584440a74563a712a810f705287139bc0289ff1ae7d6407a8

SHA512
5ed641504dc3e878071845d3fe48a215f61efc2be84cfd34e2216df222e8858d8386c222c61ba91749fd3c85b434ab225c443464d9ea89d5632d33b29531ddde

Download Submit
C:\Windows\{31361E19-73E5-4be4-BD15-0C54ADD07E4C}.exe

Filesize
204KB

MD5
1deeafab8be4d8991a99be91d62e438f

SHA1
b4bacd62fbd940f307982d5d5a9339c42185b608

SHA256
82583873408513b8ed498123e7f294881bd139d5b461b90c553956525784debd

SHA512
1ab713dfecd4b05b0b9cf80434d2334cf36a3f26202743df7c1d258aba6b605aee53d91967dbff71fdbbd7b19a0b5a00799b4ef963c9b9cd73c4f4e339a38dbf

Download Submit
C:\Windows\{31361E19-73E5-4be4-BD15-0C54ADD07E4C}.exe

Filesize
204KB

MD5
1deeafab8be4d8991a99be91d62e438f

SHA1
b4bacd62fbd940f307982d5d5a9339c42185b608

SHA256
82583873408513b8ed498123e7f294881bd139d5b461b90c553956525784debd

SHA512
1ab713dfecd4b05b0b9cf80434d2334cf36a3f26202743df7c1d258aba6b605aee53d91967dbff71fdbbd7b19a0b5a00799b4ef963c9b9cd73c4f4e339a38dbf

Download Submit
C:\Windows\{6AEA2E71-D57F-4ab9-AA0D-03BA59F7AEE5}.exe

Filesize
204KB

MD5
7688e3d433fcda93a43a73d2f3271fd0

SHA1
96c4fcb03a5ba7669dc461ecbcb2ee9631194269

SHA256
cb13040fea43e46662023828ab85982290c0283ff4dc1da210bfde34f72039b5

SHA512
e13bc7ad66641dfc1c683833c0667dc6d9962e61264b71f633fb8859d6eb997fb3a78d416be3d87db2886500279afea5a5b02146b12c24e766a9011897c3212e

Download Submit
C:\Windows\{6AEA2E71-D57F-4ab9-AA0D-03BA59F7AEE5}.exe

Filesize
204KB

MD5
7688e3d433fcda93a43a73d2f3271fd0

SHA1
96c4fcb03a5ba7669dc461ecbcb2ee9631194269

SHA256
cb13040fea43e46662023828ab85982290c0283ff4dc1da210bfde34f72039b5

SHA512
e13bc7ad66641dfc1c683833c0667dc6d9962e61264b71f633fb8859d6eb997fb3a78d416be3d87db2886500279afea5a5b02146b12c24e766a9011897c3212e

Download Submit
C:\Windows\{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe

Filesize
204KB

MD5
03360ee5d7cef9ddb66d48d0a97cde02

SHA1
bb93a998f5e42dc756ec405b7d377d8f1a19d6a9

SHA256
ecb68ccd4999159d200b4cfa0463717523f60e33514d5543a1e5d49fb2f2ac48

SHA512
4239c4ba4e390d7ff04dfcaacf02b714c87e098d4cb6c972c9a58b68931e4d685553157b0194d3464fb1fb7f21753bc8fbce5e7eaac7c244492a666cf49a227e

Download Submit
C:\Windows\{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe

Filesize
204KB

MD5
03360ee5d7cef9ddb66d48d0a97cde02

SHA1
bb93a998f5e42dc756ec405b7d377d8f1a19d6a9

SHA256
ecb68ccd4999159d200b4cfa0463717523f60e33514d5543a1e5d49fb2f2ac48

SHA512
4239c4ba4e390d7ff04dfcaacf02b714c87e098d4cb6c972c9a58b68931e4d685553157b0194d3464fb1fb7f21753bc8fbce5e7eaac7c244492a666cf49a227e

Download Submit
C:\Windows\{753888E7-6CD2-4d4f-B611-4A6B1F2DFBBE}.exe

Filesize
204KB

MD5
03360ee5d7cef9ddb66d48d0a97cde02

SHA1
bb93a998f5e42dc756ec405b7d377d8f1a19d6a9

SHA256
ecb68ccd4999159d200b4cfa0463717523f60e33514d5543a1e5d49fb2f2ac48

SHA512
4239c4ba4e390d7ff04dfcaacf02b714c87e098d4cb6c972c9a58b68931e4d685553157b0194d3464fb1fb7f21753bc8fbce5e7eaac7c244492a666cf49a227e

Download Submit
C:\Windows\{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe

Filesize
204KB

MD5
9437e93f5acd7366cc81537927508765

SHA1
62029a8eaf6828361ce979f2e281edeb3b743084

SHA256
211c3477ca9fee96d52c0a3a3da2fd8d0b20aab5761fe1275fea1c2b88658574

SHA512
74e7bc858f071c4eece80ae8694801adbe42f0232f0fcabd4a7e3d63bf3ac5c45308170423682014dfbc0afaa828f89582f69d7c5d35475fb0bc3f852df7f8f8

Download Submit
C:\Windows\{7DB2000E-E5C8-4885-8B08-A214EB9E4A8A}.exe

Filesize
204KB

MD5
9437e93f5acd7366cc81537927508765

SHA1
62029a8eaf6828361ce979f2e281edeb3b743084

SHA256
211c3477ca9fee96d52c0a3a3da2fd8d0b20aab5761fe1275fea1c2b88658574

SHA512
74e7bc858f071c4eece80ae8694801adbe42f0232f0fcabd4a7e3d63bf3ac5c45308170423682014dfbc0afaa828f89582f69d7c5d35475fb0bc3f852df7f8f8

Download Submit
C:\Windows\{831A226D-79EB-4500-A471-E44DB9EED467}.exe

Filesize
204KB

MD5
3ed8efcf0ca65338e787a0a1bf27e5a0

SHA1
77648bce5e3294d05039472c1ebda09bb4aaee9d

SHA256
73a9e20432dddf227aad17326d3fa728f61cfa6c3c1b9674acf05683f72662b8

SHA512
a9596ed319911b2f3dfe7b052e0ad6566a810420c16b443ece9e00b09070c7a5f5c51beb361d1f6d3a22a17e35d592fb9c7a92eb70823cd8ef399c973e57b70e

Download Submit
C:\Windows\{831A226D-79EB-4500-A471-E44DB9EED467}.exe

Filesize
204KB

MD5
3ed8efcf0ca65338e787a0a1bf27e5a0

SHA1
77648bce5e3294d05039472c1ebda09bb4aaee9d

SHA256
73a9e20432dddf227aad17326d3fa728f61cfa6c3c1b9674acf05683f72662b8

SHA512
a9596ed319911b2f3dfe7b052e0ad6566a810420c16b443ece9e00b09070c7a5f5c51beb361d1f6d3a22a17e35d592fb9c7a92eb70823cd8ef399c973e57b70e

Download Submit
C:\Windows\{95957245-341A-4341-8AEA-888D2041DC45}.exe

Filesize
204KB

MD5
0f386fc3975ce5d94e922481f6773f39

SHA1
39f604385543d33b613ef5ef5d30038f2cfaa865

SHA256
074c2c469544c90e20295f1dce811c57fe262772506a196702016c08cad43097

SHA512
2cffe871d0e604abbbce5ae6c1e27fbab45c0c5ffa0ffafaeacbd716d3e66531596f6363054848db0791c42a47950c87c61907a865e136555ac090232f454d58

Download Submit
C:\Windows\{95957245-341A-4341-8AEA-888D2041DC45}.exe

Filesize
204KB

MD5
0f386fc3975ce5d94e922481f6773f39

SHA1
39f604385543d33b613ef5ef5d30038f2cfaa865

SHA256
074c2c469544c90e20295f1dce811c57fe262772506a196702016c08cad43097

SHA512
2cffe871d0e604abbbce5ae6c1e27fbab45c0c5ffa0ffafaeacbd716d3e66531596f6363054848db0791c42a47950c87c61907a865e136555ac090232f454d58

Download Submit
C:\Windows\{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe

Filesize
204KB

MD5
ec43439358b4787d65d920ec37b0a8bc

SHA1
81a78bbfb69401a0418428049ca1ab4ce942d223

SHA256
cbce72b4ff7287eca154db480fd6f925c124a9b69da5d3f392c55754f6e5d9ca

SHA512
1f6792e406ad6f7fccc1e4e71218f02afaa691521e97b18c0cbb5cb49c4c8dc72a4972a762ed234c34e66ecf30ce94ddd0fc9d2bb1e88c299da80390b2c31f13

Download Submit
C:\Windows\{A68BA8D1-D085-4b98-B812-5BC00780D9B6}.exe

Filesize
204KB

MD5
ec43439358b4787d65d920ec37b0a8bc

SHA1
81a78bbfb69401a0418428049ca1ab4ce942d223

SHA256
cbce72b4ff7287eca154db480fd6f925c124a9b69da5d3f392c55754f6e5d9ca

SHA512
1f6792e406ad6f7fccc1e4e71218f02afaa691521e97b18c0cbb5cb49c4c8dc72a4972a762ed234c34e66ecf30ce94ddd0fc9d2bb1e88c299da80390b2c31f13

Download Submit
C:\Windows\{C5725BC9-B38E-4684-A3B8-023362BB1834}.exe

Filesize
204KB

MD5
e820b31e9132da5315356194c31e38ff

SHA1
a2a73707d8fa9a97d0c9d3ae6d9d134a7ec80ce0

SHA256
d98b539335c906a4ab2b5956c50ffbdf97aa6aa8581bde2c7489361d824928b4

SHA512
8af202fcd65d327fd05ee66825bb103cd2050da7e9b631b5002f3244c5b79709eaac58e39e353a90137656443f9e43c4ff891ddf07f74e4458fb33957b98cc5a

Download Submit
C:\Windows\{C5725BC9-B38E-4684-A3B8-023362BB1834}.exe

Filesize
204KB

MD5
e820b31e9132da5315356194c31e38ff

SHA1
a2a73707d8fa9a97d0c9d3ae6d9d134a7ec80ce0

SHA256
d98b539335c906a4ab2b5956c50ffbdf97aa6aa8581bde2c7489361d824928b4

SHA512
8af202fcd65d327fd05ee66825bb103cd2050da7e9b631b5002f3244c5b79709eaac58e39e353a90137656443f9e43c4ff891ddf07f74e4458fb33957b98cc5a

Download Submit
C:\Windows\{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe

Filesize
204KB

MD5
2fb8c9260622354246c6f7a4037a9406

SHA1
ad32f7143df90c5061ac1c0192e25a32965ca81c

SHA256
dd79a884d6acc0804445ef0217982245f23963138afc13bb501e01e313cb31b7

SHA512
1369c94272904e0ccb73a63addfe05e3ea000060366edec76444676841a7c078e8fe296431bb1078efb5ae19c4495415ba880f7c57b8aeb61c74440062058828

Download Submit
C:\Windows\{DA8B9FB1-F1EB-4338-A709-9BFFA07A03A6}.exe

Filesize
204KB

MD5
2fb8c9260622354246c6f7a4037a9406

SHA1
ad32f7143df90c5061ac1c0192e25a32965ca81c

SHA256
dd79a884d6acc0804445ef0217982245f23963138afc13bb501e01e313cb31b7

SHA512
1369c94272904e0ccb73a63addfe05e3ea000060366edec76444676841a7c078e8fe296431bb1078efb5ae19c4495415ba880f7c57b8aeb61c74440062058828

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads