a7c916639bd813cce9bd1352ee582724d75e3676fd1c927a89c4f4aa2f5a1b95

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/08/2023, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe
Size

380KB
MD5

2984dc8eec87bb42aab0a23da0023b3e
SHA1

9e44ac987f0d3c6028773c78cedde491fcfe3252
SHA256

a7c916639bd813cce9bd1352ee582724d75e3676fd1c927a89c4f4aa2f5a1b95
SHA512

bbc34d41f20488b4244e82490591be8f4d1706197ff6e90d93ac200c7cb1325c31c9c35a8db9c0b5295267e52a2280017c90f837c214fbfe33745dd6e067e754
SSDEEP

3072:mEGh0ojlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGZl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B73DC8D-918B-43fc-8165-294C8BB6B80B}	{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B769CF6F-799D-42dc-BE43-A7987C83D82F}\stubpath = "C:\\Windows\\{B769CF6F-799D-42dc-BE43-A7987C83D82F}.exe"	{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F910ACC3-48E7-4949-B2F5-163BBFA77A83}	{797C0BD2-331C-4c1d-93E5-F25BD5882E8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F910ACC3-48E7-4949-B2F5-163BBFA77A83}\stubpath = "C:\\Windows\\{F910ACC3-48E7-4949-B2F5-163BBFA77A83}.exe"	{797C0BD2-331C-4c1d-93E5-F25BD5882E8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5688421-5067-4060-AC1C-0A433AC24360}	2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}\stubpath = "C:\\Windows\\{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe"	{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B769CF6F-799D-42dc-BE43-A7987C83D82F}	{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B28B6299-A554-4192-83CE-1EDF6D48083A}\stubpath = "C:\\Windows\\{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe"	{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}	{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{814AF210-9313-47e8-9685-8B1D7B258CE8}	{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{814AF210-9313-47e8-9685-8B1D7B258CE8}\stubpath = "C:\\Windows\\{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe"	{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}	{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}\stubpath = "C:\\Windows\\{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe"	{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B73DC8D-918B-43fc-8165-294C8BB6B80B}\stubpath = "C:\\Windows\\{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe"	{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CABA530E-E68E-4703-9503-8F487341F6E3}	{B769CF6F-799D-42dc-BE43-A7987C83D82F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5688421-5067-4060-AC1C-0A433AC24360}\stubpath = "C:\\Windows\\{F5688421-5067-4060-AC1C-0A433AC24360}.exe"	2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}\stubpath = "C:\\Windows\\{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe"	{F5688421-5067-4060-AC1C-0A433AC24360}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B03D73DF-F14B-40f1-A774-75CD6764CAF6}	{CABA530E-E68E-4703-9503-8F487341F6E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{797C0BD2-331C-4c1d-93E5-F25BD5882E8C}	{B03D73DF-F14B-40f1-A774-75CD6764CAF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CABA530E-E68E-4703-9503-8F487341F6E3}\stubpath = "C:\\Windows\\{CABA530E-E68E-4703-9503-8F487341F6E3}.exe"	{B769CF6F-799D-42dc-BE43-A7987C83D82F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B03D73DF-F14B-40f1-A774-75CD6764CAF6}\stubpath = "C:\\Windows\\{B03D73DF-F14B-40f1-A774-75CD6764CAF6}.exe"	{CABA530E-E68E-4703-9503-8F487341F6E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{797C0BD2-331C-4c1d-93E5-F25BD5882E8C}\stubpath = "C:\\Windows\\{797C0BD2-331C-4c1d-93E5-F25BD5882E8C}.exe"	{B03D73DF-F14B-40f1-A774-75CD6764CAF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}	{F5688421-5067-4060-AC1C-0A433AC24360}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B28B6299-A554-4192-83CE-1EDF6D48083A}	{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe

Deletes itself 1 IoCs

pid	Process
1976	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2620	{F5688421-5067-4060-AC1C-0A433AC24360}.exe
2940	{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe
2812	{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe
2376	{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe
2852	{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe
2736	{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe
2544	{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe
548	{B769CF6F-799D-42dc-BE43-A7987C83D82F}.exe
1884	{CABA530E-E68E-4703-9503-8F487341F6E3}.exe
2856	{B03D73DF-F14B-40f1-A774-75CD6764CAF6}.exe
2580	{797C0BD2-331C-4c1d-93E5-F25BD5882E8C}.exe
1964	{F910ACC3-48E7-4949-B2F5-163BBFA77A83}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{797C0BD2-331C-4c1d-93E5-F25BD5882E8C}.exe	{B03D73DF-F14B-40f1-A774-75CD6764CAF6}.exe
File created	C:\Windows\{F910ACC3-48E7-4949-B2F5-163BBFA77A83}.exe	{797C0BD2-331C-4c1d-93E5-F25BD5882E8C}.exe
File created	C:\Windows\{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe	{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe
File created	C:\Windows\{CABA530E-E68E-4703-9503-8F487341F6E3}.exe	{B769CF6F-799D-42dc-BE43-A7987C83D82F}.exe
File created	C:\Windows\{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe	{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe
File created	C:\Windows\{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe	{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe
File created	C:\Windows\{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe	{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe
File created	C:\Windows\{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe	{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe
File created	C:\Windows\{B769CF6F-799D-42dc-BE43-A7987C83D82F}.exe	{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe
File created	C:\Windows\{B03D73DF-F14B-40f1-A774-75CD6764CAF6}.exe	{CABA530E-E68E-4703-9503-8F487341F6E3}.exe
File created	C:\Windows\{F5688421-5067-4060-AC1C-0A433AC24360}.exe	2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe
File created	C:\Windows\{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe	{F5688421-5067-4060-AC1C-0A433AC24360}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2404	2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2620	{F5688421-5067-4060-AC1C-0A433AC24360}.exe
Token: SeIncBasePriorityPrivilege	2940	{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe
Token: SeIncBasePriorityPrivilege	2812	{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe
Token: SeIncBasePriorityPrivilege	2376	{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe
Token: SeIncBasePriorityPrivilege	2852	{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe
Token: SeIncBasePriorityPrivilege	2736	{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe
Token: SeIncBasePriorityPrivilege	2544	{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe
Token: SeIncBasePriorityPrivilege	548	{B769CF6F-799D-42dc-BE43-A7987C83D82F}.exe
Token: SeIncBasePriorityPrivilege	1884	{CABA530E-E68E-4703-9503-8F487341F6E3}.exe
Token: SeIncBasePriorityPrivilege	2856	{B03D73DF-F14B-40f1-A774-75CD6764CAF6}.exe
Token: SeIncBasePriorityPrivilege	2580	{797C0BD2-331C-4c1d-93E5-F25BD5882E8C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2620	2404	2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe	28
PID 2404 wrote to memory of 2620	2404	2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe	28
PID 2404 wrote to memory of 2620	2404	2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe	28
PID 2404 wrote to memory of 2620	2404	2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe	28
PID 2404 wrote to memory of 1976	2404	2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe	29
PID 2404 wrote to memory of 1976	2404	2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe	29
PID 2404 wrote to memory of 1976	2404	2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe	29
PID 2404 wrote to memory of 1976	2404	2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe	29
PID 2620 wrote to memory of 2940	2620	{F5688421-5067-4060-AC1C-0A433AC24360}.exe	32
PID 2620 wrote to memory of 2940	2620	{F5688421-5067-4060-AC1C-0A433AC24360}.exe	32
PID 2620 wrote to memory of 2940	2620	{F5688421-5067-4060-AC1C-0A433AC24360}.exe	32
PID 2620 wrote to memory of 2940	2620	{F5688421-5067-4060-AC1C-0A433AC24360}.exe	32
PID 2620 wrote to memory of 3020	2620	{F5688421-5067-4060-AC1C-0A433AC24360}.exe	33
PID 2620 wrote to memory of 3020	2620	{F5688421-5067-4060-AC1C-0A433AC24360}.exe	33
PID 2620 wrote to memory of 3020	2620	{F5688421-5067-4060-AC1C-0A433AC24360}.exe	33
PID 2620 wrote to memory of 3020	2620	{F5688421-5067-4060-AC1C-0A433AC24360}.exe	33
PID 2940 wrote to memory of 2812	2940	{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe	34
PID 2940 wrote to memory of 2812	2940	{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe	34
PID 2940 wrote to memory of 2812	2940	{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe	34
PID 2940 wrote to memory of 2812	2940	{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe	34
PID 2940 wrote to memory of 1748	2940	{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe	35
PID 2940 wrote to memory of 1748	2940	{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe	35
PID 2940 wrote to memory of 1748	2940	{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe	35
PID 2940 wrote to memory of 1748	2940	{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe	35
PID 2812 wrote to memory of 2376	2812	{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe	36
PID 2812 wrote to memory of 2376	2812	{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe	36
PID 2812 wrote to memory of 2376	2812	{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe	36
PID 2812 wrote to memory of 2376	2812	{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe	36
PID 2812 wrote to memory of 2124	2812	{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe	37
PID 2812 wrote to memory of 2124	2812	{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe	37
PID 2812 wrote to memory of 2124	2812	{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe	37
PID 2812 wrote to memory of 2124	2812	{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe	37
PID 2376 wrote to memory of 2852	2376	{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe	38
PID 2376 wrote to memory of 2852	2376	{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe	38
PID 2376 wrote to memory of 2852	2376	{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe	38
PID 2376 wrote to memory of 2852	2376	{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe	38
PID 2376 wrote to memory of 2740	2376	{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe	39
PID 2376 wrote to memory of 2740	2376	{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe	39
PID 2376 wrote to memory of 2740	2376	{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe	39
PID 2376 wrote to memory of 2740	2376	{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe	39
PID 2852 wrote to memory of 2736	2852	{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe	40
PID 2852 wrote to memory of 2736	2852	{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe	40
PID 2852 wrote to memory of 2736	2852	{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe	40
PID 2852 wrote to memory of 2736	2852	{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe	40
PID 2852 wrote to memory of 2448	2852	{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe	41
PID 2852 wrote to memory of 2448	2852	{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe	41
PID 2852 wrote to memory of 2448	2852	{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe	41
PID 2852 wrote to memory of 2448	2852	{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe	41
PID 2736 wrote to memory of 2544	2736	{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe	42
PID 2736 wrote to memory of 2544	2736	{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe	42
PID 2736 wrote to memory of 2544	2736	{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe	42
PID 2736 wrote to memory of 2544	2736	{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe	42
PID 2736 wrote to memory of 488	2736	{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe	43
PID 2736 wrote to memory of 488	2736	{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe	43
PID 2736 wrote to memory of 488	2736	{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe	43
PID 2736 wrote to memory of 488	2736	{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe	43
PID 2544 wrote to memory of 548	2544	{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe	45
PID 2544 wrote to memory of 548	2544	{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe	45
PID 2544 wrote to memory of 548	2544	{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe	45
PID 2544 wrote to memory of 548	2544	{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe	45
PID 2544 wrote to memory of 2952	2544	{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe	44
PID 2544 wrote to memory of 2952	2544	{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe	44
PID 2544 wrote to memory of 2952	2544	{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe	44
PID 2544 wrote to memory of 2952	2544	{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe	44

C:\Users\Admin\AppData\Local\Temp\2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2984dc8eec87bb42aab0a23da0023b3e_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\{F5688421-5067-4060-AC1C-0A433AC24360}.exe
  C:\Windows\{F5688421-5067-4060-AC1C-0A433AC24360}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe
    C:\Windows\{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe
      C:\Windows\{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe
        
        C:\Windows\{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
      - C:\Windows\{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe
        
        C:\Windows\{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe
        
        C:\Windows\{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe
        
        C:\Windows\{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B73D~1.EXE > nul
        9⤵
        
        PID:2952
        
        C:\Windows\{B769CF6F-799D-42dc-BE43-A7987C83D82F}.exe
        
        C:\Windows\{B769CF6F-799D-42dc-BE43-A7987C83D82F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{CABA530E-E68E-4703-9503-8F487341F6E3}.exe
        
        C:\Windows\{CABA530E-E68E-4703-9503-8F487341F6E3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\{B03D73DF-F14B-40f1-A774-75CD6764CAF6}.exe
        
        C:\Windows\{B03D73DF-F14B-40f1-A774-75CD6764CAF6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\{797C0BD2-331C-4c1d-93E5-F25BD5882E8C}.exe
        
        C:\Windows\{797C0BD2-331C-4c1d-93E5-F25BD5882E8C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\{F910ACC3-48E7-4949-B2F5-163BBFA77A83}.exe
        
        C:\Windows\{F910ACC3-48E7-4949-B2F5-163BBFA77A83}.exe
        13⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{797C0~1.EXE > nul
        13⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B03D7~1.EXE > nul
        12⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CABA5~1.EXE > nul
        11⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B769C~1.EXE > nul
        10⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C916~1.EXE > nul
        8⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE35~1.EXE > nul
        7⤵
        
        PID:2448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B28B6~1.EXE > nul
        6⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{814AF~1.EXE > nul
        5⤵
        
        PID:2124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D99FB~1.EXE > nul
      4⤵
      PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F5688~1.EXE > nul
    3⤵
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2984DC~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe

Filesize
380KB

MD5
46b2c6c139c8ea1b91dd5dab8d04da6e

SHA1
346647001fde0533e08e14c940ee845cd16d4e00

SHA256
b746bd7f9b5ada78a7a35f18d2eb82280812713545b69e14ad672e656854ae4d

SHA512
a9b8ed6fd782f866bde9d3a28b9b744296f8a48ad9e50005bfa90a15eeeef22c5f1eb616c84ef25d6f9317592be7c7083d8088d58a03c1342d30110da52237a9

Download Submit
C:\Windows\{2B73DC8D-918B-43fc-8165-294C8BB6B80B}.exe

Filesize
380KB

MD5
46b2c6c139c8ea1b91dd5dab8d04da6e

SHA1
346647001fde0533e08e14c940ee845cd16d4e00

SHA256
b746bd7f9b5ada78a7a35f18d2eb82280812713545b69e14ad672e656854ae4d

SHA512
a9b8ed6fd782f866bde9d3a28b9b744296f8a48ad9e50005bfa90a15eeeef22c5f1eb616c84ef25d6f9317592be7c7083d8088d58a03c1342d30110da52237a9

Download Submit
C:\Windows\{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe

Filesize
380KB

MD5
a37d032d392acae108683ec30e1320ad

SHA1
ca585a287ebefea5e227f97f3e0ecb0ad023a6e8

SHA256
e415984e57d5954924305bb865d0776967f334905adf67057a93b1e252f75a08

SHA512
7c956d1fe2cb78e14180e261bf7f43a25dc3a36b8b5b5497d6ad441b92f8db3bfa87c510f762034cbe2eb59d41e4647b6350b83677cd5cd1e8cc4ed6d30b13ce

Download Submit
C:\Windows\{2BE35AB3-D996-482e-A8DF-AFA0DE220F41}.exe

Filesize
380KB

MD5
a37d032d392acae108683ec30e1320ad

SHA1
ca585a287ebefea5e227f97f3e0ecb0ad023a6e8

SHA256
e415984e57d5954924305bb865d0776967f334905adf67057a93b1e252f75a08

SHA512
7c956d1fe2cb78e14180e261bf7f43a25dc3a36b8b5b5497d6ad441b92f8db3bfa87c510f762034cbe2eb59d41e4647b6350b83677cd5cd1e8cc4ed6d30b13ce

Download Submit
C:\Windows\{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe

Filesize
380KB

MD5
192c6d1ff713b05d1e0422ccaaa1ce84

SHA1
74a0be144b3db33b6cda652f4fe682bfb5348c92

SHA256
774283d3f3652f2f43b84227f46a08ea3542c618786a535d8f6f476ec67939da

SHA512
e5c9407edcd324f918dc7c2cf63ef4ea13776bfc1ac0798c27530d55bd12ca68f4645ef92b120bbc566c8ca67d33b2939bf523580da2776d9e5ca289bcd2f6b8

Download Submit
C:\Windows\{5C916B11-F06D-40b9-984D-D1E1B56AF1DF}.exe

Filesize
380KB

MD5
192c6d1ff713b05d1e0422ccaaa1ce84

SHA1
74a0be144b3db33b6cda652f4fe682bfb5348c92

SHA256
774283d3f3652f2f43b84227f46a08ea3542c618786a535d8f6f476ec67939da

SHA512
e5c9407edcd324f918dc7c2cf63ef4ea13776bfc1ac0798c27530d55bd12ca68f4645ef92b120bbc566c8ca67d33b2939bf523580da2776d9e5ca289bcd2f6b8

Download Submit
C:\Windows\{797C0BD2-331C-4c1d-93E5-F25BD5882E8C}.exe

Filesize
380KB

MD5
ad574721fa8049e02c934760eb49ef0a

SHA1
18bd2a30c2526e72f2261c14da6a4f69cdb8debc

SHA256
670241e1689835b3c2a7bcfb5daf9b983d98f8c9022a2523d593111d5fe391fc

SHA512
cf90b8be7e1df1ec2ff9e0d49754819b659eb62af3419836606d35e74129ab78480efc5f1a701e9d837c72bccd90f78989370441baf8ef35682d2e92443540e7

Download Submit
C:\Windows\{797C0BD2-331C-4c1d-93E5-F25BD5882E8C}.exe

Filesize
380KB

MD5
ad574721fa8049e02c934760eb49ef0a

SHA1
18bd2a30c2526e72f2261c14da6a4f69cdb8debc

SHA256
670241e1689835b3c2a7bcfb5daf9b983d98f8c9022a2523d593111d5fe391fc

SHA512
cf90b8be7e1df1ec2ff9e0d49754819b659eb62af3419836606d35e74129ab78480efc5f1a701e9d837c72bccd90f78989370441baf8ef35682d2e92443540e7

Download Submit
C:\Windows\{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe

Filesize
380KB

MD5
e0b6651635aaa325f64b40ca42e00bc1

SHA1
0c2e383c7db112de84f7037e33bbfde800cf0303

SHA256
0bd97ddfb5f48e5179cb0c5c669274fe88b4f89f3d6b00e1b73c3724a5b86642

SHA512
9ad0508af940d41a20d402de65c6c332873115fbc364add79b597ce2c9190379e29b3275d38f7f890771dec5d8c1ec7f1d0b7292d9975b35db1247fb73d0d374

Download Submit
C:\Windows\{814AF210-9313-47e8-9685-8B1D7B258CE8}.exe

Filesize
380KB

MD5
e0b6651635aaa325f64b40ca42e00bc1

SHA1
0c2e383c7db112de84f7037e33bbfde800cf0303

SHA256
0bd97ddfb5f48e5179cb0c5c669274fe88b4f89f3d6b00e1b73c3724a5b86642

SHA512
9ad0508af940d41a20d402de65c6c332873115fbc364add79b597ce2c9190379e29b3275d38f7f890771dec5d8c1ec7f1d0b7292d9975b35db1247fb73d0d374

Download Submit
C:\Windows\{B03D73DF-F14B-40f1-A774-75CD6764CAF6}.exe

Filesize
380KB

MD5
347aa2180b917125b61947f4787663dc

SHA1
9817d26ae9f26f80e6ca21b8eb078cf24d5bc374

SHA256
7910ad0a9b5c95f25eb850394750213b54e3ec7ffa18128abccbf0aa37732839

SHA512
5d108c8d234514e79f2762fe7db1d79a4386702c4ab8a0fe63dd9e7bab33821c75d2c7b776d1d2944a3f3966079a94bbbecb2af7037c1fcc0c5cae447d96989e

Download Submit
C:\Windows\{B03D73DF-F14B-40f1-A774-75CD6764CAF6}.exe

Filesize
380KB

MD5
347aa2180b917125b61947f4787663dc

SHA1
9817d26ae9f26f80e6ca21b8eb078cf24d5bc374

SHA256
7910ad0a9b5c95f25eb850394750213b54e3ec7ffa18128abccbf0aa37732839

SHA512
5d108c8d234514e79f2762fe7db1d79a4386702c4ab8a0fe63dd9e7bab33821c75d2c7b776d1d2944a3f3966079a94bbbecb2af7037c1fcc0c5cae447d96989e

Download Submit
C:\Windows\{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe

Filesize
380KB

MD5
9cc437235c454d9cfaa0372fce293551

SHA1
fa00f08dc64872ad18a4a97243e516683685abcb

SHA256
8ef877139f17db558d544448462c5b3f7b56607c84e0693ada101e3478aeb515

SHA512
16ecae1c623f00bb925057eb83d3d1207bcadff045b81607f90af00abe827cf0cb3a8aad6705e415aeb3c919b891ac91d8d9f1756304781be76bbe5218dad467

Download Submit
C:\Windows\{B28B6299-A554-4192-83CE-1EDF6D48083A}.exe

Filesize
380KB

MD5
9cc437235c454d9cfaa0372fce293551

SHA1
fa00f08dc64872ad18a4a97243e516683685abcb

SHA256
8ef877139f17db558d544448462c5b3f7b56607c84e0693ada101e3478aeb515

SHA512
16ecae1c623f00bb925057eb83d3d1207bcadff045b81607f90af00abe827cf0cb3a8aad6705e415aeb3c919b891ac91d8d9f1756304781be76bbe5218dad467

Download Submit
C:\Windows\{B769CF6F-799D-42dc-BE43-A7987C83D82F}.exe

Filesize
380KB

MD5
15c7e9493ed187ff4bd84ebc966a762c

SHA1
6af0ed2902bb38d083e4552b1096fdf75df74d31

SHA256
b3182089fae59bd9723466b88f18c29e91316ed423f4dd94d821993584ac6b9a

SHA512
46a9ab064bbb3b27f2aa237b33df43dc0af980703c55529eb138c4e93094bd07d9c68e4be12d098a784b0782a7a63c47f184ad81a945c12a7e402f9aebf5c3c0

Download Submit
C:\Windows\{B769CF6F-799D-42dc-BE43-A7987C83D82F}.exe

Filesize
380KB

MD5
15c7e9493ed187ff4bd84ebc966a762c

SHA1
6af0ed2902bb38d083e4552b1096fdf75df74d31

SHA256
b3182089fae59bd9723466b88f18c29e91316ed423f4dd94d821993584ac6b9a

SHA512
46a9ab064bbb3b27f2aa237b33df43dc0af980703c55529eb138c4e93094bd07d9c68e4be12d098a784b0782a7a63c47f184ad81a945c12a7e402f9aebf5c3c0

Download Submit
C:\Windows\{CABA530E-E68E-4703-9503-8F487341F6E3}.exe

Filesize
380KB

MD5
df9a6e8d24972c257fb5eea895554ab0

SHA1
f3a7728c97e30cc9f2ea982db7a40d2a0fb06001

SHA256
acdcb47f838d0993539b0b3ba87ad177713a88a4be4205f785611b2d0fec705c

SHA512
c8fc64d09df1e50f4dc158951f179c34b9d9e4a4886b2366904cdf68e694a83b9373b1e97b34cbcdf565208ddfcc5200c38aa189a29ef4865d699242d2fbcd95

Download Submit
C:\Windows\{CABA530E-E68E-4703-9503-8F487341F6E3}.exe

Filesize
380KB

MD5
df9a6e8d24972c257fb5eea895554ab0

SHA1
f3a7728c97e30cc9f2ea982db7a40d2a0fb06001

SHA256
acdcb47f838d0993539b0b3ba87ad177713a88a4be4205f785611b2d0fec705c

SHA512
c8fc64d09df1e50f4dc158951f179c34b9d9e4a4886b2366904cdf68e694a83b9373b1e97b34cbcdf565208ddfcc5200c38aa189a29ef4865d699242d2fbcd95

Download Submit
C:\Windows\{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe

Filesize
380KB

MD5
a07cf5c1bf560be01ee8d8e90ad77546

SHA1
1693ff0a3e80f2709213ad7423a98958406f5f02

SHA256
558c5e55d4bd626775b68110ef6c474a794f715a9293f7b24f83dbac7b4c798a

SHA512
3675d698ed1c1e558737f0534e148d967b694dcfa4ad5e2f39582a079df920593c50ee6238a086454ece04a18197021a22056d96f91d9bc9e91f237838228e63

Download Submit
C:\Windows\{D99FBF2C-C3E9-41e2-BBCD-C52DED2CB6E8}.exe

Filesize
380KB

MD5
a07cf5c1bf560be01ee8d8e90ad77546

SHA1
1693ff0a3e80f2709213ad7423a98958406f5f02

SHA256
558c5e55d4bd626775b68110ef6c474a794f715a9293f7b24f83dbac7b4c798a

SHA512
3675d698ed1c1e558737f0534e148d967b694dcfa4ad5e2f39582a079df920593c50ee6238a086454ece04a18197021a22056d96f91d9bc9e91f237838228e63

Download Submit
C:\Windows\{F5688421-5067-4060-AC1C-0A433AC24360}.exe

Filesize
380KB

MD5
3edac04f62674776c969024187b4e8b3

SHA1
b67b0b929148c49fabaf12e9e1d2e879bbf06564

SHA256
7a10965e7a5aed6c0bf7684f6dd3a493e9421cd18751ae7bbc9d489fbd806f80

SHA512
c4fb6d7e79d5625511091f1ddc368dbcf33b7eabeff97ba2984f1715845aad5bbc33fbd002a37a96608a4ad6364bec3fdbdca52a42737751933b1ba384804f65

Download Submit
C:\Windows\{F5688421-5067-4060-AC1C-0A433AC24360}.exe

Filesize
380KB

MD5
3edac04f62674776c969024187b4e8b3

SHA1
b67b0b929148c49fabaf12e9e1d2e879bbf06564

SHA256
7a10965e7a5aed6c0bf7684f6dd3a493e9421cd18751ae7bbc9d489fbd806f80

SHA512
c4fb6d7e79d5625511091f1ddc368dbcf33b7eabeff97ba2984f1715845aad5bbc33fbd002a37a96608a4ad6364bec3fdbdca52a42737751933b1ba384804f65

Download Submit
C:\Windows\{F5688421-5067-4060-AC1C-0A433AC24360}.exe

Filesize
380KB

MD5
3edac04f62674776c969024187b4e8b3

SHA1
b67b0b929148c49fabaf12e9e1d2e879bbf06564

SHA256
7a10965e7a5aed6c0bf7684f6dd3a493e9421cd18751ae7bbc9d489fbd806f80

SHA512
c4fb6d7e79d5625511091f1ddc368dbcf33b7eabeff97ba2984f1715845aad5bbc33fbd002a37a96608a4ad6364bec3fdbdca52a42737751933b1ba384804f65

Download Submit
C:\Windows\{F910ACC3-48E7-4949-B2F5-163BBFA77A83}.exe

Filesize
380KB

MD5
1b01e1a008e40e69f8b1a4e8e03d6bfa

SHA1
a111f0c0c4cf2f0ee776cf108b1cc53a859f06be

SHA256
291ed333f868b49638d32ec67780e7c68d194289728042fce508b92e07f49020

SHA512
a1b4486a06b24098f9145e483131cf2c41899b3aece608956343bd1653a408d223a0ee984d8c7fcd0219d0cb9618cfe5886304cfc408aab0ab1652af3ff670d4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads